From hvdkooij at vanderkooij.org Sun Nov 1 00:12:28 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Nov 1 00:12:44 2009
Subject: MailScanner 4.78 "include" directive and MailWatch
In-Reply-To: <1F8740F7-1817-42FC-B55B-F732D1F18379@mlrw.com>
References: <1F8740F7-1817-42FC-B55B-F732D1F18379@mlrw.com>
Message-ID: <4AECD26C.5020600@vanderkooij.org>

On 10/31/09 05:59, Mike Wallace wrote:
> Has anyone figured out how to get MailWatch to work with the new
> "include" directive in MailScanner.conf? Currently MailWatch
> functions.php only supports MailScanner.conf so any configuration
> options in an "include" file are not seen.
>
> I am not a php developer so I don't know how to go about fixing the
> functions get_conf_var and get_conf_truefalse in functions.php to
> support "include" configuration options.
>
> I will also ask on the MailWatch mailing list.

That is the only proper place. So I suggest we consider this thread closed
on this mailing list.

Hugo.

From mmmm82 at gmail.com Sun Nov 1 11:25:13 2009
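
An include-aware reader for the problem Mike Wallace describes in the message above, as an added example that is not MailWatch or MailScanner code. The helper names (ms_load_conf, ms_get_conf_var, ms_get_conf_truefalse), the include syntax, the sorted-glob order, the later-setting-wins behaviour and the depth limit are all assumptions, and the sample files are constructed.

```php
<?php
// Added example: hypothetical helpers, not MailWatch's functions.php.
// Assumptions: an include line is "include <absolute path or glob>", matches
// are read in sorted order, and a later setting overrides an earlier one.
// %variable% expansion is not handled here.

const MS_MAX_INCLUDE_DEPTH = 8; // assumed bound on nested include files

// Option names are compared ignoring case and spaces.
function ms_norm(string $name): string
{
    return strtolower(preg_replace('/\s+/', '', $name));
}

// Parse one file into [normalised name => value], following include lines
// at the point where they appear.
function ms_load_conf(string $path, array &$seen = [], int $depth = 0): array
{
    $real = realpath($path);
    if ($real === false || isset($seen[$real]) || $depth > MS_MAX_INCLUDE_DEPTH) {
        return []; // missing file, include cycle, or nesting too deep
    }
    $seen[$real] = true;
    $conf = [];
    foreach (file($real, FILE_IGNORE_NEW_LINES) ?: [] as $raw) {
        $line = trim(explode('#', $raw, 2)[0]); // drop comments
        if ($line === '') {
            continue;
        }
        // A lone path after "include" is the directive. An option such as
        // "Include Scores In SpamAssassin Report = yes" does not match.
        if (preg_match('/^include\s+(\S+)$/i', $line, $m)) {
            $children = glob($m[1]) ?: [];
            sort($children);
            foreach ($children as $child) {
                if (is_file($child)) {
                    $conf = array_merge($conf, ms_load_conf($child, $seen, $depth + 1));
                }
            }
            continue;
        }
        if (preg_match('/^([^=]+?)\s*=\s*(.*)$/', $line, $m)) {
            $conf[ms_norm($m[1])] = $m[2];
        }
    }
    return $conf;
}

function ms_get_conf_var(array $conf, string $name, ?string $default = null): ?string
{
    return $conf[ms_norm($name)] ?? $default;
}

function ms_get_conf_truefalse(array $conf, string $name): bool
{
    $value = strtolower((string) ms_get_conf_var($conf, $name, 'no'));
    return in_array($value, ['yes', 'true', '1'], true);
}

// Constructed sample tree in a temporary directory (not a real site config).
$dir = sys_get_temp_dir() . '/msconf_' . bin2hex(random_bytes(4));
mkdir("$dir/conf.d", 0700, true);
file_put_contents("$dir/MailScanner.conf",
    "Required SpamAssassin Score = 6\n" .
    "Use SpamAssassin = no\n" .
    "Include Scores In SpamAssassin Report = yes\n" .
    "include $dir/conf.d/*\n");
file_put_contents("$dir/conf.d/10-site.conf",
    "Use SpamAssassin = yes\nRequired SpamAssassin Score = 5\n");
// A file that includes its parent: the cycle guard must skip it.
file_put_contents("$dir/conf.d/20-loop.conf", "include $dir/MailScanner.conf\n");

$conf = ms_load_conf("$dir/MailScanner.conf");
var_dump(ms_get_conf_var($conf, 'Required SpamAssassin Score'));
var_dump(ms_get_conf_truefalse($conf, 'use spamassassin'));
var_dump(ms_get_conf_var($conf, 'Include Scores In SpamAssassin Report'));
```

A front-end that reads only the top-level file would report the values from MailScanner.conf here, while the merged view takes the overrides from conf.d.
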
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 1 11:25:23 2009
Subject: Please HELP
Message-ID: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>

I need help please:

It's been a week and I can't make MailScanner work correctly. I am sure it's
a simple thing that I am aware of. Anyway, I installed MailScanner on
CentOS 5.2 with Postfix as SMTP and it's working as a mail gateway; any mail
that comes is sent to our main mail server. Up to here all is fine.

Now the problem is I tried to test my spam settings, so I sent a message by
using the mail command from the same machine and also by a telnet command
from another machine in the network. Both mails contain nothing but the
words sex, porn, viagra, nude, and they all pass by as if there is nothing
wrong with them??

Under /var/log/maillog I see the messages get scanned (scanning new batch,
spamassassin ... etc.) and they get a score like 0.456 and pass by as non
spam. Please, anyone, what am I missing here?

Thanks

From Antony.Stone at mailscanner.open.source.it Sun Nov 1 11:53:18 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Sun Nov 1 11:53:29 2009
Subject: Please HELP
In-Reply-To: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
Message-ID: <200911011153.18600.Antony.Stone@mailscanner.open.source.it>

On Sunday 01 November 2009 11:25, Monis Monther wrote:

> I tried to test my spam settings so I sent a message by
> using the mail command from the same machine and also by a telnet command
> from another machine in the network , both mails contain nothing but the
> words sex , porn, viagra nude, and they all pass by as if there is nothing
> wrong with them??

Try the test shown at:
http://wiki.apache.org/spamassassin/TestingInstallation

If that fails then you really do have a problem, however if it passes then
you've simply confirmed what that page says: "don't send yourself 'spam' and
expect SpamAssassin to agree!"

Antony.

--
Python is executable pseudocode.
Perl is executable line noise.

Please reply to the list;
please don't CC me.

From ms-list at alexb.ch Sun Nov 1 12:02:15 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Nov 1 12:02:25 2009
Subject: Please HELP
In-Reply-To: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
Message-ID: <4AED78C7.4090701@alexb.ch>

On 11/1/2009 12:25 PM, Monis Monther wrote:
> Now the problem is I tried to test my spam settings so I sent a message by
> using the mail command from the same machine and also by a telnet command
> from another machine in the network , both mails contain nothing but the
> words sex , porn, viagra nude, and they all pass by as if there is nothing
> wrong with them??

not a MailScanner issue...

and what's wrong with these words?

if you really think these words only show up in spam, you may need to ask
your users.

If you really are sure any msg including those words should be marked as
spam, go ahead and write SA rules for them.

See Spamassassin docs for more details.

Alex

From mmmm82 at gmail.com Sun Nov 1 12:23:22 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 1 12:23:31 2009
Subject: Please HELP
In-Reply-To: <200911011153.18600.Antony.Stone@mailscanner.open.source.it>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
 <200911011153.18600.Antony.Stone@mailscanner.open.source.it>
Message-ID: <837e17ab0911010423gdb71411ya37b5e042538b077@mail.gmail.com>

OK, I tried the spamassassin -D < sample-spam.txt and got a lot of output.
This is the last part of it, which I assume means that all is OK. Your
advice please.

[22131] dbg: learn: auto-learn? no: scored as spam but autolearn wanted ham
[22131] dbg: check: is spam? score=999.998 required=5
[22131] dbg: check: tests=GTUBE,NO_RECEIVED,NO_RELAYS
[22131] dbg: check: subtests=__CT,__CTE,__CT_TEXT_PLAIN,__HAS_MSGID,__HAS_SUBJECT,__MIME_VERSION,__MISSING_REF,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__TOCC_EXISTS,__TVD_BODY,__TVD_MIME_ATT_TP,__UNUSABLE_MSGID
Received: from localhost by mailscanner.localdomain
    with SpamAssassin (version 3.2.5);
    Sun, 01 Nov 2009 16:03:35 +0200
From: Sender
To: Recipient
Subject: Test spam mail (GTUBE)
Date: Wed, 23 Jul 2003 23:30:00 +0200
Message-Id:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mailscanner.localdomain
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=1000.0 required=5.0 tests=GTUBE,NO_RECEIVED,
    NO_RELAYS autolearn=no version=3.2.5
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4AED9537.1275837C"

This is a multi-part message in MIME format.

------------=_4AED9537.1275837C
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "mailscanner.localdomain", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
y for details.

Content preview: This is the GTUBE, the Generic Test for Unsolicited Bulk
  Email If your spam filter supports it, the GTUBE provides a test by which
  you can verify that the filter is installed correctly and is detecting
  incoming spam. You can send yourself a test mail containing the following
  string of characters (in upper case and with no white spaces and line
  breaks): [...]

Content analysis details: (1000.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
-0.0 NO_RECEIVED            Informational: message has no Received headers

------------=_4AED9537.1275837C
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Subject: Test spam mail (GTUBE)
Message-ID:
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender
To: Recipient
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is the GTUBE, the
    Generic
    Test for
    Unsolicited
    Bulk
    Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.

------------=_4AED9537.1275837C--

On Sun, Nov 1, 2009 at 1:53 PM, Antony Stone
<Antony.Stone@mailscanner.open.source.it> wrote:

> On Sunday 01 November 2009 11:25, Monis Monther wrote:
>
> > I tried to test my spam settings so I sent a message by
> > using the mail command from the same machine and also by a telnet command
> > from another machine in the network , both mails contain nothing but the
> > words sex , porn, viagra nude, and they all pass by as if there is nothing
> > wrong with them??
>
> Try the test shown at:
> http://wiki.apache.org/spamassassin/TestingInstallation
>
> If that fails then you really do have a problem, however if it passes then
> you've simply confirmed what that page says: "don't send yourself 'spam' and
> expect SpamAssassin to agree!"
>
> Antony.
>
> --
> Python is executable pseudocode.
> Perl is executable line noise.
>
> Please reply to the list;
> please don't CC me.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From mmmm82 at gmail.com Sun Nov 1 12:26:21 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 1 12:26:31 2009
Subject: Please HELP
In-Reply-To: <4AED78C7.4090701@alexb.ch>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
 <4AED78C7.4090701@alexb.ch>
Message-ID: <837e17ab0911010426l1cb668e6xe5b06d55f39cebbb@mail.gmail.com>

and what's wrong with these words?

They are in the 20_porn.cf file under the spamassassin rules, also we have
another antispam product called cleanmail that is based on spamassassin, it
detected it as spam and gave it a score more than 7, we want to replace
this clean mail with mailscanner,

Thanks

Best Regards

On Sun, Nov 1, 2009 at 2:02 PM, Alex Broens wrote:

> On 11/1/2009 12:25 PM, Monis Monther wrote:
>
>> Now the problem is I tried to test my spam settings so I sent a message by
>> using the mail command from the same machine and also by a telnet command
>> from another machine in the network , both mails contain nothing but the
>> words sex , porn, viagra nude, and they all pass by as if there is nothing
>> wrong with them??
>
> not a MailScanner issue...
>
> and what's wrong with these words?
>
> if you really think these words only show up in spam, you may need to ask
> your users.
>
> If you really are sure any msg including those words should be marked as
> spam, go ahead and write SA rules for them.
>
> See Spamassassin docs for more details.
>
> Alex

From ms-list at alexb.ch Sun Nov 1 12:49:13 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Nov 1 12:49:22 2009
Subject: Please HELP
In-Reply-To: <837e17ab0911010426l1cb668e6xe5b06d55f39cebbb@mail.gmail.com>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
 <4AED78C7.4090701@alexb.ch>
 <837e17ab0911010426l1cb668e6xe5b06d55f39cebbb@mail.gmail.com>
Message-ID: <4AED83C9.4020101@alexb.ch>

On 11/1/2009 1:26 PM, Monis Monther wrote:
> and what's wrong with these words?
> They are in the 20_porn.cf file under the spamassassin rules, also we have
> another antispam product called cleanmail that is based on spamassassin , it
> detected it as spam and gave it a score more than 7 , we want to replace
> this clean mail with mailscanner , Thanks

MailScanner is the glue between Spamassassin and any other antispam, AV, etc
application.
It's not MailScanner's duty to give it a score.

If you want these words to get a high score you need to do it via
Spamassassin rules or some other method, but not in MailScanner itself.

> On Sun, Nov 1, 2009 at 2:02 PM, Alex Broens wrote:
>
>> On 11/1/2009 12:25 PM, Monis Monther wrote:
>>> Now the problem is I tried to test my spam settings so I sent a message by
>>> using the mail command from the same machine and also by a telnet command
>>> from another machine in the network , both mails contain nothing but the
>>> words sex , porn, viagra nude, and they all pass by as if there is nothing
>>> wrong with them??
>>
>> not a MailScanner issue...
>>
>> and what's wrong with these words?
>>
>> if you really think these words only show up in spam, you may need to ask
>> your users.
>>
>> If you really are sure any msg including those words should be marked as
>> spam, go ahead and write SA rules for them.
>>
>> See Spamassassin docs for more details.
>>
>> Alex

From mmmm82 at gmail.com Sun Nov 1 12:58:58 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 1 12:59:08 2009
Subject: Please HELP
In-Reply-To: <4AED83C9.4020101@alexb.ch>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
 <4AED78C7.4090701@alexb.ch>
 <837e17ab0911010426l1cb668e6xe5b06d55f39cebbb@mail.gmail.com>
 <4AED83C9.4020101@alexb.ch>
Message-ID: <837e17ab0911010458x561479e0ld4cfab42efed55f6@mail.gmail.com>

Ok, so now this is clear to me that it's not MailScanner, but how am I
supposed to stop spam coming out from my users, where do I need to configure
this,

Thanks

Best Regards

On Sun, Nov 1, 2009 at 2:49 PM, Alex Broens wrote:

> On 11/1/2009 1:26 PM, Monis Monther wrote:
>
>> and what's wrong with these words?
>> They are in the 20_porn.cf file under the spamassassin rules, also we have
>> another antispam product called cleanmail that is based on spamassassin , it
>> detected it as spam and gave it a score more than 7 , we want to replace
>> this clean mail with mailscanner , Thanks
>
> MailScanner is the glue between Spamassassin and any other antispam, AV,
> etc application.
> It's not MailScanner's duty to give it a score.
>
> If you want these words to get a high score you need to do it via
> Spamassassin rules or some other method, but not in MailScanner itself.
>
>> On Sun, Nov 1, 2009 at 2:02 PM, Alex Broens wrote:
>>
>>> On 11/1/2009 12:25 PM, Monis Monther wrote:
>>>> Now the problem is I tried to test my spam settings so I sent a message by
>>>> using the mail command from the same machine and also by a telnet command
>>>> from another machine in the network , both mails contain nothing but the
>>>> words sex , porn, viagra nude, and they all pass by as if there is nothing
>>>> wrong with them??
>>>
>>> not a MailScanner issue...
>>>
>>> and what's wrong with these words?
>>>
>>> if you really think these words only show up in spam, you may need to ask
>>> your users.
>>>
>>> If you really are sure any msg including those words should be marked as
>>> spam, go ahead and write SA rules for them.
>>>
>>> See Spamassassin docs for more details.
>>>
>>> Alex

From Antony.Stone at mailscanner.open.source.it Sun Nov 1 15:57:15 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Sun Nov 1 15:57:27 2009
Subject: Please HELP
In-Reply-To: <837e17ab0911010458x561479e0ld4cfab42efed55f6@mail.gmail.com>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
 <4AED83C9.4020101@alexb.ch>
 <837e17ab0911010458x561479e0ld4cfab42efed55f6@mail.gmail.com>
Message-ID: <200911011557.15367.Antony.Stone@mailscanner.open.source.it>

On Sunday 01 November 2009 12:58, Monis Monther wrote:

> Ok, so now this is clear to me that its not Mailscanner but how am I
> supposed to stop spam coming out from my users, where do I need to
> configure this, Thanks

Firstly define what specific things you want to block in emails.
Then create some SpamAssassin rules (if you're not sure how to do this, look
at the copious examples in /usr/share/spamassassin, or wherever your distro
puts the SA ruleset), not forgetting to include the "score"s for each rule.

The score which a message has to reach to be marked (by MailScanner) as Spam
is "Required SpamAssassin Score" in MailScanner.conf. Rule scores are
cumulative, so two rules which match an email, valued at 2.7 each, will score
5.4.

For further guidance on these rules I suggest the SpamAssassin documentation
and mailing list.

Regards,

Antony.

--
Ramdisk is not an installation procedure.

Please reply to the list;
please don't CC me.

From Antony.Stone at mailscanner.open.source.it Sun Nov 1 20:05:42 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Sun Nov 1 20:05:56 2009
Subject: "Does not make sense to bounce non-spam"
Message-ID: <200911012005.42764.Antony.Stone@mailscanner.open.source.it>

Hi.

I'm trying to use "SpamAssassin Rule Actions" to detect emails which contain
one or more words from a list of unacceptable words, and if found, either:

a) modify the subject line with something like "{Content?}" - similar to
"{Virus?}" and "{Spam?}" - and deliver the message as usual

or

b) quarantine the message and bounce a notification back to the sender to let
them know the email was not delivered.

I would previously have used the MCP feature for this, however with
MailScanner 4.74.16 (Debian Lenny backports) this appears not to work and
I've been advised to use SA Rule Actions instead.

The trouble is, I see no way to modify the Subject line with the available
Actions, and when I declare Bounce to be one of the rule actions, I simply
see in the log file "Does not make sense to bounce non-spam", and MS doesn't
do what I asked it to :(

Please can someone either help me debug why MCP isn't working in MS 4.74.16
(I've used it in much older versions, and I know how to do what I want to
using MCP), or let me know how to do either (preferably both, since I
probably need to do both actions, depending on which list the objectionable
word was found in) of the above actions using SA Rule Actions?

Many thanks,

Antony.

--
Having been asked for a reference for this man, I can confirm that you will
be very lucky indeed if you can get him to work for you.

Please reply to the list;
please don't CC me.

From mmmm82 at gmail.com Mon Nov 2 07:27:46 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Mon Nov 2 07:27:56 2009
Subject: Please HELP
In-Reply-To: <200911011557.15367.Antony.Stone@mailscanner.open.source.it>
References: <837e17ab0911010325r5f44229cl637f0040aae330d0@mail.gmail.com>
 <4AED83C9.4020101@alexb.ch>
 <837e17ab0911010458x561479e0ld4cfab42efed55f6@mail.gmail.com>
 <200911011557.15367.Antony.Stone@mailscanner.open.source.it>
Message-ID: <837e17ab0911012327v4f82ad87xa92c4c95d6d4c9d2@mail.gmail.com>

Thanks for everyone, I will look into the docs and try to work things out.

Best Regards

On Sun, Nov 1, 2009 at 5:57 PM, Antony Stone
<Antony.Stone@mailscanner.open.source.it> wrote:

> On Sunday 01 November 2009 12:58, Monis Monther wrote:
>
> > Ok, so now this is clear to me that its not Mailscanner but how am I
> > supposed to stop spam coming out from my users, where do I need to
> > configure this, Thanks
>
> Firstly define what specific things you want to block in emails.
> Then create some SpamAssassin rules (if you're not sure how to do this, look
> at the copious examples in /usr/share/spamassassin, or wherever your distro
> puts the SA ruleset), not forgetting to include the "score"s for each rule.
>
> The score which a message has to reach to be marked (by MailScanner) as Spam
> is "Required SpamAssassin Score" in MailScanner.conf. Rule scores are
> cumulative, so two rules which match an email, valued at 2.7 each, will
> score 5.4.
>
> For further guidance on these rules I suggest the SpamAssassin documentation
> and mailing list.
>
> Regards,
>
> Antony.
>
> --
> Ramdisk is not an installation procedure.
>
> Please reply to the list;
> please don't CC me.

From markus at markusoft.se Mon Nov 2 09:01:38 2009
From: markus at markusoft.se (Markus Nilsson)
Date: Mon Nov 2 09:01:48 2009
Subject: Multiple MailScanner instances (DEBIAN)
In-Reply-To: <223f97700910301030i1c46881era7f2b739019dc1e3@mail.gmail.com>
References: <223f97700910300648n4f128071la44c82cab9255e72@mail.gmail.com>
 <86F353A9028C4BCC80036F3CB851F4E5@eemea.ericsson.se>
 <223f97700910301030i1c46881era7f2b739019dc1e3@mail.gmail.com>
Message-ID:

Hmm,

Maybe you have convinced me.
If you say bayes is not an issue, the possibility to have different scoring
in spamassassin for different domains is not possible, right?
This might however be just a tiny issue that if needed could be solved with
VM's.

Thanks
/Markus

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 30 October 2009 18:31
To: MailScanner discussion
Subject: Re: Multiple MailScanner instances (DEBIAN)

I wouldn't worry about Bayes:-)... It's concerned with tokens, not
language... Sure, certain words would make sense for some domains, but
not others... But the total impact shouldn't be that dominant.
You can either have a ruleset for spam scores, or have individual
scores either through MailWatch or some own hack/custom function (in
SQL, of course).
There's always another way;-)

2009/10/30, Markus Nilsson :
> Sure, Virtual Machines would work, but would take more resources. I'd
> rather have multiple MailScanner processes if possible; or of course
> just one that can achieve what I want, but I don't think that's possible.
>
> My goal is to be able to have different configurations for different
> domains, for example multiple spam.assassin.conf-files (mainly for
> domain-level bayes db's, due to different languages), different spam
> scores etc, it seems like those things are only read at start-up; not
> for every mail scanned, right?
>
>
> /Markus
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn
> Steen
> Sent: 30 October 2009 14:48
> To: MailScanner discussion
> Subject: Re: Multiple MailScanner instances (DEBIAN)
>
> Why? Since you can use rulesets for most anything, there usually are
> no real need for this type of setup. Probably easier to use separate
> virtual machines, if I can't dissuade you...;-)
>
> 2009/10/30, Markus Nilsson :
>> Hi,
>>
>> I would like to be able to have two (or more) different MailScanner
>> instances running on the same system; they will work with separate
>> incoming and work dirs; and have different rules and settings.
>>
>> I guess I need to change the pid-file location in the conf-file, and
>> create multiple start-stop-scripts to be able to start and stop them
>> independently.
>> Beside multiple configuration files with separate working folders,
>> are there any other things I need to keep in mind? Is it possible to
>> have multiple instances working on different folders at the same
>> time, or will this somehow screw-up MailScanner's internals?
>>
>>
>> BR
>> Markus Nilsson
>>
>
> --
> Sent from my mobile device
>
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From john at tradoc.fr Mon Nov 2 09:29:37 2009
From: john at tradoc.fr (John Wilcock)
Date: Mon Nov 2 09:29:48 2009
Subject: Multiple MailScanner instances (DEBIAN)
In-Reply-To:
References: <223f97700910300648n4f128071la44c82cab9255e72@mail.gmail.com>
 <86F353A9028C4BCC80036F3CB851F4E5@eemea.ericsson.se>
 <223f97700910301030i1c46881era7f2b739019dc1e3@mail.gmail.com>
Message-ID: <4AEEA681.9060807@tradoc.fr>

On 02/11/2009 10:01, Markus Nilsson wrote:
> If you say bayes is not an issue, the possibility to have different scoring
> in spamassassin for different domains is not possible, right?
> This might however be just a tiny issue that if needed could be solved with
> VM's.

Rather than multiple instances or VMs just for that, you could always
get round the problem with meta-rules in spamassassin that simply adjust
scores depending on the domain. Probably safest to do this by turning on
"Add Envelope To Header = yes" then testing that header:

header __EXAMPLE_COM X-orgname-MailScanner-To =~ /\@example\.com/i
meta WANTS_DIET_DRUGS __EXAMPLE_COM && (DRUGS_DIET || DRUGS_DIET_OBFU)
score WANTS_DIET_DRUGS -2.0

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From edward.prendergast at netring.co.uk Mon Nov 2 12:10:17 2009
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Mon Nov 2 12:10:31 2009
Subject: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
Message-ID: <4AEECC29.40407@netring.co.uk>

Hi,

After having upgraded to CentOS 5.4 I'm seeing the following errors from
MailScanner:

[root@server8 MailScanner]# MailScanner --version
 is only avaliable with the XS version at
/usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9.
Compilation failed in require at
/usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 24.
BEGIN failed--compilation aborted at
/usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 24.
Compilation failed in require at
/usr/lib/MailScanner/MailScanner/Message.pm line 48.
BEGIN failed--compilation aborted at
/usr/lib/MailScanner/MailScanner/Message.pm line 48.
Compilation failed in require at /usr/sbin/MailScanner line 108.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 108.

I tried upgrading to the latest version of MailScanner
(MailScanner-4.78.17-1 installed from MailScanner-4.78.17-1.rpm.tar.gz's
install.sh) but this hasn't resolved the issue.

After yum upgrades downgrading perl packages below the minimum version
requirement for MailScanner my process to fix has usually been:

1) Identify problem packages from MailScanner errors
2) Add these to yum exclude list
3) Reinstall MailScanner stable and allow it to force the packages back
up to the right version

As shown above this approach hasn't worked this time.

Thanks,
Edward

************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorised. If you are not the intended recipient, any action taken or
omitted to be taken in reliance on it, any form of reproduction,
dissemination, copying, disclosure, modification, distribution and/or
publication of this E-mail message is strictly prohibited and may be
unlawful. If you have received this E-mail message in error, please notify us
immediately. Please also destroy and delete the message from your computer.
************

From J.Ede at birchenallhowden.co.uk Mon Nov 2 12:34:59 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Nov 2 12:35:20 2009
Subject: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
In-Reply-To: <4AEECC29.40407@netring.co.uk>
References: <4AEECC29.40407@netring.co.uk>
Message-ID: <1213490F1F316842A544A850422BFA9612870A1473@BHLSBS.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Edward
> Prendergast
> Sent: 02 November 2009 12:10
> To: MailScanner discussion
> Subject: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
>
> Hi,
>
> After having upgraded to CentOS 5.4 I'm seeing the following errors from
> MailScanner:
>
> [root@server8 MailScanner]# MailScanner --version
>  is only avaliable with the XS version at
> /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9
> BEGIN failed--compilation aborted at
> /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9.
> Compilation failed in require at
> /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 24.
> BEGIN failed--compilation aborted at
> /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 24.
> Compilation failed in require at
> /usr/lib/MailScanner/MailScanner/Message.pm line 48.
> BEGIN failed--compilation aborted at
> /usr/lib/MailScanner/MailScanner/Message.pm line 48.
> Compilation failed in require at /usr/sbin/MailScanner line 108.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 108.
>
> I tried upgrading to the latest version of MailScanner
> (MailScanner-4.78.17-1 installed from MailScanner-4.78.17-1.rpm.tar.gz's
> install.sh) but this hasn't resolved the issue.
>
> After yum upgrades downgrading perl packages below the minimum version
> requirement for MailScanner my process to fix has usually been:
>
> 1) Identify problem packages from MailScanner errors
> 2) Add these to yum exclude list
> 3) Reinstall MailScanner stable and allow it to force the packages back
> up to the right version
>
> As shown above this approach hasn't worked this time.
>
> Thanks,
> Edward

Obtain a rpm of latest Scalar::Utils and install that... Will then be fine.

Jason

From edward.prendergast at netring.co.uk Mon Nov 2 13:27:34 2009
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Mon Nov 2 13:27:47 2009
Subject: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
In-Reply-To: <1213490F1F316842A544A850422BFA9612870A1473@BHLSBS.bhl.local>
References: <4AEECC29.40407@netring.co.uk> <1213490F1F316842A544A850422BFA9612870A1473@BHLSBS.bhl.local>
Message-ID: <4AEEDE46.80304@netring.co.uk>

Jason Ede wrote:
>> After yum upgrades downgrading perl packages below the minimum version
>> requirement for MailScanner my process to fix has usually been:
>>
>> 1) Identify problem packages from MailScanner errors
>> 2) Add these to yum exclude list
>> 3) Reinstall MailScanner stable and allow it to force the packages back
>> up to the right version
>>
>> As shown above this approach hasn't worked this time.
>>
>> Thanks,
>> Edward
>>
>
> Obtain a rpm of latest Scalar::Utils and install that... Will then be fine

Thanks for the response.

Scalar::Util now appears to be included in perl core (see below) which means I get transaction errors if I try to install it again (via yum install perl-Scalar-Util). What's the preferred method for handling this? Should I run yum localinstall perl-Scalar-Util and add it to the yum exclude list so it doesn't get removed in a subsequent update?

perl-Scalar-List-Utils-1.21-1.el5.rf.i386 : Common Scalar and List utility subroutines
Repo : rpmforge
Matched from:
Other : perl(Scalar::Util)

perl-Scalar-List-Utils-1.19-1.el5.rf.i386 : Common Scalar and List utility subroutines
Repo : rpmforge
Matched from:
Other : perl(Scalar::Util)

4:perl-5.8.8-27.el5.i386 : The Perl programming language
Repo : base
Matched from:
Other : perl(Scalar::Util)

4:perl-5.8.8-27.el5.i386 : The Perl programming language
Repo : installed
Matched from:
Other : Provides-match: perl(Scalar::Util)

Thanks,
Edward

************
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any action taken or omitted to be taken in reliance on it, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited and may be unlawful. If you have received this E-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer.
************

From J.Ede at birchenallhowden.co.uk Mon Nov 2 15:07:19 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Nov 2 15:07:37 2009
Subject: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
In-Reply-To: <4AEEDE46.80304@netring.co.uk>
References: <4AEECC29.40407@netring.co.uk> <1213490F1F316842A544A850422BFA9612870A1473@BHLSBS.bhl.local> <4AEEDE46.80304@netring.co.uk>
Message-ID: <1213490F1F316842A544A850422BFA9612870A1493@BHLSBS.bhl.local>

Get latest source code, build a rpm with rpmbuild and then install... I'm afraid I don't know the options offhand...

Jason

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Edward Prendergast
> Sent: 02 November 2009 13:28
> To: MailScanner discussion
> Subject: Re: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
>
> Jason Ede wrote:
> >
> >> After yum upgrades downgrading perl packages below the minimum version
> >> requirement for MailScanner my process to fix has usually been:
> >>
> >> 1) Identify problem packages from MailScanner errors
> >> 2) Add these to yum exclude list
> >> 3) Reinstall MailScanner stable and allow it to force the packages back
> >> up to the right version
> >>
> >> As shown above this approach hasn't worked this time.
> >>
> >> Thanks,
> >> Edward
> >>
> >
> > Obtain a rpm of latest Scalar::Utils and install that... Will then be fine
>
> Thanks for the response.
>
> Scalar::Util now appears to be included in perl core (see below) which
> means I get transaction errors if I try to install it again (via yum
> install perl-Scalar-Util). What's the preferred method for handling
> this? Should I run yum localinstall perl-Scalar-Util and add it to the
> yum exclude list so it doesn't get removed in a subsequent update?
>
> perl-Scalar-List-Utils-1.21-1.el5.rf.i386 : Common Scalar and List utility subroutines
> Repo : rpmforge
> Matched from:
> Other : perl(Scalar::Util)
>
> perl-Scalar-List-Utils-1.19-1.el5.rf.i386 : Common Scalar and List utility subroutines
> Repo : rpmforge
> Matched from:
> Other : perl(Scalar::Util)
>
> 4:perl-5.8.8-27.el5.i386 : The Perl programming language
> Repo : base
> Matched from:
> Other : perl(Scalar::Util)
>
> 4:perl-5.8.8-27.el5.i386 : The Perl programming language
> Repo : installed
> Matched from:
> Other : Provides-match: perl(Scalar::Util)
>
> Thanks,
> Edward
>
>
> ************
> The information in this email is confidential and may be legally privileged.
> It is intended solely for the addressee. Access to this email by anyone else
> is unauthorised. If you are not the intended recipient, any action taken or
> omitted to be taken in reliance on it, any form of reproduction,
> dissemination, copying, disclosure, modification, distribution and/or
> publication of this E-mail message is strictly prohibited and may be
> unlawful. If you have received this E-mail message in error, please notify
> us immediately. Please also destroy and delete the message from your
> computer.
> ************
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From iveymr at gmail.com Mon Nov 2 15:10:04 2009
From: iveymr at gmail.com (Ryan Ivey)
Date: Mon Nov 2 15:10:16 2009
Subject: MailScanner 4.78
Message-ID: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com>

After upgrading to 4.78, I'm having problems getting MailScanner to process mail properly. It seems to only process mail originating from our domain. Incoming email seems to hang in the queue indefinitely.

Specifically, I believe the problem is here:

[root@mailserver incoming]# /usr/sbin/MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Can't call method "print" on an undefined value at /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 743.

Some searching led to checking the permission on the working dir:

drwxrwxr-x 14 clamav clamav 4096 Nov 2 10:04 incoming

But, no matter how much world-writable permission I give it, it still complains, so I'm not so sure it's a permission issue.

Not sure if they're related, but I also receive this in --lint:

[root@mailserver incoming]# MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Read 856 hostnames from the phishing whitelist
Read 6690 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.78.17) is correct.
Unrar is not installed, it should be in /usr/bin/unrar.
This is required for RAR archives to be read to check filenames and filetypes. Virus scanning is not affected.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 763 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamavmodule
===========================================================================
Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not writable at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1210

MailScanner.conf:

[root@mailserver MailScanner]# cat /etc/MailScanner/MailScanner.conf |grep -v ^# |grep -v ^$
%org-name% = ##Hidden to protect Privacy##
%org-long-name% = ##Hidden to protect Privacy##
%web-site% = www.##Hidden to protect Privacy##.com
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 12
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User = clamav
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Quarantine User = root
Quarantine Group = apache
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = %rules-dir%/scan.messages.rules
Reject Message = no
Maximum Processing Attempts = 6
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File
Command = /usr/bin/file File Timeout = 20 Gunzip Command = /bin/gunzip Gunzip Timeout = 50 Unrar Command = /usr/bin/unrar Unrar Timeout = 50 Find UU-Encoded Files = no Maximum Message Size = %rules-dir%/max.message.size.rules Maximum Attachment Size = -1 Minimum Attachment Size = -1 Maximum Archive Depth = %rules-dir%/max-depth-archive.rules Find Archives By Content = yes Unpack Microsoft Documents = yes Zip Attachments = no Attachments Zip Filename = MessageAttachments.zip Attachments Min Total Size To Zip = 100k Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml Add Text Of Doc = no Antiword = /usr/bin/antiword -f Antiword Timeout = 50 Unzip Maximum Files Per Archive = 0 Unzip Maximum File Size = 50k Unzip Filenames = *.txt *.ini *.log *.csv Unzip MimeType = text/plain Virus Scanning = yes Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = no Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* Block Encrypted Messages = no Block Unencrypted Messages = no Allow Password-Protected Archives = %rules-dir%/passprotected.zipok.rules Check Filenames In Password-Protected Archives = yes Allowed Sophos Error Messages = Sophos IDE Dir = /opt/sophos-av/lib/sav Sophos Lib Dir = /opt/sophos-av/lib Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd ClamAVmodule Maximum Recursion Level = 8 ClamAVmodule Maximum Files = 1000 ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) ClamAVmodule Maximum Compression Ratio = 250 Clamd Port = 3310 Clamd Socket = /var/run/clamav/clamd Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes ClamAV Full Message Scan = yes Fpscand Port = 10200 Dangerous Content 
Scanning = %rules-dir%/content.scanning.rules Allow Partial Messages = no Allow External Message Bodies = no Find Phishing Fraud = yes Also Find Numeric Phishing = yes Use Stricter Phishing Net = yes Highlight Phishing Fraud = yes Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf Allow IFrame Tags = disarm Allow Form Tags = %rules-dir%/formtag.rules Allow Script Tags = disarm Allow WebBugs = disarm Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim Known Web Bug Servers = msgtag.com Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif Allow Object Codebase Tags = disarm Convert Dangerous HTML To Text = no Convert HTML To Text = no Archives Are = zip rar ole Allow Filenames = \.pdf$ Deny Filenames = Filename Rules = %rules-dir%/filename.rules Allow Filetypes = Allow File MIME Types = Deny Filetypes = Deny File MIME Types = Filetype Rules = %rules-dir%/filetype.rules Archives: Allow Filenames = Archives: Deny Filenames = Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf Archives: Allow Filetypes = Archives: Allow File MIME Types = Archives: Deny Filetypes = Archives: Deny File MIME Types = Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf Quarantine Infections = yes Quarantine Silent Viruses = no Quarantine Modified Body = no Quarantine Whole Message = yes Quarantine Whole Messages As Queue Files = no Keep Spam And MCP Archive Clean = no Language Strings = %report-dir%/languages.conf Rejection Report = %report-dir%/rejection.report.txt Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Deleted Size Message Report = %report-dir%/deleted.size.message.txt Stored Bad Content Message Report = 
%report-dir%/stored.content.message.txt Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Stored Size Message Report = %report-dir%/stored.size.message.txt Disinfected Report = %report-dir%/disinfected.report.txt Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt Signature Image Filename = %report-dir%/sig.jpg Signature Image Filename = signature.jpg Inline HTML Warning = %report-dir%/inline.warning.html Inline Text Warning = %report-dir%/inline.warning.txt Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sender Size Report = %report-dir%/sender.size.report.txt Hide Incoming Work Dir = yes Include Scanner Name In Reports = yes Mail Header = X-%org-name%-MailScanner: Spam Header = X-%org-name%-MailScanner-SpamCheck: Spam Score Header = X-%org-name%-MailScanner-SpamScore: Information Header = X-%org-name%-MailScanner-Information: Add Envelope From Header = yes Add Envelope To Header = no Envelope From Header = X-%org-name%-MailScanner-From: Envelope To Header = X-%org-name%-MailScanner-To: ID Header = X-%org-name%-MailScanner-ID: IP Protocol Version Header = # X-%org-name%-MailScanner-IP-Protocol: Spam Score Character = s SpamScore Number Instead Of Stars = no Minimum Stars If On Spam List = 0 Clean Header Value = Found to be clean Infected Header Value = Found to be infected Disinfected Header Value = Disinfected Information Header Value = Please contact the ISP for more information Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = no Multiple Headers = append Place New Headers At Top Of Message = no Hostname = the %org-name% ($HOSTNAME) MailScanner Sign Messages 
Already Processed = no Sign Clean Messages = no Attach Image To Signature = no Attach Image To HTML Message Only = yes Allow Multiple HTML Signatures = no Dont Sign HTML If Headers Exist = # In-Reply-To: References: Mark Infected Messages = yes Mark Unscanned Messages = yes Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: Deliver Cleaned Messages = yes Notify Senders = no Notify Senders Of Viruses = no Notify Senders Of Blocked Filenames Or Filetypes = yes Notify Senders Of Blocked Size Attachments = yes Notify Senders Of Other Blocked Content = yes Never Notify Senders Of Precedence = list bulk Scanned Modify Subject = no # end Scanned Subject Text = {Scanned} Virus Modify Subject = start Virus Subject Text = {Virus?} Filename Modify Subject = start Filename Subject Text = {Rejected File Attachment} Content Modify Subject = start Content Subject Text = {Dangerous Content?} Size Modify Subject = start Size Subject Text = {Size} Disarmed Modify Subject = no Disarmed Subject Text = {Disarmed} Phishing Modify Subject = no Phishing Subject Text = {Fraud?} Spam Modify Subject = start Spam Subject Text = {Spam} High Scoring Spam Modify Subject = start High Scoring Spam Subject Text = {High Scoring Spam} Warning Is Attachment = yes Attachment Warning Filename = %org-name%-Attachment-Warning.txt Attachment Encoding Charset = ISO-8859-1 Archive Mail = Missing Mail Archive Is = directory Send Notices = yes Notices Include Full Headers = yes Hide Incoming Work Dir in Notices = no Notice Signature = -- \nMailScanner\nEmail Virus Scanner\ nwww.mailscanner.info Notices From = MailScanner Notices To = postmaster Local Postmaster = postmaster Spam List Definitions = %etc-dir%/spam.lists.conf Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Spam Checks = yes Spam List = # spamhaus-ZEN # You can un-comment this to enable them Spam Domain List = Spam Lists To Be 
Spam = 1 Spam Lists To Reach High Score = 3 Spam List Timeout = 10 Max Spam List Timeouts = 7 Spam List Timeouts History = 10 Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules Is Definitely Spam = %rules-dir%/spam.blacklist.rules Definite Spam Is High Scoring = yes Ignore Spam Whitelist If Recipients Exceed = 20 Max Spam Check Size = 512k Use Watermarking = no Add Watermark = yes Check Watermarks With No Sender = yes Treat Invalid Watermarks With No Sender as Spam = nothing Check Watermarks To Skip Spam Checks = yes Watermark Secret = %org-name%-Secret Watermark Lifetime = 604800 Watermark Header = X-%org-name%-MailScanner-Watermark: Use SpamAssassin = yes Max SpamAssassin Size = 200k Required SpamAssassin Score = 5 High SpamAssassin Score = 8 SpamAssassin Auto Whitelist = yes SpamAssassin Timeout = 75 Max SpamAssassin Timeouts = 10 SpamAssassin Timeouts History = 30 Check SpamAssassin If On Spam List = yes Include Binary Attachments In SpamAssassin = no Spam Score = yes Cache SpamAssassin Results = yes SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db Rebuild Bayes Every = 86400 Wait During Bayes Rebuild = no Use Custom Spam Scanner = no Max Custom Spam Scanner Size = 20k Custom Spam Scanner Timeout = 20 Max Custom Spam Scanner Timeouts = 10 Custom Spam Scanner Timeout History = 20 Spam Actions = Spam Actions = store store-nonspam deliver header "X-Spam-Status: Yes" High Scoring Spam Actions = store Non Spam Actions = %rules-dir%/nonspam.rules SpamAssassin Rule Actions = Sender Spam Report = %report-dir%/sender.spam.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Inline Spam Warning = %report-dir%/inline.spam.warning.txt Recipient Spam Report = %report-dir%/recipient.spam.report.txt Enable Spam Bounce = %rules-dir%/bounce.rules Bounce Spam As Attachment = no Syslog Facility = mail Log Speed = no Log Spam = no Log Non Spam 
= no Log Delivery And Non-Delivery = no Log Permitted Filenames = no Log Permitted Filetypes = no Log Permitted File MIME Types = no Log Silent Viruses = no Log Dangerous HTML Tags = no Log SpamAssassin Rule Actions = yes SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin SpamAssassin Install Prefix = SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = MCP Checks = no First Check = spam MCP Required SpamAssassin Score = 1 MCP High SpamAssassin Score = 10 MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: Non MCP Actions = deliver MCP Actions = deliver High Scoring MCP Actions = deliver Bounce MCP As Attachment = no MCP Modify Subject = start MCP Subject Text = {MCP?} High Scoring MCP Modify Subject = start High Scoring MCP Subject Text = {MCP?} Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = no Detailed MCP Report = yes Include Scores In MCP Report = no Log MCP = no MCP Max SpamAssassin Timeouts = 20 MCP Max SpamAssassin Size = 100k MCP SpamAssassin Timeout = 10 MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin User State Dir = MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Default Rules Dir = %mcp-dir% MCP SpamAssassin Install Prefix = %mcp-dir% Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = no Read IP Address From Received Header = no Spam Score Number Format = %d MailScanner Version Number = 4.78.17 SpamAssassin Cache Timings = 1800,300,10800,172800,600 Debug = no Debug SpamAssassin = no Run In Foreground = no Always Looked Up Last = no Always Looked Up Last After Batch = no Deliver In Background = yes Delivery 
Method = batch
Split Exim Spool = no
Lockfile Dir = /var/spool/MailScanner/incoming/Locks
Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions
Lock Type =
Syslog Socket Type =
Automatic Syntax Check = yes
Minimum Code Status = supported
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091102/b2734005/attachment.html

From jakari at bithose.com Mon Nov 2 21:19:52 2009
From: jakari at bithose.com (Jameel Akari)
Date: Mon Nov 2 21:20:03 2009
Subject: Trend Micro scanner in MS...
Message-ID:

Slightly off-topic I suppose.

Is anyone here using a current release of Trend's AV for Linux? I'm not directly finding anything in Trend's current products for Linux that provide command-line scanners which MailScanner is looking for (i.e. vscan). Instead you have "ServerProtect" which basically seems only on-access (with a kernel module, ugh) or "InterScan VirusWall" which seems to have 'isvw-scan' but needs a 4GB install of other junk I don't need in order to work.

Am I missing something obvious here?

--
Jameel Akari

From alex at rtpty.com Mon Nov 2 23:35:56 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Nov 2 23:36:12 2009
Subject: Trend Micro scanner in MS...
In-Reply-To:
References:
Message-ID:

The opportunity to use Clam instead? ;-)

On Nov 2, 2009, at 4:19 PM, Jameel Akari wrote:

> Am I missing something obvious here?

From mailscanner at pdscc.com Tue Nov 3 03:11:20 2009
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Tue Nov 3 03:11:51 2009
Subject: problem with requeue losing recipient
Message-ID: <20091103031127.AE15413D3@sinclaire.sibble.net>

Not sure if this is a postfix, mailscanner or mailwatch problem or a combination. I'm guessing this is a consequence of the single postfix queue method I am using with MailScanner.

Basically email comes in addressed to one person in the to: field (recipient1) and cc'd to a second person (recipient2). After the requeue and change of message id, it only gets delivered to recipient2 and recipient1 seems to get lost.

Any ideas on why this issue is occurring and how I stop this happening in the future?

In mailwatch it shows both recipients and shows the action as deliver, so one would expect that both recipients received the email, but as below the logs show a different picture and that is confirmed by recipient1

# cat /root/maillog | grep 6E587B34001
Nov 1 18:29:34 mymailservername postfix/smtpd[6938]: 6E587B34001: client=smtp42.singnet.com.sg[165.21.103.146]
Nov 1 18:29:34 mymailservername postgrey[4778]: 6E587B34001: action=greylist, reason=new, client_name=smtp42.singnet.com.sg, client_address=165.21.103.146, sender=sender.person1@sendingdomain.com.tld, recipient=recipient1@domain.tld
Nov 1 18:29:34 mymailservername postfix/smtpd[6938]: 6E587B34001: reject: RCPT from smtp42.singnet.com.sg[165.21.103.146]: 450 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/recipientdomain.tld.html; from= to= proto=ESMTP helo=
Nov 1 18:29:34 mymailservername postfix/cleanup[6948]: 6E587B34001: hold: header Received: from smtp42.singnet.com.sg (smtp42.singnet.com.sg [165.21.103.146])??by mailscan.recipientdomain.tld (Postfix) with ESMTP id 6E587B34001??for ; Sun, 1 Nov 2009 18:29:34 -0800 (PST from smtp42.singnet.com.sg[165.21.103.146]; from= to= proto=ESMTP helo=
Nov 1 18:29:34 mymailservername postfix/cleanup[6948]: 6E587B34001: hold: header Received: from sendingdomain.com.tld (bb116-14-192-65.singnet.com.sg [116.14.192.65])??by smtp42.singnet.com.sg (8.14.3/8.14.1) with ESMTP id nA22TTHD024555;??Mon, 2 Nov 2009 10:29:29 +0800 from smtp42.singnet.com.sg[165.21.103.146]; from= to= proto=ESMTP helo=
Nov 1 18:29:34 mymailservername postfix/cleanup[6948]: 6E587B34001: message-id=<11A235F44D36EF4CB7F3A78ECD874B7E760596@lanserver.Sendingco.local>
Nov 1 18:29:35 mymailservername MailScanner[4818]: Archived message 6E587B34001.A7D63 to mbox file /var/spool/MailScanner/archive/mail-archive
Nov 1 18:29:35 mymailservername MailScanner[4818]: Saved archive copies of 6E587B34001.A7D63
Nov 1 18:29:44 mymailservername MailScanner[4818]: Requeue: 6E587B34001.A7D63 to 44B78B34002
Nov 1 18:29:44 mymailservername MailScanner[4818]: Logging message 6E587B34001.A7D63 to SQL
Nov 1 18:29:44 mymailservername MailScanner[6540]: 6E587B34001.A7D63: Logged to MailWatch SQL

You'll note 9 lines down it says

Nov 1 18:29:44 mymailservername MailScanner[4818]: Requeue: 6E587B34001.A7D63 to 44B78B34002

Now searching for the new id file gives us

# cat /root/maillog | grep 44B78B34002
Nov 1 18:29:44 mymailservername MailScanner[4818]: Requeue: 6E587B34001.A7D63 to 44B78B34002
Nov 1 18:29:44 mymailservername postfix/qmgr[25214]: 44B78B34002: from=, size=10888, nrcpt=1 (queue active)
Nov 1 18:29:44 mymailservername postfix/smtp[6957]: 44B78B34002: to=, relay=10.11.12.9[10.11.12.9], delay=10, status=sent (250 2.6.0 <11A235F44D36EF4CB7F3A78ECD874B7E760596@lanserver.Seaways.local> Queued mail for delivery)
Nov 1 18:29:44 mymailservername postfix/qmgr[25214]: 44B78B34002: removed

--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice)

From iveymr at gmail.com Tue Nov 3 12:52:11 2009
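An added example for the "problem with requeue losing recipient" post above, not part of the original message and not MailScanner or MailWatch code: it follows a Postfix queue ID across the MailScanner "Requeue:" line and lists what each recipient got at RCPT time (postgrey action, smtpd reject code) and at delivery. The log lines are constructed, modelled on the excerpt in the post, which contains a postgrey action=greylist line and a 450 reject for one recipient; all addresses, host names and the trace() function name are placeholders chosen here.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Postfix / postgrey / MailScanner lines
# quoted in the post. Addresses and host names are placeholders.
SAMPLE_LOG = """\
Nov  1 18:29:34 mx postfix/smtpd[6938]: 6E587B34001: client=relay.example.net[192.0.2.10]
Nov  1 18:29:34 mx postgrey[4778]: 6E587B34001: action=greylist, reason=new, client_name=relay.example.net, client_address=192.0.2.10, sender=sender@example.org, recipient=recipient1@example.com
Nov  1 18:29:34 mx postfix/smtpd[6938]: 6E587B34001: reject: RCPT from relay.example.net[192.0.2.10]: 450 <recipient1@example.com>: Recipient address rejected: Greylisted; from=<sender@example.org> to=<recipient1@example.com> proto=ESMTP helo=<relay.example.net>
Nov  1 18:29:34 mx postfix/cleanup[6948]: 6E587B34001: message-id=<constructed-1@example.org>
Nov  1 18:29:44 mx MailScanner[4818]: Requeue: 6E587B34001.A7D63 to 44B78B34002
Nov  1 18:29:44 mx postfix/qmgr[25214]: 44B78B34002: from=<sender@example.org>, size=10888, nrcpt=1 (queue active)
Nov  1 18:29:44 mx postfix/smtp[6957]: 44B78B34002: to=<recipient2@example.com>, relay=10.11.12.9[10.11.12.9], delay=10, status=sent (250 2.6.0 Queued mail for delivery)
Nov  1 18:29:44 mx postfix/qmgr[25214]: 44B78B34002: removed
"""

QID = r"([0-9A-F]{6,})"  # short (hexadecimal) Postfix queue ID
REQUEUE = re.compile(r"MailScanner\[\d+\]: Requeue: " + QID + r"\.[0-9A-F]+ to " + QID)
POSTGREY = re.compile(r"postgrey\[\d+\]: " + QID + r": action=(\w+),.*\brecipient=(\S+)")
REJECT = re.compile(r"postfix/smtpd\[\d+\]: " + QID
                    + r": reject: RCPT from \S+ (\d{3}) .* to=<([^>]*)>")
NRCPT = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<[^>]*>, size=\d+, nrcpt=(\d+)")
DELIVERY = re.compile(r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: " + QID
                      + r": to=<([^>]*)>,.*\bstatus=(\w+)")


def trace(log_text, queue_id):
    """Follow queue_id through MailScanner requeues and summarise recipients."""
    lines = log_text.splitlines()

    # Pass 1: map each pre-scan queue ID to the ID MailScanner requeued it as.
    requeued_as = {}
    for line in lines:
        m = REQUEUE.search(line)
        if m:
            requeued_as[m.group(1)] = m.group(2)

    # Build the chain of IDs, guarding against a loop in malformed logs.
    chain = [queue_id]
    while chain[-1] in requeued_as and requeued_as[chain[-1]] not in chain:
        chain.append(requeued_as[chain[-1]])
    ids = set(chain)

    # Pass 2: collect per-recipient events for every ID in the chain.
    rcpt_stage = defaultdict(list)   # recipient -> policy/reject events at RCPT time
    delivered = {}                   # recipient -> final delivery status
    nrcpt = None                     # recipient count qmgr saw in the queue file
    for line in lines:
        m = POSTGREY.search(line)
        if m and m.group(1) in ids:
            rcpt_stage[m.group(3)].append("postgrey action=" + m.group(2))
        m = REJECT.search(line)
        if m and m.group(1) in ids:
            rcpt_stage[m.group(3)].append("smtpd reject " + m.group(2))
        m = NRCPT.search(line)
        if m and m.group(1) in ids:
            nrcpt = int(m.group(2))
        m = DELIVERY.search(line)
        if m and m.group(1) in ids:
            delivered[m.group(2)] = m.group(3)

    # Recipients that show up at RCPT time but never reach status=sent.
    not_delivered = sorted(r for r in rcpt_stage if delivered.get(r) != "sent")
    return {
        "chain": chain,
        "rcpt_stage": dict(rcpt_stage),
        "nrcpt": nrcpt,
        "delivered": delivered,
        "not_delivered": not_delivered,
    }


if __name__ == "__main__":
    result = trace(SAMPLE_LOG, "6E587B34001")
    print("queue IDs :", " -> ".join(result["chain"]))
    print("nrcpt     :", result["nrcpt"])
    for rcpt, events in result["rcpt_stage"].items():
        print("RCPT stage:", rcpt, "|", ", ".join(events))
    for rcpt, status in result["delivered"].items():
        print("delivery  :", rcpt, "|", status)
    print("no 'sent' :", result["not_delivered"])
```

A recipient refused at RCPT time is not written to the queue file, so it cannot be counted in the nrcpt value logged after the requeue.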
From: iveymr at gmail.com (Ryan Ivey)
Date: Tue Nov 3 12:52:20 2009
Subject: MailScanner 4.78
In-Reply-To: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com>
References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com>
Message-ID: <16174a770911030452y8966194jb667b6754ee17d83@mail.gmail.com>

After upgrading to 4.78, I'm having problems getting MailScanner to process mail properly. It seems to only process mail originating from our domain. Incoming email seems to hang in the queue indefinitely.

Specifically, I believe the problem is here:

[root@mailserver incoming]# /usr/sbin/MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Can't call method "print" on an undefined value at /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 743.

Some searching led to checking the permission on the working dir:

drwxrwxr-x 14 clamav clamav 4096 Nov 2 10:04 incoming

But, no matter how much world-writable permission I give it, it still complains, so I'm not so sure it's a permission issue.

Not sure if they're related, but I also receive this in --lint:

[root@mailserver incoming]# MailScanner --lint
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Read 856 hostnames from the phishing whitelist
Read 6690 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.78.17) is correct.
Unrar is not installed, it should be in /usr/bin/unrar.
This is required for RAR archives to be read to check filenames and filetypes. Virus scanning is not affected.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 763 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamavmodule
===========================================================================
Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not writable at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1210

MailScanner.conf:

[root@mailserver MailScanner]# cat /etc/MailScanner/MailScanner.conf |grep -v ^# |grep -v ^$
%org-name% = ##Hidden to protect Privacy##
%org-long-name% = ##Hidden to protect Privacy##
%web-site% = www.##Hidden to protect Privacy##.com
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 12
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User = clamav
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Quarantine User = root
Quarantine Group = apache
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = %rules-dir%/scan.messages.rules
Reject Message = no
Maximum Processing Attempts = 6
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File
Command = /usr/bin/file File Timeout = 20 Gunzip Command = /bin/gunzip Gunzip Timeout = 50 Unrar Command = /usr/bin/unrar Unrar Timeout = 50 Find UU-Encoded Files = no Maximum Message Size = %rules-dir%/max.message.size.rules Maximum Attachment Size = -1 Minimum Attachment Size = -1 Maximum Archive Depth = %rules-dir%/max-depth-archive.rules Find Archives By Content = yes Unpack Microsoft Documents = yes Zip Attachments = no Attachments Zip Filename = MessageAttachments.zip Attachments Min Total Size To Zip = 100k Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml Add Text Of Doc = no Antiword = /usr/bin/antiword -f Antiword Timeout = 50 Unzip Maximum Files Per Archive = 0 Unzip Maximum File Size = 50k Unzip Filenames = *.txt *.ini *.log *.csv Unzip MimeType = text/plain Virus Scanning = yes Virus Scanners = clamav Virus Scanner Timeout = 300 Deliver Disinfected Files = no Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* Block Encrypted Messages = no Block Unencrypted Messages = no Allow Password-Protected Archives = %rules-dir%/passprotected.zipok.rules Check Filenames In Password-Protected Archives = yes Allowed Sophos Error Messages = Sophos IDE Dir = /opt/sophos-av/lib/sav Sophos Lib Dir = /opt/sophos-av/lib Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd ClamAVmodule Maximum Recursion Level = 8 ClamAVmodule Maximum Files = 1000 ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) ClamAVmodule Maximum Compression Ratio = 250 Clamd Port = 3310 Clamd Socket = /var/run/clamav/clamd Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes ClamAV Full Message Scan = yes Fpscand Port = 10200 Dangerous Content 
Scanning = %rules-dir%/content.scanning.rules Allow Partial Messages = no Allow External Message Bodies = no Find Phishing Fraud = yes Also Find Numeric Phishing = yes Use Stricter Phishing Net = yes Highlight Phishing Fraud = yes Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf Allow IFrame Tags = disarm Allow Form Tags = %rules-dir%/formtag.rules Allow Script Tags = disarm Allow WebBugs = disarm Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim Known Web Bug Servers = msgtag.com Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif Allow Object Codebase Tags = disarm Convert Dangerous HTML To Text = no Convert HTML To Text = no Archives Are = zip rar ole Allow Filenames = \.pdf$ Deny Filenames = Filename Rules = %rules-dir%/filename.rules Allow Filetypes = Allow File MIME Types = Deny Filetypes = Deny File MIME Types = Filetype Rules = %rules-dir%/filetype.rules Archives: Allow Filenames = Archives: Deny Filenames = Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf Archives: Allow Filetypes = Archives: Allow File MIME Types = Archives: Deny Filetypes = Archives: Deny File MIME Types = Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf Quarantine Infections = yes Quarantine Silent Viruses = no Quarantine Modified Body = no Quarantine Whole Message = yes Quarantine Whole Messages As Queue Files = no Keep Spam And MCP Archive Clean = no Language Strings = %report-dir%/languages.conf Rejection Report = %report-dir%/rejection.report.txt Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Deleted Size Message Report = %report-dir%/deleted.size.message.txt Stored Bad Content Message Report = 
%report-dir%/stored.content.message.txt Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Stored Size Message Report = %report-dir%/stored.size.message.txt Disinfected Report = %report-dir%/disinfected.report.txt Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt Signature Image Filename = %report-dir%/sig.jpg Signature Image Filename = signature.jpg Inline HTML Warning = %report-dir%/inline.warning.html Inline Text Warning = %report-dir%/inline.warning.txt Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sender Size Report = %report-dir%/sender.size.report.txt Hide Incoming Work Dir = yes Include Scanner Name In Reports = yes Mail Header = X-%org-name%-MailScanner: Spam Header = X-%org-name%-MailScanner-SpamCheck: Spam Score Header = X-%org-name%-MailScanner-SpamScore: Information Header = X-%org-name%-MailScanner-Information: Add Envelope From Header = yes Add Envelope To Header = no Envelope From Header = X-%org-name%-MailScanner-From: Envelope To Header = X-%org-name%-MailScanner-To: ID Header = X-%org-name%-MailScanner-ID: IP Protocol Version Header = # X-%org-name%-MailScanner-IP-Protocol: Spam Score Character = s SpamScore Number Instead Of Stars = no Minimum Stars If On Spam List = 0 Clean Header Value = Found to be clean Infected Header Value = Found to be infected Disinfected Header Value = Disinfected Information Header Value = Please contact the ISP for more information Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = no Multiple Headers = append Place New Headers At Top Of Message = no Hostname = the %org-name% ($HOSTNAME) MailScanner Sign Messages 
Already Processed = no Sign Clean Messages = no Attach Image To Signature = no Attach Image To HTML Message Only = yes Allow Multiple HTML Signatures = no Dont Sign HTML If Headers Exist = # In-Reply-To: References: Mark Infected Messages = yes Mark Unscanned Messages = yes Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: Deliver Cleaned Messages = yes Notify Senders = no Notify Senders Of Viruses = no Notify Senders Of Blocked Filenames Or Filetypes = yes Notify Senders Of Blocked Size Attachments = yes Notify Senders Of Other Blocked Content = yes Never Notify Senders Of Precedence = list bulk Scanned Modify Subject = no # end Scanned Subject Text = {Scanned} Virus Modify Subject = start Virus Subject Text = {Virus?} Filename Modify Subject = start Filename Subject Text = {Rejected File Attachment} Content Modify Subject = start Content Subject Text = {Dangerous Content?} Size Modify Subject = start Size Subject Text = {Size} Disarmed Modify Subject = no Disarmed Subject Text = {Disarmed} Phishing Modify Subject = no Phishing Subject Text = {Fraud?} Spam Modify Subject = start Spam Subject Text = {Spam} High Scoring Spam Modify Subject = start High Scoring Spam Subject Text = {High Scoring Spam} Warning Is Attachment = yes Attachment Warning Filename = %org-name%-Attachment-Warning.txt Attachment Encoding Charset = ISO-8859-1 Archive Mail = Missing Mail Archive Is = directory Send Notices = yes Notices Include Full Headers = yes Hide Incoming Work Dir in Notices = no Notice Signature = -- \nMailScanner\nEmail Virus Scanner\ nwww.mailscanner.info Notices From = MailScanner Notices To = postmaster Local Postmaster = postmaster Spam List Definitions = %etc-dir%/spam.lists.conf Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Spam Checks = yes Spam List = # spamhaus-ZEN # You can un-comment this to enable them Spam Domain List = Spam Lists To Be 
Spam = 1 Spam Lists To Reach High Score = 3 Spam List Timeout = 10 Max Spam List Timeouts = 7 Spam List Timeouts History = 10 Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules Is Definitely Spam = %rules-dir%/spam.blacklist.rules Definite Spam Is High Scoring = yes Ignore Spam Whitelist If Recipients Exceed = 20 Max Spam Check Size = 512k Use Watermarking = no Add Watermark = yes Check Watermarks With No Sender = yes Treat Invalid Watermarks With No Sender as Spam = nothing Check Watermarks To Skip Spam Checks = yes Watermark Secret = %org-name%-Secret Watermark Lifetime = 604800 Watermark Header = X-%org-name%-MailScanner-Watermark: Use SpamAssassin = yes Max SpamAssassin Size = 200k Required SpamAssassin Score = 5 High SpamAssassin Score = 8 SpamAssassin Auto Whitelist = yes SpamAssassin Timeout = 75 Max SpamAssassin Timeouts = 10 SpamAssassin Timeouts History = 30 Check SpamAssassin If On Spam List = yes Include Binary Attachments In SpamAssassin = no Spam Score = yes Cache SpamAssassin Results = yes SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db Rebuild Bayes Every = 86400 Wait During Bayes Rebuild = no Use Custom Spam Scanner = no Max Custom Spam Scanner Size = 20k Custom Spam Scanner Timeout = 20 Max Custom Spam Scanner Timeouts = 10 Custom Spam Scanner Timeout History = 20 Spam Actions = Spam Actions = store store-nonspam deliver header "X-Spam-Status: Yes" High Scoring Spam Actions = store Non Spam Actions = %rules-dir%/nonspam.rules SpamAssassin Rule Actions = Sender Spam Report = %report-dir%/sender.spam.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Inline Spam Warning = %report-dir%/inline.spam.warning.txt Recipient Spam Report = %report-dir%/recipient.spam.report.txt Enable Spam Bounce = %rules-dir%/bounce.rules Bounce Spam As Attachment = no Syslog Facility = mail Log Speed = no Log Spam = no Log Non Spam 
= no Log Delivery And Non-Delivery = no Log Permitted Filenames = no Log Permitted Filetypes = no Log Permitted File MIME Types = no Log Silent Viruses = no Log Dangerous HTML Tags = no Log SpamAssassin Rule Actions = yes SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin SpamAssassin Install Prefix = SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = MCP Checks = no First Check = spam MCP Required SpamAssassin Score = 1 MCP High SpamAssassin Score = 10 MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: Non MCP Actions = deliver MCP Actions = deliver High Scoring MCP Actions = deliver Bounce MCP As Attachment = no MCP Modify Subject = start MCP Subject Text = {MCP?} High Scoring MCP Modify Subject = start High Scoring MCP Subject Text = {MCP?} Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = no Detailed MCP Report = yes Include Scores In MCP Report = no Log MCP = no MCP Max SpamAssassin Timeouts = 20 MCP Max SpamAssassin Size = 100k MCP SpamAssassin Timeout = 10 MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin User State Dir = MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Default Rules Dir = %mcp-dir% MCP SpamAssassin Install Prefix = %mcp-dir% Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = no Read IP Address From Received Header = no Spam Score Number Format = %d MailScanner Version Number = 4.78.17 SpamAssassin Cache Timings = 1800,300,10800,172800,600 Debug = no Debug SpamAssassin = no Run In Foreground = no Always Looked Up Last = no Always Looked Up Last After Batch = no Deliver In Background = yes Delivery 
Method = batch Split Exim Spool = no Lockfile Dir = /var/spool/MailScanner/incoming/Locks Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions Lock Type = Syslog Socket Type = Automatic Syntax Check = yes Minimum Code Status = supported -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091103/70f0db2e/attachment.html From Antony.Stone at mailscanner.open.source.it Tue Nov 3 13:06:23 2009 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Tue Nov 3 13:06:33 2009 Subject: MailScanner 4.78 In-Reply-To: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> Message-ID: <200911031306.24041.Antony.Stone@mailscanner.open.source.it> On Monday 02 November 2009 15:10, Ryan Ivey wrote: > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamavmodule You do realise that these are not the same thing, I hope? They're the same virus scanning engine, but two different versions, which are used in very different ways - "clamav" is a command-line scanner, whereas "clamavmodule" is a Perl module which talks directly to the scanning engine and is more efficient in use. You might be better off leaving the config setting as "Virus Scanners = auto" so that MailScanner can use whatever you really do have installed. Regards, Antony. -- "The problem with television is that the people must sit and keep their eyes glued on a screen; the average American family hasn't time for it." - New York Times, following a demonstration at the 1939 World's Fair. Please reply to the list; please don't CC me. From roland at inbox4u.de Tue Nov 3 17:18:22 2009 
From: roland at inbox4u.de (Ehle, Roland)
Date: Tue Nov 3 17:18:36 2009
Subject: AW: Message attempted to kill MailScanner
In-Reply-To:
References:
Message-ID: <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FC3@ts-dc2.ts-webarts.local>

Hi All,

I can confirm having the issue again, which was solved in the past (mail from 31.08. to the group). If I run MailScanner in debug mode I get an error message (see below). To me it seems as if the letter t is put as a prefix to the original filename, and it looks as if there is a problem with filenames containing spaces in the name.

I am running the current version of MailScanner on a CentOS 5.4 box.

Regards,
Roland

Have a batch of 8 messages.
MIME::Body::File->open /var/spool/MailScanner/incoming/4210/nA3GkPM2031267/tEHCPremium-Vermarktung: No such file or directory at /usr/lib/perl5/site_perl/5.8.8/MIME/Body.pm line 435.
[root@mx1 rules]# cd /var/spool/MailScanner/incoming/4210/nA3GkPM2031267
[root@mx1 nA3GkPM2031267]# ls
nmsg-4210-10.txt nmsg-4210-9.txt nwinmail.dat tsomefilename.pdf
[root@mx1 nA3GkPM2031267]#

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Friday, 16 October 2009 21:19
To: mailscanner@lists.mailscanner.info
Subject: Message attempted to kill MailScanner

I have been getting a lot of bogus Internal Revenue Service messages that trigger "Message attempted to kill MailScanner" report and then stick in processing db.

Does anyone have any magic on these? I know I can't be the only one that sees them!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6203 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091103/644253c0/smime.bin

From claygoss at gosscomputerprojects.net Tue Nov 3 18:31:42 2009
From: claygoss at gosscomputerprojects.net (Clay Goss)
Date: Tue Nov 3 18:32:29 2009
Subject: MailScanner Overload...
Message-ID: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3>

I am having fits with a mail server running MailScanner. For many a year now, it has just hummed along without much fuss - about 1 year ago, I doubled the RAM after it got sluggish, but lately...

I restart it - all seems well, but after 12 to 48 hours, it comes to its knees. The box is marginal - I'm building a new one, but for now, I need to keep this one up.

When things have gone south, I find:

The named server has crashed out....

SpamAssassin is timing out, being killed and restarted...

I have many "MailScanner" and "sendmail" processes running, to the point that I must execute "service MailScanner stop" 4, 5, 6 times to get all the MailScanner instances stopped and then "service sendmail stop" a few times to stop all of those.

Then I can restart everything and it's good for another 12 to 48.

The box is a PIII with 768 MB RAM.

Any help much appreciated.

Here are the versions of the items I believe are pertinent:

bind-9.2.5-3
bind-libs-9.2.5-3
bind-utils-9.2.5-3
fedora-release-3-8
kernel-2.6.12-1.1381_FC3
mailscanner-4.68.8-1
MailScanner-perl-MIME-Base64-3.05-5
perl-5.8.5-24.FC3
perl-Archive-Tar-1.08-3
perl-Bit-Vector-6.3-3
perl-Compress-Zlib-1.41-1
perl-Convert-BinHex-1.119-2
perl-Crypt-OpenSSL-Bignum-0.03-1.1.fc3.rf
perl-Date-Calc-5.3-9
perl-DateManip-5.42a-3
perl-DBD-SQLite-1.13-1
perl-DBI-1.56-1
perl-Devel-Symdump-2.03-19
perl-Digest-SHA1-2.11-1
perl-File-MMagic-1.21-2
perl-File-Temp-0.19-1
perl-Filesys-Df-0.90-1
perl-Filter-Simple-0.79-4
perl-HTML-Parser-3.56-1
perl-HTML-Tagset-3.03-30
perl-IO-1.2301-1
perl-IO-stringy-2.110-1
perl-libwww-perl-5.79-5
perl-libxml-enno-1.02-31
perl-libxml-perl-0.07-30
perl-MailTools-2.02-1
perl-Math-BigInt-1.86-1
perl-Math-BigRat-0.19-1
perl-MIME-Base64-3.07-1
perl-MIME-tools-5.425-1
perl-Net-CIDR-0.11-1
perl-Net-DNS-0.63-1
perl-Net-IP-1.25-1
perl-NKF-2.04-3
perl-Parse-RecDescent-1.94-4
perl-Parse-Yapp-1.05-32
perl-PDL-2.4.1-5
perl-Pod-Escapes-1.04-1
perl-RPM2-0.66-7
perl-SGMLSpm-1.03ii-14
perl-suidperl-5.8.5-24.FC3
perl-Sys-Hostname-Long-1.4-1
perl-Sys-Syslog-0.18-1
perl-TermReadKey-2.20-17
perl-Test-Simple-0.70-1
perl-Text-Kakasi-1.05-11
perl-Time-HiRes-1.9707-1
perl-TimeDate-1.16-3
perl-XML-Dumper-0.71-2
perl-XML-Grove-0.46alpha-27
perl-XML-Twig-3.13-6
sendmail-8.13.1-2
sendmail-cf-8.13.1-2
sendmail-devel-8.13.1-2
sendmail-doc-8.13.1-2
spamass-milter-0.2.0-1.1.fc3.rf
spamassassin-3.0.4-2.fc3

And here is the MailScanner.conf:

%org-name% = MY_NET
%org-long-name% = My Net Place
%web-site% = www.My.net
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 5
Run As User =
Run As Group =
Queue Scan Interval = 30
Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = sendmail
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 50
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 2
Find Archives By Content = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Virus Scanning = yes
Virus Scanners = auto
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = yes
Check Filenames In Password-Protected Archives = yes
Allowed Sophos Error Messages =
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250
Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
ClamAV Full Message Scan = yes
Fpscand Port = 10200
Dangerous Content Scanning = yes
Allow Partial Messages = no
Allow External Message Bodies = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
Country Sub-Domains List = %etc-dir%/country.domains.conf
Allow IFrame Tags = disarm
Allow Form Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = disarm
Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim
Known Web Bug Servers = msgtag.com
Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.rules.conf
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = yes
Language Strings = %report-dir%/languages.conf
Rejection Report = %report-dir%/rejection.report.txt
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Stored Size Message Report = %report-dir%/stored.size.message.txt
Disinfected Report = %report-dir%/disinfected.report.txt
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Signature Image Filename = %report-dir%/sig.jpg
Signature Image Filename = signature.jpg
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Sender Size Report = %report-dir%/sender.size.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = yes
Mail Header = X-%org-name%-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-%org-name%-MailScanner-SpamScore:
Information Header = X-%org-name%-MailScanner-Information:
Add Envelope From Header = yes
Add Envelope To Header = no
Envelope From Header = X-%org-name%-MailScanner-From:
Envelope To Header = X-%org-name%-MailScanner-To:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Minimum Stars If On Spam List = 0
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the ISP for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = no
Multiple Headers = append
Hostname = the %org-name% ($HOSTNAME) MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = yes
Attach Image To Signature = no
Attach Image To HTML Message Only = yes
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
Deliver Cleaned Messages = yes
Notify Senders = no
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Blocked Size Attachments = no
Notify Senders Of Other Blocked Content = yes
Never Notify Senders Of Precedence = list bulk
Scanned Modify Subject = no # end
Scanned Subject Text = {Scanned}
Virus Modify Subject = start
Virus Subject Text = {Virus?}
Filename Modify Subject = start
Filename Subject Text = {Filename?}
Content Modify Subject = start
Content Subject Text = {Dangerous Content?}
Size Modify Subject = start
Size Subject Text = {Size}
Disarmed Modify Subject = start
Disarmed Subject Text = {Disarmed}
Phishing Modify Subject = start
Phishing Subject Text = {Fraud?}
Spam Modify Subject = start
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = start
High Scoring Spam Subject Text = {Spam?}
Warning Is Attachment = yes
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-1
Archive Mail =
Send Notices = no
Notices Include Full Headers = yes
Hide Incoming Work Dir in Notices = no
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
Notices From = MailScanner
Notices To = postmaster
Local Postmaster = postmaster
Spam List Definitions = %etc-dir%/spam.lists.conf
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam List = # spamhaus-ZEN # You can un-comment this to enable them
Spam Domain List =
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 1
Spam List Timeout = 20
Max Spam List Timeouts = 7
Spam List Timeouts History = 10
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
Is Definitely Spam = no
Definite Spam Is High Scoring = yes
Ignore Spam Whitelist If Recipients Exceed = 20
Max Spam Check Size = 100k
Use Watermarking = no
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = nothing
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = %org-name%-Secret
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-MailScanner-Watermark:
Use SpamAssassin = yes
Max SpamAssassin Size = 200k
Required SpamAssassin Score = 4
High SpamAssassin Score = 6
SpamAssassin Auto Whitelist = yes
SpamAssassin Timeout = 75
Max SpamAssassin Timeouts = 10
SpamAssassin Timeouts History = 30
Check SpamAssassin If On Spam List = yes
Include Binary Attachments In SpamAssassin = no
Spam Score = yes
Cache SpamAssassin Results = yes
SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
Use Custom Spam Scanner = no
Max Custom Spam Scanner Size = 20k
Custom Spam Scanner Timeout = 20
Max Custom Spam Scanner Timeouts = 10
Custom Spam Scanner Timeout History = 20
Spam Actions = deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = store
Non Spam Actions = deliver header "X-Spam-Status: No"
SpamAssassin Rule Actions =
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt
Recipient Spam Report = %report-dir%/recipient.spam.report.txt
Enable Spam Bounce = %rules-dir%/bounce.rules
Bounce Spam As Attachment = no
Syslog Facility = mail
Log Speed = no
Log Spam = no
Log Non Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
Log Permitted File MIME Types = no
Log Silent Viruses = no
Log Dangerous HTML Tags = no
Log SpamAssassin Rule Actions = no
SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir =
SpamAssassin Install Prefix =
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Local State Dir = # /var/lib/spamassassin
SpamAssassin Default Rules Dir =
MCP Checks = no
First Check = spam
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = deliver
High Scoring MCP Actions = deliver
Bounce MCP As Attachment = no
MCP Modify Subject = start
MCP Subject Text = {MCP?}
High Scoring MCP Modify Subject = start
High Scoring MCP Subject Text = {MCP?}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = no
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt
Use Default Rules With Multiple Recipients = no
Spam Score Number Format = %d
MailScanner Version Number = 4.68.8
SpamAssassin Cache Timings = 1800,300,10800,172800,600
Debug = no
Debug SpamAssassin = no
Run In Foreground = no
Always Looked Up Last = no
Always Looked Up Last After Batch = no
Deliver In Background = yes
Delivery Method = batch
Split Exim Spool = no
Lockfile Dir = /tmp
Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions
Lock Type =
Syslog Socket Type =
Automatic Syntax Check = yes
Minimum Code Status = supported

Thank you,

Clay Goss

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From roland at inbox4u.de Tue Nov 3 18:56:19 2009
From: roland at inbox4u.de (Ehle, Roland)
Date: Tue Nov 3 18:56:34 2009
Subject: AW: MailScanner Overload...
In-Reply-To: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3>
References: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3>
Message-ID: <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FC6@ts-dc2.ts-webarts.local>

Clay,

you should reduce the value for Max Children in the MailScanner.conf file to reduce the load on your machine. Each MailScanner process consumes memory. According to my experience, a value of 3 should reduce load notably.

Which virus scanners do you use?

Regards,
Roland

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Clay Goss
Sent: Tuesday, 3 November 2009 19:32
To: mailscanner@lists.mailscanner.info
Subject: MailScanner Overload...

I am having fits with a mail server running MailScanner. For many a year now, it has just hummed along without much fuss - about 1 year ago, I doubled the RAM after it got sluggish, but lately...

I restart it - all seems well, but after 12 to 48 hours, it comes to its knees. The box is marginal - I'm building a new one, but for now, I need to keep this one up.

When things have gone south, I find:

The named server has crashed out....

SpamAssassin is timing out, being killed and restarted...

I have many "MailScanner" and "sendmail" processes running, to the point that I must execute "service MailScanner stop" 4, 5, 6 times to get all the MailScanner instances stopped and then "service sendmail stop" a few times to stop all of those.

Then I can restart everything and it's good for another 12 to 48.

The box is a PIII with 768 MB RAM.

Any help much appreciated.

Here are the versions of the items I believe are pertinent:

bind-9.2.5-3
bind-libs-9.2.5-3
bind-utils-9.2.5-3
fedora-release-3-8
kernel-2.6.12-1.1381_FC3
mailscanner-4.68.8-1
MailScanner-perl-MIME-Base64-3.05-5
perl-5.8.5-24.FC3
perl-Archive-Tar-1.08-3
perl-Bit-Vector-6.3-3
perl-Compress-Zlib-1.41-1
perl-Convert-BinHex-1.119-2
perl-Crypt-OpenSSL-Bignum-0.03-1.1.fc3.rf
perl-Date-Calc-5.3-9
perl-DateManip-5.42a-3
perl-DBD-SQLite-1.13-1
perl-DBI-1.56-1
perl-Devel-Symdump-2.03-19
perl-Digest-SHA1-2.11-1
perl-File-MMagic-1.21-2
perl-File-Temp-0.19-1
perl-Filesys-Df-0.90-1
perl-Filter-Simple-0.79-4
perl-HTML-Parser-3.56-1
perl-HTML-Tagset-3.03-30
perl-IO-1.2301-1
perl-IO-stringy-2.110-1
perl-libwww-perl-5.79-5
perl-libxml-enno-1.02-31
perl-libxml-perl-0.07-30
perl-MailTools-2.02-1
perl-Math-BigInt-1.86-1
perl-Math-BigRat-0.19-1
perl-MIME-Base64-3.07-1
perl-MIME-tools-5.425-1
perl-Net-CIDR-0.11-1
perl-Net-DNS-0.63-1
perl-Net-IP-1.25-1
perl-NKF-2.04-3
perl-Parse-RecDescent-1.94-4
perl-Parse-Yapp-1.05-32
perl-PDL-2.4.1-5
perl-Pod-Escapes-1.04-1
perl-RPM2-0.66-7
perl-SGMLSpm-1.03ii-14
perl-suidperl-5.8.5-24.FC3
perl-Sys-Hostname-Long-1.4-1
perl-Sys-Syslog-0.18-1
perl-TermReadKey-2.20-17
perl-Test-Simple-0.70-1
perl-Text-Kakasi-1.05-11
perl-Time-HiRes-1.9707-1
perl-TimeDate-1.16-3
perl-XML-Dumper-0.71-2
perl-XML-Grove-0.46alpha-27
perl-XML-Twig-3.13-6
sendmail-8.13.1-2
sendmail-cf-8.13.1-2
sendmail-devel-8.13.1-2
sendmail-doc-8.13.1-2
spamass-milter-0.2.0-1.1.fc3.rf
spamassassin-3.0.4-2.fc3

And here is the MailScanner.conf:

%org-name% = MY_NET
%org-long-name% = My Net Place
%web-site% = www.My.net
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/en
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 5
Run As User =
Run As Group =
Queue Scan Interval = 30
Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = sendmail
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = yes
Reject Message = no
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 50
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 2
Find Archives By Content = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Virus Scanning = yes
Virus Scanners = auto
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = yes
Check Filenames In Password-Protected Archives = yes
Allowed Sophos Error Messages =
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250
Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
ClamAV Full Message Scan = yes
Fpscand Port = 10200
Dangerous Content Scanning = yes
Allow Partial Messages = no
Allow External Message Bodies = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
Country Sub-Domains List = %etc-dir%/country.domains.conf
Allow IFrame Tags = disarm
Allow Form Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = disarm
Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim
Known Web Bug Servers = msgtag.com
Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.rules.conf
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = no
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = yes
Language Strings = %report-dir%/languages.conf
Rejection Report = %report-dir%/rejection.report.txt
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message
Report = %report-dir%/stored.virus.message.txt Stored Size Message Report = %report-dir%/stored.size.message.txt Disinfected Report = %report-dir%/disinfected.report.txt Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt Signature Image Filename = %report-dir%/sig.jpg Signature Image Filename = signature.jpg Inline HTML Warning = %report-dir%/inline.warning.html Inline Text Warning = %report-dir%/inline.warning.txt Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sender Size Report = %report-dir%/sender.size.report.txt Hide Incoming Work Dir = yes Include Scanner Name In Reports = yes Mail Header = X-%org-name%-MailScanner: Spam Header = X-%org-name%-MailScanner-SpamCheck: Spam Score Header = X-%org-name%-MailScanner-SpamScore: Information Header = X-%org-name%-MailScanner-Information: Add Envelope From Header = yes Add Envelope To Header = no Envelope From Header = X-%org-name%-MailScanner-From: Envelope To Header = X-%org-name%-MailScanner-To: Spam Score Character = s SpamScore Number Instead Of Stars = no Minimum Stars If On Spam List = 0 Clean Header Value = Found to be clean Infected Header Value = Found to be infected Disinfected Header Value = Disinfected Information Header Value = Please contact the ISP for more information Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = no Multiple Headers = append Hostname = the %org-name% ($HOSTNAME) MailScanner Sign Messages Already Processed = no Sign Clean Messages = yes Attach Image To Signature = no Attach Image To HTML Message Only = yes Mark Infected Messages = yes Mark Unscanned Messages = yes Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details Remove 
These Headers = X-Mozilla-Status: X-Mozilla-Status2: Deliver Cleaned Messages = yes Notify Senders = no Notify Senders Of Viruses = no Notify Senders Of Blocked Filenames Or Filetypes = no Notify Senders Of Blocked Size Attachments = no Notify Senders Of Other Blocked Content = yes Never Notify Senders Of Precedence = list bulk Scanned Modify Subject = no # end Scanned Subject Text = {Scanned} Virus Modify Subject = start Virus Subject Text = {Virus?} Filename Modify Subject = start Filename Subject Text = {Filename?} Content Modify Subject = start Content Subject Text = {Dangerous Content?} Size Modify Subject = start Size Subject Text = {Size} Disarmed Modify Subject = start Disarmed Subject Text = {Disarmed} Phishing Modify Subject = start Phishing Subject Text = {Fraud?} Spam Modify Subject = start Spam Subject Text = {Spam?} High Scoring Spam Modify Subject = start High Scoring Spam Subject Text = {Spam?} Warning Is Attachment = yes Attachment Warning Filename = %org-name%-Attachment-Warning.txt Attachment Encoding Charset = ISO-8859-1 Archive Mail = Send Notices = no Notices Include Full Headers = yes Hide Incoming Work Dir in Notices = no Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info Notices From = MailScanner Notices To = postmaster Local Postmaster = postmaster Spam List Definitions = %etc-dir%/spam.lists.conf Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Spam Checks = yes Spam List = # spamhaus-ZEN # You can un-comment this to enable them Spam Domain List = Spam Lists To Be Spam = 1 Spam Lists To Reach High Score = 1 Spam List Timeout = 20 Max Spam List Timeouts = 7 Spam List Timeouts History = 10 Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules Is Definitely Spam = no Definite Spam Is High Scoring = yes Ignore Spam Whitelist If Recipients Exceed = 20 Max Spam Check Size = 100k Use Watermarking = no Add Watermark = yes Check Watermarks With No Sender = yes Treat Invalid Watermarks With No Sender as 
Spam = nothing Check Watermarks To Skip Spam Checks = yes Watermark Secret = %org-name%-Secret Watermark Lifetime = 604800 Watermark Header = X-%org-name%-MailScanner-Watermark: Use SpamAssassin = yes Max SpamAssassin Size = 200k Required SpamAssassin Score = 4 High SpamAssassin Score = 6 SpamAssassin Auto Whitelist = yes SpamAssassin Timeout = 75 Max SpamAssassin Timeouts = 10 SpamAssassin Timeouts History = 30 Check SpamAssassin If On Spam List = yes Include Binary Attachments In SpamAssassin = no Spam Score = yes Cache SpamAssassin Results = yes SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db Rebuild Bayes Every = 0 Wait During Bayes Rebuild = no Use Custom Spam Scanner = no Max Custom Spam Scanner Size = 20k Custom Spam Scanner Timeout = 20 Max Custom Spam Scanner Timeouts = 10 Custom Spam Scanner Timeout History = 20 Spam Actions = deliver header "X-Spam-Status: Yes" High Scoring Spam Actions = store Non Spam Actions = deliver header "X-Spam-Status: No" SpamAssassin Rule Actions = Sender Spam Report = %report-dir%/sender.spam.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Inline Spam Warning = %report-dir%/inline.spam.warning.txt Recipient Spam Report = %report-dir%/recipient.spam.report.txt Enable Spam Bounce = %rules-dir%/bounce.rules Bounce Spam As Attachment = no Syslog Facility = mail Log Speed = no Log Spam = no Log Non Spam = no Log Permitted Filenames = no Log Permitted Filetypes = no Log Permitted File MIME Types = no Log Silent Viruses = no Log Dangerous HTML Tags = no Log SpamAssassin Rule Actions = no SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = SpamAssassin Install Prefix = SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = MCP 
Checks = no First Check = spam MCP Required SpamAssassin Score = 1 MCP High SpamAssassin Score = 10 MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: Non MCP Actions = deliver MCP Actions = deliver High Scoring MCP Actions = deliver Bounce MCP As Attachment = no MCP Modify Subject = start MCP Subject Text = {MCP?} High Scoring MCP Modify Subject = start High Scoring MCP Subject Text = {MCP?} Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = no Detailed MCP Report = yes Include Scores In MCP Report = no Log MCP = no MCP Max SpamAssassin Timeouts = 20 MCP Max SpamAssassin Size = 100k MCP SpamAssassin Timeout = 10 MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin User State Dir = MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Default Rules Dir = %mcp-dir% MCP SpamAssassin Install Prefix = %mcp-dir% Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = no Spam Score Number Format = %d MailScanner Version Number = 4.68.8 SpamAssassin Cache Timings = 1800,300,10800,172800,600 Debug = no Debug SpamAssassin = no Run In Foreground = no Always Looked Up Last = no Always Looked Up Last After Batch = no Deliver In Background = yes Delivery Method = batch Split Exim Spool = no Lockfile Dir = /tmp Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions Lock Type = Syslog Socket Type = Automatic Syntax Check = yes Minimum Code Status = supported Thank you, Clay Goss -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From mrm at medicine.wisc.edu Tue Nov 3 19:07:35 2009 From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Nov 3 19:08:05 2009 Subject: MailScanner Overload... In-Reply-To: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3> References: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3> Message-ID: <4AF02B17020000FC000089D6@gwmail.medicine.wisc.edu> I had a similar problem and it turned out to be my bayes expiration cleanup script that was supposed to run everyday wasn't and so the bayes database got huge over months and months of no expirations. This caused SA to just take forever on each message and incoming queues would just pile up during the day when it got busy. -Mike >>> On 11/3/2009 at 12:31 PM, in message <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3>, "Clay Goss" wrote: > I am having fits with a mail server running MailScanner. For many a year > now, it has just hummed along without much fuss - about 1 year ago, I > doubled the RAM after it got sluggish, but lately... I restart it - all > seems well, but after 12 to 48 hours, it comes to its knees. The box is > marginal - I'm building a new one, but for now, I need to keep this one up. > When things have gone south, I find: > The named server has crashed out.... > SpamAssassin is timing out, being killed and restarted... > I have many "MailScanner" and "sendmail" processes running, to the point > that I must execute "service MailScanner stop" 4, 5, 6 times to get all the > MailScanner instances stopped and then "service sendmail stop" a few times > to stop all of those. Then I can restart everything and its good for > another 12 to 48. > Thank you, > Clay Goss > From ugob at lubik.ca Tue Nov 3 19:16:54 2009 
From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Nov 3 19:17:27 2009 Subject: OT: Red Hat Enterprise Virtualization is out Message-ID: Hi, Sorry for the OT post, but I know there are many Red Hat admins here... Red Hat Enterprise Virtualization is here! http://www.redhat.com/virtualization/rhev/ RHEV is targeted to be a substitute for virtualization management that has features similar to the big player's, but its price seems to be very reasonable. It supports Xen and KVM, automatic live migration, and many other neat features. Pricing: http://www.redhat.com/f/pdf/rhev/DOC113R6-Pricing-and-Licensing-for-RHEV-for-Servers.pdf It is available for servers and clients. Note: I am not affiliated to Red Hat. I just think this will help many people on this list, and the cause of Open Source Software. Regards, Ugo From claygoss at gosscomputerprojects.net Tue Nov 3 20:35:32 2009 From: claygoss at gosscomputerprojects.net (Clay Goss) Date: Tue Nov 3 20:36:22 2009 Subject: MailScanner Overload... In-Reply-To: <4AF02B17020000FC000089D6@gwmail.medicine.wisc.edu> References: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3> <4AF02B17020000FC000089D6@gwmail.medicine.wisc.edu> Message-ID: <5B4C350478D145858862BDC276194765@GCPNB3> Mike wrote: > "...my bayes expiration cleanup script that was supposed to run everyday wasn't..." Can you give me a lead to this script? Roland wrote: > "...a value of 3 should reduce load notably..." Ok. Max Children = 3. I'll give that a go. > "Which virus scanners do you use?" ClamAV Thanks, Clay From mrm at medicine.wisc.edu Tue Nov 3 21:48:58 2009 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Nov 3 21:49:19 2009 Subject: MailScanner Overload... In-Reply-To: <5B4C350478D145858862BDC276194765@GCPNB3> References: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3> <4AF02B17020000FC000089D6@gwmail.medicine.wisc.edu> <5B4C350478D145858862BDC276194765@GCPNB3> Message-ID: <4AF050EA020000FC00008A37@gwmail.medicine.wisc.edu>

>>> On 11/3/2009 at 2:35 PM, in message <5B4C350478D145858862BDC276194765@GCPNB3>, "Clay Goss" wrote:
> Mike wrote:
>
>> "...my bayes expiration cleanup script that was supposed to run everyday
> wasn't..."
>
> Can you give me a lead to this script?
>

sa-learn --force-expire

From pal at mssl.ucl.ac.uk Tue Nov 3 22:21:45 2009
From: pal at mssl.ucl.ac.uk (Paul Lamb) Date: Tue Nov 3 22:21:58 2009 Subject: Sophos failure: sophos-autoupdate is missing new Sophos files Message-ID: <4AF0ACF9.4060702@mssl.ucl.ac.uk>

The Sophos AV November 2009 distribution:-
Product version : 4.47.0
Engine version : 3.01.0
Virus data version : 4.47
User interface version : 2.07.250
Platform : Linux/Intel
Released : 02 November 2009

is installing additional files
./lib/xvdl*.vdb

sophos-autoupdate will not create softlinks to these in ./ide/

Running sweep through strace shows an open failure on /usr/local/Sophos/ide/xvdl01.vdb leading to "Error initialising detection engine - missing part of virus data"

As a quick workaround, I have added the following cloned fragment into sophos-autoupdate before "Add the new swpmess.dat..." -

# Add the even newer xvdl*.vdb files if they are there
foreach $vdlsus ("xvdl") {
  foreach $number (1..99) {
    $string = $vdlsus . sprintf("%02d", $number) . ".vdb";
    symlink("$VDLDir/$string", $string) if -f "$VDLDir/$string";
  }
}
# end

I am running MailScanner version 4.72.5 whose version of sophos-autoupdate looks little different to the current version.

Regards,
Paul Lamb

From hvdkooij at vanderkooij.org Tue Nov 3 23:19:26 2009 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Nov 3 23:19:36 2009 Subject: Trend Micro scanner in MS... In-Reply-To: References: Message-ID: <4AF0BA7E.10302@vanderkooij.org> On 11/02/09 22:19, Jameel Akari wrote: > > Slightly off-topic I suppose. > Is anyone here using a current release of Trend's AV for Linux? > > I'm not directly finding anything in Trend's current products for Linux > that provide command-line scanners which MailScanner are looking for > (i.e. vscan). > > Instead you have "ServerProtect" which basically seems only on-access > (with a kernel module, ugh) or "InterScan VirusWall" which seems to have > 'isvw-scan' but needs a 4GB install of other junk I don't need in order > to work. > > Am I missing something obvious here? Yes. The fact that Trend Micro and other AV vendors know that there is no way you can stop malware just by using signature detection the way people used to think about malware scanning. I know that Dr Web refuses to enter their product to enter any test that is in effect just a static signature test. ClamAV is old school in this regard as they still do signature scanning instead of looking more into the behaviour of applications and how they access resources. Because interaction with the OS is very important in this philosophy, they focus on the weakest and most prolific OS at hand. And all the serious AV vendors either work in that direction or are moving towards that direction. I did a test about 3 years ago and ploughed through 2 months' worth of samples and suspects and there were about 10000 new variants present. With signature scanning you need 10000 signatures to get them. Perhaps slightly less. If you can detect behaviours and detect anomalies in them you may need just 100 behaviour rules which all of them will break. As far as signature scanning goes. ClamAV does an amazing job. But it will be limited to the design of signature detection. 
Signature detection in email may still work to a reasonable extent. But it becomes highly impractical in web-based solutions. And I think most bots propagate themselves through websites. (Hijack a favicon, .....) So now you know why there is no commandline scanner from Trend Micro. It simply does not fit in their philosophy. And historically Trend Micro is not the best in signature detection in my experience. Hugo. From hvdkooij at vanderkooij.org Tue Nov 3 23:33:21 2009 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Nov 3 23:33:30 2009 Subject: problem with requeue losing recipient In-Reply-To: <20091103031127.AE15413D3@sinclaire.sibble.net> References: <20091103031127.AE15413D3@sinclaire.sibble.net> Message-ID: <4AF0BDC1.4020304@vanderkooij.org> On 11/03/09 04:11, Harondel J. Sibble wrote: > Nov 1 18:29:34 mymailservername postfix/smtpd[6938]: 6E587B34001: > client=smtp42.singnet.com.sg[165.21.103.146] > Nov 1 18:29:34 mymailservername postgrey[4778]: 6E587B34001: > action=greylist, reason=new, client_name=smtp42.singnet.com.sg, > client_address=165.21.103.146, sender=sender.person1@sendingdomain.com.tld, > recipient=recipient1@domain.tld > Nov 1 18:29:34 mymailservername postfix/smtpd[6938]: 6E587B34001: reject: > RCPT from smtp42.singnet.com.sg[165.21.103.146]: 450: > Recipient address rejected: Greylisted, see > http://postgrey.schweikert.ch/help/recipientdomain.tld.html; > from= to= > proto=ESMTP helo= The message was NOT accepted according to this log line. Your greylist prevented that. > Nov 1 18:29:34 mymailservername postfix/cleanup[6948]: 6E587B34001: hold: > header Received: from smtp42.singnet.com.sg (smtp42.singnet.com.sg > [165.21.103.146]) by mailscan.recipientdomain.tld (Postfix) with ESMTP id > 6E587B34001 for; Sun, 1 Nov 2009 18:29:34 -0800 > (PST from smtp42.singnet.com.sg[165.21.103.146]; > from= to= > proto=ESMTP helo= This one however is accepted. .... Basically your postfix config accepted the connection but not all of the recipients. So only the allowed recipients will receive the message. But the sender has patted itself on the back for yet another job well done. You should disconnect after a 450 and not keep the SMTP connection open to prevent the ambiguous situation you have created. A packet capture will probably show this much clearer. (tcpdump and wireshark are your friends here.) I do not recall having done anything special to make it work the way I explained. 
Can you show the postfix configuration? Hugo. From lists at tippingmar.com Wed Nov 4 02:26:32 2009 
From: lists at tippingmar.com (Mark Nienberg) Date: Wed Nov 4 02:26:52 2009 Subject: Sophos failure: sophos-autoupdate is missing new Sophos files In-Reply-To: <4AF0ACF9.4060702@mssl.ucl.ac.uk> References: <4AF0ACF9.4060702@mssl.ucl.ac.uk> Message-ID: <4AF0E658.9060206@tippingmar.com> Paul Lamb wrote: > The Sophos AV November 2009 distribution:- > Product version : 4.47.0 > Engine version : 3.01.0 > Virus data version : 4.47 > User interface version : 2.07.250 > Platform : Linux/Intel > Released : 02 November 2009 > > is installing additional files > ./lib/xvdl*.vdb > > sophos-autoupdate will not create softlinks to these in ./ide/ > > Running sweep through strace shows an open failure on > /usr/local/Sophos/ide/xvdl01.vdb leading to > "Error initialising detection engine - missing part of virus data" > > As a quick workround, I have added the following cloned fragment into > sophos-autoupdate before "Add the new swpmess.dat..." - > > # Add the even newer xvdl*.vdb files if they are there > foreach $vdlsus ("xvdl") { > foreach $number (1..99) { > $string = $vdlsus . sprintf("%02d", $number) . ".vdb"; > symlink("$VDLDir/$string", $string) if -f "$VDLDir/$string"; > } > } > # end > > I am running MailScanner version 4.72.5 whose version of > sophos-autoupdate looks little different to the current version. > > Regards, > Paul Lamb I guess you are using Sophos V4, correct? I have V5 and it reports: [root@tesla bin]# savscan -v SAVScan virus detection utility Copyright (c) 1989-2009 Sophos Group. All rights reserved. System time 06:19:20 PM, System date 03 November 2009 Product version : 4.46.0 Engine version : 3.00.1 Virus data version : 4.46 User interface version : 2.07.249 Platform : Linux/Intel Released : 05 October 2009 Total viruses (with IDEs) : 1061548 Information on additional data files: Data file name : /opt/sophos-av/lib/sav/daonol-a.ide Data file type : IDE Data file date : 03 November 2009, 16:12:47 Data file status : Loaded etc... 
For V5, sophos-autoupdate just calls the Sophos provided savupdate program and it takes care of itself. I think the edit you show would only be needed for V4. Mark Nienberg From mailscanner at pdscc.com Wed Nov 4 07:22:02 2009 
From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Wed Nov 4 07:22:32 2009 Subject: problem with requeue losing recipient In-Reply-To: <4AF0BDC1.4020304@vanderkooij.org> References: <20091103031127.AE15413D3@sinclaire.sibble.net>, <4AF0BDC1.4020304@vanderkooij.org> Message-ID: <20091104072210.0BF011322@sinclaire.sibble.net> On 4 Nov 2009 at 0:33, Hugo van der Kooij wrote: > The message was NOT accepted according to this log line. Your greylist > prevented that. I noticed that after posting.... > This one however is accepted. I never realized it would greylist on a per recipient basis like that > Basically your postfix config accepted the connection but not all of > the recipients. So only the allowed recipients will receive the message. > but the sender has patted itself on the back for yet another job well > done. The odd thing about this, is the client had another instance of this happening today, what's interesting is that the Exchange 2007 server that MS is relaying for shows it sees all 3 recipients (1x To: and 2x CC), but only successfully delivers to the recipient in the To field, The Exchange tracking shows the other 2 recipients stuck at the RESOLVE, ROUTING stage. The other strange thing is nothing has changed on this box in months. > You should disconnect after a 450 and not keep the SMTP connection open > to prevent the ambiguous situation you have created. Is this what you are referring to? # The unknown_local_recipient_reject_code specifies the SMTP server # response code when a recipient domain matches $mydestination or # ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty # and the recipient address or address local-part is not found. # # The default setting is 550 (reject mail) but it is safer to start # with 450 (try again later) until you are certain that your # local_recipient_maps settings are OK. # unknown_local_recipient_reject_code = 550 > A packet capture will probably show this much clearer. 
(tcpdump and > wireshark are your friends here.) > > I do not recall having done anything special to make it work the way I > explained. Can you show the postfix configuration? Same, I have at least a half dozen or so mail relays like this at various sites with the same kind of config without any issues. Are you asking to see the whole config file? Does postfix have a way to output just the active settings in the main.cf without comments. I know there is a way to do this with dovecot, but don't know if postfix has a similar thing, nothing found via google so far ### ADDED June 05/06 for postgrey smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_policy_service inet:127.0.0.1:10023 -- Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice) From john at tradoc.fr Wed Nov 4 08:50:49 2009 
From: john at tradoc.fr (John Wilcock) Date: Wed Nov 4 08:51:06 2009 Subject: problem with requeue losing recipient In-Reply-To: <20091104072210.0BF011322@sinclaire.sibble.net> References: <20091103031127.AE15413D3@sinclaire.sibble.net>, <4AF0BDC1.4020304@vanderkooij.org> <20091104072210.0BF011322@sinclaire.sibble.net> Message-ID: <4AF14069.9000805@tradoc.fr> On 04/11/2009 08:22, Harondel J. Sibble wrote: >> You should disconnect after a 450 and not keep the SMTP connection open >> > to prevent the ambiguous situation you have created. > Is this what you are referring to? > unknown_local_recipient_reject_code = 550 No, that's for rejecting *unknown* recipients. Your server *did* reject with a 450 code, so the sending server should try to resend the message for the other recipient. I don't think there's any way of making postfix close the SMTP connection at this stage. What is your postgrey delay set to? > are you asking to the see the whole config file? Does postfix have a way to > output just the active settings in the main.cf without comments. I know there > is a way to do this with dovecot, but don't know if postfix has a similar > thing, nothing found via google so far postconf -n will show you a list of all non-default settings. John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From gandalf at shopzeus.com Wed Nov 4 09:27:01 2009 
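The case discussed in the thread above (a 450 greylist rejection for some recipients inside an SMTP transaction that Postfix still queues for others) can be found in the mail log. This is an added example, not code from the thread: the log lines are constructed in standard Postfix syslog format with placeholder hosts, addresses and queue IDs, the function name is hypothetical, and it assumes the default `smtpd_delay_open_until_valid_rcpt = yes`.

```python
import re
from collections import defaultdict

# Constructed sample log (placeholder hosts, addresses and queue IDs).
SAMPLE_LOG = """\
Nov  1 18:29:33 mx postfix/smtpd[6938]: A1B2C3D4E5F: client=relay.example.net[192.0.2.10]
Nov  1 18:29:34 mx postfix/smtpd[6938]: A1B2C3D4E5F: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <cc1@example.org>: Recipient address rejected: Greylisted; from=<sender@example.com> to=<cc1@example.org> proto=ESMTP helo=<relay.example.net>
Nov  1 18:29:34 mx postfix/smtpd[6938]: A1B2C3D4E5F: reject: RCPT from relay.example.net[192.0.2.10]: 450 4.2.0 <cc2@example.org>: Recipient address rejected: Greylisted; from=<sender@example.com> to=<cc2@example.org> proto=ESMTP helo=<relay.example.net>
Nov  1 18:29:35 mx postfix/cleanup[6948]: A1B2C3D4E5F: hold: header Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.org (Postfix) with ESMTP id A1B2C3D4E5F from relay.example.net[192.0.2.10]; from=<sender@example.com> to=<to@example.org> proto=ESMTP helo=<relay.example.net>
Nov  1 18:40:02 mx postfix/smtpd[7011]: NOQUEUE: reject: RCPT from new.example.net[192.0.2.20]: 450 4.2.0 <to@example.org>: Recipient address rejected: Greylisted; from=<other@example.com> to=<to@example.org> proto=ESMTP helo=<new.example.net>
Nov  1 18:45:10 mx postfix/smtpd[7020]: 0F9E8D7C6B5: client=known.example.net[192.0.2.30]
Nov  1 18:45:11 mx postfix/cleanup[7021]: 0F9E8D7C6B5: hold: header Received: from known.example.net (known.example.net [192.0.2.30]) by mx.example.org (Postfix) with ESMTP id 0F9E8D7C6B5
"""

# "postfix/<daemon>[pid]: <queue id or NOQUEUE>: <rest of the record>"
LINE_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: "
    r"(?P<qid>NOQUEUE|[0-9A-Za-z]{6,}): (?P<rest>.*)$"
)
# RCPT-stage reject; the to=<...> field is optional because some archives
# (this thread included) strip the angle-bracketed addresses.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+: (?P<code>\d{3})\b.*?(?:\bto=<(?P<rcpt>[^>]*)>|$)"
)


def find_partial_acceptance(lines):
    """Return {queue_id: [temporarily rejected recipients]} for transactions
    that were nevertheless queued for at least one other recipient."""
    tx = defaultdict(lambda: {"deferred": [], "queued": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["qid"] == "NOQUEUE":
            # NOQUEUE: no recipient had been accepted yet, so no queue file
            # exists and the whole message will simply be retried later.
            continue
        state = tx[m["qid"]]
        if m["daemon"] == "smtpd":
            r = REJECT_RE.match(m["rest"])
            # Only 4xx matters here: the sender is expected to retry these
            # recipients, while the rest of the message is already on its way.
            if r and r["code"].startswith("4"):
                state["deferred"].append(r["rcpt"] or "(recipient not logged)")
        elif m["daemon"] == "cleanup":
            # cleanup only logs for a queue ID once the message was received.
            state["queued"] = True
    return {
        qid: sorted(s["deferred"])
        for qid, s in tx.items()
        if s["queued"] and s["deferred"]
    }


if __name__ == "__main__":
    for qid, rcpts in find_partial_acceptance(SAMPLE_LOG.splitlines()).items():
        print(f"{qid}: queued, but still waiting on a retry for {', '.join(rcpts)}")
```

Queue IDs reported here are the ones to follow up when a recipient says a Cc'd message never arrived: delivery of those recipients depends entirely on the sending server retrying after the greylist delay.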
From: gandalf at shopzeus.com (Laszlo Nagy) Date: Wed Nov 4 09:27:12 2009 Subject: mailscanner + disarmed + sa-learn - how? Message-ID: <4AF148E5.1000304@shopzeus.com> Hi All, We have some emails. Mailscanner has "{disarmed}" them. We have other programs that process these emails automatically, and now they stopped working because the subject and mail content was changed by Mailscanner. I'm not sure what part of mailscanner has this disarm feature. Is it spamassassin? I was thinking about teaching spamassassin with sa-learn, but we do not have the original emails. Only the disarmed ones. Or is it somewhere else? Probably I do not need full explanation, just a good starting point. Thanks, Laszlo From Amelein at dantumadiel.eu Wed Nov 4 09:48:09 2009 From: Amelein at dantumadiel.eu (Arjan Melein) Date: Wed Nov 4 09:48:25 2009 Subject: MailScanner hates Microsoft office Message-ID: <4AF15BE90200008E00011943@10.1.0.206> For some reason a lot of our office files are being held hostage by MailScanner by the filetype filter for various reasons which to me don't make any sense. These range from the file being identified as an executable to AVI movies. When I do 'file -i' on it, it'll always show 'application/msword; charset=binary' So far I've tried setting 'unpack microsoft documents' to no and removed 'ole' from the 'Archives Are' setting, but that did not change anything. Am I overlooking anything? - Arjan From pal at mssl.ucl.ac.uk Wed Nov 4 10:45:08 2009 
From: pal at mssl.ucl.ac.uk (Paul Lamb) Date: Wed Nov 4 10:45:20 2009 Subject: Sophos failure: sophos-autoupdate is missing new Sophos files In-Reply-To: <4AF0E658.9060206@tippingmar.com> References: <4AF0ACF9.4060702@mssl.ucl.ac.uk> <4AF0E658.9060206@tippingmar.com> Message-ID: <4AF15B34.7070703@mssl.ucl.ac.uk> Mark Nienberg wrote: > Paul Lamb wrote: >> The Sophos AV November 2009 distribution:- >> Product version : 4.47.0 >> Engine version : 3.01.0 >> Virus data version : 4.47 >> User interface version : 2.07.250 >> Platform : Linux/Intel >> Released : 02 November 2009 >> >> is installing additional files >> ./lib/xvdl*.vdb >> >> sophos-autoupdate will not create softlinks to these in ./ide/ >> >> Running sweep through strace shows an open failure on >> /usr/local/Sophos/ide/xvdl01.vdb leading to >> "Error initialising detection engine - missing part of virus data" >> >> As a quick workround, I have added the following cloned fragment into >> sophos-autoupdate before "Add the new swpmess.dat..." - >> >> # Add the even newer xvdl*.vdb files if they are there >> foreach $vdlsus ("xvdl") { >> foreach $number (1..99) { >> $string = $vdlsus . sprintf("%02d", $number) . ".vdb"; >> symlink("$VDLDir/$string", $string) if -f "$VDLDir/$string"; >> } >> } >> # end >> >> I am running MailScanner version 4.72.5 whose version of >> sophos-autoupdate looks little different to the current version. >> >> Regards, >> Paul Lamb > I guess you are using Sophos V4, correct? > I have V5 and it reports: > > [root@tesla bin]# savscan -v > SAVScan virus detection utility > Copyright (c) 1989-2009 Sophos Group. All rights reserved. 
> > System time 06:19:20 PM, System date 03 November 2009 > > Product version : 4.46.0 > Engine version : 3.00.1 > Virus data version : 4.46 > User interface version : 2.07.249 > Platform : Linux/Intel > Released : 05 October 2009 > Total viruses (with IDEs) : 1061548 > > Information on additional data files: > > Data file name : /opt/sophos-av/lib/sav/daonol-a.ide > Data file type : IDE > Data file date : 03 November 2009, 16:12:47 > Data file status : Loaded > > etc... > > For V5, sophos-autoupdate just calls the Sophos provided savupdate > program and it takes care of itself. I think the edit you show would > only be needed for V4. > > Mark Nienberg Yes, I am using Sophos v4. Thanks for adding the caveat. Paul From Antony.Stone at mailscanner.open.source.it Wed Nov 4 11:50:44 2009 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Wed Nov 4 11:50:54 2009 Subject: mailscanner + disarmed + sa-learn - how? In-Reply-To: <4AF148E5.1000304@shopzeus.com> References: <4AF148E5.1000304@shopzeus.com> Message-ID: <200911041150.44337.Antony.Stone@mailscanner.open.source.it> On Wednesday 04 November 2009 09:27, Laszlo Nagy wrote: > Hi All, > > We have some emails. Mailscanner has "{disarmed}" them. We have other > programs that process these emails automatically, and now they stopped > working because the subject and mail content was changed by Mailscanner. > I'm not sure what part of mailscanner has this disarm feature. Try "grep disarm MailScanner.conf" to see where you have this action selected. The default config file has: Allow IFrame Tags = disarm Allow Form Tags = disarm Allow Script Tags = disarm Allow WebBugs = disarm Allow Object Codebase Tags = disarm Antony. -- We all get the same amount of time - twenty-four hours per day. How you use it is up to you. Please reply to the list; please don't CC me. From paulo-m-roncon at ptinovacao.pt Wed Nov 4 12:09:25 2009 
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Wed Nov 4 12:14:25 2009
Subject: spamassassin --lint problem
Message-ID:

Hi,

I know this is not a spamassassin list but you may have the same problem:
-CentOS release 5.4 (Final)
-Perl version 5.008008 (5.8.8)
-MailScanner version 4.77.9

When I do spamassassin --lint I get:
[25661] warn: Use of uninitialized value in numeric lt (<) at /usr/lib/perl5/vendor_perl/5.8.8/IO/Zlib.pm line 303.

My perl & Zlib rpms:
perl-Compress-Raw-Zlib.x86_64 2.021-1.el5.rf installed
perl-IO-Zlib.noarch 1.10-1.el5.rf installed
zlib.i386 1.2.3-3 installed
zlib.x86_64 1.2.3-3 installed
zlib-devel.x86_64 1.2.3-3 installed

Anyone can help??
Thanks!

From steve at fsl.com Wed Nov 4 12:43:01 2009
From: steve at fsl.com (Stephen Swaney)
Date: Wed Nov 4 12:43:11 2009
Subject: MailScanner hates Microsoft office
In-Reply-To: <4AF15BE90200008E00011943@10.1.0.206>
References: <4AF15BE90200008E00011943@10.1.0.206>
Message-ID: <43C286B4-2DE5-48DA-B272-9900BB1470D4@fsl.com>

On Nov 4, 2009, at 4:48 AM, Arjan Melein wrote:

> For some reason a lot of our office files are being held hostage by
> MailScanner by the filetype filter for various reasons which to me
> don't make any sense.
> These range from the file being identified as an executable to AVI
> movies.
> When I do 'file -i' on it, it'll always show 'application/msword;
> charset=binary'
>
> So far I've tried setting 'unpack microsoft documents' to no and
> removed 'ole' from the 'Archives Are' setting, but that did not
> change anything.
> Am I overlooking anything ?
>
> -
> Arjan

To accommodate Word 2007, add the following lines to your filename.rule.conf file being very careful to use "tabs" instead of "spaces" between the fields in each line that is not commented out. Also you may have different ideas about which file types to allow or deny so you should review carefully before implementing.

# Word 2007 File Type Extensions
# -------------------------------------------
allow	\.docx$	Word 2007 XML Document	Word 2007 XML Document
deny	\.docmx$	Word 2007 XML Macro-Enabled Document	Word 2007 XML Macro-Enabled Document
deny	\.dotx$	Word 2007 XML Template	Word 2007 XML Template
deny	\.dotm$	Word 2007 XML Macro-Enabled Template	Word 2007 XML Macro-Enabled Template

# Excel 2007 File Type Extension
# -------------------------------------------
allow	\.xlsx$	Excel 2007 XML Workbook	Excel 2007 XML Workbook
deny	\.xlsm$	Excel 2007 XML Macro-Enabled Workbook	Excel 2007 XML Macro-Enabled Workbook
deny	\.xltx$	Excel 2007 XML Template	Excel 2007 XML Template
deny	\.xltm$	Excel 2007 XML Macro-Enabled Template	Excel 2007 XML Macro-Enabled Template
deny	\.xlsb$	Excel 2007 binary workbook	Excel 2007 binary workbook
deny	\.xlam$	Excel 2007 XML Macro-Enabled Add-In	Excel 2007 XML Macro-Enabled Add-In

# PowerPoint 2007 File Type Extension
# -------------------------------------------
allow	\.pptx$	PowerPoint 2007 XML Presentation	PowerPoint 2007 XML Presentation
deny	\.pptm$	PowerPoint 2007 Macro-Enabled XML Presentation	PowerPoint 2007 Macro-Enabled XML Presentation
deny	\.potx$	PowerPoint 2007 XML Template	PowerPoint 2007 XML Template
deny	\.potm$	PowerPoint 2007 Macro-Enabled XML Template	PowerPoint 2007 Macro-Enabled XML Template
deny	\.ppam$	PowerPoint 2007 Macro-Enabled XML Add-In	PowerPoint 2007 Macro-Enabled XML Add-In
deny	\.ppsx$	PowerPoint 2007 XML Show	PowerPoint 2007 XML Show
deny	\.ppsm$	PowerPoint 2007 Macro-Enabled XML Show	PowerPoint 2007 Macro-Enabled XML Show
# ----------- End Insert

You probably also want to change or delete the defaults for the "repetitive filename extensions", like the ones below, to accommodate the tendency of the Office programs to add some new attachment with aaaaa.xxx.yyy filenames.

# Repeated file extension, e.g. blah.zip.zip
allow	(\.[a-z0-9]{3})\1$	-	-

# Other double file extensions. This catches any hidden filenames.
deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding	Attempt to hide real filename extension

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From Amelein at dantumadiel.eu Wed Nov 4 12:58:14 2009
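Added example (not part of the post above and not MailScanner code): a small checker for the rule format the post describes, which flags lines whose fields are not tab-separated and reports which rule decides a given attachment name. It assumes four tab-separated fields per rule, that the first matching rule wins, that matching is case-insensitive, and it models only allow/deny; the sample rule text is constructed from five of the quoted rules plus one deliberately space-separated line.

```python
import re

# Only allow/deny are modelled; this is a simplification made for the example.
ACTIONS = {"allow", "deny"}

# Constructed sample: five rules copied from the post (with real tabs) plus one
# deliberately broken line that uses spaces between the fields.
SAMPLE_RULES = "\n".join([
    "# Office 2007 rules",
    "allow\t\\.docx$\tWord 2007 XML Document\tWord 2007 XML Document",
    "deny\t\\.docmx$\tWord 2007 XML Macro-Enabled Document\tWord 2007 XML Macro-Enabled Document",
    "deny\t\\.xlsm$\tExcel 2007 XML Macro-Enabled Workbook\tExcel 2007 XML Macro-Enabled Workbook",
    "allow\t(\\.[a-z0-9]{3})\\1$\t-\t-",
    "deny\t\\.[a-z][a-z0-9]{2,3}\\s*\\.[a-z0-9]{3}$\tFound possible filename hiding\tAttempt to hide real filename extension",
    "# next line is broken on purpose (spaces, not tabs)",
    "deny \\.xltm$ Excel 2007 XML Macro-Enabled Template Excel 2007 XML Macro-Enabled Template",
])


def parse_rules(text):
    """Return (rules, problems); problems is a list of (line number, message)."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = re.split(r"\t+", stripped)
        if len(fields) != 4:
            problems.append(
                (lineno, "expected 4 tab-separated fields, found %d" % len(fields)))
            continue
        action, pattern, log_text, report_text = fields
        if action not in ACTIONS:
            problems.append((lineno, "action %r is not modelled here" % action))
            continue
        try:
            # Assumption: names are matched without regard to case.
            regex = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            problems.append((lineno, "bad regular expression: %s" % exc))
            continue
        rules.append({"line": lineno, "action": action, "regex": regex,
                      "log": log_text, "report": report_text})
    return rules, problems


def first_match(filename, rules):
    """Return the first rule whose pattern matches, or None if no rule does."""
    for rule in rules:
        if rule["regex"].search(filename):
            return rule
    return None


if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_RULES)
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
    for name in ("report.docx", "budget.XLSM", "backup.zip.zip",
                 "invoice.pdf.exe", "aaaaa.xxx.yyy", "report.docm"):
        rule = first_match(name, rules)
        verdict = "no rule matched" if rule is None else (
            "%s (line %d)" % (rule["action"], rule["line"]))
        print("%-18s %s" % (name, verdict))
```

On this sample, `report.docm` falls through every listed rule, because the macro-enabled Word pattern as posted is `\.docmx$`. Running the checker over a real rules file before reloading MailScanner shows both the lines that would be misparsed and which rule decides a given name.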
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Wed Nov 4 12:58:45 2009
Subject: Betr.: Re: MailScanner hates Microsoft office
In-Reply-To: <43C286B4-2DE5-48DA-B272-9900BB1470D4@fsl.com>
References: <4AF15BE90200008E00011943@10.1.0.206> <43C286B4-2DE5-48DA-B272-9900BB1470D4@fsl.com>
Message-ID: <4AF188760200008E0001196B@10.1.0.206>

>>> On 4-11-2009 at 13:43 Stephen Swaney wrote:

To accommodate Word 2007, add the following lines to your filename.rule.conf file being very careful to use "tabs" instead of "spaces" between the fields in each line that is not commented out. Also you may have different ideas about which file types to allow or deny so you should review carefully before implementing.

# Word 2007 File Type Extensions
# -------------------------------------------
allow	\.docx$	Word 2007 XML Document	Word 2007 XML Document
deny	\.docmx$	Word 2007 XML Macro-Enabled Document	Word 2007 XML Macro-Enabled Document
deny	\.dotx$	Word 2007 XML Template	Word 2007 XML Template
deny	\.dotm$	Word 2007 XML Macro-Enabled Template	Word 2007 XML Macro-Enabled Template

# Excel 2007 File Type Extension
# -------------------------------------------
allow	\.xlsx$	Excel 2007 XML Workbook	Excel 2007 XML Workbook
deny	\.xlsm$	Excel 2007 XML Macro-Enabled Workbook	Excel 2007 XML Macro-Enabled Workbook
deny	\.xltx$	Excel 2007 XML Template	Excel 2007 XML Template
deny	\.xltm$	Excel 2007 XML Macro-Enabled Template	Excel 2007 XML Macro-Enabled Template
deny	\.xlsb$	Excel 2007 binary workbook	Excel 2007 binary workbook
deny	\.xlam$	Excel 2007 XML Macro-Enabled Add-In	Excel 2007 XML Macro-Enabled Add-In

# PowerPoint 2007 File Type Extension
# -------------------------------------------
allow	\.pptx$	PowerPoint 2007 XML Presentation	PowerPoint 2007 XML Presentation
deny	\.pptm$	PowerPoint 2007 Macro-Enabled XML Presentation	PowerPoint 2007 Macro-Enabled XML Presentation
deny	\.potx$	PowerPoint 2007 XML Template	PowerPoint 2007 XML Template
deny	\.potm$	PowerPoint 2007 Macro-Enabled XML Template	PowerPoint 2007 Macro-Enabled XML Template
deny	\.ppam$	PowerPoint 2007 Macro-Enabled XML Add-In	PowerPoint 2007 Macro-Enabled XML Add-In
deny	\.ppsx$	PowerPoint 2007 XML Show	PowerPoint 2007 XML Show
deny	\.ppsm$	PowerPoint 2007 Macro-Enabled XML Show	PowerPoint 2007 Macro-Enabled XML Show
# ----------- End Insert

You probably also want to change or delete the defaults for the "repetitive filename extensions", like the ones below, to accommodate the tendency of the Office programs to add some new attachment with aaaaa.xxx.yyy filenames.

# Repeated file extension, e.g. blah.zip.zip
allow	(\.[a-z0-9]{3})\1$	-	-

# Other double file extensions. This catches any hidden filenames.
deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding	Attempt to hide real filename extension

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
www.fsl.com
The most accurate and cost effective anti-spam solutions available

Thanks Steve, I'll add these for office 2007.
The problem I am having is with office XP and 2003 files however.
It affects both outgoing and incoming e-mails.
(We're not using 2007 because of the $$$ involved with upgrading and there's a good chance it'll become openoffice :-))

-
Arjan

From raymond at prolocation.net Wed Nov 4 14:36:27 2009
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Wed Nov 4 14:36:38 2009
Subject: spamassassin --lint problem
In-Reply-To:
References:
Message-ID:

Hi!

> I known this is not a spamassassin list but you may have the same problem:
> -CentOS release 5.4 (Final)
> -Perl version 5.008008 (5.8.8)
> -MailScanner version 4.77.9
>
> When I do spamassassin --lint I get:
> [25661] warn: Use of uninitialized value in numeric lt (<) at
> /usr/lib/perl5/vendor_perl/5.8.8/IO/Zlib.pm line 303.
>
> My perl & Zlib rpms:
> perl-Compress-Raw-Zlib.x86_64 2.021-1.el5.rf installed
> perl-IO-Zlib.noarch 1.10-1.el5.rf installed
> zlib.i386 1.2.3-3 installed
> zlib.x86_64 1.2.3-3 installed
> zlib-devel.x86_64 1.2.3-3 installed

This isn't really a MailScanner question but you could try installing perl-Compress-Zlib

Bye,
Raymond.

From mailscanner at pdscc.com Wed Nov 4 15:55:01 2009
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Wed Nov 4 15:55:33 2009
Subject: problem with requeue losing recipient
In-Reply-To: <4AF14069.9000805@tradoc.fr>
References: <20091103031127.AE15413D3@sinclaire.sibble.net>, <20091104072210.0BF011322@sinclaire.sibble.net>, <4AF14069.9000805@tradoc.fr>
Message-ID: <20091104155510.05E7D13BC@sinclaire.sibble.net>

On 4 Nov 2009 at 9:50, John Wilcock wrote:

> Your server *did* reject with a 450 code, so the sending server should
> try to resend the message for the other recipient.

I'll have to look a bit deeper in this, as looking on the exchange side, the first instance of this problem, the exchange server did NOT see recipient1, only recipient2, on the second example of this problem (not posted here), the exchange server saw all 3 recipients but only delivered to 1. Log trolling here I come :-|

> I don't think there's any way of making postfix close the SMTP
> connection at this stage. What is your postgrey delay set to?

either 3 or 5 minutes.

> postconf -n will show you a list of all non-default settings.

Thanks!

--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice)

From housey at sme-ecom.co.uk Wed Nov 4 17:16:11 2009
From: housey at sme-ecom.co.uk (Paul)
Date: Wed Nov 4 17:16:45 2009
Subject: OT - Sendmail Address Syntax
Message-ID: <4AF1B6DB.6050600@sme-ecom.co.uk>

Hi

Apologies for the off topic post but I know there's lots of send mail gurus around and I can't find anything via google.

I get lots of email addressed to aliases like

|ajshdasd@domain.com ---- note the pipe at the start of the address,

I act as a front end relay for various other mailservers, and wondering if there is a way in sendmail to 550 reject based on an invalid address syntax? I don't believe | is an allowed character in an email address.

Thanks
Paul

From dave.list at pixelhammer.com Wed Nov 4 20:33:44 2009
From: dave.list at pixelhammer.com (DAve)
Date: Wed Nov 4 20:34:17 2009
Subject: OT: Book recommendations
Message-ID: <4AF1E528.2030502@pixelhammer.com>

I have a quick question just because this is the best list I know for all things email, and the best behaved.

We will be starting a new product hosting Exchange Servers in our cloud, likely all servers will be behind our MailScanner cluster. I need a good book suggestion on Exchange management as I will be tasked with supporting the Exchange servers for the clients who will, undoubtedly, require assistance.

I am looking at the following books.

http://www.amazon.com/Microsoft-Exchange-Server-2007-Reference/dp/0071490841/ref=sr_1_7?ie=UTF8&s=books&qid=1257366408&sr=8-7
http://www.amazon.com/Microsoft-Exchange-Server-2007-Beginners/dp/0071486399/ref=sr_1_2?ie=UTF8&s=books&qid=1257366408&sr=8-2
http://www.amazon.com/Cheat-Configuring-Exchange-Server-2007/dp/1597491373/ref=pd_bxgy_b_img_c

Please reply offlist directly to me at dave.list@pixelhammer.com so we don't clutter up the list traffic.

Thanks,

DAve

--
"Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Quincy Adams

http://appleseedinfo.org

From lstewart at superb.net Wed Nov 4 21:02:49 2009
From: lstewart at superb.net (Landon Stewart)
Date: Wed Nov 4 21:03:21 2009
Subject: Getting Clamd error in /var/log/maillog (Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied)
Message-ID:

I'm repeatedly getting an error from clamd in /var/log/maillog but I cannot figure out what is causing it. We have two mailscanner machines, only one of them is getting the error. What directory/file permissions should I check? Is that the cause?

*The errors are:*
Nov 4 15:49:50 mail-out2 MailScanner[19819]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied. ERROR :: /var/spool/MailScanner/incoming/19819
Nov 4 15:51:11 mail-out2 MailScanner[18089]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied. ERROR :: /var/spool/MailScanner/incoming/18089
Nov 4 15:53:44 mail-out2 MailScanner[19819]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied. ERROR :: /var/spool/MailScanner/incoming/19819
Nov 4 15:55:43 mail-out2 MailScanner[19819]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied. ERROR :: /var/spool/MailScanner/incoming/19819

There's lots of other lines and mail appears to be handled normally but I'm afraid the anti-virus is not working properly.

*The directory and contents of the razor-agent.log file look like this:*
[root@mail-out2 ~]# ls -la /var/spool/MailScanner/incoming/19819
total 16
drwxr-x--- 2 postfix clamav 4096 Nov 4 15:55 .
drwxr-xr-x 9 postfix clamav 4096 Nov 4 15:59 ..
-rw------- 1 postfix postfix 2507 Nov 4 15:55 razor-agent.log

*Here's more info about MailScanner:*
[root@mail-out2 ~]# MailScanner -v
Running on
Linux mail-out2.superb.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 5.3 (Final)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.78.17

--
Landon Stewart
SuperbHosting.Net by Superb Internet Corp.
Toll Free: 888-354-6128 x 4199 (US/Canada)
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

From alex at rtpty.com Wed Nov 4 21:20:29 2009
From: alex at rtpty.com (Alex Neuman)
Date: Wed Nov 4 21:20:56 2009
Subject: Getting Clamd error in /var/log/maillog (Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied)
In-Reply-To:
References:
Message-ID:

1. Looks like permissions, indeed.
2. Check the one that works and compare to the one that doesn't. Check clamd.conf and related files, /var/spool/MailScanner/incoming
3. Probably so.

On Nov 4, 2009, at 4:02 PM, Landon Stewart wrote:

> I'm repeatedly getting an error from clamd in /var/log/maillog but I
> cannot figure out what is causing it. We have two mailscanner
> machines, only one of them is getting the error. What directory/
> file permissions should I check? Is that the cause?

From ms-list at alexb.ch Wed Nov 4 21:23:25 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Nov 4 21:23:36 2009
Subject: Getting Clamd error in /var/log/maillog (Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied)
In-Reply-To:
References:
Message-ID: <4AF1F0CD.6020209@alexb.ch>

On 11/4/2009 10:02 PM, Landon Stewart wrote:
> I'm repeatedly getting an error from clamd in /var/log/maillog but I cannot
> figure out what is causing it. We have two mailscanner machines, only one
> of them is getting the error. What directory/file permissions should I
> check? Is that the cause?
>
> *The errors are:*
> Nov 4 15:49:50 mail-out2 MailScanner[19819]: Clamd::ERROR:: UNKNOWN CLAMD
> RETURN ./razor-agent.log/Access denied. ERROR ::
> /var/spool/MailScanner/incoming/19819
> Nov 4 15:51:11 mail-out2 MailScanner[18089]: Clamd::ERROR:: UNKNOWN CLAMD
> RETURN ./razor-agent.log/Access denied. ERROR ::
> /var/spool/MailScanner/incoming/18089
> Nov 4 15:53:44 mail-out2 MailScanner[19819]: Clamd::ERROR:: UNKNOWN CLAMD
> RETURN ./razor-agent.log/Access denied. ERROR ::
> /var/spool/MailScanner/incoming/19819
> Nov 4 15:55:43 mail-out2 MailScanner[19819]: Clamd::ERROR:: UNKNOWN CLAMD
> RETURN ./razor-agent.log/Access denied. ERROR ::
> /var/spool/MailScanner/incoming/19819
>
> There's lots of other lines and mail appears to be handled normally but I'm
> afraid the anti-virus is not working properly.

unless I'm missing something ...
you need to move your razor log out of that path

mkdir /etc/mail/spamassassin/razor

create /etc/mail/spamassassin/razor.conf

add to razor.conf:

razorhome /etc/mail/spamassassin/razor
logfile /var/log/razor-agent.log

in /etc/MailScanner/mailscanner.cf

edit/add

razor_config /etc/mail/spamassassin/razor/razor-agents.conf

restart MailScanner

should cleanup your problem

h2h

Alex

PS: Pls note that your paths may vary.

From lists at tippingmar.com Wed Nov 4 21:55:55 2009
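Added example (not from any poster in this thread and not MailScanner or ClamAV code): the listing earlier in the thread shows the batch directory as `postfix clamav` with mode `drwxr-x---` but `razor-agent.log` inside it as `-rw------- postfix postfix`, which a scanner running under another account cannot open. The sketch below walks a work directory and lists every entry that a given account could not read, judging by owner, group and mode bits only (ACLs, SELinux and root privileges are not modelled); the function names and the constructed sample directory are assumptions of this example.

```python
import os
import pwd
import stat
import sys
import tempfile


def can_read(st, uid, gids):
    """Classic Unix check: owner bits apply first, then group, then other."""
    mode = st.st_mode
    if st.st_uid == uid:
        r_bit, x_bit = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r_bit, x_bit = stat.S_IRGRP, stat.S_IXGRP
    else:
        r_bit, x_bit = stat.S_IROTH, stat.S_IXOTH
    if not mode & r_bit:
        return False
    # A directory must also be searchable (x) before its contents can be opened.
    return bool(mode & x_bit) if stat.S_ISDIR(mode) else True


def unreadable_entries(top, uid, gids):
    """Return sorted (relative path, mode string) pairs the account cannot read."""
    blocked = []
    top_st = os.lstat(top)
    if not can_read(top_st, uid, gids):
        blocked.append((".", stat.filemode(top_st.st_mode)))
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink targets are outside the scope of this sketch
            if not can_read(st, uid, gids):
                blocked.append((os.path.relpath(path, top),
                                stat.filemode(st.st_mode)))
    return sorted(blocked)


def account_identity(username):
    """uid and full group set of a local account, e.g. the one clamd runs as."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))


def check_constructed_sample(file_mode):
    """Rebuild the layout from the listing in a temp dir (constructed data).

    The scanner identity is simulated: a uid different from the owner, sharing
    only the group of the batch directory, as clamav does in the thread.
    """
    with tempfile.TemporaryDirectory() as parent:
        batch = os.path.join(parent, "19819")
        os.mkdir(batch)
        os.chmod(batch, 0o750)
        log = os.path.join(batch, "razor-agent.log")
        with open(log, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(log, file_mode)
        batch_st = os.lstat(batch)
        scanner_uid = batch_st.st_uid + 1
        scanner_gids = {batch_st.st_gid, os.lstat(log).st_gid}
        return unreadable_entries(batch, scanner_uid, scanner_gids)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py <work directory> <account the scanner runs as>
        uid, gids = account_identity(sys.argv[2])
        for rel, mode in unreadable_entries(sys.argv[1], uid, gids):
            print("%s  %s" % (mode, rel))
    else:
        print(check_constructed_sample(0o600))
```

Run as root against the real work directory with the scanner's account name, each line printed is a file or directory that account would be refused on.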
From: lists at tippingmar.com (Mark Nienberg)
Date: Wed Nov 4 21:56:19 2009
Subject: Viruses Undetected in MailScanner after Sophos Update
In-Reply-To: <4AE80D9D02000000000E8CD5@gw.caspercollege.edu>
References: <4AE80D9D02000000000E8CD5@gw.caspercollege.edu>
Message-ID: <4AF1F86B.5080403@tippingmar.com>

Daniel Straka wrote:
> Hi all,
>
> Two days ago I upgraded Sophos as I do every two months to version 446, after which virus laden attachments began coming through my MailScanner system undetected.
> So, I back-revved to version 444 and the virus attachments are again being detected and removed from the messages properly. (whew)
>
> Does anyone know if Sophos has made some changes to their "linux.intel.libc6.glibc.2.2.tar.Z" distributions that breaks it functionality with MailScanner?
>
> Thanks,
>
>

I'm guessing it is this problem:

http://lists.mailscanner.info/pipermail/mailscanner/2009-November/093776.html

Mark Nienberg

From iulianld at gmail.com Thu Nov 5 04:19:28 2009
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Thu Nov 5 04:20:32 2009
Subject: Issue after CentOS upgrade to 5.4 using yum/rpm for perl modules
In-Reply-To: <4AEECC29.40407@netring.co.uk>
References: <4AEECC29.40407@netring.co.uk>
Message-ID:

On Mon, Nov 2, 2009 at 2:10 PM, Edward Prendergast wrote:
> Hi,
>
> After having upgraded to CentOS 5.4 I'm seeing the following errors from
> MailScanner:
>
> [root@server8 MailScanner]# MailScanner --version
> is only avaliable with the XS version at
> /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9
> BEGIN failed--compilation aborted at
> /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm line 9.
> Compilation failed in require at
> /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 24.
> BEGIN failed--compilation aborted at
> /usr/lib/perl5/site_perl/5.8.8/Archive/Zip.pm line 24.
> Compilation failed in require at /usr/lib/MailScanner/MailScanner/Message.pm
> line 48.
> BEGIN failed--compilation aborted at
> /usr/lib/MailScanner/MailScanner/Message.pm line 48.
> Compilation failed in require at /usr/sbin/MailScanner line 108.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 108.
>
> I tried upgrading to the latest version of MailScanner
> (MailScanner-4.78.17-1 installed from MailScanner-4.78.17-1.rpm.tar.gz's
> install.sh) but this hasn't resolved the issue.
>
> After yum upgrades downgrading perl packages below the minimum version
> requirement for MailScanner my process to fix has usually been:
>
> 1) Identify problem packages from MailScanner errors
> 2) Add these to yum exclude list
> 3) Reinstall MailScanner stable and allow it to force the packages back up
> to the right version
>
> As shown above this approach hasn't worked this time.
>
> Thanks,
> Edward
>

Some time ago Redhat/Centos repo from rpmforge replaced some neat perl rpms. Try this to reverse the effect.

remove:
perl-IO-Compress

install :
perl-IO-Compress-Zlib
perl-IO-Compress-Base
perl-Compress-Zlib

Add these to yum exclude list

From mgregory at agama.com.au Thu Nov 5 10:40:16 2009
From: mgregory at agama.com.au (Mark Gregory)
Date: Thu Nov 5 10:40:29 2009
Subject: VMware image?
Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local>

Hi,

I would like to use mailscanner with exchange 2003 and would appreciate knowing if someone has created a VMWare image of linux + mailscanner.

I'm not trying to be lazy, just don't know enough about linux to do the install.

Regards

Mark

From claygoss at gosscomputerprojects.net Thu Nov 5 10:40:30 2009
From: claygoss at gosscomputerprojects.net (Clay Goss)
Date: Thu Nov 5 10:41:08 2009
Subject: MailScanner Overload...
In-Reply-To: <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FC6@ts-dc2.ts-webarts.local>
References: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3> <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FC6@ts-dc2.ts-webarts.local>
Message-ID:

Roland,

Reducing Max Children to 3 settled it down. It is still a very marginal box and once I have the time to get the new system completed, I can retire this old friend.

Thanks!

Clay Goss

From lhaig at haigmail.com Thu Nov 5 10:54:58 2009
From: lhaig at haigmail.com (Lance Haig)
Date: Thu Nov 5 10:55:29 2009
Subject: VMware image?
Message-ID: <20091105105459.2F16C88E25@mail.redarmour.co.uk>

Go to www.global-domination.org/ESVA.php

This is what I have used in the past

Thanks

Lance

Sent from my HTC

----- Reply message -----
From: "Mark Gregory"
Date: Thu, Nov 5, 2009 10:40
Subject: VMware image?
To:

Hi,

I would like to use mailscanner with exchange 2003 and would appreciate knowing if someone has created a VMWare image of linux + mailscanner.

I'm not trying to be lazy, just don't know enough about linux to do the install.

Regards

Mark

From bernard.lheureux at bbsoft4.org Thu Nov 5 12:02:36 2009
From: bernard.lheureux at bbsoft4.org (Bernard Lheureux)
Date: Thu Nov 5 12:02:51 2009
Subject: VMware image?
In-Reply-To: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local>
Message-ID: <4AF2BEDC.4080507@bbsoft4.org>

Mark Gregory wrote:

I run several installations of MailScanner/Mailwatch in machines running CentOS 4 virtual machines under VMware ESX 3.5 for a lot of my customers...
They could have mail environments as Lotus Domino, Exchange, or Zarafa behind it (in separate machines physical or virtual, of course)...
The MailScanner/Mailwatch is acting as a gateway that filters the mail and forward it once cleaned to the MailServer...
Working like a charm... but don't forget to install the VMware Tools in the Linux box once installed and keep an eye on the time settings configuration of the linux virtual machines to avoid time lating surprises on this machine !

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006427

> Hi,
>
> I would like to use mailscanner with exchange 2003 and would
> appreciate knowing if someone has created a VMWare image of linux +
> mailscanner.
>
> I'm not trying to be lazy, just don't know enough about linux to do
> the install.
>
> Regards
>
> Mark

From lists at elasticmind.net Thu Nov 5 12:17:48 2009
From: lists at elasticmind.net (Mog)
Date: Thu Nov 5 12:17:51 2009
Subject: VMware image?
In-Reply-To: <4AF2BEDC.4080507@bbsoft4.org>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local> <4AF2BEDC.4080507@bbsoft4.org>
Message-ID: <4AF2C26C.5040807@elasticmind.net>

Hi,

If you don't know much about *nix operating systems and don't feel confident enough to manage this on your own, perhaps you should consider hiring someone to help you with this or do it for you?

>
>> Hi,
>>
>> I would like to use mailscanner with exchange 2003 and would
>> appreciate knowing if someone has created a VMWare image of linux +
>> mailscanner.
>>
>> I'm not trying to be lazy, just don't know enough about linux to do
>> the install.
>>
>> Regards
>>
>> Mark
>

From glenn.steen at gmail.com Thu Nov 5 12:40:48 2009
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 5 12:40:57 2009 Subject: MailScanner 4.78 In-Reply-To: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> Message-ID: <223f97700911050440n7f161826o2d98aeed8235b22d@mail.gmail.com> 2009/11/2 Ryan Ivey : > After upgrading to 4.78, I'm having problems getting MailScanner to process > mail properly.? It seems to only process mail originating from our domain. > Incoming email seems to hang in the queue indefinitely. > > Specifically, I believe the problem is here: > > > [root@mailserver incoming]# /usr/sbin/MailScanner --debug > > In Debugging mode, not forking... > Trying to setlogsock(unix) > Building a message batch to scan... > Can't call method "print" on an undefined value at > /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 743. > Something is pretyty much wrong here, probably regardiing directory permissions... Can the user "postfix" (or whatever PF runs as) really write to that working directory? Methinks not:-). Test it with "su - postfix -s /bin/bash", and then try cd into place, use touch and mkdir etc to see where (and what) the problem seems to be. > Some searching lead to checking the permission on the working dir: > drwxrwxr-x 14 clamav? clamav? 4096 Nov? 2 10:04 incoming Dear me, but you are _not_ running postfix as the clamav user, now are you? So chown that appropriately, and things should start cooking. While you're at it, since it seems you are trying to get clamd running correctly, be aware that you need setup MS so that the incoming directories are owned postfix.clamav and that the permissions are at least 0640 ... So that both postfix and clamd can read (and possibly write:-) the dirs. (snip) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Nov 5 12:48:12 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 5 12:48:22 2009
Subject: MailScanner 4.78
In-Reply-To: <200911031306.24041.Antony.Stone@mailscanner.open.source.it>
References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it>
Message-ID: <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com>

2009/11/3 Antony Stone :
> On Monday 02 November 2009 15:10, Ryan Ivey wrote:
>
>> MailScanner.conf says "Virus Scanners = clamav"
>> Found these virus scanners installed: clamavmodule
>
> You do realise that these are not the same thing, I hope?
>

Antony... When MS does the lint, it'll "prefer" clamavmodule or clamd over clamav. But there need be no "differing installs". So the look of things is actually quite normal, apart from no one really using clamav (the clamscan command) anymore, since it is too bog slow/costly to use. Actually, the clamavmodule is deprecated too, since it'll eat too much memory;-).

> They're the same virus scanning engine, but two different versions, which are
> used in very different ways - "clamav" is a command-line scanner, whereas
> "clamavmodule" is a Perl module which talks directly to the scanning engine
> and is more efficient in use.

As said, this looks quite normal. No need to worry;-).

> You might be better off leaving the config setting as "Virus Scanners = auto"
> so that MailScanner can use whatever you really do have installed.

Well, yes and no... If one uses MailWatch, that one will need to understand what auto means (which it doesn't... You'll have to make an "auto" VIRUS_REGEXP case statement that matches the first one found... perhaps not what you want... Better then to be explicit:-).
Also, if the aim is (as I suspect) to move to clamd (which is the sane choice, these days), there's no need to be less than explicit either;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From yann.b at capensis.fr Thu Nov 5 13:07:18 2009
From: yann.b at capensis.fr (Yann Bachy)
Date: Thu Nov 5 13:07:42 2009
Subject: From header problem
In-Reply-To: <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com>
References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it> <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com>
Message-ID: <20091105140718.eyngqptgcgkwk4k8@webmail.capensis.fr>

Hello everyone,

I currently have a problem on my mail server: I get spam which has 2 different "From" addresses.

Is there any way to block this kind of spam? To explain my problem I attach a screenshot of mailscanner showing the phenomenon.

Thanks

--
Yann Bachy
CAPENSIS
30 rue du Triez
59290 Wasquehal
----------------------
Tel 03 59 39 13 40
Fax 03 59 39 13 49
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sans_nom.gif
Type: image/gif
Size: 16200 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091105/c0501202/sans_nom.gif

From prandal at herefordshire.gov.uk Thu Nov 5 13:45:26 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Nov 5 13:45:44 2009
Subject: McAfee VirusScan 6.00.0 for Unix is now out
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk>

Hi folks,

McAfee have released version 6.00.0 of their Unix commandline virus scanners (available from the corporate download portal with your McAfee grant number).

This supports the avvdat pattern formats used by VirusScan 8.5 and 8.7 on windows, and will need an update to the McAfee autoupdate script in MailScanner.

Users will need to upgrade by the end of March 2010 when the old DAT formats used by earlier versions of uvscan will no longer be provided by McAfee.

If I get a chance next week, I'll have a look at the mcafee-autoupdate script to see what changes are needed.

Cheers,

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From iveymr at gmail.com Thu Nov 5 14:16:29 2009
From: iveymr at gmail.com (Ryan Ivey)
Date: Thu Nov 5 14:16:40 2009
Subject: MailScanner 4.78
In-Reply-To: <223f97700911050440n7f161826o2d98aeed8235b22d@mail.gmail.com>
References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <223f97700911050440n7f161826o2d98aeed8235b22d@mail.gmail.com>
Message-ID: <16174a770911050616r74cf0042gb9fc72da0e006f51@mail.gmail.com>

Yes, after further investigation, this boils down to permissions on /var/spool/MailScanner/incoming.

Using ClamAV, permissions are
postfix:clamav - 755 on the parent directory and ensure the Locks directory and the temporary lock directories are the same.
postfix:postfix - 600 on the remaining:
Processing.db
razor-agent.log
SpamAssassin.cache.db
SpamAssassin-Temp

Thanks

On Thu, Nov 5, 2009 at 7:40 AM, Glenn Steen wrote:
> 2009/11/2 Ryan Ivey :
> > After upgrading to 4.78, I'm having problems getting MailScanner to process
> > mail properly. It seems to only process mail originating from our domain.
> > Incoming email seems to hang in the queue indefinitely.
> >
> > Specifically, I believe the problem is here:
> >
> >
> > [root@mailserver incoming]# /usr/sbin/MailScanner --debug
> >
> > In Debugging mode, not forking...
> > Trying to setlogsock(unix)
> > Building a message batch to scan...
> > Can't call method "print" on an undefined value at
> > /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 743.
> >
> Something is pretty much wrong here, probably regarding directory
> permissions... Can the user "postfix" (or whatever PF runs as) really
> write to that working directory? Methinks not:-).
> Test it with "su - postfix -s /bin/bash", and then try cd into place,
> use touch and mkdir etc to see where (and what) the problem seems to
> be.
>
> > Some searching led to checking the permission on the working dir:
> > drwxrwxr-x 14 clamav clamav 4096 Nov 2 10:04 incoming
>
> Dear me, but you are _not_ running postfix as the clamav user, now are you?
> So chown that appropriately, and things should start cooking. While
> you're at it, since it seems you are trying to get clamd running
> correctly, be aware that you need to set up MS so that the incoming
> directories are owned postfix.clamav and that the permissions are at
> least 0640 ... So that both postfix and clamd can read (and possibly
> write:-) the dirs.
>
> (snip)
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From Garrod.Alwood at lorodoes.com Thu Nov 5 14:48:33 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Thu Nov 5 14:54:03 2009
Subject: MailScanner 4.78
In-Reply-To: <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com>
References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it>, <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com>
Message-ID:

I have found that if you comment out that line it fixes the issue also and I haven't seen any adverse effects on my servers at all.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen [glenn.steen@gmail.com] Sent: Thursday, November 05, 2009 7:48 AM To: MailScanner discussion Subject: Re: MailScanner 4.78 2009/11/3 Antony Stone : > On Monday 02 November 2009 15:10, Ryan Ivey wrote: > >> MailScanner.conf says "Virus Scanners = clamav" >> Found these virus scanners installed: clamavmodule > > You do realise that these are not the same thing, I hope? > Anthony... When MS does the lint, it'll "prefer" clamavmodule or clamd over clamav. But there need eb no "differing installs". So the look of things is actually quite normal, apart from noone really using clamav (the clamscan command) anymore, since it is too bog slow/costly to use. Actually, the clamavmodule is deprecated too, since it'll eat too much memory;-). > They're the same virus scanning engine, but two different versions, which are > used in very different ways - "clamav" is a command-line scanner, whereas > "clamavmodule" is a Perl module which talks directly to the scanning engine > and is more efficient in use. As said, this looks quite normal. No need to worry;-). > You might be better off leaving the config setting as "Virus Scanners = auto" > so that MailScanner can use whatever you really do have installed. Well, yes and no... If one uses MailWatch, that one will need understand what auto means (which it doesn't... You'll have to make an "auto" VIRUS_REGEXP case statement that match the first one found... perhaps not what you want... Better then to be explicit:-). Also, if the aim is (as I suspect) to move to clamd (which is the sane choice, these days), there's no need to be less than explicit either;-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Thu Nov 5 16:17:26 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 5 16:17:39 2009 Subject: MailScanner 4.78 In-Reply-To: References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it> <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com> Message-ID: <223f97700911050817j3f8e98bbhcd12e9813a74e2f5@mail.gmail.com> 2009/11/5 Garrod M. Alwood : > I have found that if you comment out that line it fixes the issue also and I haven't seen any adverse affects on my servers at all. > After doing that, does your system detect any infections at all? It is the wrong fix;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Garrod.Alwood at lorodoes.com Thu Nov 5 16:17:23 2009 From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood) Date: Thu Nov 5 16:23:33 2009 Subject: MailScanner 4.78 In-Reply-To: <223f97700911050817j3f8e98bbhcd12e9813a74e2f5@mail.gmail.com> References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it> <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com> , <223f97700911050817j3f8e98bbhcd12e9813a74e2f5@mail.gmail.com> Message-ID: Clamav doesn't catch everything, I'll try your fix and see if it helps. Garrod M. Alwood Consultant garrod.alwood@lorodoes.com 904.738.4988 ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen [glenn.steen@gmail.com] Sent: Thursday, November 05, 2009 11:17 AM To: MailScanner discussion Subject: Re: MailScanner 4.78 2009/11/5 Garrod M. Alwood : > I have found that if you comment out that line it fixes the issue also and I haven't seen any adverse affects on my servers at all. > After doing that, does your system detect any infections at all? It is the wrong fix;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at rtpty.com Thu Nov 5 16:51:00 2009 
From: alex at rtpty.com (Alex Neuman) Date: Thu Nov 5 16:51:23 2009 Subject: MailScanner 4.78 In-Reply-To: <223f97700911050817j3f8e98bbhcd12e9813a74e2f5@mail.gmail.com> References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it> <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com> <223f97700911050817j3f8e98bbhcd12e9813a74e2f5@mail.gmail.com> Message-ID: <06677BAD-940D-48BD-84DF-BB386F39DD73@rtpty.com> By "the wrong fix" he means "making the problem go away isn't necessarily the same as solving it". Reminds me of the time a friend disconnected the internal speaker because of some "infernal beeping". Turns out that the noise the broken CPU fan was making was made worse by the beeping. He was replacing his CPU soon after. Just my 2c. On Nov 5, 2009, at 11:17 AM, Glenn Steen wrote: > 2009/11/5 Garrod M. Alwood : >> I have found that if you comment out that line it fixes the issue >> also and I haven't seen any adverse affects on my servers at all. >> > After doing that, does your system detect any infections at all? It is > the wrong fix;-). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Garrod.Alwood at lorodoes.com Thu Nov 5 17:25:52 2009 
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood) Date: Thu Nov 5 17:31:21 2009 Subject: MailScanner 4.78 In-Reply-To: <06677BAD-940D-48BD-84DF-BB386F39DD73@rtpty.com> References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it> <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com> <223f97700911050817j3f8e98bbhcd12e9813a74e2f5@mail.gmail.com>, <06677BAD-940D-48BD-84DF-BB386F39DD73@rtpty.com> Message-ID: I know what he meant, but I was in a hurry and under pressure. My spamfilters still catch viruses if thats what you are asking. Garrod M. Alwood Consultant garrod.alwood@lorodoes.com 904.738.4988 ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman [alex@rtpty.com] Sent: Thursday, November 05, 2009 11:51 AM To: MailScanner discussion Subject: Re: MailScanner 4.78 By "the wrong fix" he means "making the problem go away isn't necessarily the same as solving it". Reminds me of the time a friend disconnected the internal speaker because of some "infernal beeping". Turns out that the noise the broken CPU fan was making was made worse by the beeping. He was replacing his CPU soon after. Just my 2c. On Nov 5, 2009, at 11:17 AM, Glenn Steen wrote: > 2009/11/5 Garrod M. Alwood : >> I have found that if you comment out that line it fixes the issue >> also and I haven't seen any adverse affects on my servers at all. >> > After doing that, does your system detect any infections at all? It is > the wrong fix;-). > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Thu Nov 5 19:20:02 2009 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 5 19:20:13 2009
Subject: MailScanner Overload...
In-Reply-To:
References: <36AEF7A71719452FB1E5E466F4A296A1@GCPNB3> <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FC6@ts-dc2.ts-webarts.local>
Message-ID: <223f97700911051120i1a691dd7m4d7dbcdd75db6fa5@mail.gmail.com>

Also check that your bayes_seen file isn't ridiculously large, and if so... Clear it. One other thing is to radically increase your SpamAssassin Timeout value, so that an expiry has a chance of finishing;-)...

Cheers
--
-- Glenn

2009/11/5, Clay Goss :
> Roland,
>
> Reducing Max Children to 3 settled it down. It is still a very marginal box
> and once I have the time to get the new system completed, I can retire this
> old friend.
>
> Thanks!
> Clay Goss
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 5 19:26:49 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 5 19:27:00 2009
Subject: VMware image?
In-Reply-To: <4AF2C26C.5040807@elasticmind.net>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local> <4AF2BEDC.4080507@bbsoft4.org> <4AF2C26C.5040807@elasticmind.net>
Message-ID: <223f97700911051126k1681cec7qdf57723d32bf72a6@mail.gmail.com>

... Or buy something nice, like DefenderMX, from fortress systems... It is a nicely packaged and supported commercial version of MailScanner...;-)

Cheers

2009/11/5, Mog :
> Hi,
>
> If you don't know much about *nix operating systems and don't feel
> confident enough to manage this on your own, perhaps you should
> consider hiring someone to help you with this or do it for you?
>
>>
>>> Hi,
>>>
>>> I would like to use mailscanner with exchange 2003 and would
>>> appreciate knowing if someone has created a VMWare image of linux +
>>> mailscanner.
>>>
>>> I'm not trying to be lazy, just don't know enough about linux to do
>>> the install.
>>>
>>> Regards
>>>
>>> Mark
>>>
>>> __________ Information from ESET NOD32 Antivirus, version of virus
>>> signature database 4574 (20091104) __________
>>>
>>> The message was checked by ESET NOD32 Antivirus.
>>>
>>> http://www.eset.com
>>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mgregory at agama.com.au Thu Nov 5 22:06:28 2009
From: mgregory at agama.com.au (Mark Gregory) Date: Thu Nov 5 22:06:42 2009 Subject: VMware image? In-Reply-To: <4AF2C26C.5040807@elasticmind.net> References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org> <4AF2C26C.5040807@elasticmind.net> Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local> Hi, This is a good idea too. I will hunt around and see who is local with this knowledge. Regards, Mark -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mog Sent: Thursday, 5 November 2009 11:18 PM To: MailScanner discussion Subject: Re: VMware image? Hi, If you don't know much about *nix operating systems and don't feel confident enough to manage this on your own, perhaps you should considering hiring someone to help you with this or do it for you? > >> Hi, >> >> I would like to use mailscanner with exchange 2003 and would >> appreciate knowing if someone has created a VMWare image of linux + >> mailscanner. >> >> I'm not trying to be lazy, just don't know enough about linux to do >> the install. >> >> Regards >> >> Mark >> >> >> >> __________ Information from ESET NOD32 Antivirus, version of virus >> signature database 4574 (20091104) __________ >> >> The message was checked by ESET NOD32 Antivirus. >> >> http://www.eset.com > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! __________ Information from ESET NOD32 Antivirus, version of virus signature database 4575 (20091105) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 4577 (20091105) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com From prandal at herefordshire.gov.uk Thu Nov 5 22:48:39 2009 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Nov 5 22:48:59 2009 Subject: McAfee VirusScan 6.00.0 for Unix is now out In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CFBA@HC-MBX02.herefordshire.gov.uk> OK, here's the difference in output between new and old uvscan. New uvscan V6.00: ------------------------------------------------------------------------ ------------------------ # uvscan eicar.com McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309 Copyright (C) 2009 McAfee, Inc. (408) 988-3832 LICENSED COPY - November 05 2009 AV Engine version: 5400.1158 for Linux32. Dat set version: 5793 created Nov 5 2009 Scanning for 582800 viruses, trojans and variants. /usr/src/eicar.com ... Found: EICAR test file NOT a virus. Time: 00:00.00 ------------------------------------------------------------------------ ------------------------ Old: ------------------------------------------------------------------------ ------------------------ # uvscan eicar.com /usr/src/eicar.com Found: EICAR test file NOT a virus. ------------------------------------------------------------------------ ------------------------ So SweepViruses.pm will need amending to parse the output... mcafee-autoupdate for the new DAT files needs a few changes. Here's a .diff (tested, working) ------------------------------------------------------------------------ ------------------------ --- mcafee-autoupdate.old 2009-11-05 20:56:43.000000000 +0000 +++ mcafee-autoupdate 2009-11-05 21:44:26.000000000 +0000 @@ -21,7 +21,7 @@ # defaults OPTS="-d" PREFIX=/usr/local/uvscan -FTPDIR=http://download.nai.com/products/datfiles/4.x/nai +FTPDIR=http://download.nai.com/products/commonupdater RETRIES=1 INTERVAL=300 
@@ -100,7 +100,7 @@ # where this script finds things DATDIR=$PREFIX/datfiles -DATFILES="clean.dat extra.dat internet.dat names.dat scan.dat" +DATFILES="avvclean.dat extra.dat avvnames.dat avvscan.dat runtime.dat" LINKNAME=current LINKREL=datfiles/$LINKNAME @@ -248,14 +248,14 @@ while : do # fetch and extract dat files - TARFILE=dat-$VERSION.tar + TARFILE=avvdat-$VERSION.zip run mkdir $VERSION run cd $VERSION run chmod 700 . if ! run wget --tries=$try --waitretry=$INTERVAL --passive-ftp --progre ss=dot:mega $FTPDIR/$TARFILE then retry fi - run tar xvf $TARFILE + run unzip $TARFILE run chmod 644 * run chmod 755 . ------------------------------------------------------------------------ ------------------------------- At this point I'm going to hand over to someone who knows perl and bash scripting better than I do. Cheers, Phil ________________________________ 
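Review bot: FTPDIR in the first hunk (@@ -21,7 +21,7 @@) is a plain http:// base URL, and nothing in the visible hunks verifies what wget fetched before it is unpacked and made readable in the dat directory. Because these files decide what the scanner detects, check the archive against a vendor-published checksum or signature, if one is offered alongside it, before extraction. The name FTPDIR also no longer describes its value; a rename or a one-line comment would help.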
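Review bot: The DATFILES line in the second hunk (@@ -100,7 +100,7 @@) replaces the old file names outright, so after this change the script serves only the avvdat layout and an installation still running an earlier uvscan gets no usable update from it. Consider choosing the file list (together with the URL and archive name changed in the other two hunks) from the installed uvscan version, or at least state the 6.0 requirement in the script's header comment.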
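Review bot: In the third hunk (@@ -248,14 +248,14 @@) the variable TARFILE now names a .zip and is handed to "run unzip $TARFILE", which adds a dependency on unzip that the script did not have and extracts every member of the archive before "run chmod 644 *". Consider renaming the variable, failing early with a clear message when unzip is not installed, quoting "$TARFILE", and extracting only the expected .dat members rather than everything in the archive.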
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: 05 November 2009 13:45 To: MailScanner discussion Subject: McAfee VirusScan 6.00.0 for Unix is now out Hi folks, McAfee have released version 6.00.0 of their Unix commandline virus scanners (available from the corporate downl;oad portal with your McAfee grant number). This supports the avvdat pattern formats used by VirusScan 8.5 and 8.7 on windows, and will need an update to the McAfee autoupdate script in MailScanner. Users will need to upgrade by the end of March 2010 when the old DAT formats used by earlier versions of uvscan will no longer be provided by McAfee. If I get a chance next week, I'll have a look at the mcafee-autoupdate script to see what changes are needed. Cheers, Phil -- Phil Randal | Networks Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. 
From alvaro at hostalia.com Fri Nov 6 09:53:33 2009
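The layout change described in the message above (path and "Found:" on one line in uvscan 6.0, on two lines before) is the kind of change that makes a wrapper stop reporting detections without raising any error. As an added example, in Python and not MailScanner's SweepViruses.pm code, this parser accepts both layouts and shows a two-line-only parser missing the new one; the function names are illustrative and the sample transcripts are retyped from the two outputs quoted in the message.

```python
"""Parse uvscan reports in the two layouts quoted in the thread.

Added illustration; not MailScanner code. Only the "Found:" layouts
shown in the thread are handled, and all names here are illustrative.
"""
import re

# Constructed samples, retyped from the transcripts quoted in the message.
OLD_OUTPUT = """\
/usr/src/eicar.com
\tFound: EICAR test file NOT a virus.
"""

NEW_OUTPUT = """\
McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309
Copyright (C) 2009 McAfee, Inc.
(408) 988-3832 LICENSED COPY - November 05 2009

AV Engine version: 5400.1158 for Linux32.
Dat set version: 5793 created Nov 5 2009
Scanning for 582800 viruses, trojans and variants.

/usr/src/eicar.com ... Found: EICAR test file NOT a virus.


Time: 00:00.00
"""

# New layout: path and verdict share one line, joined by " ... ".
SAME_LINE = re.compile(r"^(?P<path>/.+?) \.\.\. Found: (?P<report>.+)$")
# Old layout: the verdict is on its own line, after the path line.
FOUND_ONLY = re.compile(r"^\s*Found: (?P<report>.+)$")


def parse_uvscan(output):
    """Return a list of (path, report) tuples for either layout.

    A "Found:" line with no preceding path is returned with path None
    so the caller can fail closed instead of dropping the detection.
    """
    findings = []
    pending_path = None
    for raw in output.splitlines():
        line = raw.rstrip()
        match = SAME_LINE.match(line)
        if match:
            findings.append((match.group("path"), match.group("report")))
            pending_path = None
            continue
        match = FOUND_ONLY.match(line)
        if match:
            findings.append((pending_path, match.group("report")))
            pending_path = None
            continue
        # Remember a bare path line; banner and blank lines reset it.
        pending_path = line if line.startswith("/") else None
    return findings


def parse_two_line_only(output):
    """A parser that knows only the old layout, kept to show the silent miss."""
    findings, pending = [], None
    for raw in output.splitlines():
        match = FOUND_ONLY.match(raw)
        if match and pending:
            findings.append((pending, match.group("report")))
        pending = raw.strip() if raw.startswith("/") else None
    return findings


def canary_detected(parser, output, canary="EICAR test file"):
    """True if the parser reports the EICAR test file in the given output."""
    return any(canary in report for _path, report in parser(output))


if __name__ == "__main__":
    for name, sample in (("old", OLD_OUTPUT), ("new", NEW_OUTPUT)):
        print(name, "both-layout parser:", parse_uvscan(sample))
        print(name, "two-line-only parser:", parse_two_line_only(sample))
    print("canary seen after upgrade:",
          canary_detected(parse_two_line_only, NEW_OUTPUT))
```

Running the EICAR check through the wrapper after every scanner upgrade turns a silent parsing miss into a visible failure.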
From: alvaro at hostalia.com (Alvaro Marín)
Date: Fri Nov 6 09:53:39 2009
Subject: Postfix and MailScanner logger
Message-ID: <4AF3F21D.7060904@hostalia.com>

Hi,

I'm searching for a logger tool to store in a MySQL table Postfix and MailScanner's logs.
The idea is to save in a database values like:

- sender IP
- sender address
- destination address
- if the mail was blocked by RBLs, rate-limit...
- the result of SpamAssassin test (from MailScanner)
- the result of MailScanner process (deliver, deliver+header or delete)

or something like that.
I've found this project:

http://white-box.us/projects/maillog-logger/

but I can't download the code (not found) and the developer doesn't reply.

Anyone knows a tool like this or I've to do it myself? :)

Thanks!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From pascal.maes at elec.ucl.ac.be Fri Nov 6 10:14:15 2009
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Fri Nov 6 10:14:49 2009
Subject: McAfee VirusScan 6.00.0 for Unix is now out
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CFBA@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA03CFBA@HC-MBX02.herefordshire.gov.uk>
Message-ID: <386E3671-9D06-4757-A231-255BE3849528@elec.ucl.ac.be>

On 5 Nov 2009 at 23:48, Randal, Phil wrote:

> OK, here's the difference in output between new and old uvscan.
>
> New uvscan V6.00:
> ------------------------------------------------------------------------------------------------
> # uvscan eicar.com
> McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309
> Copyright (C) 2009 McAfee, Inc.
> (408) 988-3832 LICENSED COPY - November 05 2009
>
> AV Engine version: 5400.1158 for Linux32.
> Dat set version: 5793 created Nov 5 2009
> Scanning for 582800 viruses, trojans and variants.
>
> /usr/src/eicar.com ... Found: EICAR test file NOT a virus.
>
>
> Time: 00:00.00
> ------------------------------------------------------------------------------------------------
>
> Old:
> ------------------------------------------------------------------------------------------------
> # uvscan eicar.com
> /usr/src/eicar.com
> Found: EICAR test file NOT a virus.
> ------------------------------------------------------------------------------------------------
>
> So SweepViruses.pm will need amending to parse the output...
>
> mcafee-autoupdate for the new DAT files needs a few changes. Here's
> a .diff (tested, working)

Thanks for the update.

Another difference between the versions is the time needed to scan a directory

Old:

# time /usr/local/bin/uvscan --recursive --ignore-links --analyze --mime --secure --noboot /tmp/EI
/tmp/EI/EICAR.COM
Found: EICAR test file NOT a virus.

real 0m11.041s
user 0m2.962s
sys 0m0.294s

New:

# time ./uvscan --recursive --ignore-links --analyze --mime --secure --noboot /tmp/EI
McAfee VirusScan Command Line for Linux64 Version: 6.0.0.309
Copyright (C) 2009 McAfee, Inc.
(408) 988-3832 LICENSED COPY - November 05 2009

AV Engine version: 5400.1158 for Linux64.
Dat set version: 5793 created Nov 5 2009
Scanning for 582800 viruses, trojans and variants.

/tmp/EI/EICAR.COM ... Found: EICAR test file NOT a virus.

Time: 00:00.00

real 1m55.151s
user 0m18.324s
sys 0m0.214s

--
Pascal

From Antony.Stone at mailscanner.open.source.it Fri Nov 6 10:21:07 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Fri Nov 6 10:21:17 2009
Subject: Postfix and MailScanner logger
In-Reply-To: <4AF3F21D.7060904@hostalia.com>
References: <4AF3F21D.7060904@hostalia.com>
Message-ID: <200911061021.07890.Antony.Stone@mailscanner.open.source.it>

On Friday 06 November 2009 09:53, Alvaro Marín wrote:

> Hi,
>
> I'm searching for a logger tool to store in a MySQL table Postfix and
> MailScanner's logs.
> The idea is to save in a database values like:
>
> - sender IP
> - sender address
> - destination address
> - if the mail was blocked by RBLs, rate-limit...
> - the result of SpamAssassin test (from MailScanner)
> - the result of MailScanner process (deliver, deliver+header or delete)

> Anyone knows a tool like this or I've to do it myself? :)

Have you considered http://mailwatch.sourceforge.net/ ?

Antony.

--
I conclude that there are two ways of constructing a software design: One way is to make it so simple that there are _obviously_ no deficiencies, and the other way is to make it so complicated that there are no _obvious_ deficiencies.

- C A R Hoare

Please reply to the list; please don't CC me.

From ms-list at alexb.ch Fri Nov 6 10:24:59 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Nov 6 10:25:11 2009
Subject: Postfix and MailScanner logger
In-Reply-To: <200911061021.07890.Antony.Stone@mailscanner.open.source.it>
References: <4AF3F21D.7060904@hostalia.com> <200911061021.07890.Antony.Stone@mailscanner.open.source.it>
Message-ID: <4AF3F97B.4070504@alexb.ch>

On 11/6/2009 11:21 AM, Antony Stone wrote:
> On Friday 06 November 2009 09:53, Alvaro Marín wrote:
>
>> Hi,
>>
>> I'm searching for a logger tool to store in a MySQL table Postfix and
>> MailScanner's logs.
>> The idea is to save in a database values like:
>>
>> - sender IP
>> - sender address
>> - destination address
>> - if the mail was blocked by RBLs, rate-limit...
>> - the result of SpamAssassin test (from MailScanner)
>> - the result of MailScanner process (deliver, deliver+header or delete)
>
>> Anyone knows a tool like this or I've to do it myself? :)
>
> Have you considered http://mailwatch.sourceforge.net/ ?

mailwatch only stores data processed by MailScanner and not MTA data,
Sendmail, Postfix, etc. data.

rsyslog or syslog-ng seem to be closer to what Alvaro is looking for.

Alex

From mailadmin at midland-ics.ie Fri Nov 6 10:26:13 2009
From: mailadmin at midland-ics.ie (MailAdmin)
Date: Fri Nov 6 10:26:35 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local>
Message-ID: <7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local>

Has anyone tried using Nod32 Version 4 on their MS Boxes?
Is it hard on processor/ram?
Is the configuration easy?

Thanks

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From mgregory at agama.com.au Fri Nov 6 10:33:25 2009
From: mgregory at agama.com.au (Mark Gregory)
Date: Fri Nov 6 10:33:41 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net><8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local> <7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local>
Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A539@phoenix.gtoffice.local>

We use and sell NOD32. It is very easy to use and works well. We have a couple of clients who wish to try the Microsoft antivirus / defender approach and time will tell if this works as well as NOD32.

Regards
Mark

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4578 (20091106) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

From alvaro at hostalia.com Fri Nov 6 10:37:17 2009
From: alvaro at hostalia.com (Alvaro Marín)
Date: Fri Nov 6 10:37:20 2009
Subject: Postfix and MailScanner logger
In-Reply-To: <4AF3F97B.4070504@alexb.ch>
References: <4AF3F21D.7060904@hostalia.com> <200911061021.07890.Antony.Stone@mailscanner.open.source.it> <4AF3F97B.4070504@alexb.ch>
Message-ID: <4AF3FC5D.6020609@hostalia.com>

Alex Broens wrote:
> On 11/6/2009 11:21 AM, Antony Stone wrote:
>> On Friday 06 November 2009 09:53, Alvaro Marín wrote:
>>
>>> Hi,
>>>
>>> I'm searching for a logger tool to store in a MySQL table Postfix and
>>> MailScanner's logs.
>>> The idea is to save in a database values like:
>>>
>>> - sender IP
>>> - sender address
>>> - destination address
>>> - if the mail was blocked by RBLs, rate-limit...
>>> - the result of SpamAssassin test (from MailScanner)
>>> - the result of MailScanner process (deliver, deliver+header or delete)
>>
>>> Anyone knows a tool like this or I've to do it myself? :)
>>
>> Have you considered http://mailwatch.sourceforge.net/ ?
>
> mailwatch only stores data processed by MailScanner and not MTA data,
> Sendmail, Postfix,etc data.
>
> rsyslog or syslog-ng seem to closer to what Alvaro is looking for.

Yes, as you've said, Mailwatch is only for MailScanner.
Anyway, I think that I have so much traffic to have a solution like rsyslog/syslog-ng (in real time) or MW.
I'm searching for a script that parses the logs (each hour, for example) and stores SMTP/MailScanner data in MySQL; then a web interface in PHP.
I think that I'll have to program it myself :)

Thanks!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From jonas at vrt.dk Fri Nov 6 10:54:51 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Fri Nov 6 10:55:03 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local> <7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local>
Message-ID: <001301ca5ecf$90d2b650$b27822f0$@dk>

I've used Nod32 for a couple of years and we often sell it to our clients.
And I use version 3.x on our MS servers.

As far as I know there is no version 4 for linux servers?

Best regards

Jonas A. Larsen

From mgregory at agama.com.au Fri Nov 6 11:01:53 2009
From: mgregory at agama.com.au (Mark Gregory)
Date: Fri Nov 6 11:02:06 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <001301ca5ecf$90d2b650$b27822f0$@dk>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local><7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local> <001301ca5ecf$90d2b650$b27822f0$@dk>
Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A53A@phoenix.gtoffice.local>

I did not realize that version 3.x would install on win servers. Does it still do ok at finding problems?

I have been installing a great port of clamav onto my win servers recently and it seems ok too.

Regards
Mark

From mailadmin at midland-ics.ie Fri Nov 6 11:10:34 2009
From: mailadmin at midland-ics.ie (MailAdmin)
Date: Fri Nov 6 11:10:55 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <001301ca5ecf$90d2b650$b27822f0$@dk>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local><7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local> <001301ca5ecf$90d2b650$b27822f0$@dk>
Message-ID: <7AF154895A006D46BA4FFB035ABC0993704B@aragorn.midland-ics.local>

Thanks to you both for your quick responses.
I also sell the Eset, I have a good contact in ESET and will ask re the Version 4.
I know Version 5 is soon out.

Mark - I think Jonas means MS = MailScanner running Version 3.x

Kevin

From mgregory at agama.com.au Fri Nov 6 11:21:30 2009
From: mgregory at agama.com.au (Mark Gregory)
Date: Fri Nov 6 11:21:41 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <7AF154895A006D46BA4FFB035ABC0993704B@aragorn.midland-ics.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local><7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local><001301ca5ecf$90d2b650$b27822f0$@dk> <7AF154895A006D46BA4FFB035ABC0993704B@aragorn.midland-ics.local>
Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A53B@phoenix.gtoffice.local>

Hi Kevin,

Thank you for the response. I did not realize mailscanner can run on a win32 box.

I'm going to try to setup esva as a gateway to my exchange server. Gotta stop the spam and the cost of antivirus.

Regards
Mark

From paul.hutchings at mira.co.uk Fri Nov 6 11:35:00 2009
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Fri Nov 6 11:35:17 2009
Subject: Remove Duplicate Signatures Not Working?
Message-ID:

Any idea why my html signatures give an "Error! Filename not specified." when using the signature block below?

The "MailScanner Signature MIRA" line is what I've been given by our html chap as the bit to remove duplicate sigs.

---- BEGIN ----

MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

MailScanner Signature MIRA
---- END ----

--
Paul Hutchings
Network Administrator, MIRA Ltd
t: +44 (0)24 7635 5378
e: paul.hutchings@mira.co.uk

From mailadmin at midland-ics.ie Fri Nov 6 11:35:23 2009
From: mailadmin at midland-ics.ie (MailAdmin)
Date: Fri Nov 6 11:35:44 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <8B6E1874AEFB4E47BBB5184243791F8E19A53B@phoenix.gtoffice.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local><7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local><001301ca5ecf$90d2b650$b27822f0$@dk><7AF154895A006D46BA4FFB035ABC0993704B@aragorn.midland-ics.local> <8B6E1874AEFB4E47BBB5184243791F8E19A53B@phoenix.gtoffice.local>
Message-ID: <7AF154895A006D46BA4FFB035ABC0993704C@aragorn.midland-ics.local>

Hi Mark,

There was no mention of Win32 :) I don't think MailScanner runs on it.
Not that I would put it on one if it did.

All the best
Kevin

From jonas at vrt.dk Fri Nov 6 11:50:17 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Fri Nov 6 11:50:29 2009
Subject: ESET Nod 32 Version 4
In-Reply-To: <7AF154895A006D46BA4FFB035ABC0993704C@aragorn.midland-ics.local>
References: <8B6E1874AEFB4E47BBB5184243791F8E19A514@phoenix.gtoffice.local><4AF2BEDC.4080507@bbsoft4.org><4AF2C26C.5040807@elasticmind.net> <8B6E1874AEFB4E47BBB5184243791F8E19A517@phoenix.gtoffice.local><7AF154895A006D46BA4FFB035ABC09937048@aragorn.midland-ics.local><001301ca5ecf$90d2b650$b27822f0$@dk><7AF154895A006D46BA4FFB035ABC0993704B@aragorn.midland-ics.local> <8B6E1874AEFB4E47BBB5184243791F8E19A53B@phoenix.gtoffice.local> <7AF154895A006D46BA4FFB035ABC0993704C@aragorn.midland-ics.local>
Message-ID: <001c01ca5ed7$4f942950$eebc7bf0$@dk>

Hehe indeed, this got confusing quickly :)

My point was simply this:

ESET Nod32 version 3.x works great with mailscanner.
However I don't think there is a version 4 which will install on the operating sytems that mailscanner supports *nix) I am running version 3.x on our mailscanners and I would be supprised if there was a version 4 I could install, at least there was no such product a couple of months back. (It exists for the windows platform not the unix one) Hope that clears up my part of the confusion :) Best regards Jonas > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of MailAdmin > Sent: 6. november 2009 12:35 > To: MailScanner discussion > Subject: RE: ESET Nod 32 Version 4 > > Hi Mark, > > There was no mention of Win32 :) I don't think MailScanner runs on it. > Not that I would put it on one if it did. > > All the best > Kevin > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark > Gregory > Sent: 06 November 2009 11:22 > To: MailScanner discussion > Subject: RE: ESET Nod 32 Version 4 > > Hi Kevin, > > Thank you for the response. I did not realize mailscanner can run on a > win32 box. > > I'm going to try to setup esva as a gateway to my exchange server. > Gotta > stop the spam and the cost of antivirus. > > Regards > Mark > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > MailAdmin > Sent: Friday, 6 November 2009 10:11 PM > To: MailScanner discussion > Subject: RE: ESET Nod 32 Version 4 > > Thanks to you both for your quick responses. > I also sell the Eset, I have a good contact in ESET and will ask re the > Version 4. > I know Version 5 is soon out. 
> Mark - I think Jonas means MS = MailScanner running Version 3.x > > Kevin > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas > A. Larsen > Sent: 06 November 2009 10:55 > To: 'MailScanner discussion' > Subject: RE: ESET Nod 32 Version 4 > > I've used Nod32 for a couple of years and we often sell it to our > clients. > And I use version 3.x on our MS servers. > > As far as I know there is no version 4 for linux servers? > > Best regards > > Jonas A. Larsen > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of MailAdmin > > Sent: 6. november 2009 11:26 > > To: MailScanner discussion > > Subject: ESET Nod 32 Version 4 > > > > Has anyone tried using Nod32 Version 4 on their MS Boxes? > > Is it hard on processor/ram? > > Is the configuration easy? > > > > Thanks > > > > This e-mail is intended solely for the addressee(s) and is strictly > > confidential. The unauthorised use, disclosure or copying of this e- > > mail, or any information it contains is prohibited. If you have > > received this e-mail in error, please notify us immediately and then > > permanently delete it. Although Midland Internet & Computer Solutions > > make every effort to keep our systems free from viruses you should > > check this e-mail and any attachments to it for viruses as we cannot > > accept any liability for viruses inadvertently transmitted by use. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > This e-mail is intended solely for the addressee(s) and is strictly > confidential. The unauthorised use, disclosure or copying of this > e-mail, or any information it contains is prohibited. If you have > received this e-mail in error, please notify us immediately and then > permanently delete it. Although Midland Internet & Computer Solutions > make every effort to keep our systems free from viruses you should > check > this e-mail and any attachments to it for viruses as we cannot accept > any liability for viruses inadvertently transmitted by use. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4578 (20091106) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4578 (20091106) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
From Antony.Stone at mailscanner.open.source.it Fri Nov 6 12:02:07 2009 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Fri Nov 6 12:02:20 2009 Subject: Remove Duplicate Signatures Not Working? In-Reply-To: References: Message-ID: <200911061202.08061.Antony.Stone@mailscanner.open.source.it> On Friday 06 November 2009 11:35, Paul Hutchings wrote: > Any idea why my html signatures give an "Error! Filename not specified." > when using the signature block below? > > The "MailScanner Signature MIRA" line is > what I've been given by our html chap as the bit to remove duplicate > sigs. 'src' is a required attribute of the 'img' tag. You haven't specified what the image *is*. Antony. -- Atheism is a non-prophet-making organisation. Please reply to the list; please don't CC me. From paul.hutchings at mira.co.uk Fri Nov 6 12:39:26 2009 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Fri Nov 6 12:39:43 2009 Subject: Remove Duplicate Signatures Not Working?
In-Reply-To: <200911061202.08061.Antony.Stone@mailscanner.open.source.it> References: <200911061202.08061.Antony.Stone@mailscanner.open.source.it> Message-ID: Ok keep in mind what I know about html could be written on a small stamp, but from the config guide, it suggested you don't need an image..? http://www.mailscanner.info/MailScanner.conf.index.html#Allow Multiple HTML Signatures "If you want to use this option without inserting an image into the signature, simply specify an tag without a "src" attribute." -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Antony Stone Sent: 06 November 2009 12:02 To: MailScanner discussion Subject: Re: Remove Duplicate Signatures Not Working? On Friday 06 November 2009 11:35, Paul Hutchings wrote: > Any idea why my html signatures give an "Error! Filename not specified." > when using the signature block below? > > The "MailScanner Signature MIRA" line is > what I've been given by our html chap as the bit to remove duplicate > sigs. 'src' is a required attribute of the 'img' tag. You haven't specified what the image *is*. Antony. -- Atheism is a non-prophet-making organisation. Please reply to the list; please don't CC me. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. 
From Antony.Stone at mailscanner.open.source.it Fri Nov 6 12:57:58 2009 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Fri Nov 6 12:58:45 2009 Subject: Remove Duplicate Signatures Not Working? In-Reply-To: References: <200911061202.08061.Antony.Stone@mailscanner.open.source.it> Message-ID: <200911061357.58900.Antony.Stone@mailscanner.open.source.it> On Friday 06 November 2009, Paul Hutchings wrote: > Ok keep in mind what I know about html could be written on a small > stamp, but from the config guide, it suggested you don't need an > image..? > >http://www.mailscanner.info/MailScanner.conf.index.html#Allow%20Multiple%20HTML%20Signatures > > "If you want to use this option without inserting an image > into the signature, simply specify an tag without a "src" > attribute." Fair enough, I hadn't seen that. I was simply going from my understanding of HTML, such as: http://www.w3schools.com/tags/att_img_src.asp http://www.htmlcodetutorial.com/images/_IMG_SRC.html http://htmlhelp.com/reference/html40/special/img.html These all state that src is required for img. Antony. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Antony > Stone > Sent: 06 November 2009 12:02 > To: MailScanner discussion > Subject: Re: Remove Duplicate Signatures Not Working? > > On Friday 06 November 2009 11:35, Paul Hutchings wrote: > > Any idea why my html signatures give an "Error! Filename not > > specified." when using the signature block below? > > > > The "MailScanner Signature MIRA" line is > > what I've been given by our html chap as the bit to remove duplicate > > sigs. > > 'src' is a required attribute of the 'img' tag. > > You haven't specified what the image *is*. > > > Antony. -- If you can't find an Open Source solution for it, then it isn't a real problem. Please reply to the list; please don't CC me. 
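The duplicate-signature check discussed in the thread above, as an added example that is not part of the original posts and is not MailScanner's own code: a stamper that skips messages already carrying a marker img, plus a lint for the src-less marker case. The alt-text matching rule, the function names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: a signature counts as "already present" when the message holds an
# <img> whose alt text contains both of these words.
MARKER_WORDS = ("mailscanner", "signature")

# Constructed sample signature: marker <img> with alt text and no src.
SIGNATURE = (
    "<p>This message has been scanned by the mail gateway."
    '<img alt="MailScanner Signature EXAMPLE"></p>'
)
# Constructed sample message body.
ORIGINAL = "<html><body><p>Quarterly figures attached.</p></body></html>"


class MarkerFinder(HTMLParser):
    """Collect every <img> whose alt text contains all MARKER_WORDS."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.markers = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        # HTMLParser lower-cases names; a valueless attribute has value None.
        attr = {name: (value or "") for name, value in attrs}
        alt = attr.get("alt", "")
        if all(word in alt.lower() for word in MARKER_WORDS):
            has_src = bool(attr.get("src", "").strip())
            self.markers.append({"alt": alt, "has_src": has_src})


def find_markers(html):
    """Return the marker images found in html (commented-out tags are ignored)."""
    finder = MarkerFinder()
    finder.feed(html)
    finder.close()
    return finder.markers


def stamp(html, signature_html, allow_multiple=False):
    """Return (new_html, added). Skips stamping when a marker already exists."""
    if not allow_multiple and find_markers(html):
        return html, False
    closers = list(re.finditer(r"</body\s*>", html, re.IGNORECASE))
    if not closers:
        return html + signature_html, True
    cut = closers[-1].start()
    return html[:cut] + signature_html + html[cut:], True


def lint_signature(signature_html):
    """Warn about signature templates that defeat or complicate deduplication."""
    markers = find_markers(signature_html)
    if not markers:
        return ["no marker <img>: every pass through the gateway adds another copy"]
    warnings = []
    for marker in markers:
        if not marker["has_src"]:
            warnings.append(
                "marker %r has no src: usable as a marker here, but src is a "
                "required <img> attribute, so check how mail clients render it"
                % marker["alt"]
            )
    return warnings


if __name__ == "__main__":
    once, added = stamp(ORIGINAL, SIGNATURE)
    again, added_again = stamp(once, SIGNATURE)  # e.g. a reply passing back through
    print(added, added_again, again == once)
    print(lint_signature(SIGNATURE))
```

Parsing the HTML rather than searching for the marker string means a marker that only appears inside an HTML comment or in body text does not suppress the signature.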
From J.Ede at birchenallhowden.co.uk Fri Nov 6 13:15:14 2009
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Fri Nov 6 13:15:35 2009
Subject: Postfix and MailScanner logger
In-Reply-To: <4AF3FC5D.6020609@hostalia.com>
References: <4AF3F21D.7060904@hostalia.com> <200911061021.07890.Antony.Stone@mailscanner.open.source.it> <4AF3F97B.4070504@alexb.ch> <4AF3FC5D.6020609@hostalia.com>
Message-ID: <1213490F1F316842A544A850422BFA9612870A166B@BHLSBS.bhl.local>

I've been thinking of writing something very similar for use here to bring together from all our mail servers with an additional field of receiving server name... Any chance you can post to the list if you manage to do this?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alvaro Marín
> Sent: 06 November 2009 10:37
> To: MailScanner discussion
> Subject: Re: Postfix and MailScanner logger
>
> Alex Broens wrote:
> > On 11/6/2009 11:21 AM, Antony Stone wrote:
> >> On Friday 06 November 2009 09:53, Alvaro Marín wrote:
> >>
> >>> Hi,
> >>>
> >>> I'm searching for a logger tool to store in a MySQL table Postfix and
> >>> MailScanner's logs.
> >>> The idea is to save in a database values like:
> >>>
> >>> - sender IP
> >>> - sender address
> >>> - destination address
> >>> - if the mail was blocked by RBLs, rate-limit...
> >>> - the result of SpamAssassin test (from MailScanner)
> >>> - the result of MailScanner process (deliver, deliver+header or delete)
> >>
> >>> Anyone knows a tool like this or I've to do it myself? :)
> >>
> >> Have you considered http://mailwatch.sourceforge.net/ ?
> >
> > mailwatch only stores data processed by MailScanner and not MTA data,
> > Sendmail, Postfix,etc data.
> >
> > rsyslog or syslog-ng seem to closer to what Alvaro is looking for.
>
> Yes, as you've said, Mailwatch is only for MailScanner.
>
> Anyway, I think that I have so much traffic to have a solution like
> rsyslog/syslog-ng (in real time) or MW. I'm searching for a script that
> parses the logs (each hour, for example) and stores SMTP/MailScanner
> data in MySQL; then a web interface in PHP.
>
> I think that I'll have to program it myself :)
>
> Thanks!
>
> Regards,
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com

From mmmm82 at gmail.com Fri Nov 6 19:25:50 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Fri Nov 6 19:26:01 2009
Subject: Postfix and MailScanner logger
In-Reply-To: <4AF3F97B.4070504@alexb.ch>
References: <4AF3F21D.7060904@hostalia.com> <200911061021.07890.Antony.Stone@mailscanner.open.source.it> <4AF3F97B.4070504@alexb.ch>
Message-ID: <837e17ab0911061125j230d392bs9e891d945e15f83@mail.gmail.com>

MailWatch has a patch to process postfix data

Fix to allow MailWatch to work with Postfix Inbound/Outbound Queue

the URL changed to: http://www.gbnetwork.co.uk/mailscanner/files/postfixmail.tar.gz

I have not used it yet, but planning to do so in the coming days

On Fri, Nov 6, 2009 at 12:24 PM, Alex Broens wrote:

> On 11/6/2009 11:21 AM, Antony Stone wrote:
>
>> On Friday 06 November 2009 09:53, Alvaro Marín wrote:
>>
>> Hi,
>>>
>>> I'm searching for a logger tool to store in a MySQL table Postfix and
>>> MailScanner's logs.
>>> The idea is to save in a database values like:
>>>
>>> - sender IP
>>> - sender address
>>> - destination address
>>> - if the mail was blocked by RBLs, rate-limit...
>>> - the result of SpamAssassin test (from MailScanner)
>>> - the result of MailScanner process (deliver, deliver+header or delete)
>>>
>>
>> Anyone knows a tool like this or I've to do it myself?
:) >>> >> >> Have you considered http://mailwatch.sourceforge.net/ ? >> > > mailwatch only stores data processed by MailScanner and not MTA data, > Sendmail, Postfix,etc data. > > rsyslog or syslog-ng seem to closer to what Alvaro is looking for. > > Alex > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091106/670e0a5a/attachment.html From Dstraka at caspercollege.edu Fri Nov 6 22:40:18 2009 From: Dstraka at caspercollege.edu (Daniel Straka) Date: Fri Nov 6 22:40:49 2009 Subject: Sophos failure: sophos-autoupdate is missing new Sophos files In-Reply-To: <4AF0ACF9.4060702@mssl.ucl.ac.uk> References: <4AF0ACF9.4060702@mssl.ucl.ac.uk> Message-ID: <4AF4436202000000000E9964@gw.caspercollege.edu> -- Dan Straka Systems Coordinator Casper College 307.268.2399 http://www.caspercollege.edu >>> On 11/3/2009 at 3:21 PM, in message <4AF0ACF9.4060702@mssl.ucl.ac.uk>, Paul Lamb wrote: > The Sophos AV November 2009 distribution:- > Product version : 4.47.0 > Engine version : 3.01.0 > Virus data version : 4.47 > User interface version : 2.07.250 > Platform : Linux/Intel > Released : 02 November 2009 > > is installing additional files > ./lib/xvdl*.vdb > > sophos-autoupdate will not create softlinks to these in ./ide/ > > Running sweep through strace shows an open failure on > /usr/local/Sophos/ide/xvdl01.vdb leading to > "Error initialising detection engine - missing part of virus data" > > As a quick workround, I have added the following cloned fragment into > sophos-autoupdate before "Add the new swpmess.dat..." 
-
>
> # Add the even newer xvdl*.vdb files if they are there
> foreach $vdlsus ("xvdl") {
>   foreach $number (1..99) {
>     $string = $vdlsus . sprintf("%02d", $number) . ".vdb";
>     symlink("$VDLDir/$string", $string) if -f "$VDLDir/$string";
>   }
> }
> # end
>
> I am running MailScanner version 4.72.5 whose version of
> sophos-autoupdate looks little different to the current version.
>
> Regards,
> Paul Lamb
>

Another fix with less typing :-) seems to work for my installation. Sent to me by Joachim Holzfuss

you have to add xvdlXX.vdb to the list of virus defs in /usr/lib/MailScanner/sophos-autoupdate like this

---- excerpt
# Add the new vdl*.vdb files if they are there
foreach $vdlsus ("vdl", "sus", "xvdl") {
----end excerpt

From mgregory at agama.com.au Sat Nov 7 03:26:10 2009
From: mgregory at agama.com.au (Mark Gregory)
Date: Sat Nov 7 03:26:25 2009
Subject: VMware image?
In-Reply-To: <20091105105459.2F16C88E25@mail.redarmour.co.uk>
References: <20091105105459.2F16C88E25@mail.redarmour.co.uk>
Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A53E@phoenix.gtoffice.local>

Hi,

I'm having a good morning. I have ESVA installed on my ESX3.x box and it is working and configured.

I would now like to know how to configure my exchange server to use this gateway or does it not matter for outgoing mail from the exchange server?

So what I mean is I think my next steps are:

1. Tell my firewall to send email to the mailscanner server
2. Tell my exchange server to send outgoing mail to the mailscanner server or is that not necessary?

Do I really need to setup a user for each domain on mailwatch? This could take some time.

Can one user manage all domains through mailwatch? The admin account?

Also in mailwatch the username should be something like admin@mydomain.com? There is no entry for a mail address so I'm assuming that each user should have a username that is their email address. I would appreciate help on this because I'm assuming I need to set the admin username to a real email address for reports and so on.

Regards
Mark

From: Lance Haig [mailto:lhaig@haigmail.com]
Sent: Thursday, 5 November 2009 9:55 PM
To: Mark Gregory; mailscanner@lists.mailscanner.info
Subject: Re: VMware image?

Go to

www.global-domination.org/ESVA.php

This is what I have used in the past

Thanks

Lance

Sent from my HTC

----- Reply message -----
From: "Mark Gregory"
Date: Thu, Nov 5, 2009 10:40
Subject: VMware image?
To:

Hi,

I would like to use mailscanner with exchange 2003 and would appreciate knowing if someone has created a VMWare image of linux + mailscanner.

I'm not trying to be lazy, just don't know enough about linux to do the install.

Regards
Mark

From lists at elasticmind.net Sat Nov 7 14:44:21 2009
From: lists at elasticmind.net (Mog)
Date: Sat Nov 7 14:44:29 2009
Subject: SOLVED in 7.2: Perl problems on FreeBSD (again)
In-Reply-To:
References:
Message-ID: <4AF587C5.9000701@elasticmind.net>

So I've upgraded to 7.2 to see if that makes a difference and followed this upgrade procedure. Still I'm getting this recurring Perl problem whereby custom functions could not be required :(

Jose Amengual M wrote:
> Hi Guys.
> > I saw some emails about perl 5.10.1 giving errors when running > mailscanner, I had the same problem and I follow the instructions > below but it din't work for me, but finally after 2 days of work I > found the solution!!!. > > This is working 7.2 should work on 8.0. > > if you have already mailscanner installed don't worry, portupgrade can > do all the job for you :). > > 1.- Remove old perl version : > pkg_info|grep perl ( copy the exact name of you perl version like > perl5.10.1 ) > pkg_delete -f perl5.10.1 > > 2.- Install old perl. > pkg_add -r > ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-7.2-release/lang/perl-5.10.0_2.tbz > > > 3.- Clean up any work directory > portsclean -C > > 4.- Update pkgdb add upgrade any perl package > pkgdb -Ff > portupgrade -fr perl ( this is going to upgrade everything that uses > perl including mailscanner). > perl-after-upgrade && perl-after-upgrade -f > > After that the error was gone and everything was working fine. > > I was in the process of deciding of going towards mailscanner or > amavisd-new and I decided to use mailscanner because was easier to > configure and I expend 2 days fixing a problem with perl that I didn't > have on amavis :). > > I hope this help. > > Thanks. > > Jose Amengual. > > > This like > > > Mog wrote: > > >> > Hi all, > > >> > > > >> > I upgraded MailScanner last night along with a number of other ports, > > > >> > which unfortunately included a micro update to Perl. On FreeBSD it > > went > >> > from perl-5.10.0 to perl-5.10.1, and judging by the error messages in > > > >> > the maillog, it seems that the old taint mode problem has resurfaced: > > >> > > > >> > Could not use Custom Function code > > >> > /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SpamWhitelist.pm, > > >> > it could not be "require"d. 
Make sure the last line is "1;" and the > > >> > module is correct with perl -wc (Error: Insecure dependency in > > require > >> > while running with -T switch at > > >> > /usr/local/lib/MailScanner/MailScanner/Config.pm line 754. > > >> > > > >> > I'm seeing this same error message being shown for these files as > > well: > >> > MyExample.pm, DavidHooton.pm, LastSpam.pm, GenericSpamScanner.pm, > > >> > CustomAction.pm, Ruleset-from-Function.pm and ZMRouterDirHash.pm. > > >> > > > >> > > > >> > From what I understand, FreeBSD runs perl programs with the -T > > option > >> > (taint mode), which is basically some additional security check. If > > I'm > >> > reading this right, the additional security check (for some reason) > > >> > seems to have a problem with 'eval { require $fullfile; };', the code > > > >> > used to require the CustomFunction modules MailScanner uses: > > >> > > > >> > $fullfile = "$dir/$filename"; > > >> > next unless -f $fullfile and -s $fullfile; > > >> > eval { require $fullfile; }; > > >> > if ($@) { > > >> > MailScanner::Log::WarnLog("Could not use Custom Function code > > %s, " . > >> > "it could not be \"require\"d. Make > > sure " . > >> > "the last line is \"1;\" and the > > module " . > >> > "is correct with perl -wc (Error: > > %s)", > >> > $fullfile, $@); > > >> > } > > >> > > > >> > > > >> > Does this makes sense to anyone? Naturally I've reported this problem > > to > >> > the FreeBSD people as well to see if they can help work out what is > > >> > going on. > > >> > > > >> > Regards, > > >> > mog > > > > > What process did you use to upgrade MailScanner/Perl? If you used > > > > portupgrade, please give the command line you used. > > > >I have the same issue, I did the normal portupgrade perl. > >And did run the perl-after-upgrade > >After that did not work I did a rebuild of perl with -rf portupgrade -rf > .perl, this way all ports relying on perl are rebuild. > >And that did also not work. 
> >So I grabbed another server, installed FreeBSD 8.0RC1 upgraded the ports > >tree, installed MailScanner, and got the same error. > >It is the same error I got with perl 5.8.9, and with perl 5.8.8 I had no > >problems also. > >Now perl5.10.0_4 and 5.8.8 has no problems, but 5.10.1 and 5.8.9 has, > >anyway on my systems (AMD64 and i386) > > > From Antony.Stone at mailscanner.open.source.it Sat Nov 7 18:01:36 2009 From: Antony.Stone at mailscanner.open.source.it (Antony Stone) Date: Sat Nov 7 18:01:54 2009 Subject: MCP doesn't work in 4.74? Message-ID: <200911071801.36411.Antony.Stone@mailscanner.open.source.it> Hi. I'm (still) trying to get MCP to work in MS 4.74.16, and continuing to fail. My requirement is to identify emails which contain any word or phrase from a list of "banned words", and either modify the subject line to warn the recipient before they open the email, or else quarantine the email and bounce a message back to the recipient to tell them it hasn't been delivered. I was advised on this list to use SpamAssassin Rule Actions instead of MCP, however I cannot see that it is possible to get it to do either of the above actions, and therefore SARA doesn't appear to do what I need. I'm also using MailWatch on the machine, which gives a nice summary of MCP matches, whereas it doesn't tell me anything about SA Rule Actions, therefore MCP very much seems to be what I need (even if it is a bit inefficient). I've used MCP before in earlier versions of MailScanner, and I believe I know how to write the appropriate SpamAssassin rule/s to pick up the emails I want to identify. I've eliminated my ineptness at writing SA rules as a cause of the problem by using a slightly modified version of the GTUBE test as one of my "bad word" matches. Putting the rules into a file ending in .cf in /etc/MailScanner/mcp (I've checked that this is the %mcp-dir% on this machine) and turning on MCP Checks (as well as Log MCP) does not work. 
The log file shows me "MCP Checks: Starting", but that's it. The rules do not appear to be used, the test emails certainly aren't matched, and I cannot see either how/where to debug this further, or what I've missed in trying to get it working.

Please can someone either tell me:

- MCP is known to be broken in 4.74, so I stand no chance of getting it working
- MCP works in 4.74, with an example of how to make it work
- how to debug MCP to see where it's falling over in my configuration

I'm using 4.74.16 because that's the current Debian package. If I need to install something more recent I can, but it's not such a clean solution for future maintenance, so I'd want to be sure it'll solve my problem before I install from a non-packaged version.

I hope someone can help,

Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

Please reply to the list; please don't CC me.

From lhaig at haigmail.com Sat Nov 7 23:26:39 2009
From: lhaig at haigmail.com (Lance Haig)
Date: Sat Nov 7 23:27:08 2009
Subject: VMware image?
In-Reply-To: <8B6E1874AEFB4E47BBB5184243791F8E19A53E@phoenix.gtoffice.local>
References: <20091105105459.2F16C88E25@mail.redarmour.co.uk> <8B6E1874AEFB4E47BBB5184243791F8E19A53E@phoenix.gtoffice.local>
Message-ID: <4AF6022F.6060607@haigmail.com>

Sorry I have been busy with family stuff, So my answers are inline

Mark Gregory wrote:
> Hi,
>
> I'm having a good morning. I have ESVA installed on my ESX3.x box and it
> is working and configured.

Well done !!!

As long as you followed the instructions on how to configure the vm you should be ok. They have great forums on the domination site that will help if you get stuck.

> I would now like to know how to configure my exchange server to use this
> gateway or does it not matter for outgoing mail from the exchange server?
>
> So what I mean is I think my next steps are:
>
> 1. Tell my firewall to send email to the mailscanner server

I would test it with a test domain first just to make sure everything is ok.

> 2. Tell my exchange server to send outgoing mail to the
> mailscanner server or is that not necessary?

You can do that and it helps the system to learn your HAM which will make it more effective.

> Do I really need to setup a user for each domain on mailwatch? This
> could take some time.
>
> Can one user manage all domains through mailwatch? The admin account?

Yes one user can manage all the domains on the system. The main admin user will be able to do this from the start.

> Also in mailwatch the username should be something like
> admin@mydomain.com ? There is no entry for a
> mail address so I'm assuming that each user should have a username that
> is their email address. I would appreciate help on this because I'm
> assuming I need to set the admin username to a real email address for
> reports and so on.

You should just be able to use one user if you are the only admin. If there are more than one and you want to give them their own logins then you have to create the accounts.

The system should behave like any other MailScanner install it has just been made easier by creating a virtual machine.

Hope this helps

Lance

> Regards
>
> Mark
>
> *From:* Lance Haig [mailto:lhaig@haigmail.com]
> *Sent:* Thursday, 5 November 2009 9:55 PM
> *To:* Mark Gregory; mailscanner@lists.mailscanner.info
> *Subject:* Re: VMware image?
>
> Go to
>
> www.global-domination.org/ESVA.php
>
> This is what I have used in the past
>
> Thanks
>
> Lance
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Mark Gregory"
> Date: Thu, Nov 5, 2009 10:40
> Subject: VMware image?
> To:
>
> Hi,
>
> I would like to use mailscanner with exchange 2003 and would appreciate
> knowing if someone has created a VMWare image of linux + mailscanner.
>
> I'm not trying to be lazy, just don't know enough about linux to do the
> install.
>
> Regards
>
> Mark

From mgregory at agama.com.au Sun Nov 8 01:47:39 2009
From: mgregory at agama.com.au (Mark Gregory)
Date: Sun Nov 8 01:47:53 2009
Subject: VMware image?
In-Reply-To: <4AF6022F.6060607@haigmail.com>
References: <20091105105459.2F16C88E25@mail.redarmour.co.uk> <8B6E1874AEFB4E47BBB5184243791F8E19A53E@phoenix.gtoffice.local> <4AF6022F.6060607@haigmail.com>
Message-ID: <8B6E1874AEFB4E47BBB5184243791F8E19A549@phoenix.gtoffice.local>

Hi Lance,

Thank you for your help. I'm now going to tell my exchange server to use the ESVA box as a smart host and to see what happens for outgoing email.

Regards
Mark

From mmmm82 at gmail.com Sun Nov 8 19:08:09 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 8 19:08:19 2009
Subject: Forward Spam to Junk
Message-ID: <837e17ab0911081108t3457531dtdd86471784661e2a@mail.gmail.com>

Hi, can anyone help me configure mailscanner to forward mail to user mailboxes but to the Junk folder so users can check their spam messages, note that users retrieve their mail using pop3, I have more than 300 users and I don't want to go to each user and make a rule stating x-spam-header =yes to be forwarded to junk,

Thanks

From MailScanner at ecs.soton.ac.uk Sun Nov 8 19:11:49 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 8 19:12:10 2009
Subject: 4.79.2 released with new HTML-Parser
References: <4AF717F5.9070602@ecs.soton.ac.uk>
Message-ID:

I have updated the HTML::Parser module and released 4.79.2 beta.

I sincerely hope to catch up with the list very soon. My day job has been more busy than you can possibly imagine! So in the evenings and stuff I have just been too tired to work on anything at all, I need the rest.

Normal service will be resumed shortly, please do not adjust your set.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From roland at inbox4u.de Sun Nov 8 19:44:13 2009 From: roland at inbox4u.de (Ehle, Roland) Date: Sun Nov 8 19:44:27 2009 Subject: AW: 4.79.2 released with new HTML-Parser In-Reply-To: References: <4AF717F5.9070602@ecs.soton.ac.uk> Message-ID: <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FDC@ts-dc2.ts-webarts.local> Julian, from my own experience I know too well that everybody needs some rest, your body is not a machine. So take the time you need and take care of your health. Thanks for the new beta, I will test and come back with feedback. Regards, Roland -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Sunday, 8 November 2009 20:12 To: MailScanner mailing list Subject: 4.79.2 released with new HTML-Parser I have updated the HTML::Parser module and released 4.79.2 beta. I sincerely hope to catch up with the list very soon. My day job has been more busy than you can possibly imagine! So in the evenings and stuff I have just been too tired to work on anything at all, I need the rest. Normal service will be resumed shortly, please do not adjust your set. Jules
From roland at inbox4u.de Sun Nov 8 19:47:56 2009 From: roland at inbox4u.de (Ehle, Roland) Date: Sun Nov 8 19:48:08 2009 Subject: AW: Forward Spam to Junk In-Reply-To: <837e17ab0911081108t3457531dtdd86471784661e2a@mail.gmail.com> References: <837e17ab0911081108t3457531dtdd86471784661e2a@mail.gmail.com> Message-ID: <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FDD@ts-dc2.ts-webarts.local> Skipped content of type multipart/alternative From alex at rtpty.com Sun Nov 8 21:10:35 2009 From: alex at rtpty.com (Alex Neuman) Date: Sun Nov 8 21:10:49 2009 Subject: AW: Forward Spam to Junk In-Reply-To: <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FDD@ts-dc2.ts-webarts.local> References: <837e17ab0911081108t3457531dtdd86471784661e2a@mail.gmail.com> <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FDD@ts-dc2.ts-webarts.local> Message-ID: <8A9B6DF5-5F59-48CB-A7D2-C344F1611D0B@rtpty.com> True. Otherwise you can cook up a recipe using procmail, i.e.:

:0:
* ^X-Spam-Status: Yes
mail/Junk\ E-mail

in the user's .procmailrc would do the trick. Problem with your setup is that since they're *still* using POP3, they'd have to check using webmail or IMAP in order to "see" the "Junk E-mail" folder. On Nov 8, 2009, at 2:47 PM, Ehle, Roland wrote: > Hi Monis, > > that's impossible. If your users retrieve their mail using pop3, > then they have no access to other folders, only the mails in the > inbox are retrieved. 
> > So, the only chance you have, is to create the rule, export the rule > into a rwz file and send that file including a short guide to your > users. > > Regards, > Roland > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Monis Monther > Sent: Sunday, 8 November 2009 20:08 > To: MailScanner discussion > Subject: Forward Spam to Junk > > Hi, can anyone help me configure mailscanner to forward mail to > user mailboxes but to the Junk folder so users can check their spam > messages, note that users retrieve their mail using pop3, I have > more than 300 users and I don't want to go to each user and make a > rule stating x-spam-header =yes to be forwarded to junk, Thanks From mmmm82 at gmail.com Mon Nov 9 07:29:19 2009 From: mmmm82 at gmail.com (Monis Monther) Date: Mon Nov 9 07:29:27 2009 Subject: AW: Forward Spam to Junk In-Reply-To: <8A9B6DF5-5F59-48CB-A7D2-C344F1611D0B@rtpty.com> References: <837e17ab0911081108t3457531dtdd86471784661e2a@mail.gmail.com> <3DADD2A199CACA458008CE5EADDF2DFD02F1D01FDD@ts-dc2.ts-webarts.local> <8A9B6DF5-5F59-48CB-A7D2-C344F1611D0B@rtpty.com> Message-ID: <837e17ab0911082329hba99066p77e7f4880c2c1526@mail.gmail.com> Thanks everyone for the replies, it helped a lot, thanks for your time On 11/8/09, Alex Neuman wrote: > True. > > Otherwise you can cook up a recipe using procmail, i.e.:
>
> :0:
> * ^X-Spam-Status: Yes
> mail/Junk\ E-mail
>
> in the user's .procmailrc would do the trick. > > Problem with your setup is that since they're *still* using POP3, > they'd have to check using webmail or IMAP in order to "see" the "Junk > E-mail" folder. 
> > On Nov 8, 2009, at 2:47 PM, Ehle, Roland wrote: > >> Hi Monis, >> >> that's impossible. If your users retrieve their mail using pop3, >> then they have no access to other folders, only the mails in the >> inbox are retrieved. >> >> So, the only chance you have, is to create the rule, export the rule >> into a rwz file and send that file including a short guide to your >> users. >> >> Regards, >> Roland >> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Monis Monther >> Sent: Sunday, 8 November 2009 20:08 >> To: MailScanner discussion >> Subject: Forward Spam to Junk >> >> Hi, can anyone help me configure mailscanner to forward mail to >> user mailboxes but to the Junk folder so users can check their spam >> messages, note that users retrieve their mail using pop3, I have >> more than 300 users and I don't want to go to each user and make a >> rule stating x-spam-header =yes to be forwarded to junk, Thanks From Johan at double-l.nl Mon Nov 9 08:13:01 2009 From: Johan at double-l.nl (Johan Hendriks) Date: Mon Nov 9 08:13:11 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) References: <4AF587C5.9000701@elasticmind.net> Message-ID: <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> >So I've upgraded to 7.2 to see if that makes a difference and followed >this upgrade procedure. 
Still I'm getting this recurring Perl problem >whereby custom functions could not be required :( That is a me too also. Also on a fresh install I have these problems. Could it be something in the config file. Do we (the not working configs) have options set that the working ones do not have or vice versa. regards, Johan Hendriks Jose Amengual M wrote:
>> Hi Guys.
>>
>> I saw some emails about perl 5.10.1 giving errors when running mailscanner, I had the same problem and I follow the instructions below but it didn't work for me, but finally after 2 days of work I found the solution!!!.
>>
>> This is working 7.2 should work on 8.0.
>>
>> if you have already mailscanner installed don't worry, portupgrade can do all the job for you :).
>>
>> 1.- Remove old perl version :
>> pkg_info|grep perl ( copy the exact name of your perl version like perl5.10.1 )
>> pkg_delete -f perl5.10.1
>>
>> 2.- Install old perl.
>> pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-7.2-release/lang/perl-5.10.0_2.tbz
>>
>> 3.- Clean up any work directory
>> portsclean -C
>>
>> 4.- Update pkgdb and upgrade any perl package
>> pkgdb -Ff
>> portupgrade -fr perl ( this is going to upgrade everything that uses perl including mailscanner).
>> perl-after-upgrade && perl-after-upgrade -f
>>
>> After that the error was gone and everything was working fine.
>>
>> I was in the process of deciding of going towards mailscanner or amavisd-new and I decided to use mailscanner because was easier to configure and I spent 2 days fixing a problem with perl that I didn't have on amavis :).
>>
>> I hope this helps.
>>
>> Thanks.
>>
>> Jose Amengual.
>>
> No virus found in this outgoing message. 
From alvaro at hostalia.com Mon Nov 9 10:38:02 2009 From: alvaro at hostalia.com (Alvaro Marín) Date: Mon Nov 9 10:38:12 2009 Subject: Postfix and MailScanner logger In-Reply-To: <1213490F1F316842A544A850422BFA9612870A166B@BHLSBS.bhl.local> References: <4AF3F21D.7060904@hostalia.com> <200911061021.07890.Antony.Stone@mailscanner.open.source.it> <4AF3F97B.4070504@alexb.ch> <4AF3FC5D.6020609@hostalia.com> <1213490F1F316842A544A850422BFA9612870A166B@BHLSBS.bhl.local> Message-ID: <4AF7F10A.7080307@hostalia.com> Hi, Jason Ede wrote: > I've been thinking of writing something very similar for use here to bring together from all our mail servers with an additional field of receiving server name... Any chance can post to the list if you manage to do this? > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alvaro Marín >> Sent: 06 November 2009 10:37 >> To: MailScanner discussion >> Subject: Re: Postfix and MailScanner logger >> >> Alex Broens wrote: >>> On 11/6/2009 11:21 AM, Antony Stone wrote: >>>> On Friday 06 November 2009 09:53, Alvaro Marín wrote: >>>> >>>>> Hi, >>>>> >>>>> I'm searching for a logger tool to store in a MySQL table Postfix and >>>>> MailScanner's logs. >>>>> The idea is to save in a database values like: >>>>> >>>>> - sender IP >>>>> - sender address >>>>> - destination address >>>>> - if the mail was blocked by RBLs, rate-limit... >>>>> - the result of SpamAssassin test (from MailScanner) >>>>> - the result of MailScanner process (deliver, deliver+header or delete) >>>>> Anyone knows a tool like this or I've to do it myself? :) >>>> Have you considered http://mailwatch.sourceforge.net/ ? >>> mailwatch only stores data processed by MailScanner and not MTA data, >>> Sendmail, Postfix,etc data. 
>>> >>> rsyslog or syslog-ng seem to be closer to what Alvaro is looking for. >> Yes, as you've said, Mailwatch is only for MailScanner. >> >> Anyway, I think that I have so much traffic to have a solution like >> rsyslog/syslog-ng (in real time) or MW. I'm searching for a script that >> parses the logs (each hour, for example) and stores SMTP/MailScanner >> data in MySQL; then a web interface in PHP. >> >> I think that I'll have to program it myself :) >> >> Thanks! >> >> Regards, >> >> -- >> Alvaro Marín Illera >> Hostalia Internet >> www.hostalia.com The developer of the project has updated the link: http://white-box.us/wp-content/uploads/2009/06/Maillog_Logger-0.2.0alpha1.zip but I need something with more options. I'll try to do something and if I can, share it. Regards, -- Alvaro Marín Illera Hostalia Internet www.hostalia.com From steve.freegard at fsl.com Mon Nov 9 12:01:58 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Nov 9 12:02:09 2009 Subject: Postfix and MailScanner logger In-Reply-To: <4AF7F10A.7080307@hostalia.com> References: <4AF3F21D.7060904@hostalia.com> <200911061021.07890.Antony.Stone@mailscanner.open.source.it> <4AF3F97B.4070504@alexb.ch> <4AF3FC5D.6020609@hostalia.com> <1213490F1F316842A544A850422BFA9612870A166B@BHLSBS.bhl.local> <4AF7F10A.7080307@hostalia.com> Message-ID: <4AF804B6.7010401@fsl.com> Alvaro Marín wrote: > Hi, > > Jason Ede wrote: >> I've been thinking of writing something very similar for use here to bring together from all our mail servers with an additional field of receiving server name... Any chance can post to the list if you manage to do this? 
>> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alvaro Marín >>> Sent: 06 November 2009 10:37 >>> To: MailScanner discussion >>> Subject: Re: Postfix and MailScanner logger >>> >>> Alex Broens wrote: >>>> On 11/6/2009 11:21 AM, Antony Stone wrote: >>>>> On Friday 06 November 2009 09:53, Alvaro Marín wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> I'm searching for a logger tool to store in a MySQL table Postfix and >>>>>> MailScanner's logs. >>>>>> The idea is to save in a database values like: >>>>>> >>>>>> - sender IP >>>>>> - sender address >>>>>> - destination address >>>>>> - if the mail was blocked by RBLs, rate-limit... >>>>>> - the result of SpamAssassin test (from MailScanner) >>>>>> - the result of MailScanner process (deliver, deliver+header or delete) >>>>>> Anyone knows a tool like this or I've to do it myself? :) >>>>> Have you considered http://mailwatch.sourceforge.net/ ? >>>> mailwatch only stores data processed by MailScanner and not MTA data, >>>> Sendmail, Postfix,etc data. >>>> >>>> rsyslog or syslog-ng seem to be closer to what Alvaro is looking for. >>> Yes, as you've said, Mailwatch is only for MailScanner. >>> >>> Anyway, I think that I have so much traffic to have a solution like >>> rsyslog/syslog-ng (in real time) or MW. I'm searching for a script that >>> parses the logs (each hour, for example) and stores SMTP/MailScanner >>> data in MySQL; then a web interface in PHP. >>> >>> I think that I'll have to program it myself :) >>> >>> Thanks! >>> >>> Regards, >>> >>> -- >>> Alvaro Marín Illera >>> Hostalia Internet >>> www.hostalia.com > > The developer of the project has updated the link: > > http://white-box.us/wp-content/uploads/2009/06/Maillog_Logger-0.2.0alpha1.zip > > but I need something with more options. I'll try to do something and if > I can, share it. 
> Having written something very similar myself - from experience I can say that PHP + MySQL/PostgreSQL is very limited to scalability; even a low volume system will generate 300,000 records per day from a single server if you record every connection and status. Scaling this for even a medium volume site with 20-30 connections per second over a couple of machines is extremely difficult. My personal recommendation would be to look at Splunk - http://www.splunk.com/ as it's designed with exactly this in mind (it's also free for < 500Mb of index volume per day - so you can try it and see). Simply add a single CustomFunction to MailScanner to log the extra lines that you'll need to syslog and this should be able to do everything you require. Regards, Steve. From dgottsc at emory.edu Mon Nov 9 13:58:14 2009 From: dgottsc at emory.edu (Gottschalk, David) Date: Mon Nov 9 13:58:31 2009 Subject: ScamNailer Exception/List Removal Message-ID: This weekend, I installed ScamNailer on one of our machines running MailScanner to help combat all the phishing attacks we receive. In the past, some of our accounts have been compromised and become sources of spam/phishing to other addresses on the Internet. We've resolved these as soon as they appear. I just noticed though, that we have three @emory.edu addresses on the ScamNailer list. These users were trying to send out, but we're being blocked. For the time being I have disabled this. So is there a way to be removed from this list, or create some kind of exception list? Thanks. David Gottschalk Emory University UTS Messaging Team This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. 
If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). From pedro at romehosting.com Mon Nov 9 14:40:32 2009 From: pedro at romehosting.com (Dave Gattis) Date: Mon Nov 9 14:40:55 2009 Subject: ClamAV does not detect EICAR test Message-ID: <118945bfdaa4a08feddf41e08ef2264a.squirrel@mail.romehosting.com> I am setting up a new server. I have the latest MailScanner and the latest ClamAV. When testing with EICAR test files, MailScanner only reports the usual com and zip file errors. I suspected that something may be up with the ClamAV config, so I setup Sophos too. Sophos detects eicar every time. I prefer to use ClamAV. Any ideas of what I can check? Why would Sophos detect while ClamAV does not? Thanks! Dave From rlopezcnm at gmail.com Mon Nov 9 16:08:55 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Nov 9 16:09:06 2009 Subject: Why is this domain spoofing. Message-ID: Yesterday every member of the honor society at this college had their newsletter blocked for Phishing.Heuristics.Email.SpoofedDomain. It is not clear to me why. It appears to me the domain is always ptk.org and elist.ptk.org is simply a mail system within that domain so nothing is spoofed. After they were blocked last month I thought I whitelisted them:

From: 12.230.142.18 OK # elist.ptk.org
From: 12.230.142.9 OK # ptk.org

are already in /etc/MailScanner/rules/spam.whitelist.rules How can I prevent these from being blocked? Am I misunderstanding how to whitelist SpoofedDomain-s? 
This is the report: The following e-mails were found to have: Virus Detected

Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org
IP Address: 12.230.142.18
Recipient: xxxxxx@cnm.edu
Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009
MessageID: 53BDB10A5.B6931
Quarantine:
Report: Clamd: message was infected: Phishing.Heuristics.Email.SpoofedDomain

Full headers are:

Received: from elist.ptk.org (elist.ptk.org [12.230.142.18])
    by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5
    for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST)
Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600
Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
X-You-are-Subscribed-As:
From: Golden Key News Brief
To: GKNB subscribers
Mime-Version: 1.0
Content-Type: text/html
Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org
Date: Fri, 6 Nov 2009 23:41:40 +0000
Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009
Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu>

-- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From a.peacock at chime.ucl.ac.uk Mon Nov 9 16:18:14 2009 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Mon Nov 9 16:18:39 2009 Subject: OT: Snertsoft roundhouse on Solaris 8 Message-ID: <4AF840C6.2060504@chime.ucl.ac.uk> Hi, Sorry for the off-topic post, I have exhausted Google and other avenues. I know that Snertsoft Roundhouse has been mentioned/discussed here before and was hoping someone could give me a clue to move on. I have downloaded and built roundhouse, but it fails to run most times. This is very frustrating because it does sometimes run, then will refuse to run after that one time. So, I manage to get it to run listening on port 26, for testing purposes, all seems well. 
Change things around, so it listens on port 25 and the mta on 26, and it just exits without any error messages. I have looked through the code and there should be all sorts of debug messages sent out, but nothing gets into the logs at all. It is as if it exits before any logging is enabled. If anyone can help that would be great, sorry to disturb this list. -- Anthony Peacock Head of Research & Development, FBS Advanced IT Support Centre CHIME, Whittington Campus WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ From rlopezcnm at gmail.com Mon Nov 9 16:18:30 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Nov 9 16:18:41 2009 Subject: Fwd: Why is this domain spoofing. In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Robert Lopez Date: Mon, Nov 9, 2009 at 9:08 AM Subject: Why is this domain spoofing. To: MailScanner discussion Yesterday every member of the honor society at this college had their newsletter blocked for Phishing.Heuristics.Email.SpoofedDomain. It is not clear to me why. It appears to me the domain is always ptk.org and elist.ptk.org is simply a mail system within that domain so nothing is spoofed. After they were blocked last month I thought I whitelisted them:

From: 12.230.142.18 OK # elist.ptk.org
From: 12.230.142.9 OK # ptk.org

are already in /etc/MailScanner/rules/spam.whitelist.rules How can I prevent these from being blocked? Am I misunderstanding how to whitelist SpoofedDomain-s? This is the report: The following e-mails were found to have: Virus Detected

Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org
IP Address: 12.230.142.18
Recipient: xxxxxx@cnm.edu
Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009
MessageID: 53BDB10A5.B6931
Quarantine:
Report: Clamd: message was infected: Phishing.Heuristics.Email.SpoofedDomain

Full headers are:

Received: from elist.ptk.org (elist.ptk.org [12.230.142.18])
by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5
for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST)
Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600
Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
X-You-are-Subscribed-As:
From: Golden Key News Brief
To: GKNB subscribers
Mime-Version: 1.0
Content-Type: text/html
Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org
Date: Fri, 6 Nov 2009 23:41:40 +0000
Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009
Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu>

-- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 I should have cut and paste instead of retyping. I actually have "yes" instead of "OK" in spam.whitelist.rules -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From mrm at medicine.wisc.edu Mon Nov 9 16:20:44 2009 From: mrm at medicine.wisc.edu (Michael Masse) Date: Mon Nov 9 16:21:14 2009 Subject: Why is this domain spoofing. In-Reply-To: References: Message-ID: <4AF7ECFC020000FC00009099@gwmail.medicine.wisc.edu> It appears to me that Clamd is what's tripping the rule and not spamassassin. I am a couple of versions behind so I'm not running a version capable of using the spam detection stuff within Clam, but I believe there is probably a similar rules file like spam.whitelist.rules for the virus scanners as well that you would need to put them in. Since I'm not actually running a new version of MS I don't know this for sure, but since just about every other option can have a rules file, my guess is that this does too. 
-Mike >>> On 11/9/2009 at 10:08 AM, in message , Robert Lopez wrote: > Yesterday ever member of the honor society at this college had their > news letter blocked for Phishing.Heuristics.Email.SpoofedDomain . > > It is not clear to me why. It appears to me the domain is always > ptk.org and elist.ptk.org is simply a mail system within that domain > so nothing is spoofed. > > After they were blocked last month I thought I white listed them: > From: 12.230.142.18 OK # elist.ptk.org > From: 12.230.142.9 OK # ptk.org > are already in /etc/MailScanner/rules/spam.whitelist.rules > > How can I prevent these from being blocked? Am I misunderstanding how > to whitelist SpoofedDomain-s? > > This is the report: > The following e-mails were found to have: Virus Detected > > Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org > IP Address: 12.230.142.18 > Recipient: xxxxxx@cnm.edu > Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 > MessageID: 53BDB10A5.B6931 > Quarantine: > Report: Clamd: message was infected: > Phishing.Heuristics.Email.SpoofedDomain > > Full headers are: > > Received: from elist.ptk.org (elist.ptk.org [12.230.142.18]) > by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5 > for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST) > Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600 > Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; > run by ezmlm > Precedence: bulk > X-No-Archive: yes > List-Post: > List-Help: > List-Unsubscribe: > > List-Subscribe: > X-You-are-Subscribed-As: > From: Golden Key News Brief > To: GKNB subscribers > Mime-Version: 1.0 > Content-Type: text/html > Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org > Date: Fri, 6 Nov 2009 23:41:40 +0000 > Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 > Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu> > > From steveb_clamav at sanesecurity.com Mon Nov 9 16:23:35 2009 From: steveb_clamav at sanesecurity.com (Steve Basford) Date: 
Mon Nov 9 16:23:55 2009 Subject: Why is this domain spoofing. In-Reply-To: References: Message-ID: <63347.93.97.28.110.1257783815.squirrel@saturn.dataflame.net> > Quarantine: > Report: Clamd: message was infected: > Phishing.Heuristics.Email.SpoofedDomain It's ClamAv's Heuristics that's "caught" something, for example: http://www.mail-archive.com/clamav-users@lists.clamav.net/msg32419.html If it's an FP, report to (full header/body): http://cgi.clamav.net/sendvirus.cgi Hope it helps, Cheers, Steve Sanesecurity From Hostmaster at computerservicecentre.com Mon Nov 9 16:36:05 2009 From: Hostmaster at computerservicecentre.com (Hostmaster) Date: Mon Nov 9 16:36:41 2009 Subject: Snertsoft roundhouse on Solaris 8 In-Reply-To: <4AF840C6.2060504@chime.ucl.ac.uk> References: <4AF840C6.2060504@chime.ucl.ac.uk> Message-ID: <3D9C92F3075F5144B46AA2C590F48E2ACF9FEA@commssrv01.computerservicecentre.com> >I have looked through the code and there should be all sorts of debug >messages sent out, but nothing get into the logs at all. It is as if it >exits before any logging is enabled. >If anyone can help that would be great, sorry to disturb this list. I don't know if it's available on Solaris, but if I had anything like this on a RHEL box I would be debugging it with strace. Hope this helps... Richard -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect. This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. 
If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. From ms-list at alexb.ch Mon Nov 9 16:44:45 2009 From: ms-list at alexb.ch (Alex Broens) Date: Mon Nov 9 16:44:54 2009 Subject: OT: Snertsoft roundhouse on Solaris 8 In-Reply-To: <4AF840C6.2060504@chime.ucl.ac.uk> References: <4AF840C6.2060504@chime.ucl.ac.uk> Message-ID: <4AF846FD.3080502@alexb.ch> On 11/9/2009 5:18 PM, Anthony Peacock wrote: > Hi, > > Sorry for the off-topic post, I have exhausted Google and other avenues. > I know that Snertsoft Roundhouse has been mentioned/discussed here > before and was hoping someone could give me a clue to move on. > > I have downloaded and built roundhouse, but it fails to run most times. > > This is very frustrating because it does sometimes run, then will refuse > to run after that one time. So, I manage to get it to run listening on > port 26, for testing purposes, all seems well. Change things around, so > it listens on port 25 and the mta on 26, and it just exits without any > error messages. > > I have looked through the code and there should be all sorts of debug > messages sent out, but nothing get into the logs at all. It is as if it > exits before any logging is enabled. > > If anyone can help that would be great, sorry to disturb this list. have you considered contacting snertsoft? http://www.snertsoft.com/contact.php or their milters milter info ? From alex at rtpty.com Mon Nov 9 16:50:17 2009 From: alex at rtpty.com (Alex Neuman) Date: Mon Nov 9 16:50:37 2009 Subject: Why is this domain spoofing. 
In-Reply-To: References: Message-ID: Spam is one thing, your antivirus kicking in because your newsletter's overcomplicated, unnecessary HTML-laden format matches a phishing-type message is another. You would have to correct that - since nothing guarantees the other end (the recipient's server) won't think the same thing, even though you whitelist it on your side. Disable virus scanning for those IPs (a bad thing, if you ask me) or modify the signatures in your AV to avoid the false positive, if you want the problem to go away (as opposed to solving it). On Nov 9, 2009, at 11:08 AM, Robert Lopez wrote: > Yesterday ever member of the honor society at this college had their > news letter blocked for Phishing.Heuristics.Email.SpoofedDomain . > > It is not clear to me why. It appears to me the domain is always > ptk.org and elist.ptk.org is simply a mail system within that domain > so nothing is spoofed. > > After they were blocked last month I thought I white listed them: > From: 12.230.142.18 OK # elist.ptk.org > From: 12.230.142.9 OK # ptk.org > are already in /etc/MailScanner/rules/spam.whitelist.rules > > How can I prevent these from being blocked? Am I misunderstanding how > to whitelist SpoofedDomain-s? 
> > This is the report: > The following e-mails were found to have: Virus Detected > > Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org > IP Address: 12.230.142.18 > Recipient: xxxxxx@cnm.edu > Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 > MessageID: 53BDB10A5.B6931 > Quarantine: > Report: Clamd: message was infected: > Phishing.Heuristics.Email.SpoofedDomain > > Full headers are: > > Received: from elist.ptk.org (elist.ptk.org [12.230.142.18]) > by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5 > for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST) > Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600 > Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; > run by ezmlm > Precedence: bulk > X-No-Archive: yes > List-Post: > List-Help: > List-Unsubscribe: > > > List-Subscribe: > > X-You-are-Subscribed-As: > From: Golden Key News Brief > To: GKNB subscribers > Mime-Version: 1.0 > Content-Type: text/html > Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org > Date: Fri, 6 Nov 2009 23:41:40 +0000 > Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 > Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu> > > > > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From rlopezcnm at gmail.com Mon Nov 9 16:58:09 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Nov 9 16:58:19 2009 Subject: Why is this domain spoofing. 
In-Reply-To: <4AF7ECFC020000FC00009099@gwmail.medicine.wisc.edu> References: <4AF7ECFC020000FC00009099@gwmail.medicine.wisc.edu> Message-ID: On Mon, Nov 9, 2009 at 9:20 AM, Michael Masse wrote: > It appears to me that Clamd is what's tripping the rule and not spamassassin. I am a couple of versions behind so I'm not running a version capable of using the spam detection stuff within Clam, but I believe there is probably a similar rules file like spam.whitelist.rules for the virus scanners as well that you would need to put them in. Since I'm not actually running a new version of MS I don't know this for sure, but since just about every other option can have a rules file, my guess is that this does too. > > -Mike > > >>>> On 11/9/2009 at 10:08 AM, in message > , Robert Lopez > wrote: >> Yesterday ever member of the honor society at this college had their >> news letter blocked for Phishing.Heuristics.Email.SpoofedDomain . >> >> It is not clear to me why. It appears to me the domain is always >> ptk.org and elist.ptk.org is simply a mail system within that domain >> so nothing is spoofed. >> >> After they were blocked last month I thought I white listed them: >> From: 12.230.142.18 OK # elist.ptk.org >> From: 12.230.142.9 OK # ptk.org >> are already in /etc/MailScanner/rules/spam.whitelist.rules >> >> How can I prevent these from being blocked? Am I misunderstanding how >> to whitelist SpoofedDomain-s? >> >> This is the report: >> The following e-mails were found to have: Virus Detected >> >> Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org >> IP Address: 12.230.142.18 >> Recipient: xxxxxx@cnm.edu >> Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 >> MessageID: 53BDB10A5.B6931 >> Quarantine: >> Report: Clamd: message was infected: >> Phishing.Heuristics.Email.SpoofedDomain >> >> Full headers are: >> >> Received: from elist.ptk.org (elist.ptk.org [12.230.142.18]) >>
by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5 >> for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST) >> Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600 >> Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; >> run by ezmlm >> Precedence: bulk >> X-No-Archive: yes >> List-Post: >> List-Help: >> List-Unsubscribe: >> >> List-Subscribe: >> X-You-are-Subscribed-As: >> From: Golden Key News Brief >> To: GKNB subscribers >> Mime-Version: 1.0 >> Content-Type: text/html >> Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org >> Date: Fri, 6 Nov 2009 23:41:40 +0000 >> Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 >> Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu> >> >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Mike, I am running MailScanner version 4.74.16 from Ubuntu distribution. What makes it look like Clamd? I know there is the line "Report: Clamd: message was infected:" but I am not aware of Clam looking to spoofed domains. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From gary at sgluk.com Mon Nov 9 17:28:05 2009 From: gary at sgluk.com (Gary Pentland) Date: Mon Nov 9 17:28:20 2009 Subject: OT: Snertsoft roundhouse on Solaris 8 In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2ACF9FEA@commssrv01.computerservicecentre.com> References: <4AF840C6.2060504@chime.ucl.ac.uk> <3D9C92F3075F5144B46AA2C590F48E2ACF9FEA@commssrv01.computerservicecentre.com> Message-ID: # truss -wall -rall -leaf /opt/local/snertsoft/bin..... Would be the debugging option if you like strace and similar If I read this right, roundhouse works reliably on port 26, normal mta on 25....
Swap the ports around and it doesn't work... Is that correct? If that is the case I'd guess then that there is a config issue in swapping the ports around, does roundhouse run on 25 with no MTA running? Obviously difficult to try if this is your real server but I suspect something is holding port 25 open and that is preventing roundhouse from starting. I assume that you are starting the MTA on 26 first, then roundhouse? Try the other way around, start roundhouse first then the MTA... or simply start the MTA and then the old # netstat -an | grep LISTEN or similar to check 25 is available for roundhouse. I do suspect this will turn out to be something silly/obvious.... Gary -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hostmaster Sent: 09 November 2009 16:36 To: MailScanner discussion Subject: RE: Snertsoft roundhouse on Solaris 8 >I have looked through the code and there should be all sorts of debug >messages sent out, but nothing get into the logs at all. It is as if it >exits before any logging is enabled. >If anyone can help that would be great, sorry to disturb this list. I don't know if it's available on Solaris, but if I had anything like this on a RHEL box I would be debugging it with strace. Hope this helps... Richard -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect. 
This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rlopezcnm at gmail.com Mon Nov 9 17:29:46 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Nov 9 17:29:56 2009 Subject: Why is this domain spoofing. In-Reply-To: <63347.93.97.28.110.1257783815.squirrel@saturn.dataflame.net> References: <63347.93.97.28.110.1257783815.squirrel@saturn.dataflame.net> Message-ID: On Mon, Nov 9, 2009 at 9:23 AM, Steve Basford wrote: >> Quarantine: >> Report: Clamd: message was infected: >> Phishing.Heuristics.Email.SpoofedDomain > > It's ClamAv's Heuristics that's "caught" something, for example: > > http://www.mail-archive.com/clamav-users@lists.clamav.net/msg32419.html > > If it's an FP, report to (full header/body): > > http://cgi.clamav.net/sendvirus.cgi > > Hope it helps, > > Cheers, > > Steve > Sanesecurity > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Steve, Thanks for the reply. None of those messages were quarantined so I have nothing to scan. However, it seems if I properly white list ptk to Mailscanner, then Mailscanner should not send the email to Clamd.
Does that seem correct? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From mike at mlrw.com Mon Nov 9 17:33:28 2009 From: mike at mlrw.com (Mike Wallace) Date: Mon Nov 9 17:33:41 2009 Subject: Why is this domain spoofing. In-Reply-To: References: Message-ID: I've had the same problem and disabled phishing in clam by editing /etc/clamd.conf and added "PhishingSignatures no" after the line "#PhishingSignatures yes". Mike Wallace mike@mlrw.com On Nov 9, 2009, at 11:08 AM, Robert Lopez wrote: > Yesterday ever member of the honor society at this college had their > news letter blocked for Phishing.Heuristics.Email.SpoofedDomain . > > It is not clear to me why. It appears to me the domain is always > ptk.org and elist.ptk.org is simply a mail system within that domain > so nothing is spoofed. > > After they were blocked last month I thought I white listed them: > From: 12.230.142.18 OK # elist.ptk.org > From: 12.230.142.9 OK # ptk.org > are already in /etc/MailScanner/rules/spam.whitelist.rules > > How can I prevent these from being blocked? Am I misunderstanding how > to whitelist SpoofedDomain-s?
> > This is the report: > The following e-mails were found to have: Virus Detected > > Sender: golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org > IP Address: 12.230.142.18 > Recipient: xxxxxx@cnm.edu > Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 > MessageID: 53BDB10A5.B6931 > Quarantine: > Report: Clamd: message was infected: > Phishing.Heuristics.Email.SpoofedDomain > > Full headers are: > > Received: from elist.ptk.org (elist.ptk.org [12.230.142.18]) > by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5 > for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST) > Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600 > Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; > run by ezmlm > Precedence: bulk > X-No-Archive: yes > List-Post: > List-Help: > List-Unsubscribe: > > > List-Subscribe: > > X-You-are-Subscribed-As: > From: Golden Key News Brief > To: GKNB subscribers > Mime-Version: 1.0 > Content-Type: text/html > Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org > Date: Fri, 6 Nov 2009 23:41:40 +0000 > Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 > Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu> > > > > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > From alex at rtpty.com Mon Nov 9 18:14:13 2009 From: alex at rtpty.com (Alex Neuman) Date: Mon Nov 9 18:14:34 2009 Subject: Why is this domain spoofing. 
In-Reply-To: References: <4AF7ECFC020000FC00009099@gwmail.medicine.wisc.edu> Message-ID: You don't have to be aware for it to be happening. Clam is now scanning for phishing and other problems. Has been doing it for some time now. Again, you *could* modify your settings in order to let this message through - so it can be blocked by the recipients instead of your server. Or you can fix the HTML from the newsletter - which would fix and prevent the problem. On Nov 9, 2009, at 11:58 AM, Robert Lopez wrote: > am not aware of Clam looking to > spoofed domains. From alex at rtpty.com Mon Nov 9 18:14:35 2009 From: alex at rtpty.com (Alex Neuman) Date: Mon Nov 9 18:14:51 2009 Subject: Why is this domain spoofing. In-Reply-To: References: <63347.93.97.28.110.1257783815.squirrel@saturn.dataflame.net> Message-ID: <6B011B53-5799-49C1-8708-88DEE16D3AAF@rtpty.com> No. Whitelisting is for SPAM, not viruses. On Nov 9, 2009, at 12:29 PM, Robert Lopez wrote: > > However, it seems if I properly white list ptk to Mailscanner, then > Mailscanner should not send the email to Clamd. Does that seem > correct? > From alex at rtpty.com Mon Nov 9 18:15:06 2009 From: alex at rtpty.com (Alex Neuman) Date: Mon Nov 9 18:15:11 2009 Subject: Why is this domain spoofing. In-Reply-To: References: Message-ID: Which, again, would make it so that *recipients* will block your mail, not your server. On Nov 9, 2009, at 12:33 PM, Mike Wallace wrote: > I've had the same problem and disabled phishing in clam by editing / > etc/clamd.conf and added "PhishingSignatures no" after the line > "#PhishingSignatures yes". > > Mike Wallace > mike@mlrw.com From rlopezcnm at gmail.com Mon Nov 9 18:18:56 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Mon Nov 9 18:19:07 2009 Subject: Why is this domain spoofing. 
In-Reply-To: References: Message-ID: On Mon, Nov 9, 2009 at 9:50 AM, Alex Neuman wrote: > Spam is one thing, your antivirus kicking in because your newsletter's > overcomplicated, unnecessary HTML-laden format matches a phishing-type > message is another. > You would have to correct that - since nothing guarantees the other end (the > recipient's server) won't think the same thing, even though you whitelist it > on your side. > Disable virus scanning for those IPs (a bad thing, if you ask me) or modify > the signatures in your AV to avoid the false positive, if you want the > problem to go away (as opposed to solving it). > > On Nov 9, 2009, at 11:08 AM, Robert Lopez wrote: > >> Yesterday ever member of the honor society at this college had their >> news letter blocked for Phishing.Heuristics.Email.SpoofedDomain . >> >> It is not clear to me why. It appears to me the domain is always >> ptk.org and elist.ptk.org is simply a mail system within that domain >> so nothing is spoofed. >> >> After they were blocked last month I thought I white listed them: >> From: 12.230.142.18 OK # elist.ptk.org >> From: 12.230.142.9 OK # ptk.org >> are already in /etc/MailScanner/rules/spam.whitelist.rules >> >> How can I prevent these from being blocked? Am I misunderstanding how >> to whitelist SpoofedDomain-s? >> >> This is the report: >> The following e-mails were found to have: Virus Detected >> >> Sender: >> golden_key_news_brief_htm-return-296-xxxxxx=cnm.edu@elist.ptk.org >> IP Address: 12.230.142.18 >> Recipient: xxxxxx@cnm.edu >> Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 >> MessageID: 53BDB10A5.B6931 >> Quarantine: >> Report: Clamd: message was infected: >> Phishing.Heuristics.Email.SpoofedDomain >> >> Full headers are: >> >> Received: from elist.ptk.org (elist.ptk.org [12.230.142.18]) >> by mg06.cnm.edu (Postfix) with ESMTP id 53BDB10A5 >>
for ; Sat, 7 Nov 2009 10:40:20 -0700 (MST) >> Received: (qmail 27695 invoked by alias); 6 Nov 2009 17:41:40 -0600 >> Mailing-List: contact golden_key_news_brief_htm-help@elist.ptk.org; >> run by ezmlm >> Precedence: bulk >> X-No-Archive: yes >> List-Post: >> List-Help: >> List-Unsubscribe: >> >> >> List-Subscribe: >> X-You-are-Subscribed-As: >> From: Golden Key News Brief >> To: GKNB subscribers >> Mime-Version: 1.0 >> Content-Type: text/html >> Delivered-To: mailing list golden_key_news_brief_htm@elist.ptk.org >> Date: Fri, 6 Nov 2009 23:41:40 +0000 >> Subject: GOLDEN KEY NEWS BRIEFS FOR November 6, 2009 >> Message-Id: <20091107174020.53BDB10A5@mg06.cnm.edu> >> >> >> >> >> -- >> Robert Lopez >> Unix Systems Administrator >> Central New Mexico Community College (CNM) >> 525 Buena Vista SE >> Albuquerque, New Mexico 87106 >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > I had the office of PTK that sent out the news letter send it to me at my Gmail address. The news letter has a lot of URL for addresses not at ptk.org. Perhaps that may be a part of the problem. They then sent to my cnm.edu address the news letter as inline rather than as an attachment. That was delivered to me via one of the same email gateways that blocked all the previous email. That seems to mean the content checking for inline email is different from the content checking for attachments.
-- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From ssilva at sgvwater.com Mon Nov 9 23:51:13 2009 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Nov 9 23:54:09 2009 Subject: RulesEmporium In-Reply-To: <0b7f01ca531b$fe3578a0$faa069e0$@com> References: <0b7f01ca531b$fe3578a0$faa069e0$@com> Message-ID: on 10-22-2009 6:31 AM Logs spake the following: > Is anyone using RulesEmporium anymore? I was using and noticed that the > update script stopped working at some point. I don't see any reference > to it on MailScanner "Getting the Best Out Of Section" > > > > Should I install or not? > > If you go to their website you will see that they have stopped writing rules From a.peacock at chime.ucl.ac.uk Tue Nov 10 08:33:19 2009 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Tue Nov 10 08:33:32 2009 Subject: OT: Snertsoft roundhouse on Solaris 8 In-Reply-To: References: <4AF840C6.2060504@chime.ucl.ac.uk> <3D9C92F3075F5144B46AA2C590F48E2ACF9FEA@commssrv01.computerservicecentre.com> Message-ID: <4AF9254F.9000305@chime.ucl.ac.uk> Hi Gary, Thanks for your message. I decided to spend a little more time looking into the problem this morning, and bizarrely, it worked fine first time. I didn't do anything differently this morning compared to previous occasions, and I am at a loss to explain why it is working now, and not before. I'm going to leave it running (complete with truss output) for a couple of hours to run my tests and then I may never need to run it on Solaris 8 again (with any luck). Gary Pentland wrote: > # truss -wall -rall -leaf /opt/local/snertsoft/bin.....
> > Would be the debugging option if you like strace and similar I had been looking into this, hadn't found anything obvious yet. > > If I read this right, roundhouse works reliably on port 26, normal mta on 25.... > > Swap the ports around and it doesn't work... Is that correct? It is not quite that simple, but that is one of the failure patterns. > If that is the case I'd guess then that there is a config issue in swapping the ports around, does roundhouse run on 25 with no MTA running? Obviously difficult to try if this is your real server but I suspect something is holding port 25 open and that is preventing roundhouse from starting. > > I assume that you are starting the MTA on 26 first, then roundhouse? Try the other way around, start roundhouse first then the MTA... or simply start the MTA and then the old # netstat -an | grep LISTEN or similar to check 25 is available for roundhouse. > > I do suspect this will turn out to be something silly/obvious.... Me too! -- Anthony Peacock Head of Research & Development, FBS Advanced IT Support Centre CHIME, Whittington Campus WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
From a.peacock at chime.ucl.ac.uk Tue Nov 10 08:34:09 2009 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Tue Nov 10 08:34:20 2009 Subject: OT: Snertsoft roundhouse on Solaris 8 In-Reply-To: <4AF846FD.3080502@alexb.ch> References: <4AF840C6.2060504@chime.ucl.ac.uk> <4AF846FD.3080502@alexb.ch> Message-ID: <4AF92581.9090309@chime.ucl.ac.uk> Hi Alex, Alex Broens wrote: > On 11/9/2009 5:18 PM, Anthony Peacock wrote: >> Hi, >> >> Sorry for the off-topic post, I have exhausted Google and other >> avenues. I know that Snertsoft Roundhouse has been >> mentioned/discussed here before and was hoping someone could give me a >> clue to move on. >> >> I have downloaded and built roundhouse, but it fails to run most times.
>> >> This is very frustrating because it does sometimes run, then will >> refuse to run after that one time. So, I manage to get it to run >> listening on port 26, for testing purposes, all seems well. Change >> things around, so it listens on port 25 and the mta on 26, and it just >> exits without any error messages. >> >> I have looked through the code and there should be all sorts of debug >> messages sent out, but nothing get into the logs at all. It is as if >> it exits before any logging is enabled. >> >> If anyone can help that would be great, sorry to disturb this list. > > have you considered contacting snertsoft? > > http://www.snertsoft.com/contact.php > > or their milters milter info ? Ummm! No I didn't. Hangs head in shame, and shuffles off to the door... -- Anthony Peacock Head of Research & Development, FBS Advanced IT Support Centre CHIME, Whittington Campus WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
From edward at tdcs.com.au Wed Nov 11 07:01:43 2009 From: edward at tdcs.com.au (Edward Dekkers) Date: Wed Nov 11 07:02:03 2009 Subject: MailScanner Looping? Message-ID: Sorry to bug you guys, but in my defence, I haven't needed you for well over a year now. I've run through all messages over the last 6 months to this list and haven't found anything similar so I'm hoping I'm not rehashing an old topic. Now I've got something I don't know how to diagnose. Above are the logs. As you can see, MailScanner seems to be "looping" somehow? I've temporarily disabled mailscanner, and commented out the "HOLD" line in header checks. I've moved the messages in the incoming mailscanner queue to the postfix incoming queue, so I'm actually 100% working fine for now, and haven't lost any mails, however, I'm now running mailscanner-less as it were. Could someone have a quick look at the log and make a suggestion before I enable mailscanner again? This is only a small business server with less than 10 employees, so I have some time to fix it. System is Ubuntu 9.10 server (recently upgraded from 9.04) Mailscanner is from the debian package here: http://debian.intergenia.de/debian/pool/main/m/mailscanner/ (4.74) Installation instructions taken originally from here: http://www.mailscanner.info/ubuntu.html This system has been working fantastically for a REALLY long time.
It IS possible the 9.04->9.10 upgrade has messed with something, but re-checking all the settings from the above two resources, everything appears to be OK on the postfix/MailScanner end. Any ideas? Regards, Ed. References: Message-ID: On 11 Nov 2009, at 07:01, Edward Dekkers wrote: > Could someone have a quick look at the log and make a suggestion > before I > enable mailscanner again? I think we will need a bit more than the attached to be able to help. Can you run mailscanner --lint and also mailscanner --debug (With some messages in the hold directory) and see if there is anything a miss. It may well be related to this.. > System is Ubuntu 9.10 server (recently upgraded from 9.04) As I would expect there have been Perl updates. Drew -- In line with our policy, this message has been scanned for viruses and dangerous content. Our email policy can be found at www.trunknetworks.com/policy Trunk Networks Limited is registered in Scotland with registration number: SC351063 Registered Office 55-57 West High Street Inverurie AB51 3QQ From bamcomp at yahoo.com Wed Nov 11 17:28:32 2009 From: bamcomp at yahoo.com (Brett Moss) Date: Wed Nov 11 19:39:12 2009 Subject: Problem Messages Message-ID: <269159.12885.qm@web30007.mail.mud.yahoo.com> Hello, I'm having some problems with a few messages recently. I have not turned anything up in my searches and would appreciate some input from the list. I have received two messages that seem to be tripping up MailScanner. Both have the same Subject (Notice of Underreported Income) and look in my maillog.
I saw the thread from June of this year, but it appears the details are a
bit different. It looks like MailScanner is finding a problem but not
knowing what to do next with the message.

I am running mailscanner-4.78.17-1 on a CentOS release 4.8 machine.

Here is what shows in the maillog:

[root@mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] ./nABBuKZR024867/msg-20311-2.html
Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer] ./nABBuKZR024867/msg-21397-3.html
Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
Nov 11 04:04:13 mailgw MailScanner[23223]: [Found password stealer] ./nABBuKZR024867/msg-23223-2.html
Nov 11 04:06:48 mailgw MailScanner[24879]: Making attempt 4 at processing message nABBuKZR024867
Nov 11 04:07:02 mailgw MailScanner[24879]: [Found password stealer] ./nABBuKZR024867/msg-24879-4.html
Nov 11 04:09:42 mailgw MailScanner[25009]: Making attempt 5 at processing message nABBuKZR024867
Nov 11 04:09:55 mailgw MailScanner[25009]: [Found password stealer] ./nABBuKZR024867/msg-25009-4.html
Nov 11 04:14:54 mailgw MailScanner[26221]: Making attempt 6 at processing message nABBuKZR024867
Nov 11 04:15:07 mailgw MailScanner[26221]: [Found password stealer] ./nABBuKZR024867/msg-26221-2.html
Nov 11 04:15:07 mailgw MailScanner[26029]: Warning: skipping message nABBuKZR024867 as it has been attempted too many times
Nov 11 04:15:07 mailgw MailScanner[26029]: Quarantined message nABBuKZR024867 as it caused MailScanner to crash several times
Nov 11 04:15:07 mailgw MailScanner[26029]: Saved entire message to /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867
Nov 11 04:15:08 mailgw MailScanner[26029]: Logging message nABBuKZR024867 to SQL
Nov 11 04:15:08 mailgw MailScanner[26224]: nABBuKZR024867: Logged to MailWatch SQL

[root@mailgw ~]# cat /var/log/maillog|grep nAAFdkAj028811
Nov 10 07:39:54 mailgw sendmail[28811]: nAAFdkAj028811: from=, size=2271, class=0, nrcpts=1, msgid=<000d01ca621c$0670e9f0$6400a8c0@surtaxedpra>, proto=ESMTP, daemon=MTA, relay=201-65-5-225.poolip.NTL.embratel.net.br [201.65.5.225]
Nov 10 07:39:54 mailgw sendmail[28811]: nAAFdkAj028811: to=, delay=00:00:00, mailer=esmtp, pri=32271, stat=queued
Nov 10 07:40:09 mailgw MailScanner[28059]: [Found password stealer] ./nAAFdkAj028811/msg-28059-2.html
Nov 10 07:45:16 mailgw MailScanner[27511]: Making attempt 2 at processing message nAAFdkAj028811
Nov 10 07:45:29 mailgw MailScanner[27511]: [Found password stealer] ./nAAFdkAj028811/msg-27511-4.html
Nov 10 07:49:11 mailgw MailScanner[27361]: Making attempt 3 at processing message nAAFdkAj028811
Nov 10 07:49:24 mailgw MailScanner[27361]: [Found password stealer] ./nAAFdkAj028811/msg-27361-2.html
Nov 10 07:53:32 mailgw MailScanner[28931]: Making attempt 4 at processing message nAAFdkAj028811
Nov 10 07:53:45 mailgw MailScanner[28931]: [Found password stealer] ./nAAFdkAj028811/msg-28931-2.html
Nov 10 07:58:15 mailgw MailScanner[28999]: Making attempt 5 at processing message nAAFdkAj028811
Nov 10 07:58:28 mailgw MailScanner[28999]: [Found password stealer] ./nAAFdkAj028811/msg-28999-2.html
Nov 10 08:02:47 mailgw MailScanner[24840]: Making attempt 6 at processing message nAAFdkAj028811
Nov 10 08:03:00 mailgw MailScanner[24840]: [Found password stealer] ./nAAFdkAj028811/msg-24840-18.html
Nov 10 08:03:01 mailgw MailScanner[29174]: Warning: skipping message nAAFdkAj028811 as it has been attempted too many times
Nov 10 08:03:01 mailgw MailScanner[29174]: Quarantined message nAAFdkAj028811 as it caused MailScanner to crash several times
Nov 10 08:03:01 mailgw MailScanner[29174]: Saved entire message to /var/spool/MailScanner/quarantine/20091110/nAAFdkAj028811
Nov 10 08:03:01 mailgw MailScanner[29174]: Logging message nAAFdkAj028811 to SQL
Nov 10 08:03:01 mailgw MailScanner[28062]: nAAFdkAj028811: Logged to MailWatch SQL

thank you,
Brett

From hvdkooij at vanderkooij.org Thu Nov 12 07:04:09 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Nov 12 07:04:18 2009
Subject: Problem Messages
In-Reply-To: <269159.12885.qm@web30007.mail.mud.yahoo.com>
References: <269159.12885.qm@web30007.mail.mud.yahoo.com>
Message-ID: <4AFBB369.7000902@vanderkooij.org>

On 11/11/09 18:28, Brett Moss wrote:
> [root@mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
> Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] ./nABBuKZR024867/msg-20311-2.html
> Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer] ./nABBuKZR024867/msg-21397-3.html
> Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867

There may be some relevant log lines in between currently missing. At
least an indication which scanner is detecting this. Which scanner is
that BTW? Is it the only scanner? What are the other log lines?

And given the nature of the message I think you would not mind sharing
the content of that message somewhere so others can have a look at it
also.

I would probably never see these as the sender is using dialup networks
and they would most likely be killed before the DATA line.

Hugo.
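[Added example, not part of the original thread and not MailScanner code: a small Python parser that groups maillog lines by queue ID and reports messages that ended in the "caused MailScanner to crash several times" quarantine, with attempt count, relay IP and time spent retrying. The function names and the year default are assumptions; the sample lines are copied from Brett's excerpt above.]

```python
import re
from datetime import datetime

# Lines copied from the maillog excerpt quoted above (message nABBuKZR024867).
SAMPLE_LOG = """\
Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867: from=, size=2158, class=0, nrcpts=1, msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, proto=ESMTP, daemon=MTA, relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] ./nABBuKZR024867/msg-20311-2.html
Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing message nABBuKZR024867
Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password stealer] ./nABBuKZR024867/msg-21397-3.html
Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing message nABBuKZR024867
Nov 11 04:04:13 mailgw MailScanner[23223]: [Found password stealer] ./nABBuKZR024867/msg-23223-2.html
Nov 11 04:06:48 mailgw MailScanner[24879]: Making attempt 4 at processing message nABBuKZR024867
Nov 11 04:07:02 mailgw MailScanner[24879]: [Found password stealer] ./nABBuKZR024867/msg-24879-4.html
Nov 11 04:09:42 mailgw MailScanner[25009]: Making attempt 5 at processing message nABBuKZR024867
Nov 11 04:09:55 mailgw MailScanner[25009]: [Found password stealer] ./nABBuKZR024867/msg-25009-4.html
Nov 11 04:14:54 mailgw MailScanner[26221]: Making attempt 6 at processing message nABBuKZR024867
Nov 11 04:15:07 mailgw MailScanner[26221]: [Found password stealer] ./nABBuKZR024867/msg-26221-2.html
Nov 11 04:15:07 mailgw MailScanner[26029]: Warning: skipping message nABBuKZR024867 as it has been attempted too many times
Nov 11 04:15:07 mailgw MailScanner[26029]: Quarantined message nABBuKZR024867 as it caused MailScanner to crash several times
Nov 11 04:15:07 mailgw MailScanner[26029]: Saved entire message to /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867
Nov 11 04:15:08 mailgw MailScanner[26029]: Logging message nABBuKZR024867 to SQL
Nov 11 04:15:08 mailgw MailScanner[26224]: nABBuKZR024867: Logged to MailWatch SQL
"""

# syslog prefix: timestamp, host, program[pid]: text
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^(\w+): from=.*\brelay=.*\[([\d.]+)\]")
FOUND = re.compile(r"^\[Found (.+?)\]\s+\./(\w+)/")
ATTEMPT = re.compile(r"^Making attempt (\d+) at processing message (\w+)")
CRASHED = re.compile(r"^Quarantined message (\w+) as it caused MailScanner to crash")
SAVED = re.compile(r"^Saved entire message to (\S*/(\w+))$")


def parse_maillog(text, year=2009):
    """Group sendmail and MailScanner log lines by queue ID."""
    msgs = {}

    def rec(qid):
        return msgs.setdefault(qid, {
            "first_seen": None, "relay_ip": None, "attempts": 0,
            "worker_pids": set(), "signatures": set(),
            "crash_quarantined_at": None, "quarantine_path": None,
        })

    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, prog, pid, body = m.groups()
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prog == "sendmail" and (a := ACCEPT.match(body)):
            r = rec(a.group(1))
            r["first_seen"] = r["first_seen"] or when
            r["relay_ip"] = a.group(2)
        elif prog == "MailScanner":
            if f := FOUND.match(body):
                r = rec(f.group(2))
                r["signatures"].add(f.group(1))
                r["worker_pids"].add(int(pid))
                r["attempts"] = max(r["attempts"], 1)  # first try is implicit
            elif t := ATTEMPT.match(body):
                r = rec(t.group(2))
                r["attempts"] = max(r["attempts"], int(t.group(1)))
                r["worker_pids"].add(int(pid))
            elif c := CRASHED.match(body):
                rec(c.group(1))["crash_quarantined_at"] = when
            elif s := SAVED.match(body):
                # the queue ID is the last component of the quarantine path
                rec(s.group(2))["quarantine_path"] = s.group(1)
    return msgs


def crash_loops(msgs):
    """Summarise messages that were quarantined after repeated crashes."""
    out = []
    for qid, r in msgs.items():
        if r["crash_quarantined_at"] is None:
            continue
        waited = None
        if r["first_seen"]:
            delta = r["crash_quarantined_at"] - r["first_seen"]
            waited = int(delta.total_seconds())
        out.append({
            "qid": qid, "relay_ip": r["relay_ip"], "attempts": r["attempts"],
            "distinct_workers": len(r["worker_pids"]),
            "signatures": sorted(r["signatures"]),
            "seconds_until_quarantine": waited,
            "quarantine_path": r["quarantine_path"],
        })
    return out


if __name__ == "__main__":
    for hit in crash_loops(parse_maillog(SAMPLE_LOG)):
        print(hit)
```
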
From jpete at iinet.net.au Thu Nov 12 07:52:57 2009
From: jpete at iinet.net.au (Pete Russell)
Date: Thu Nov 12 07:53:15 2009
Subject: Targeting Malware
Message-ID: <4AFBBED9.5060209@iinet.net.au>

Hi there,

I have a MailScanner machine for outbound mail only - we have a
managed/hosted system for inbound. We have clients and staff on site who
can send email. We have plenty of horsepower MailScanner machine and
allow all users on the inside of our network to send mail.

This works fine, until, you get some one with a new malware. These
malware beat anti virus tools for the first 24 hours (at least) and
during this time they send HEAPS of the same email.

Before i start trying to get too tricky what is the best standard set of
tool to combat the type of spam generated by these malwares? I really
dont want to be too aggressive, just target this very repetitive emails.

We often get 40k of these same email being sent each day, in the past MS
and SA just stopped them, now they seem to beat it a little more and we
have to create custom rules (not very gracefully).

So far i have razor, latest mailscanner, SA, bayes, malwarepatrol rules.

Should i go with DCC or pyzor to target these emails, any other
suggestions?

Ta
Pete

From Antony.Stone at mailscanner.open.source.it Thu Nov 12 08:17:52 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu Nov 12 08:18:03 2009
Subject: Targeting Malware
In-Reply-To: <4AFBBED9.5060209@iinet.net.au>
References: <4AFBBED9.5060209@iinet.net.au>
Message-ID: <200911120817.52691.Antony.Stone@mailscanner.open.source.it>

On Thursday 12 November 2009 07:52, Pete Russell wrote:

> This works fine, until, you get some one with a new malware.

> We often get 40k of these same email being sent each day, in the past MS
> and SA just stopped them, now they seem to beat it a little more and we
> have to create custom rules (not very gracefully).

> Should i go with DCC or pyzor to target these emails, any other
> suggestions?

Limit the number of IP connection requests to the mail server from each
client to a reasonable value (eg: maximum one email per minute or so)?

This could be done with a firewall-type system such as IPtables, or with
the connection-rate limits of a recent sendmail (presumably other MTAs
as well).

Alternatively use a Network IDS to detect massive traffic from isolated
IP addresses and raise an alert / throttle back that client until it's
been investigated? That's probably a good thing to do anyway, since if
you have problems with malware-infected machines sending thousands of
emails, you probably get problems with other sorts of malware too, which
create local broadcast traffic, traffic to random IPs, port scans etc.,
and it would be good to pick this up so the machines can be taken off
the network too.

Regards,

Antony.

--
If the human brain were so simple that we could understand it, we'd be
so simple that we couldn't.

Please reply to the list; please don't CC me.

From housey at sme-ecom.co.uk Thu Nov 12 09:59:18 2009
From: housey at sme-ecom.co.uk (Paul)
Date: Thu Nov 12 10:00:27 2009
Subject: Chinese emails
Message-ID: <4AFBDC76.7090400@sme-ecom.co.uk>

Hi

Ive been down this road before and thought I fixed it, however am
getting some complaints from users again that chinese email is being
blocked as the filetype rules are saying its a program.

When I run just "file" on the message it returns its an executable,
however "file -i" returns its text/plain

[root@geneva nAB8qd2B008626]# file msg-23153-1986.txt
msg-23153-1986.txt: COM executable for DOS
[root@geneva nAB8qd2B008626]# file -i msg-23153-1986.txt
msg-23153-1986.txt: text/plain; charset=iso-8859-1

I have added

allow - text/plain - -

To the top of my filetype.rules.conf - however the message is still
being blocked with "No Programs Allowed"

Im running version 4.74.16.

Any ideas?

Paul

From Antony.Stone at mailscanner.open.source.it Thu Nov 12 10:26:53 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu Nov 12 10:27:04 2009
Subject: Chinese emails
In-Reply-To: <4AFBDC76.7090400@sme-ecom.co.uk>
References: <4AFBDC76.7090400@sme-ecom.co.uk>
Message-ID: <200911121026.53233.Antony.Stone@mailscanner.open.source.it>

On Thursday 12 November 2009 09:59, Paul wrote:

> Hi
>
> Ive been down this road before and thought I fixed it, however am
> getting some complaints from users again that chinese email is being
> blocked as the filetype rules are saying its a program.
>
> When I run just "file" on the message it returns its an executable,
> however "file -i" returns its text/plain
>
> [root@geneva nAB8qd2B008626]# file msg-23153-1986.txt
> msg-23153-1986.txt: COM executable for DOS
> [root@geneva nAB8qd2B008626]# file -i msg-23153-1986.txt
> msg-23153-1986.txt: text/plain; charset=iso-8859-1

Both of those would seem to be incorrect to me, since you say it isn't
an executable, but it can't possibly be ISO-8859-1 if it's in Chinese...

> I have added
>
> allow - text/plain - -
>
> To the top of my filetype.rules.conf - however the message is still
> being blocked with "No Programs Allowed"

Have you changed "File Command" in MailScanner.conf to include the -i
option?

> Im running version 4.74.16.
>
> Any ideas?

"man file" suggests that one of the things the -i option does is tell
file to use a different source of magic data
(/usr/share/file/magic.mime instead of /usr/share/file/magic on my
Debian system) - perhaps you could just rename these files to achieve
what you want without needing the -i option? The files look to be
compatible in format with each other.

Regards,

Antony.

--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

Please reply to the list; please don't CC me.
From jpete at iinet.net.au Thu Nov 12 10:27:53 2009
From: jpete at iinet.net.au (Pete Russell)
Date: Thu Nov 12 10:28:07 2009
Subject: Targeting Malware
In-Reply-To: <51219.93.97.28.110.1258016399.squirrel@saturn.dataflame.net>
References: <4AFBBED9.5060209@iinet.net.au> <51219.93.97.28.110.1258016399.squirrel@saturn.dataflame.net>
Message-ID: <4AFBE329.30503@iinet.net.au>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091112/1d4de02c/attachment.html

From housey at sme-ecom.co.uk Thu Nov 12 10:47:41 2009
From: housey at sme-ecom.co.uk (Paul)
Date: Thu Nov 12 10:48:03 2009
Subject: Chinese emails
In-Reply-To: <200911121026.53233.Antony.Stone@mailscanner.open.source.it>
References: <4AFBDC76.7090400@sme-ecom.co.uk> <200911121026.53233.Antony.Stone@mailscanner.open.source.it>
Message-ID: <4AFBE7CD.7050407@sme-ecom.co.uk>

Antony Stone wrote:
> On Thursday 12 November 2009 09:59, Paul wrote:
>
>> Hi
>>
>> Ive been down this road before and thought I fixed it, however am
>> getting some complaints from users again that chinese email is being
>> blocked as the filetype rules are saying its a program.
>>
>> When I run just "file" on the message it returns its an executable,
>> however "file -i" returns its text/plain
>>
>> [root@geneva nAB8qd2B008626]# file msg-23153-1986.txt
>> msg-23153-1986.txt: COM executable for DOS
>> [root@geneva nAB8qd2B008626]# file -i msg-23153-1986.txt
>> msg-23153-1986.txt: text/plain; charset=iso-8859-1
>>
>
> Both of those would seem to be incorrect to me, since you say it isn't an
> executable, but it can't possibly be ISO-8859-1 if it's in Chinese...
>
>> I have added
>>
>> allow - text/plain - -
>>
>> To the top of my filetype.rules.conf - however the message is still
>> being blocked with "No Programs Allowed"
>>
>
> Have you changed "File Command" in MailScanner.conf to include the -i option?
>
>> Im running version 4.74.16.
>>
>> Any ideas?
>>
>
> "man file" suggests that one of the things the -i option does is tell file to
> use a different source of magic data (/usr/share/file/magic.mime instead
> of /usr/share/file/magic on my Debian system) - perhaps you could just rename
> these files to achieve what you want without needing the -i option? The
> files look to be compatible in format with each other.
>
> Regards,
>
> Antony.
>

When I release the email it certainly looks like Chinese text - there is
no executable attachment. This has been brought up before on the list, I
don't think the issue was limited to Chinese characters either.

My understanding was you did not need to add the -i option in
MailScanner.conf, this is an extract from filetype.rules.conf,

# An optional fifth field can also be added before the "log text", which
# makes the checked text check against the MIME type of the attachment
# as determined by the output of the "file -i" command.

I thought if the fifth field is present it will be checked with -i?

I'm certain I fixed this some time ago and I cant think of anything I
have done to break it!

Kind Regards

Paul

From jpete at iinet.net.au Thu Nov 12 11:28:14 2009
From: jpete at iinet.net.au (Pete Russell)
Date: Thu Nov 12 11:28:27 2009
Subject: Targeting Malware
In-Reply-To: <4AFBE329.30503@iinet.net.au>
References: <4AFBBED9.5060209@iinet.net.au> <51219.93.97.28.110.1258016399.squirrel@saturn.dataflame.net> <4AFBE329.30503@iinet.net.au>
Message-ID: <4AFBF14E.8040303@iinet.net.au>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091112/33fd4062/attachment.html

From mmmm82 at gmail.com Thu Nov 12 12:14:48 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Thu Nov 12 12:14:57 2009
Subject: Retrieve from Archive
Message-ID: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>

Hi everyone:

I am using the archive feature of Mailscanner to have a copy of all
mails in a dir, this is working fine and lovely, now the problem is if I
want to retrieve a certain message , how can I do that in the following
cases

1- I dont know where it is in the archive

2- I know where it is and the message ID for example under the archive
is D548C6E00BB.27373, how do I send it to the intended user

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091112/ae0bcdf6/attachment.html

From glenn.steen at gmail.com Thu Nov 12 13:14:47 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 12 13:14:57 2009
Subject: Why is this domain spoofing.
In-Reply-To:
References:
Message-ID: <223f97700911120514x2288071dr3e41ed8a200c5fc4@mail.gmail.com>

2009/11/9 Robert Lopez :
(snip)
> I had the office of PTK that sent out the news letter send it to me at
> my Gmail address. The news letter has a lot of URL for addresses not
> at ptk.org. Perhaps that may be a part of the problem.  They then sent
> to my cnm.edu address the news letter as inline rather than as an
> attachment. That was delivered to me via one of the same email
> gateways that blocked all the previous email. That seems to mean the
> content checking for inline email is different from the content
> checking for attachments.
>
No, it just means you likely have
http://www.mailscanner.info/MailScanner.conf.index.html#ClamAV%20Full%20Message%20Scan
set to "no". The behavior you see is normal, and possible to handle.
Best would be if the sender cleaned up their HTML, exactly as Alex has
been saying.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ilikeuce at bornefeld-ettmann.de Thu Nov 12 13:14:24 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Thu Nov 12 13:15:52 2009
Subject: Retrieve from Archive
In-Reply-To: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>
Message-ID:

Monis Monther wrote:
> Hi everyone:
>
> I am using the archive feature of Mailscanner to have a copy of all
> mails in a dir, this is working fine and lovely, now the problem is if I
> want to retrieve a certain message , how can I do that in the following
> cases
>
> 1- I dont know where it is in the archive
>
>
> 2- I know where it is and the message ID for example under the archive
> is D548C6E00BB.27373, how do I send it to the intended user
>
> Thanks
>
>
>

you can find the path in /etc/MailScanner/MailScanner.conf :

Archive Mail =

if this is empty you possibly find this :

Non Spam Actions = store deliver

in the latter case you will find archived mails :
/var/spool/MailScanner/quarantine//nonspam

Cheers
Ralph

From glenn.steen at gmail.com Thu Nov 12 13:19:48 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 12 13:19:58 2009
Subject: OT: Snertsoft roundhouse on Solaris 8
In-Reply-To: <4AF9254F.9000305@chime.ucl.ac.uk>
References: <4AF840C6.2060504@chime.ucl.ac.uk> <3D9C92F3075F5144B46AA2C590F48E2ACF9FEA@commssrv01.computerservicecentre.com> <4AF9254F.9000305@chime.ucl.ac.uk>
Message-ID: <223f97700911120519h4edf2013od310d38ae9dca7f1@mail.gmail.com>

2009/11/10 Anthony Peacock :
> Hi Gary,
>
> Thanks for your message.
>
> I decided to spend a little more time looking into the problem this morning,
> and bizarrely, it worked fine first time.  I didn't do anything differently
> this morning compared to previous occasions, and I am at a loss to explain
> why it is working now, and not before.
>
> I'm going to leave it running (complete with truss output) for a couple of
> hours to run my tests and then I may never need to run it on Solaris 8 again
> (with any luck).
>
> Gary Pentland wrote:
>>
>> # truss -wall -rall -leaf /opt/local/snertsoft/bin.....
>>
>> Would be the debugging option if you like strace and similar
>
> I had been looking into this, hadn't found anything obvious yet.
>
>>
>> If I read this right, roundhouse works reliably on port 26, normal mta on
>> 25....
>>
>> Swap the ports around and it doesn't work...  Is that correct?
>
> It is not quite that simple, but that is one of the failure patterns.
>
>> If that is the case I'd guess then that there is a config issue in
>> swapping the ports around, does roundhouse run on 25 with no MTA running?
>>  Obviously difficult to try if this is your real server but I suspect
>> something is holding port 25 open and that is preventing roundhouse from
>> starting.
>>
>> I assume that you are starting the MTA on 26 first, then roundhouse?  Try
>> the other way around, start roundhouse first then the MTA... or simply start
>> the MTA and then the old # netstat -an | grep LISTEN or similar to check 25
>> is available for roundhouse.
>>
>> I do suspect this will turn out to be something silly/obvious....
>
> Me too!
>
>
Might actually be quite simple... Sendmail might've taken a while to "go
away", so kept port 25 for itself, the first time around... And not the
second;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ilikeuce at bornefeld-ettmann.de Thu Nov 12 13:25:03 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Thu Nov 12 13:25:56 2009
Subject: Retrieve from Archive
In-Reply-To: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>
Message-ID:

Monis Monther wrote:
> Hi everyone:
>
> I am using the archive feature of Mailscanner to have a copy of all
> mails in a dir, this is working fine and lovely, now the problem is if I
> want to retrieve a certain message , how can I do that in the following
> cases
>
> 1- I dont know where it is in the archive
>
>
> 2- I know where it is and the message ID for example under the archive
> is D548C6E00BB.27373, how do I send it to the intended user
>
> Thanks
>
>
>

to resend messages please check this :
http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806

From mmmm82 at gmail.com Thu Nov 12 13:28:53 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Thu Nov 12 13:29:02 2009
Subject: Retrieve from Archive
In-Reply-To:
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>
Message-ID: <837e17ab0911120528q2133d95cpdec69f20cfe7b570@mail.gmail.com>

Hi Ralph

First of all , thanks for your reply, my problem is how to get them
again, I do know where the messages are and I can see them in the
intended dirs and I can see each message as a filename by its ID, now I
want to send it again to someone that has accidentally deleted his
message.
1- is there an interface/tool

2- How to do it with command line

Thanks

On Thu, Nov 12, 2009 at 3:14 PM, Ralph Bornefeld-Ettmann <
ilikeuce@bornefeld-ettmann.de> wrote:

> Monis Monther wrote:
>
> Hi everyone:
>> I am using the archive feature of Mailscanner to have a copy of all mails
>> in a dir, this is working fine and lovely, now the problem is if I want to
>> retrieve a certain message , how can I do that in the following cases
>> 1- I dont know where it is in the archive
>> 2- I know where it is and the message ID for example under the archive
>> is D548C6E00BB.27373, how do I send it to the intended user
>> Thanks
>>
>>
>
> you can find the path in /etc/MailScanner/MailScanner.conf :
>
> Archive Mail =
>
> if this is empty you possibly find this :
>
> Non Spam Actions = store deliver
>
> in the latter case you will find archived mails :
> /var/spool/MailScanner/quarantine//nonspam
>
> Cheers
> Ralph
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091112/7f3fc707/attachment.html

From glenn.steen at gmail.com Thu Nov 12 13:29:42 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 12 13:29:52 2009
Subject: MailScanner Looping?
In-Reply-To:
References:
Message-ID: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com>

2009/11/11 Drew Marshall :
>
> On 11 Nov 2009, at 07:01, Edward Dekkers wrote:
>
>> Could someone have a quick look at the log and make a suggestion before I
>> enable mailscanner again?
>
> I think we will need a bit more than the attached to be able to help. Can
> you run mailscanner --lint and also mailscanner --debug (With some messages
> in the hold directory) and see if there is anything a miss. It may well be
> related to this..
>
>> System is Ubuntu 9.10 server (recently upgraded from 9.04)
>
> As I would expect there have been Perl updates.
>
> Drew
>
What this sounds like ... is some message "killing" MailScanner... I'm
not sure (since I haven't looked), but I don't think the version at hand
has the processing database thing in place (which is designed just to
catch this type of situation, so that "malformed" messages can't take
your system down).

Without the processing thing, one would have to stop MailScanner (and
postfix), move all the messages out of hold, to some place temporary...
then move some into hold, run MailScanner --debug, check the logs/what
happened ... and repeat until the "bad" message was identified.

Hard to be certain, especially since Ed already did away with the
"evidence" (the errant queue files:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mmmm82 at gmail.com Thu Nov 12 13:36:28 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Thu Nov 12 13:36:38 2009
Subject: Retrieve from Archive
In-Reply-To:
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com>
Message-ID: <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com>

The link looks informative and would take me some time to read which I
will do definitely , Thanks

Also how can I do it quickly by command line, for example can I
sendmail.postfix [options] filename ..etc

Note: My MTA is postfix

Thanks

On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann <
ilikeuce@bornefeld-ettmann.de> wrote:

> Monis Monther wrote:
>
> Hi everyone:
>> I am using the archive feature of Mailscanner to have a copy of all mails
>> in a dir, this is working fine and lovely, now the problem is if I want to
>> retrieve a certain message , how can I do that in the following cases
>> 1- I dont know where it is in the archive
>> 2- I know where it is and the message ID for example under the archive
>> is D548C6E00BB.27373, how do I send it to the intended user
>> Thanks
>>
>>
> to resend messages please check this :
> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091112/67e06345/attachment.html

From glenn.steen at gmail.com Thu Nov 12 13:39:26 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 12 13:39:35 2009
Subject: Problem Messages
In-Reply-To: <4AFBB369.7000902@vanderkooij.org>
References: <269159.12885.qm@web30007.mail.mud.yahoo.com> <4AFBB369.7000902@vanderkooij.org>
Message-ID: <223f97700911120539t6d75b770v5cab844f53ae36d1@mail.gmail.com>

2009/11/12 Hugo van der Kooij :
> On 11/11/09 18:28, Brett Moss wrote:
>>
>> [root@mailgw ~]# cat /var/log/maillog|grep nABBuKZR024867
>> Nov 11 03:56:33 mailgw sendmail[24867]: nABBuKZR024867:
>> from=, size=2158, class=0, nrcpts=1,
>> msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, proto=ESMTP, daemon=MTA,
>> relay=cable-94-189-200-50.dynamic.sbb.rs [94.189.200.50]
>> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password
>> stealer]  ./nABBuKZR024867/msg-20311-2.html
>> Nov 11 04:01:16 mailgw MailScanner[21397]: Making attempt 2 at processing
>> message nABBuKZR024867
>> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found password
>> stealer]  ./nABBuKZR024867/msg-21397-3.html
>> Nov 11 04:03:54 mailgw MailScanner[23223]: Making attempt 3 at processing
>> message nABBuKZR024867
>
> There may be some relevant log lines in between currently missing. At least
> an indication which scanner is detecting this. Which scanner is that BTW? Is
> it the only scanner? What are the other log lines?
>
> And given the nature of the message I think you would not mind sharing the
> content of that message somewhere so others can have a look at it also.
>
> I would probably never see these as the sender is using dialup networks and
> they would most likely be killed before the DATA line.
>
> Hugo.
>
Apart from Hugos' excellent notes, one can see that the processing db
thing does exactly what it is supposed to. It is handling a situation
where a message is responsible for killing MailScanner. You have the
message in your quarantine, for further scrutiny (perhaps upload it to
Virus Total (or similar site) to see what AV scanners think of it etc).

Since it very likely is a baddie, you could likely pastebin it, so that
we can have a look at it/try it on our systems (see if the killing thing
is a) something local to your machine, and b) something (bug or not) we
(or rather... Jules:-) can handle in the code).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at USherbrooke.ca Thu Nov 12 13:44:02 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 12 13:44:28 2009
Subject: Targeting Malware
In-Reply-To: <200911120817.52691.Antony.Stone@mailscanner.open.source.it>
References: <4AFBBED9.5060209@iinet.net.au> <200911120817.52691.Antony.Stone@mailscanner.open.source.it>
Message-ID: <4AFC1122.1040606@USherbrooke.ca>

Antony Stone wrote:
> On Thursday 12 November 2009 07:52, Pete Russell wrote:
>
>
>> This works fine, until, you get some one with a new malware.
>>
>
>
>> We often get 40k of these same email being sent each day, in the past MS
>> and SA just stopped them, now they seem to beat it a little more and we
>> have to create custom rules (not very gracefully).
>>
>
>
>> Should i go with DCC or pyzor to target these emails, any other
>> suggestions?
>>
>
> Limit the number of IP connection requests to the mail server from each client
> to a reasonable value (eg: maximum one email per minute or so)?
>
> This could be done with a firewall-type system such as IPtables, or with the
> connection-rate limits of a recent sendmail (presumably other MTAs as well).
>
> Alternatively use a Network IDS to detect massive traffic from isolated IP
> addresses and raise an alert / throttle back that client until it's been
> investigated? That's probably a good thing to do anyway, since if you have
> problems with malware-infected machines sending thousands of emails, you
> probably get problems with other sorts of malware too, which create local
> broadcast traffic, traffic to random IPs, port scans etc., and it would be
> good to pick this up so the machines can be taken off the network too.
>
>
> Regards,
>
>
> Antony.
>
>
Pete,

Another tool you could use to limit the number of emails is
milter-limit. I use it on my outgoing and incoming MailScanner servers
and it really does a great job!

milter-limit is free. You can find it here:
http://www.snertsoft.com/sendmail/milter-limit/

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From ilikeuce at bornefeld-ettmann.de Thu Nov 12 13:53:57 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Thu Nov 12 13:54:47 2009
Subject: Retrieve from Archive
In-Reply-To: <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com>
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com>
Message-ID:

Monis Monther wrote:
> The link looks informative and would take me some time to read which I
> will do definitely , Thanks
>
> Also how can I do it quickly by command line, for example can I
> sendmail.postfix [options] filename ..etc
>
>
> Note: My MTA is postfix
>
> Thanks
>
> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann
>
> > wrote:
>
>     Monis Monther wrote:
>
>         Hi everyone:
>         I am using the archive feature of Mailscanner to have a copy of
>         all mails in a dir, this is working fine and lovely, now the
>         problem is if I want to retrieve a certain message , how can I
>         do that in the following cases
>         1- I dont know where it is in the archive
>         2- I know where it is and the message ID for example under the
>         archive is D548C6E00BB.27373, how do I send it to the intended user
>         Thanks
>
>
>     to resend messages please check this :
>     http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806
>
>
>
>     --
>     MailScanner mailing list
>     mailscanner@lists.mailscanner.info
>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>     Before posting, read http://wiki.mailscanner.info/posting
>
>     Support MailScanner development - buy the book off the website!
>
>

if you call :

/usr/sbin/sendmail.postfix <

the mail should be sent to the user

From glenn.steen at gmail.com Thu Nov 12 13:59:04 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 12 13:59:16 2009
Subject: Retrieve from Archive
In-Reply-To: <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com>
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com>
Message-ID: <223f97700911120559p173768d1q43e0070a30750be7@mail.gmail.com>

2009/11/12 Monis Monther :
> The link looks informative and would take me some time to read which I will
> do definitely , Thanks
>
> Also how can I do it quickly by command line, for example can I
> sendmail.postfix [options] filename ..etc
>
>
> Note: My MTA is postfix
>
> Thanks
>
Well, the answer is "it depends"...:-)
It sounds like your archive is by queue file, easily checked with the
file command (or any paginator, like less). To view the contents, you'd
then have to use the postcat command. To resend, simply adapt the
instructions for releasing messages from the quarantine as found in the
MS Wiki:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail#releasing_mail_from_the_quarantine_-_queue_files

Instead of placing the queue file copy into the incoming folder, place
it in the hold folder (so that MailScanner picks it up and rescans it)...
Why? Because the archive will contain all messages _as is_... So this is
a safety thing;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Nov 12 14:00:52 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 12 14:01:04 2009
Subject: Retrieve from Archive
In-Reply-To:
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com>
Message-ID: <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com>

2009/11/12 Ralph Bornefeld-Ettmann :
> Monis Monther wrote:
>>
>> The link looks informative and would take me some time to read which I
>> will do definitely , Thanks
>>  Also how can I do it quickly by command line, for example can I
>> sendmail.postfix [options] filename ..etc
>>   Note: My MTA is postfix
>>  Thanks
>>
>> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann
>> >
>> wrote:
>>
>>    Monis Monther wrote:
>>
>>        Hi everyone:
>>         I am using the archive feature of Mailscanner to have a copy of
>>        all mails in a dir, this is working fine and lovely, now the
>>        problem is if I want to retrieve a certain message , how can I
>>        do that in the following cases
>>         1- I dont know where it is in the archive
>>          2- I know where it is and the message ID for example under the
>>        archive is D548C6E00BB.27373, how do I send it to the intended user
>>         Thanks
>>
>>    to resend messages please check this :
>>    http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806
>>
>>
>>
>>    --    MailScanner mailing list
>>    mailscanner@lists.mailscanner.info
>>
>>    http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>    Before posting, read http://wiki.mailscanner.info/posting
>>
>>    Support MailScanner development - buy the book off the website!
>>
>>
>
> if you call :
>
> /usr/sbin/sendmail.postfix <
>
> the mail should be sent to the user
>
>
Only if the message has been decoded to the RFC822/2822/5322 format
first... which it likely hasn't...;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ilikeuce at bornefeld-ettmann.de Thu Nov 12 14:17:41 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Thu Nov 12 14:19:15 2009
Subject: Retrieve from Archive
In-Reply-To: <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com>
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com>
Message-ID:

Glenn Steen wrote:
> 2009/11/12 Ralph Bornefeld-Ettmann :
>> Monis Monther wrote:
>>> The link looks informative and would take me some time to read which I
>>> will do definitely , Thanks
>>> Also how can I do it quickly by command line, for example can I
>>> sendmail.postfix [options] filename ..etc
>>> Note: My MTA is postfix
>>> Thanks
>>>
>>> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann
>>> >
>>> wrote:
>>>
>>> Monis Monther wrote:
>>>
>>> Hi everyone:
>>> I am using the archive feature of Mailscanner to have a copy of
>>> all mails in a dir, this is working fine and lovely, now the
>>> problem is if I want to retrieve a certain message , how can I
>>> do that in the following cases
>>> 1- I dont know where it is in the archive
>>> 2- I know where it is and the message ID for example under the
>>> archive is D548C6E00BB.27373, how do I send it to the intended user
>>> Thanks
>>>
>>> to resend messages please check this :
>>> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806
>>>
>>>
>>>
>>> -- MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>>
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>> if you call :
>>
>> /usr/sbin/sendmail.postfix <
>>
>> the mail should be sent to the user
>>
>>
> Only if the message has been decoded to the RFC822/2822/5322 format
> first... which it likely hasn't...;-)
>
> Cheers

[root@localhost nonspam]# file 05B5E28027.4BC43
05B5E28027.4BC43: RFC 822 mail text

so it should be correct ... or did I get you wrong?
AFAIK only really archived mails are queue file but files in nonspam are
RFC 822 files.
please correct me if I'm wrong

From a.peacock at chime.ucl.ac.uk Thu Nov 12 14:25:46 2009
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Nov 12 14:26:03 2009
Subject: OT: Snertsoft roundhouse on Solaris 8
In-Reply-To: <223f97700911120519h4edf2013od310d38ae9dca7f1@mail.gmail.com>
References: <4AF840C6.2060504@chime.ucl.ac.uk> <3D9C92F3075F5144B46AA2C590F48E2ACF9FEA@commssrv01.computerservicecentre.com> <4AF9254F.9000305@chime.ucl.ac.uk> <223f97700911120519h4edf2013od310d38ae9dca7f1@mail.gmail.com>
Message-ID: <4AFC1AEA.20308@chime.ucl.ac.uk>

Glenn Steen wrote:
> 2009/11/10 Anthony Peacock :
>> Hi Gary,
>>
>> Thanks for your message.
>>
>> I decided to spend a little more time looking into the problem this morning,
>> and bizarrely, it worked fine first time. I didn't do anything differently
>> this morning compared to previous occasions, and I am at a loss to explain
>> why it is working now, and not before.
>>
>> I'm going to leave it running (complete with truss output) for a couple of
>> hours to run my tests and then I may never need to run it on Solaris 8 again
>> (with any luck).
>>
>> Gary Pentland wrote:
>>> # truss -wall -rall -leaf /opt/local/snertsoft/bin.....
>>>
>>> Would be the debugging option if you like strace and similar
>> I had been looking into this, hadn't found anything obvious yet.
>>
>>> If I read this right, roundhouse works reliably on port 26, normal mta on
>>> 25....
>>>
>>> Swap the ports around and it doesn't work... Is that correct?
>> It is not quite that simple, but that is one of the failure patterns.
>>
>>> If that is the case I'd guess then that there is a config issue in
>>> swapping the ports around, does roundhouse run on 25 with no MTA running?
>>> Obviously difficult to try if this is your real server but I suspect
>>> something is holding port 25 open and that is preventing roundhouse from
>>> starting.
>>>
>>> I assume that you are starting the MTA on 26 first, then roundhouse? Try
>>> the other way around, start roundhouse first then the MTA... or simply start
>>> the MTA and then the old # netstat -an | grep LISTEN or similar to check 25
>>> is available for roundhouse.
>>>
>>> I do suspect this will turn out to be something silly/obvious....
>> Me too!
>>
>>
> Might actually be quite simple... Sendmail might've taken a while to
> "go away", so kept port 25 for itself, the first time around... And
> not the second;-).

Yes, this was what I was thinking. Nothing shows up in netstat listening on 25. But I am not sure this is the whole story. I suspect there may be some Solaris 8 funniness as well. Once I have finished the migration I will be able to ignore Solaris 8 for ever more.

Anyway, whilst trying to debug using truss, it started to work in the correct configuration. So I left it running for long enough for the assurance tests I wanted. I am still not 100% certain I understand the full story, but I have completed the task I needed for now.

Thanks for all of the suggestions.

-- Anthony Peacock Head of Research & Development, FBS Advanced IT Support Centre CHIME, Whittington Campus WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ From glenn.steen at gmail.com Thu Nov 12 14:52:49 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Nov 12 14:53:00 2009 Subject: Retrieve from Archive In-Reply-To: References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> Message-ID: <223f97700911120652m77f4be9fm8da2e080251a13c@mail.gmail.com> 2009/11/12 Ralph Bornefeld-Ettmann : > Glenn Steen schrieb: >> >> 2009/11/12 Ralph Bornefeld-Ettmann : >>> >>> Monis Monther schrieb: >>>> >>>> The link looks informative and would take me some time to read which I >>>> will do definitly , Thanks >>>> ?Also how can I do it qiuckly by command line, for example can I >>>> sendmail.postfix [options] filename ..etc >>>> ?Note: My MTA is postfix >>>> ?Thanks >>>> >>>> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann >>>> > >>>> wrote: >>>> >>>> ? Monis Monther schrieb: >>>> >>>> ? ? ? Hi everyone: >>>> ? ? ? ?I am using the archive feature of Mailscanner to have a copy of >>>> ? ? ? all mails in a dir, this is working fine and lovely, now the >>>> ? ? ? problem is if I want to retrieve a certain message , how can I >>>> ? ? ? do that in the following cases >>>> ? ? ? ?1- I dont know where it is in the archive >>>> ? ? ? ? 2- I know where it is and the message ID for example under the >>>> ? ? ? archive is D548C6E00BB.27373, how do I send it to the inteded user >>>> ? ? ? ?Thanks >>>> >>>> ? to resend messages please check this : >>>> ? http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >>>> ? >>>> >>>> >>>> ? -- ? ?MailScanner mailing list >>>> ? mailscanner@lists.mailscanner.info >>>> ? >>>> ? http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> ? 
Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> ? Support MailScanner development - buy the book off the website! >>>> >>>> >>> if you call : >>> >>> /usr/sbin/sendmail.postfix < >>> >>> the mail should be sent to the user >>> >>> >> Only if the message has been decoded to the RFC822/2822/5322 format >> first... which it likely hasn't...;-) >> >> Cheers > > [root@localhost nonspam]# file 05B5E28027.4BC43 > 05B5E28027.4BC43: RFC 822 mail text > > so it should be correct ... or did I get you wrong? > > AFAIK only really archived mails are queue file but files in nonspam are > ?RFC 822 files. please correct me if I'm wrong > AFAIU, this thread is about the Archive... But I might've read it sloppily;-). Personally, I prefer to use the nonspam quarantine as an archive, since it take care of the ... "malware-problem" of the archive. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rlopezcnm at gmail.com Thu Nov 12 15:04:41 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu Nov 12 15:04:50 2009 Subject: Retrieve from Archive In-Reply-To: <223f97700911120652m77f4be9fm8da2e080251a13c@mail.gmail.com> References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <223f97700911120652m77f4be9fm8da2e080251a13c@mail.gmail.com> Message-ID: On Thu, Nov 12, 2009 at 7:52 AM, Glenn Steen wrote: > 2009/11/12 Ralph Bornefeld-Ettmann : >> Glenn Steen schrieb: >>> >>> 2009/11/12 Ralph Bornefeld-Ettmann : >>>> >>>> Monis Monther schrieb: >>>>> >>>>> The link looks informative and would take me some time to read which I >>>>> will do definitly , Thanks >>>>> ?Also how can I do it qiuckly by command line, for example can I >>>>> sendmail.postfix [options] filename ..etc >>>>> ?Note: My MTA is postfix >>>>> ?Thanks >>>>> >>>>> On Thu, Nov 12, 2009 at 3:25 PM, 
Ralph Bornefeld-Ettmann >>>>> > >>>>> wrote: >>>>> >>>>> ? Monis Monther schrieb: >>>>> >>>>> ? ? ? Hi everyone: >>>>> ? ? ? ?I am using the archive feature of Mailscanner to have a copy of >>>>> ? ? ? all mails in a dir, this is working fine and lovely, now the >>>>> ? ? ? problem is if I want to retrieve a certain message , how can I >>>>> ? ? ? do that in the following cases >>>>> ? ? ? ?1- I dont know where it is in the archive >>>>> ? ? ? ? 2- I know where it is and the message ID for example under the >>>>> ? ? ? archive is D548C6E00BB.27373, how do I send it to the inteded user >>>>> ? ? ? ?Thanks >>>>> >>>>> ? to resend messages please check this : >>>>> ? http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >>>>> ? >>>>> >>>>> >>>>> ? -- ? ?MailScanner mailing list >>>>> ? mailscanner@lists.mailscanner.info >>>>> ? >>>>> ? http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> ? Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> ? Support MailScanner development - buy the book off the website! >>>>> >>>>> >>>> if you call : >>>> >>>> /usr/sbin/sendmail.postfix < >>>> >>>> the mail should be sent to the user >>>> >>>> >>> Only if the message has been decoded to the RFC822/2822/5322 format >>> first... which it likely hasn't...;-) >>> >>> Cheers >> >> [root@localhost nonspam]# file 05B5E28027.4BC43 >> 05B5E28027.4BC43: RFC 822 mail text >> >> so it should be correct ... or did I get you wrong? >> >> AFAIK only really archived mails are queue file but files in nonspam are >> ?RFC 822 files. please correct me if I'm wrong >> > AFAIU, this thread is about the Archive... But I might've read it > sloppily;-). Personally, I prefer to use the nonspam quarantine as an > archive, since it take care of the ... "malware-problem" of the > archive. 
> > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > With apologies to Ralph for using his thread... Glenn, what is the "'malware-problem"'of the archive"? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From bamcomp at yahoo.com Thu Nov 12 15:55:12 2009 From: bamcomp at yahoo.com (Brett Moss) Date: Thu Nov 12 15:55:23 2009 Subject: Problem Messages Message-ID: <706463.69143.qm@web30006.mail.mud.yahoo.com> --- On Thu, 11/12/09, Glenn Steen wrote: > From: Glenn Steen > Subject: Re: Problem Messages > To: "MailScanner discussion" > Date: Thursday, November 12, 2009, 5:39 AM > 2009/11/12 Hugo van der Kooij : > > On 11/11/09 18:28, Brett Moss wrote: > >> > >> [root@mailgw ~]# cat /var/log/maillog|grep > nABBuKZR024867 > >> Nov 11 03:56:33 mailgw sendmail[24867]: > nABBuKZR024867: > >> from=, > size=2158, class=0, nrcpts=1, > >> > msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, > proto=ESMTP, daemon=MTA, > >> relay=cable-94-189-200-50.dynamic.sbb.rs > [94.189.200.50] > >> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found > password > >> stealer] > ?./nABBuKZR024867/msg-20311-2.html > >> Nov 11 04:01:16 mailgw MailScanner[21397]: Making > attempt 2 at processing > >> message nABBuKZR024867 > >> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found > password > >> stealer] > ?./nABBuKZR024867/msg-21397-3.html > >> Nov 11 04:03:54 mailgw MailScanner[23223]: Making > attempt 3 at processing > >> message nABBuKZR024867 > > > > There may be some relevant log lines in between > currently missing. At least > > an indication which scanner is detecting this. 
Which > scanner is that BTW? Is > > it the only scanner? What are the other log lines? > > > > And given the nature of the message I think you would > not mind sharing the > > content of that message somewhere so others can have a > look at it also. > > > > I would propably never see these as the sender is > using dialup networks and > > they would most likely be killed before the DATA > line. > > > > Hugo. > > > Apart from Hugos' excellent notes, one can see that the > processing db > thing does exactly what it is supposed to. It is handling a > situation > where a message is responsible for killing MailScanner. You > have the > message in your quarantine, for further scrutiny (perhaps > upload it to > Virus Total (or similar site) to see what AV scanners think > of it > etc). Since it very likely is a baddie, you could lielky > pastebin it, > so that we can have a look at it/try it on our systems (see > if the > killing thing is a) something local to your machine, and b) > something > (bug or not) we (or rather... Jules:-) can handle in the > code). > > Cheers > -- > -- Glenn Hello Hugo, Glenn, all I looked into the logs again and did find the following line. It is the second line that I think I failed to post. Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] ./nABBuKZR024867/msg-20311-2.html Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus in This line is repeated each time MailScanner tries to process the message. I am unsure which scanner is catching it, the logs show nothing. I am running clam, mcafee, and f-prot-6 I have loaded to pastebin http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing. 
Thank you,
Brett

From ramiblanco at gmail.com Thu Nov 12 21:44:39 2009
From: ramiblanco at gmail.com (Ramiro Blanco)
Date: Thu Nov 12 21:44:50 2009
Subject: OOM due to .xls files
Message-ID: <713aecdf0911121344w5c6ff836u1087857814974dfc@mail.gmail.com>

Hi,
the last few days I've been having trouble with my mailscanner setup. The symptom was that mail was sucking on the hold queue so I proceeded to check:

#MailScanner --debug

In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 10 messages.
Out of memory!

MailScanner -V showed nothing weird, or at least no missing base module.

Running 'strace MailScanner --debug' showed me that MailScanner got stuck every time with the same file: somefile.xls right before the OOM

Given the number of mails that was already on hold I proceeded to move that message out of the way:
#postsuper -H 6F8094AE271

from that moment on, everything ran smoothly, at least until a day after when the same holding-mails-symptom and OOM appeared again, and by running strace 'strace MailScanner --debug' I realized that the problem was, again, another .xls file.
Care to note that both .xls files were < 40kb and free memory is not an issue on the server.

Is this any known bug or something?

Cheers,
--
Ramiro Blanco
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091112/6e906173/attachment.html From ilikeuce at bornefeld-ettmann.de Fri Nov 13 01:44:52 2009 From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann) Date: Fri Nov 13 01:45:42 2009 Subject: Retrieve from Archive In-Reply-To: References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <223f97700911120652m77f4be9fm8da2e080251a13c@mail.gmail.com> Message-ID: Robert Lopez schrieb: > On Thu, Nov 12, 2009 at 7:52 AM, Glenn Steen wrote: >> 2009/11/12 Ralph Bornefeld-Ettmann : >>> Glenn Steen schrieb: >>>> 2009/11/12 Ralph Bornefeld-Ettmann : >>>>> Monis Monther schrieb: >>>>>> The link looks informative and would take me some time to read which I >>>>>> will do definitly , Thanks >>>>>> Also how can I do it qiuckly by command line, for example can I >>>>>> sendmail.postfix [options] filename ..etc >>>>>> Note: My MTA is postfix >>>>>> Thanks >>>>>> >>>>>> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann >>>>>> > >>>>>> wrote: >>>>>> >>>>>> Monis Monther schrieb: >>>>>> >>>>>> Hi everyone: >>>>>> I am using the archive feature of Mailscanner to have a copy of >>>>>> all mails in a dir, this is working fine and lovely, now the >>>>>> problem is if I want to retrieve a certain message , how can I >>>>>> do that in the following cases >>>>>> 1- I dont know where it is in the archive >>>>>> 2- I know where it is and the message ID for example under the >>>>>> archive is D548C6E00BB.27373, how do I send it to the inteded user >>>>>> Thanks >>>>>> >>>>>> to resend messages please check this : >>>>>> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >>>>>> >>>>>> >>>>>> >>>>>> -- MailScanner mailing list >>>>>> mailscanner@lists.mailscanner.info >>>>>> >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>> >>>>>> Before 
posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>> if you call :
>>>>>
>>>>> /usr/sbin/sendmail.postfix <
>>>>>
>>>>> the mail should be sent to the user
>>>>>
>>>>>
>>>> Only if the message has been decoded to the RFC822/2822/5322 format
>>>> first... which it likely hasn't...;-)
>>>>
>>>> Cheers
>>> [root@localhost nonspam]# file 05B5E28027.4BC43
>>> 05B5E28027.4BC43: RFC 822 mail text
>>>
>>> so it should be correct ... or did I get you wrong?
>>>
>>> AFAIK only really archived mails are queue file but files in nonspam are
>>> RFC 822 files. please correct me if I'm wrong
>>>
>> AFAIU, this thread is about the Archive... But I might've read it
>> sloppily;-). Personally, I prefer to use the nonspam quarantine as an
>> archive, since it take care of the ... "malware-problem" of the
>> archive.
>>
>> Cheers
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> With apologies to Ralph for using his thread...
>
> Glenn, what is the "'malware-problem"'of the archive"?
>

Thanks for asking .... I would have asked too ....
I only can imagine that the archive would archive also malware and possibly also spam (as it has to archive incoming mail) where the nonspam quarantine only archives non-spam .... but it is only a shot in the dark ....

Cheers
Ralph

From edward at tdcs.com.au Fri Nov 13 03:02:34 2009
From: edward at tdcs.com.au (Edward Dekkers)
Date: Fri Nov 13 03:03:27 2009
Subject: MailScanner Looping?
In-Reply-To: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: Thursday, 12 November 2009 9:30 PM > To: MailScanner discussion > Subject: Re: MailScanner Looping? > > 2009/11/11 Drew Marshall : > > > > On 11 Nov 2009, at 07:01, Edward Dekkers wrote: > > > >> Could someone have a quick look at the log and make a suggestion > before I > >> enable mailscanner again? > > > > I think we will need a bit more than the attached to be able to help. > Can > > you run mailscanner --lint and also mailscanner --debug (With some > messages > > in the hold directory) and see if there is anything a miss. It may > well be > > related to this.. > > > >> System is Ubuntu 9.10 server (recently upgraded from 9.04) > > > > As I would expect there have been Perl updates. > > > > Drew > > > What this sounds like ... is some message "killing" MailScanner... I'm > not sure (since I haven't looked), but I don't think the version at > hand has the processing database thing in place (which is designed > just to catch this type of situation, so that "malformed" messages > can't take your system down). > > Without the processing thing, one would have to stop MailScanner (and > postfix), move all the messages out of hold, to some place > temporary... then move some into hold, run MailScanner --debug, check > the logs/what happened ... and repeat until the "bad" message was > identified. > > Hard to be certain, especially since Ed already did away with the > "evidence" (the errant queue files:-). Whoops. Sorry, Glenn. I guess a COPY to the postfix "in" queue would have been smarter than a move for diagnostic purposes. 
I've re-enabled mailscanner now and it seems to be doing its thing (although with all my messing around re-installing etc. I get an insecure warning about the "file -T" command - problem for later).

I'll keep an eye on it and get back to you if it does it again. It IS processing mail correctly at the moment, which may mean it's not a perl update, however, this has never happened before so it would seem it COULD be a perl update problem as well.

As for mailscanner --lint and mailscanner --debug, I'm assuming I just run them when the problem arises? Do I need to stop (/etc/init.d/mailscanner stop) mailscanner first or one has nothing to do with the other?

Regards,
Ed.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glenn.steen at gmail.com Fri Nov 13 08:45:08 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 13 08:45:17 2009
Subject: MailScanner Looping?
In-Reply-To:
References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com>
Message-ID: <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com>

2009/11/13 Edward Dekkers :
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
>> Sent: Thursday, 12 November 2009 9:30 PM
>> To: MailScanner discussion
>> Subject: Re: MailScanner Looping?
>>
>> 2009/11/11 Drew Marshall :
>> >
>> > On 11 Nov 2009, at 07:01, Edward Dekkers wrote:
>> >
>> >> Could someone have a quick look at the log and make a suggestion before I
>> >> enable mailscanner again?
>> >
>> > I think we will need a bit more than the attached to be able to help. Can
>> > you run mailscanner --lint and also mailscanner --debug (With some messages
>> > in the hold directory) and see if there is anything amiss. It may well be
>> > related to this..
>> >
>> >> System is Ubuntu 9.10 server (recently upgraded from 9.04)
>> >
>> > As I would expect there have been Perl updates.
>> >
>> > Drew
>> >
>> What this sounds like ... is some message "killing" MailScanner... I'm
>> not sure (since I haven't looked), but I don't think the version at
>> hand has the processing database thing in place (which is designed
>> just to catch this type of situation, so that "malformed" messages
>> can't take your system down).
>>
>> Without the processing thing, one would have to stop MailScanner (and
>> postfix), move all the messages out of hold, to some place
>> temporary... then move some into hold, run MailScanner --debug, check
>> the logs/what happened ... and repeat until the "bad" message was
>> identified.
>>
>> Hard to be certain, especially since Ed already did away with the
>> "evidence" (the errant queue files:-).
>
> Whoops. Sorry, Glenn. I guess a COPY to the postfix "in" queue would have
> been smarter than a move for diagnostic purposes.
>
:-)

> I've re-enabled mailscanner now and it seems to be doing its thing
> (although with all my messing around re-installing etc. I get an insecure
> warning about the "file -T" command - problem for later).
>
> I'll keep an eye on it and get back to you if it does it again. It IS
> processing mail correctly at the moment, which may mean it's not a perl
> update, however, this has never happened before so it would seem it COULD be
> a perl update problem as well.
>
> As for mailscanner --lint and mailscanner --debug, I'm assuming I just run
> them when the problem arises? Do I need to stop (/etc/init.d/mailscanner
> stop) mailscanner first or one has nothing to do with the other?
>
The lint can be done with MailScanner live, but the debug is better run with the system "quiescent"... That way you have better control and can inspect the queue files in the "incoming" (PF "out";-) directory... If any.
The debug will take one batch from hold, so if one want to check one message at a time... ;-) > Regards, > Ed. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Nov 13 08:55:16 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Nov 13 08:55:25 2009 Subject: Problem Messages In-Reply-To: <706463.69143.qm@web30006.mail.mud.yahoo.com> References: <706463.69143.qm@web30006.mail.mud.yahoo.com> Message-ID: <223f97700911130055l2ee54db9heeecf45c13f1c404@mail.gmail.com> 2009/11/12 Brett Moss : > --- On Thu, 11/12/09, Glenn Steen wrote: > >> From: Glenn Steen >> Subject: Re: Problem Messages >> To: "MailScanner discussion" >> Date: Thursday, November 12, 2009, 5:39 AM >> 2009/11/12 Hugo van der Kooij : >> > On 11/11/09 18:28, Brett Moss wrote: >> >> >> >> [root@mailgw ~]# cat /var/log/maillog|grep >> nABBuKZR024867 >> >> Nov 11 03:56:33 mailgw sendmail[24867]: >> nABBuKZR024867: >> >> from=, >> size=2158, class=0, nrcpts=1, >> >> >> msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, >> proto=ESMTP, daemon=MTA, >> >> relay=cable-94-189-200-50.dynamic.sbb.rs >> [94.189.200.50] >> >> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found >> password >> >> stealer] >> ?./nABBuKZR024867/msg-20311-2.html >> >> Nov 11 04:01:16 mailgw MailScanner[21397]: Making >> attempt 2 at processing >> >> message nABBuKZR024867 >> >> Nov 11 04:01:29 mailgw MailScanner[21397]: [Found >> password >> >> stealer] >> ?./nABBuKZR024867/msg-21397-3.html >> >> Nov 11 04:03:54 mailgw MailScanner[23223]: Making >> attempt 3 at processing >> >> message nABBuKZR024867 >> > >> > There may be some relevant log lines in between >> currently missing. At least >> > an indication which scanner is detecting this. Which >> scanner is that BTW? Is >> > it the only scanner? What are the other log lines? 
>> > >> > And given the nature of the message I think you would >> not mind sharing the >> > content of that message somewhere so others can have a >> look at it also. >> > >> > I would propably never see these as the sender is >> using dialup networks and >> > they would most likely be killed before the DATA >> line. >> > >> > Hugo. >> > >> Apart from Hugos' excellent notes, one can see that the >> processing db >> thing does exactly what it is supposed to. It is handling a >> situation >> where a message is responsible for killing MailScanner. You >> have the >> message in your quarantine, for further scrutiny (perhaps >> upload it to >> Virus Total (or similar site) to see what AV scanners think >> of it >> etc). Since it very likely is a baddie, you could lielky >> pastebin it, >> so that we can have a look at it/try it on our systems (see >> if the >> killing thing is a) something local to your machine, and b) >> something >> (bug or not) we (or rather... Jules:-) can handle in the >> code). >> >> Cheers >> -- >> -- Glenn > > > Hello Hugo, Glenn, all > > I looked into the logs again and did find the following line. ?It is the second line that I think I failed to post. > > Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] ./nABBuKZR024867/msg-20311-2.html > Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus ?in > > This line is repeated each time MailScanner tries to process the message. > I am unsure which scanner is catching it, the logs show nothing. ?I am running clam, mcafee, and f-prot-6 > Looks like f-prot to me (well... not any mcafee or clamd thing, at least:-). Could you run the wrapper on the directory? You might need copy the quarantine dir for it into a tmp folder, to mimic how the situation looks when MS calls the wrapper ... You also need look in SweepVirus.pm to see what, if any, options you should pass to it. 
> I have loaded to pastebin http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.
>
But that's not the complete message. Nor is it the unpacked attachments. This is why you should check what actually triggers the AV, as well as which AV gets it. If nothing else, you should run the commandline tool for each scanner (clamdscan, uvscan ...) on the directory containing the quarantined item(s). Exactly what files do you have there?

> Thank you,
> Brett
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Nov 13 09:08:49 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Nov 13 09:08:58 2009
Subject: Retrieve from Archive
In-Reply-To:
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <223f97700911120652m77f4be9fm8da2e080251a13c@mail.gmail.com>
Message-ID: <223f97700911130108y675d1a70l18df37bc8ea4eb88@mail.gmail.com>

2009/11/13 Ralph Bornefeld-Ettmann :
> Robert Lopez wrote:
>>
>> On Thu, Nov 12, 2009 at 7:52 AM, Glenn Steen
>> wrote:
>>>
>>> 2009/11/12 Ralph Bornefeld-Ettmann :
>>>>
>>>> Glenn Steen wrote:
>>>>>
>>>>> 2009/11/12 Ralph Bornefeld-Ettmann :
>>>>>>
>>>>>> Monis Monther wrote:
>>>>>>>
>>>>>>> The link looks informative and would take me some time to read which I
>>>>>>> will do definitely, Thanks
>>>>>>> Also how can I do it quickly by command line, for example can I
>>>>>>> sendmail.postfix [options] filename ..etc
>>>>>>> Note: My MTA is postfix
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann
>>>>>>>
>>>>>> >
>>>>>>> wrote:
>>>>>>>
>>>>>>> Monis Monther wrote:
>>>>>>>
>>>>>>>     Hi everyone:
>>>>>>>     I am using the archive feature of Mailscanner to have a copy of
>>>>>>>
?all mails in a dir, this is working fine and lovely, now the >>>>>>> ? ? ?problem is if I want to retrieve a certain message , how can I >>>>>>> ? ? ?do that in the following cases >>>>>>> ? ? ? 1- I dont know where it is in the archive >>>>>>> ? ? ? ?2- I know where it is and the message ID for example under the >>>>>>> ? ? ?archive is D548C6E00BB.27373, how do I send it to the inteded >>>>>>> user >>>>>>> ? ? ? Thanks >>>>>>> >>>>>>> ?to resend messages please check this : >>>>>>> ?http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >>>>>>> ? >>>>>>> >>>>>>> >>>>>>> ?-- ? ?MailScanner mailing list >>>>>>> ?mailscanner@lists.mailscanner.info >>>>>>> ? >>>>>>> ?http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>> >>>>>>> ?Before posting, read http://wiki.mailscanner.info/posting >>>>>>> >>>>>>> ?Support MailScanner development - buy the book off the website! >>>>>>> >>>>>>> >>>>>> if you call : >>>>>> >>>>>> /usr/sbin/sendmail.postfix < >>>>>> >>>>>> the mail should be sent to the user >>>>>> >>>>>> >>>>> Only if the message has been decoded to the RFC822/2822/5322 format >>>>> first... which it likely hasn't...;-) >>>>> >>>>> Cheers >>>> >>>> [root@localhost nonspam]# file 05B5E28027.4BC43 >>>> 05B5E28027.4BC43: RFC 822 mail text >>>> >>>> so it should be correct ... or did I get you wrong? >>>> >>>> AFAIK only really archived mails are queue file but files in nonspam are >>>> ?RFC 822 files. please correct me if I'm wrong >>>> >>> AFAIU, this thread is about the Archive... But I might've read it >>> sloppily;-). Personally, I prefer to use the nonspam quarantine as an >>> archive, since it take care of the ... "malware-problem" of the >>> archive. 
>>>
>>> Cheers
>>> --
>>> -- Glenn
>>> email: glenn < dot > steen < at > gmail < dot > com
>>> work: glenn < dot > steen < at > ap1 < dot > se
>>>
>>
>> With apologies to Ralph for using his thread...
>> :-)
... Monis Monther started the thread, but I'm sure it's OK for you to ask...:-)

>> Glenn, what is the "'malware-problem"'of the archive"?
>>
> Thanks for asking .... I would have asked too ....
> I only can imagine that the archive would archive also malware and possibly
> also spam (as it has to archive incoming mail) where the nonspam quarantine
> only archives non-spam .... but it is only a shot in the dark ....

Good shooting;-). That is exactly it. The archive feature of MailScanner takes pains to happen first, before _any_ scanning has taken place. So it will contain all messages actually accepted by your MTA... which isn't the most wholesome brew one could imagine;-).
For an archive, this is good, but ... it _is_ something one has to be aware of, and act accordingly when releasing stuff from it.
Some have asked for at least a virus scan to be performed, but ... that would partly defeat the purpose of the archive... and since one has the option to set "store" for the Non Spam Action, and thus create a "clean" archive (easily managed from MailWatch, if one doesn't have a too large volume of mail), there really is no need to "solve" the archive-malware problem... Just take care/be aware;)

> Cheers
> Ralph

Cheers to you too (after all... It's friday ...
the 13:th:-)
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rlopezcnm at gmail.com Fri Nov 13 15:38:37 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Nov 13 15:38:48 2009
Subject: OOM due to .xls files
In-Reply-To: <713aecdf0911121344w5c6ff836u1087857814974dfc@mail.gmail.com>
References: <713aecdf0911121344w5c6ff836u1087857814974dfc@mail.gmail.com>
Message-ID:

Disclaimer: I am no Mailscanner expert...

On Thu, Nov 12, 2009 at 2:44 PM, Ramiro Blanco wrote:
> Hi,
> the last few days i've been having trouble with my mailscanner setup. The
> symptom was that mail was sucking on the hold queue so i proceeded to check:
>
> #MailScanner --debug
>
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
> Have a batch of 10 messages.
> Out of memory!
>

We are running 3 gateways with MailScanner. I have seen that from time to time, whereupon I begin looking and watching. Each time vmstat, free, etc show memory is not at any crisis; no swapping problem. Each time it has gone away on its own.

>
> MailScanner -V showed nothing weird, or at least no missing base module.
>
> Running 'strace MailScanner --debug' showed me that MailScanner got stuck
> everytime with the same file: somefile.xls right before the OOM
>
> Given the number of mails that was already on hold i proceeded to move that
> message of the way:
> #postsuper -H 6F8094AE271
>
> from that moment on, everything ran smoothly, at least until a day after
> when the same holding-mails-symptom and OOM appeared again, and by running
> strace 'strace MailScanner --debug' i realized that the problem was, again,
> another .xls file.
> Care to note that both .xls files were < 40kb and free memory is not an
> issue on the server.
>
> Is this any known bug or something?

I have no idea if there is a known bug. At this college there are a lot of .xls files mailed through our servers.
I have not noticed any of them getting stuck. So I do not think there is a problem with .xls in general. There could be a problem with some instances possibly.

>
>
> Cheers,
>
>
>
> --
> Ramiro Blanco
>

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From dcurtis at sbschools.net Fri Nov 13 15:55:06 2009
From: dcurtis at sbschools.net (dcurtis@sbschools.net)
Date: Fri Nov 13 15:55:46 2009
Subject: Sanesecurity clam 64bit 9.5.2
Message-ID: <73461DFCD2207F44A16F136A461955450F0B2F@exchange2.sbschools.net>

We just had one of our servers stop working. We run Centos 5.3. We had been working fine until the latest sanesecurity update. The strange thing was we have a second server. The only difference is the other server is Centos 5.3 32bit. Once we did some trouble shooting we could not find why the 64bit server was having problems. We finally updated clam to 9.5.3 and it works fine with the new sigs, the same sigs that caused the problem.

______________________________________________________________
______________________________________________________________
This email may contain information protected under the Family Educational Rights and Privacy Act (FERPA) or the Health Insurance Portability and Accountability Act (HIPAA). If this email contains confidential and/or privileged health or student information and you are not entitled to access such information under FERPA or HIPAA, federal regulations require that you destroy this email without reviewing it and you may not forward it to anyone.

--
This message has been scanned for viruses and dangerous content by MailScanner, ClamAV and Bitdefender and is believed to be clean.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091113/bf441084/attachment.html

From mark at msapiro.net Fri Nov 13 16:00:05 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Nov 13 16:00:14 2009
Subject: Problem Messages
In-Reply-To: <706463.69143.qm@web30006.mail.mud.yahoo.com>
References: <706463.69143.qm@web30006.mail.mud.yahoo.com>
Message-ID: <20091113160005.GA1464@msapiro>

On Thu, Nov 12, 2009 at 07:55:12AM -0800, Brett Moss wrote:
>
> I looked into the logs again and did find the following line. It is the second line that I think I failed to post.
>
> Nov 11 03:56:46 mailgw MailScanner[20311]: [Found password stealer] ./nABBuKZR024867/msg-20311-2.html
> Nov 11 03:56:46 mailgw MailScanner[20311]: Found spam-virus in
>
> This line is repeated each time MailScanner tries to process the message.
> I am unsure which scanner is catching it, the logs show nothing. I am running clam, mcafee, and f-prot-6
>
> I have loaded to pastebin http://pastebin.com/m47f98b75 and I uploaded to virustotal, and it came up with nothing.

Found spam-virus means one of your virus scanners got a hit with a name that matched the pattern in MailScanner's configuration setting

Virus Names Which Are Spam =

These are intended to be clam hits on Sanesecurity spam signatures.

Your message on the pastebin hits winnow.botnet.ff.trojans.4190.UNOFFICIAL on my system.

This sig is winnow.botnet.ff.trojans.4190 from the winnow_malware_links.ndb database. See .

This sig decodes to

(2e|2f|40|20|3c)mikkuo.me.uk(27|22|20|2f|3d|3e|0a|0d)

and hits on the /www.irs.gov.mikkuo.me.uk/ URL in the message.

--
Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B.
Dylan From bamcomp at yahoo.com Fri Nov 13 16:04:41 2009 From: bamcomp at yahoo.com (Brett Moss) Date: Fri Nov 13 16:04:52 2009 Subject: Problem Messages In-Reply-To: <223f97700911130055l2ee54db9heeecf45c13f1c404@mail.gmail.com> Message-ID: <460086.5708.qm@web30003.mail.mud.yahoo.com> --- On Fri, 11/13/09, Glenn Steen wrote: > From: Glenn Steen > Subject: Re: Problem Messages > To: "MailScanner discussion" > Date: Friday, November 13, 2009, 12:55 AM > 2009/11/12 Brett Moss : > > --- On Thu, 11/12/09, Glenn Steen > wrote: > > > >> From: Glenn Steen > >> Subject: Re: Problem Messages > >> To: "MailScanner discussion" > >> Date: Thursday, November 12, 2009, 5:39 AM > >> 2009/11/12 Hugo van der Kooij : > >> > On 11/11/09 18:28, Brett Moss wrote: > >> >> > >> >> [root@mailgw ~]# cat > /var/log/maillog|grep > >> nABBuKZR024867 > >> >> Nov 11 03:56:33 mailgw sendmail[24867]: > >> nABBuKZR024867: > >> >> from=, > >> size=2158, class=0, nrcpts=1, > >> >> > >> > msgid=<000d01ca62c5$f6f7e140$6400a8c0@kristieamn4>, > >> proto=ESMTP, daemon=MTA, > >> >> relay=cable-94-189-200-50.dynamic.sbb.rs > >> [94.189.200.50] > >> >> Nov 11 03:56:46 mailgw > MailScanner[20311]: [Found > >> password > >> >> stealer] > >> ?./nABBuKZR024867/msg-20311-2.html > >> >> Nov 11 04:01:16 mailgw > MailScanner[21397]: Making > >> attempt 2 at processing > >> >> message nABBuKZR024867 > >> >> Nov 11 04:01:29 mailgw > MailScanner[21397]: [Found > >> password > >> >> stealer] > >> ?./nABBuKZR024867/msg-21397-3.html > >> >> Nov 11 04:03:54 mailgw > MailScanner[23223]: Making > >> attempt 3 at processing > >> >> message nABBuKZR024867 > >> > > >> > There may be some relevant log lines in > between > >> currently missing. At least > >> > an indication which scanner is detecting > this. Which > >> scanner is that BTW? Is > >> > it the only scanner? What are the other log > lines? 
> >> > > >> > And given the nature of the message I think > you would > >> not mind sharing the > >> > content of that message somewhere so others > can have a > >> look at it also. > >> > > >> > I would propably never see these as the > sender is > >> using dialup networks and > >> > they would most likely be killed before the > DATA > >> line. > >> > > >> > Hugo. > >> > > >> Apart from Hugos' excellent notes, one can see > that the > >> processing db > >> thing does exactly what it is supposed to. It is > handling a > >> situation > >> where a message is responsible for killing > MailScanner. You > >> have the > >> message in your quarantine, for further scrutiny > (perhaps > >> upload it to > >> Virus Total (or similar site) to see what AV > scanners think > >> of it > >> etc). Since it very likely is a baddie, you could > lielky > >> pastebin it, > >> so that we can have a look at it/try it on our > systems (see > >> if the > >> killing thing is a) something local to your > machine, and b) > >> something > >> (bug or not) we (or rather... Jules:-) can handle > in the > >> code). > >> > >> Cheers > >> -- > >> -- Glenn > > > > > > Hello Hugo, Glenn, all > > > > I looked into the logs again and did find the > following line. ?It is the second line that I think I > failed to post. > > > > Nov 11 03:56:46 mailgw MailScanner[20311]: [Found > password stealer] > ./nABBuKZR024867/msg-20311-2.html > > Nov 11 03:56:46 mailgw MailScanner[20311]: Found > spam-virus ?in > > > > This line is repeated each time MailScanner tries to > process the message. > > I am unsure which scanner is catching it, the logs > show nothing. ?I am running clam, mcafee, and f-prot-6 > > > Looks like f-prot to me (well... not any mcafee or clamd > thing, at least:-). > Could you run the wrapper on the directory? You might need > copy the > quarantine dir for it into a tmp folder, to mimic how the > situation > looks when MS calls the wrapper ... 
You also need look in
> SweepVirus.pm to see what, if any, options you should pass
> to it.
>
> > I have loaded to pastebin http://pastebin.com/m47f98b75 and I uploaded to
> virustotal, and it came up with nothing.
> >
> But that's not the complete message. Nor is it the
> unpacked
> attachments. This is why you should check what actually
> triggers the
> AV, as well as which AV gets it.
> If nothing else, you should run the commandline tool for
> each scanner
> (clamdscan, uvscan ...) on the directory containing the
> quarantined
> item(s).
> Exactly what files do you have there?
>

Hello,

You are correct it was f-prot-6 that was finding the infection. Clam also finds it to be infected, but outputs a different message. Below is the result of the scan.
What I posted to pastebin is the full contents of the mail, or all I can find. It is the same single file that I scanned with similar results anyhow. The nABBuKZR024867 directory only contains the file named message.
Does this indicate I have something misconfigured in the spam-virus portion of my MailScanner.conf?

[root@mailgw MailScanner]# fpscan --report /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867/

F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-44-10)

FRISK Software International (C) Copyright 1989-2007
Engine version: 4.4.4.56
Virus signatures: 200911131256952f24af491f0f0c22b2ab197902aa5e
(/opt/f-prot/antivir.def)

[Found password stealer] /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867/message->(qp)
[Contains infected objects] /var/spool/MailScanner/quarantine/20091111/nABBuKZR024867/message

Results:

Files: 1
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 3
Infected objects: 1
Files with errors: 0
Disinfected: 0

Running time: 00:02

Thank you,
Brett

From steveb_clamav at sanesecurity.com Fri Nov 13 18:53:28 2009
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Fri Nov 13 18:53:41 2009
Subject: Sanesecurity clam 64bit 9.5.2
In-Reply-To: <73461DFCD2207F44A16F136A461955450F0B2F@exchange2.sbschools.net>
References: <73461DFCD2207F44A16F136A461955450F0B2F@exchange2.sbschools.net>
Message-ID: <4AFDAB28.9060603@sanesecurity.com>

dcurtis@sbschools.net wrote:
>
> We just had one of our servers stop working. We run Centos 5.3. We had
> been working fine until the latest sanesecurity update. The strange
> thing was we have a second server. The only difference is the other
> server is Centos 5.3 32bit. Once we did some trouble shooting we could
> not find why the 64bit server was having problems. We finally updated
> clam to 9.5.3 and it works fine with the new sigs, the same sigs that
> caused the problem.
> > Hi, That sounds about the same issues that were announced on the announce list a while back: http://www.freelists.org/post/sanesecurity_announce/x86-64-users-possible-malformed-database-problems,1 You can join the mailing lists here: http://www.sanesecurity.com/clamav/mailinglist.htm Cheers, Steve Sanesecurity From dcurtis at sbschools.net Fri Nov 13 20:06:36 2009 From: dcurtis at sbschools.net (dcurtis@sbschools.net) Date: Fri Nov 13 20:10:47 2009 Subject: Sanesecurity clam 64bit 9.5.2 In-Reply-To: <4AFDAB28.9060603@sanesecurity.com> References: <73461DFCD2207F44A16F136A461955450F0B2F@exchange2.sbschools.net> <4AFDAB28.9060603@sanesecurity.com> Message-ID: <73461DFCD2207F44A16F136A461955450F0B42@exchange2.sbschools.net> You are right I believe that is exactly what was going on and why our 32bit server had no issue. I am assuming that the devel version is the release version now. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Basford Sent: Friday, November 13, 2009 1:53 PM To: MailScanner discussion Subject: Re: Sanesecurity clam 64bit 9.5.2 dcurtis@sbschools.net wrote: > > We just has one of our server stop working. We run Centos 5.3. We had > been working fine until the latest sanesecurity update. The strange > thing was we have a second server. The only difference is the other > server is Centos 5.3 32bit. Once we did some trouble shooting we could > not find why the 64bit server was having problems. We finally updated > clam to 9.5.3 and it works fine with the new sigs, the same sigs that > caused the problem. 
>
>
Hi,

That sounds about the same issues that were announced on the announce list a while back:

http://www.freelists.org/post/sanesecurity_announce/x86-64-users-possible-malformed-database-problems,1

You can join the mailing lists here:

http://www.sanesecurity.com/clamav/mailinglist.htm

Cheers,

Steve
Sanesecurity

From pepe at rdc.cl Sun Nov 15 04:11:18 2009
From: pepe at rdc.cl (Jose Amengual M)
Date: Sun Nov 15 04:11:34 2009
Subject: SOLVED in 7.2: Perl problems on FreeBSD (again)
In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local>
References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local>
Message-ID: <585E0435-B830-402F-B607-A767B31281E8@rdc.cl>

This worked for me in a non fresh install and in a fresh install.

you need to make sure that after you remove perl you are installing perl perl-5.10.0_2.tbz need to be exactly this one.

if you don't run this :
>>> perl-after-upgrade && perl-after-upgrade -f
everything will be broken again....
and is not something in the config file is the version of perl and all the perl dependencies.

let me know how goes...

On 2009-11-09, at 12:13 AM, Johan Hendriks wrote:
>
>
>> So I've upgraded to 7.2 to see if that makes a difference and followed
>> this upgrade procedure. Still I'm getting this recurring Perl problem
>> whereby custom functions could not be required :(
>
> That is a me too also.
> Also on a fresh install I have these problems.
>
> Could it be something in the config file.
> Do we (the not working configs) have options set that the working ones
> do not have or vice versa.
>
> regards,
> Johan Hendriks
>
>
> Jose Amengual M wrote:
>>> Hi Guys.
>>>
>>> I saw some emails about perl 5.10.1 giving errors when running
>>> mailscanner, I had the same problem and I follow the instructions
>>> below but it didn't work for me, but finally after 2 days of work I
>>> found the solution!!!.
>>>
>>> This is working 7.2 should work on 8.0.
>>>
>>> if you have already mailscanner installed don't worry, portupgrade can
>>> do all the job for you :).
>>>
>>> 1.- Remove old perl version :
>>> pkg_info|grep perl ( copy the exact name of you perl version like
>>> perl5.10.1 )
>>> pkg_delete -f perl5.10.1
>>>
>>> 2.- Install old perl.
>>> pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-7.2-release/lang/perl-5.10.0_2.tbz
>>>
>>>
>>> 3.- Clean up any work directory
>>> portsclean -C
>>>
>>> 4.- Update pkgdb add upgrade any perl package
>>> pkgdb -Ff
>>> portupgrade -fr perl ( this is going to upgrade everything that uses
>>> perl including mailscanner).
>>> perl-after-upgrade && perl-after-upgrade -f
>>>
>>> After that the error was gone and everything was working fine.
>>>
>>> I was in the process of deciding of going towards mailscanner or
>>> amavisd-new and I decided to use mailscanner because was easier to
>>> configure and I expend 2 days fixing a problem with perl that I didn't
>>> have on amavis :).
>>>
>>> I hope this help.
>>> >>> Thanks. >>> >>> Jose Amengual. >>> >> > > No virus found in this outgoing message. > Checked by AVG - www.avg.com > Version: 8.5.425 / Virus Database: 270.14.55/2490 - Release Date: > 11/08/09 19:39:00 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mmmm82 at gmail.com Sun Nov 15 08:47:02 2009 From: mmmm82 at gmail.com (Monis Monther) Date: Sun Nov 15 08:47:11 2009 Subject: Retrieve from Archive In-Reply-To: References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> Message-ID: <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> Hi everyone I tried /usr/sbin/sendmail.postfix recipient msgid But did not work Any other suggestions to release a message from the command line And for everyone participating, I am using the Archive option to archive all incoming mail to a folder this is an example message C91066E03A4.E9CD0 On Thu, Nov 12, 2009 at 4:17 PM, Ralph Bornefeld-Ettmann < ilikeuce@bornefeld-ettmann.de> wrote: > Glenn Steen schrieb: > >> 2009/11/12 Ralph Bornefeld-Ettmann : >> >> Monis Monther schrieb: >>> >>>> The link looks informative and would take me some time to read which I >>>> will do definitly , Thanks >>>> Also how can I do it qiuckly by command line, for example can I >>>> sendmail.postfix [options] filename ..etc >>>> Note: My MTA is postfix >>>> Thanks >>>> >>>> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann >>>> > >>>> wrote: >>>> >>>> Monis Monther schrieb: >>>> >>>> Hi everyone: >>>> I am using the archive feature of Mailscanner to have a copy of >>>> all mails in a dir, this is working fine and lovely, now the >>>> problem is if I want to retrieve a certain message , how 
can I >>>> do that in the following cases >>>> 1- I dont know where it is in the archive >>>> 2- I know where it is and the message ID for example under the >>>> archive is D548C6E00BB.27373, how do I send it to the inteded user >>>> Thanks >>>> >>>> to resend messages please check this : >>>> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >>>> >>>> >>>> >>>> -- MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >>>> >>>> if you call : >>> >>> /usr/sbin/sendmail.postfix < >>> >>> the mail should be sent to the user >>> >>> >>> Only if the message has been decoded to the RFC822/2822/5322 format >> first... which it likely hasn't...;-) >> >> Cheers >> > > [root@localhost nonspam]# file 05B5E28027.4BC43 > 05B5E28027.4BC43: RFC 822 mail text > > so it should be correct ... or did I get you wrong? > > AFAIK only really archived mails are queue file but files in nonspam are > RFC 822 files. please correct me if I'm wrong > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091115/e873d651/attachment.html From ilikeuce at bornefeld-ettmann.de Sun Nov 15 09:24:59 2009 From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann) Date: Sun Nov 15 09:25:50 2009 Subject: Retrieve from Archive In-Reply-To: <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> Message-ID: Monis Monther schrieb: > Hi everyone > > > I tried > > > /usr/sbin/sendmail.postfix recipient msgid > > But did not work > > Any other suggestions to release a message from the command line > > And for everyone participating, I am using the Archive option to archive > all incoming mail to a folder this is an example message > > C91066E03A4.E9CD0 > > > > > > > On Thu, Nov 12, 2009 at 4:17 PM, Ralph Bornefeld-Ettmann > > > wrote: > > Glenn Steen schrieb: > > 2009/11/12 Ralph Bornefeld-Ettmann > >: > > Monis Monther schrieb: > > The link looks informative and would take me some time > to read which I > will do definitly , Thanks > Also how can I do it qiuckly by command line, for > example can I > sendmail.postfix [options] filename ..etc > Note: My MTA is postfix > Thanks > > On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann > > >> > wrote: > > Monis Monther schrieb: > > Hi everyone: > I am using the archive feature of Mailscanner to > have a copy of > all mails in a dir, this is working fine and > lovely, now the > problem is if I want to retrieve a certain message > , how can I > do that in the following cases > 1- I dont know where it is in the archive > 2- I know where it is and the message ID for > example under the > archive is D548C6E00BB.27373, how do I send it to > the inteded user > Thanks > > to resend messages please 
check this : > > http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 > > > > > > > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! > > > if you call : > > /usr/sbin/sendmail.postfix < > > the mail should be sent to the user > > > Only if the message has been decoded to the RFC822/2822/5322 format > first... which it likely hasn't...;-) > > Cheers > > > [root@localhost nonspam]# file 05B5E28027.4BC43 > 05B5E28027.4BC43: RFC 822 mail text > > so it should be correct ... or did I get you wrong? > > AFAIK only really archived mails are queue file but files in nonspam > are RFC 822 files. please correct me if I'm wrong > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > you have to convert real archived mails as Glen stated above: postcat |/usr/sbin/sendmail.postfix cheers Ralph From mmmm82 at gmail.com Sun Nov 15 09:48:43 2009 From: mmmm82 at gmail.com (Monis Monther) Date: Sun Nov 15 09:48:53 2009 Subject: Retrieve from Archive In-Reply-To: References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> Message-ID: <837e17ab0911150148r12c97c88k30191fb0300b3941@mail.gmail.com> Hi , I tried the postcat command and I managed to send the message but it is recieved as shown below, I only posted part of a the message , as you can see it contains an attachment and it is sent as it is not encoded , how can I receive the message normally?? 
I also did another experiment , I resent a message that was held in the spam folder which is an RFC 822 message (made sure by using the file command)

cat 79FA76E0392.B1D73 | sendmail.postfix someone@somedomain

And it reached the mailbox as a normal email with no problems.

So now I think what we want to do is convert the message in the archive from whatever it is to a RFC 822 message, I don't think the postcat command did the trick.

P.S: I highly appreciate all the posts and help in this forum, thank you everyone

*** ENVELOPE RECORDS 8ACBB6E03A4.763AF ***
message_size: 20071 542 1 0
message_arrival_time: Sun Nov 15 12:28:39 2009
create_time: Sun Nov 15 12:28:39 2009
named_attribute: rewrite_context=remote
sender: monis.monther@mediaintl.net
named_attribute: log_client_address=192.168.111.130
named_attribute: log_message_origin=unknown[192.168.111.130]
named_attribute: log_helo_name=eg30.iolteam.net
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=unknown
named_attribute: reverse_client_name=unknown
named_attribute: client_address=192.168.111.130
named_attribute: helo_name=eg30.iolteam.net
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;monis.monther@mediaintl.net
original_recipient: monis.monther@mediaintl.net
recipient: monis.monther@mediaintl.net
*** MESSAGE CONTENTS 8ACBB6E03A4.763AF ***
Received: from eg30.iolteam.net (unknown [192.168.111.130])
 by mailscanner.localdomain (Postfix) with ESMTP id 8ACBB6E03A4
 for ; Sun, 15 Nov 2009 12:28:39 +0200 (EET)
Received: from lp125 (lp-125.iolteam.net [192.168.10.37])
 by eg30.iolteam.net (Postfix) with ESMTP id BE47744DB77
 for ; Sun, 15 Nov 2009 07:09:40 +0200 (EET)
From:
To:
Subject: test2
Date: Sun, 15 Nov 2009 11:15:48 +0200
Message-ID: <005d01ca65d4$386621d0$a9326570$@monther@mediaintl.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_005E_01CA65E4.FBEEF1D0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acpl1DZgGVUVmgfETEOKVRx4hz47zA==
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_005E_01CA65E4.FBEEF1D0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_001_005F_01CA65E4.FBEEF1D0"

------=_NextPart_001_005F_01CA65E4.FBEEF1D0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Test with attachmnet

------=_NextPart_001_005F_01CA65E4.FBEEF1D0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Test with attachmnet

------=_NextPart_001_005F_01CA65E4.FBEEF1D0-- ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="Monis Monther.docx" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Monis Monther.docx" On Sun, Nov 15, 2009 at 11:24 AM, Ralph Bornefeld-Ettmann < ilikeuce@bornefeld-ettmann.de> wrote: > Monis Monther schrieb: > >> Hi everyone >> >> >> I tried >> >> >> /usr/sbin/sendmail.postfix recipient msgid >> >> But did not work >> >> Any other suggestions to release a message from the command line >> >> And for everyone participating, I am using the Archive option to archive >> all incoming mail to a folder this is an example message >> >> C91066E03A4.E9CD0 >> >> >> >> >> >> >> On Thu, Nov 12, 2009 at 4:17 PM, Ralph Bornefeld-Ettmann < >> ilikeuce@bornefeld-ettmann.de > >> wrote: >> >> Glenn Steen schrieb: >> >> 2009/11/12 Ralph Bornefeld-Ettmann >> > >: >> >> >> Monis Monther schrieb: >> >> The link looks informative and would take me some time >> to read which I >> will do definitly , Thanks >> Also how can I do it qiuckly by command
line, for >> example can I >> sendmail.postfix [options] filename ..etc >> Note: My MTA is postfix >> Thanks >> >> On Thu, Nov 12, 2009 at 3:25 PM, Ralph Bornefeld-Ettmann >> > >> > >> >> wrote: >> >> Monis Monther schrieb: >> >> Hi everyone: >> I am using the archive feature of Mailscanner to >> have a copy of >> all mails in a dir, this is working fine and >> lovely, now the >> problem is if I want to retrieve a certain message >> , how can I >> do that in the following cases >> 1- I dont know where it is in the archive >> 2- I know where it is and the message ID for >> example under the >> archive is D548C6E00BB.27373, how do I send it to >> the inteded user >> Thanks >> >> to resend messages please check this : >> >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> < >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806> >> < >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> < >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806>> >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> > > >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read >> http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the >> website! >> >> >> if you call : >> >> /usr/sbin/sendmail.postfix < >> >> the mail should be sent to the user >> >> >> Only if the message has been decoded to the RFC822/2822/5322 format >> first... which it likely hasn't...;-) >> >> Cheers >> >> >> [root@localhost nonspam]# file 05B5E28027.4BC43 >> 05B5E28027.4BC43: RFC 822 mail text >> >> so it should be correct ... or did I get you wrong? >> >> AFAIK only really archived mails are queue file but files in nonspam >> are RFC 822 files. 
please correct me if I'm wrong
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
> you have to convert real archived mails as Glenn stated above:
>
> postcat |/usr/sbin/sendmail.postfix
>
> cheers
> Ralph
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091115/b2229761/attachment.html

From ilikeuce at bornefeld-ettmann.de Sun Nov 15 10:25:10 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Sun Nov 15 10:26:07 2009
Subject: Retrieve from Archive
In-Reply-To: <837e17ab0911150148r12c97c88k30191fb0300b3941@mail.gmail.com>
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> <837e17ab0911150148r12c97c88k30191fb0300b3941@mail.gmail.com>
Message-ID:

Monis Monther wrote:
> Hi, I tried the postcat command and I managed to send the message but
> it is received as shown below, I only posted part of the message, as
> you can see it contains an attachment and it is sent as it is not
> encoded, how can I receive the message normally??
> > > I also did another experiment , I resent a message that was held in the > spam folder which is an RFC 822 message (made sure by using the file > command) > > cat 79FA76E0392.B1D73 | sendmail.postfix someone@somedomain > > And it reached the mailbox as a normal email with no problems. > > > So now I think what we want to do is convert the message in the archive > from whatever it is to a RFC 822 message, I dont think the postcat > command did the trick. > > > P.S: I highly appreciate all the posts and help in this forum, thank you > everyone > > > > > *** ENVELOPE RECORDS 8ACBB6E03A4.763AF *** > > message_size: 20071 542 > 1 0 > > message_arrival_time: Sun Nov 15 12:28:39 2009 > > create_time: Sun Nov 15 12:28:39 2009 > > named_attribute: rewrite_context=remote > > sender: monis.monther@mediaintl.net > > named_attribute: log_client_address=192.168.111.130 > > named_attribute: log_message_origin=unknown[192.168.111.130] > > named_attribute: log_helo_name=eg30.iolteam.net > > named_attribute: log_protocol_name=ESMTP > > named_attribute: client_name=unknown > > named_attribute: reverse_client_name=unknown > > named_attribute: client_address=192.168.111.130 > > named_attribute: helo_name=eg30.iolteam.net > > named_attribute: client_address_type=2 > > named_attribute: dsn_orig_rcpt=rfc822;monis.monther@mediaintl.net > > > original_recipient: monis.monther@mediaintl.net > > > recipient: monis.monther@mediaintl.net > > *** MESSAGE CONTENTS 8ACBB6E03A4.763AF *** > > Received: from eg30.iolteam.net (unknown > [192.168.111.130]) > > by mailscanner.localdomain (Postfix) with ESMTP id 8ACBB6E03A4 > > for >; Sun, 15 Nov 2009 12:28:39 +0200 (EET) > > Received: from lp125 (lp-125.iolteam.net > [192.168.10.37]) > > by eg30.iolteam.net (Postfix) with ESMTP > id BE47744DB77 > > for >; Sun, 15 Nov 2009 07:09:40 +0200 (EET) > > From: > > > To: > > > Subject: test2 > > Date: Sun, 15 Nov 2009 11:15:48 +0200 > > Message-ID: <005d01ca65d4$386621d0$a9326570$@monther@mediaintl.net > > 
> > MIME-Version: 1.0 > > Content-Type: multipart/mixed; > > boundary="----=_NextPart_000_005E_01CA65E4.FBEEF1D0" > > X-Mailer: Microsoft Office Outlook 12.0 > > Thread-Index: Acpl1DZgGVUVmgfETEOKVRx4hz47zA== > > Content-Language: en-us > > > > This is a multipart message in MIME format. > > > > ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 > > Content-Type: multipart/alternative; > > boundary="----=_NextPart_001_005F_01CA65E4.FBEEF1D0" > > > > > > ------=_NextPart_001_005F_01CA65E4.FBEEF1D0 > > Content-Type: text/plain; > > charset="us-ascii" > > Content-Transfer-Encoding: 7bit > > > > Test with attachmnet > > > > > > ------=_NextPart_001_005F_01CA65E4.FBEEF1D0 > > Content-Type: text/html; > > charset="us-ascii" > > Content-Transfer-Encoding: quoted-printable > > > > ------=_NextPart_001_005F_01CA65E4.FBEEF1D0-- > > > > ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 > > Content-Type: > application/vnd.openxmlformats-officedocument.wordprocessingml.document; > > name="Monis Monther.docx" > > Content-Transfer-Encoding: base64 > > Content-Disposition: attachment; > > filename="Monis Monther.docx" > > > > > On Sun, Nov 15, 2009 at 11:24 AM, Ralph Bornefeld-Ettmann > > > wrote: > > Monis Monther schrieb: > > Hi everyone > > > I tried > > > /usr/sbin/sendmail.postfix recipient msgid > > But did not work > > Any other suggestions to release a message from the command line > > And for everyone participating, I am using the Archive option to > archive all incoming mail to a folder this is an example message > > C91066E03A4.E9CD0 > > > > > > > On Thu, Nov 12, 2009 at 4:17 PM, Ralph Bornefeld-Ettmann > > >> wrote: > > Glenn Steen schrieb: > > 2009/11/12 Ralph Bornefeld-Ettmann > > >>: > > > Monis Monther schrieb: > > The link looks informative and would take me some > time > to read which I > will do definitly , Thanks > Also how can I do it 
qiuckly by command line, for > example can I > sendmail.postfix [options] filename ..etc > Note: My MTA is postfix > Thanks > > On Thu, Nov 12, 2009 at 3:25 PM, Ralph > Bornefeld-Ettmann > > > > > >>> > wrote: > > Monis Monther schrieb: > > Hi everyone: > I am using the archive feature of > Mailscanner to > have a copy of > all mails in a dir, this is working fine and > lovely, now the > problem is if I want to retrieve a certain > message > , how can I > do that in the following cases > 1- I dont know where it is in the archive > 2- I know where it is and the message ID for > example under the > archive is D548C6E00BB.27373, how do I send > it to > the inteded user > Thanks > > to resend messages please check this : > > http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 > > > > > > > > >> > > > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > > > > > >> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read > http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book > off the > website! > > > if you call : > > /usr/sbin/sendmail.postfix < > > the mail should be sent to the user > > > Only if the message has been decoded to the > RFC822/2822/5322 format > first... which it likely hasn't...;-) > > Cheers > > > [root@localhost nonspam]# file 05B5E28027.4BC43 > 05B5E28027.4BC43: RFC 822 mail text > > so it should be correct ... or did I get you wrong? > > AFAIK only really archived mails are queue file but files in > nonspam > are RFC 822 files. please correct me if I'm wrong > > > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
> you have to convert real archived mails as Glenn stated above:
>
> postcat |/usr/sbin/sendmail.postfix
>
> cheers
> Ralph
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

I am not using queue files so I asked good old aunt google :

http://support.netrack.hu/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=15

have a look at this. It shows you how to manually release mails quarantined with MailScanner as queue files .... so it might also work with archived queue files. A little different from my previous approach but still something to use on the console.

Cheers
Ralph

From chris at clh.org.uk Sun Nov 15 10:31:01 2009
From: chris at clh.org.uk (Chris Hardy)
Date: Sun Nov 15 10:31:13 2009
Subject: Blacklist problem
Message-ID: <4AFFD865.7070609@clh.org.uk>

Hi All,

I've been using the black and whitelists features of MailScanner, but can't seem to find the option to stop people being alerted that the mail has been blacklisted.

e.g. in blacklist rules:

From: qvaej@domain.com yes

the mail gets marked as blacklisted, but postmaster then sends a mail saying it's been blacklisted to the user the mail was to

Where should I be looking please?

Thanks
Chris

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
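The "Retrieve from Archive" thread above turns on the fact that `postcat` prints the queue file's envelope records ahead of the message, so piping its raw output to `sendmail.postfix` delivers the whole dump as body text. The following is an added example, not code from any poster or from MailScanner: the function names and the sample dump are constructed, and the `*** HEADER EXTRACTED` and `*** MESSAGE FILE END` markers are standard `postcat` output that the truncated paste in the thread does not reach. It keeps only the message section and resubmits it with the archived envelope sender and recipient rather than trusting the `To:` header.

```shell
#!/bin/sh
# Added example: turn `postcat QUEUEFILE` output back into a plain RFC 822
# message before resubmitting it. All names here are hypothetical.

# Constructed sample of postcat output (addresses are placeholders).
sample_dump() {
cat <<'EOF'
*** ENVELOPE RECORDS 8ACBB6E03A4.763AF ***
message_size: 20071 542 1 0
message_arrival_time: Sun Nov 15 12:28:39 2009
sender: sender@example.test
named_attribute: client_address=192.0.2.10
original_recipient: user@example.test
recipient: user@example.test
*** MESSAGE CONTENTS 8ACBB6E03A4.763AF ***
Received: from mx.example.test (unknown [192.0.2.10])
 by mailscanner.localdomain (Postfix) with ESMTP id 8ACBB6E03A4
From: <sender@example.test>
To: <user@example.test>
Subject: test2

Test with attachment
*** HEADER EXTRACTED 8ACBB6E03A4.763AF ***
*** MESSAGE FILE END 8ACBB6E03A4.763AF ***
EOF
}

# Print only the lines between the MESSAGE CONTENTS marker and the closing
# marker that carries the same queue ID (headers, blank line, body).
extract_rfc822() {
    awk '
        !in_msg && /^\*\*\* MESSAGE CONTENTS .+ \*\*\*$/ { id = $4; in_msg = 1; next }
        in_msg && $0 == ("*** HEADER EXTRACTED " id " ***") { exit }
        in_msg && $0 == ("*** MESSAGE FILE END " id " ***") { exit }
        in_msg { print }
    '
}

# Print the value(s) of one envelope record, e.g. "sender" or "recipient".
# Matching at column 1 keeps "original_recipient" from matching "recipient".
envelope_value() {
    awk -v key="$1" '
        /^\*\*\* MESSAGE CONTENTS / { exit }
        index($0, key ": ") == 1 { print substr($0, length(key) + 3) }
    '
}

# Resubmit the message once per envelope recipient.
# $1 = file holding postcat output; SENDMAIL overrides the binary path.
resubmit_dump() {
    dump=$1
    sender=$(envelope_value sender < "$dump")
    envelope_value recipient < "$dump" | while IFS= read -r rcpt; do
        # -i: a lone "." in the body must not end the input early.
        extract_rfc822 < "$dump" |
            "${SENDMAIL:-/usr/sbin/sendmail.postfix}" -i -f "$sender" -- "$rcpt"
    done
}

# Demonstration on the constructed sample: prints the recovered message.
sample_dump | extract_rfc822
```

On Postfix 2.7 and later, `postcat -h -b` prints only the header and body, which makes the `awk` filter unnecessary.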
From mmmm82 at gmail.com Sun Nov 15 11:13:20 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 15 11:13:43 2009
Subject: Retrieve from Archive
In-Reply-To:
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> <837e17ab0911150148r12c97c88k30191fb0300b3941@mail.gmail.com>
Message-ID: <837e17ab0911150313l6152daddq869d78f875833e99@mail.gmail.com>

SOLVED, PERFECT

The link you posted is exactly what I wanted, not only that but it explains a lot of info of how things work, Thanks a lot

I tried the following tests for the benefit of anyone who reads these threads

1- text message released from quarantine after changing quarantine store option to queue files (You don't need to do this, I did it only for testing purposes, you can keep them as normal RFC 822 files)
2- text message released from archive folder (which turned out to be queue files)
3- message with attached Microsoft .docx file from archive folder (same as number 2 test but with attachment)

All were delivered to the inbox as normal messages.

All I need to do now is play around creating some scripts to do any task I want.

Special thanks to Ralph for his dedication to solve this problem and to everyone who helped

Best Regards

On Sun, Nov 15, 2009 at 12:25 PM, Ralph Bornefeld-Ettmann <ilikeuce@bornefeld-ettmann.de> wrote:

> Monis Monther wrote:
>
>> Hi, I tried the postcat command and I managed to send the message but it
>> is received as shown below, I only posted part of the message, as you can
>> see it contains an attachment and it is sent as it is not encoded, how can
>> I receive the message normally??
>> >> >> I also did another experiment , I resent a message that was held in the >> spam folder which is an RFC 822 message (made sure by using the file >> command) >> >> cat 79FA76E0392.B1D73 | sendmail.postfix someone@somedomain >> >> And it reached the mailbox as a normal email with no problems. >> >> >> So now I think what we want to do is convert the message in the archive >> from whatever it is to a RFC 822 message, I dont think the postcat command >> did the trick. >> >> >> P.S: I highly appreciate all the posts and help in this forum, thank you >> everyone >> >> >> >> >> *** ENVELOPE RECORDS 8ACBB6E03A4.763AF *** >> >> message_size: 20071 542 1 >> 0 >> >> message_arrival_time: Sun Nov 15 12:28:39 2009 >> >> create_time: Sun Nov 15 12:28:39 2009 >> >> named_attribute: rewrite_context=remote >> >> sender: monis.monther@mediaintl.net >> >> >> named_attribute: log_client_address=192.168.111.130 >> >> named_attribute: log_message_origin=unknown[192.168.111.130] >> >> named_attribute: log_helo_name=eg30.iolteam.net >> >> >> named_attribute: log_protocol_name=ESMTP >> >> named_attribute: client_name=unknown >> >> named_attribute: reverse_client_name=unknown >> >> named_attribute: client_address=192.168.111.130 >> >> named_attribute: helo_name=eg30.iolteam.net >> >> >> named_attribute: client_address_type=2 >> >> named_attribute: dsn_orig_rcpt=rfc822;monis.monther@mediaintl.net> rfc822%3Bmonis.monther@mediaintl.net >> > >> >> original_recipient: monis.monther@mediaintl.net > monis.monther@mediaintl.net> >> >> recipient: monis.monther@mediaintl.net > monis.monther@mediaintl.net> >> >> *** MESSAGE CONTENTS 8ACBB6E03A4.763AF *** >> >> Received: from eg30.iolteam.net (unknown >> [192.168.111.130]) >> >> >> by mailscanner.localdomain (Postfix) with ESMTP id 8ACBB6E03A4 >> >> for >; >> Sun, 15 Nov 2009 12:28:39 +0200 (EET) >> >> Received: from lp125 (lp-125.iolteam.net >> [192.168.10.37]) >> >> by eg30.iolteam.net (Postfix) with ESMTP >> id BE47744DB77 >> >> for >; >> 
Sun, 15 Nov 2009 07:09:40 +0200 (EET) >> >> From: > >> >> To: > >> >> >> Subject: test2 >> >> Date: Sun, 15 Nov 2009 11:15:48 +0200 >> >> Message-ID: <005d01ca65d4$386621d0$a9326570$@monther@mediaintl.net> monther@mediaintl.net>> >> >> >> MIME-Version: 1.0 >> >> Content-Type: multipart/mixed; >> >> boundary="----=_NextPart_000_005E_01CA65E4.FBEEF1D0" >> >> X-Mailer: Microsoft Office Outlook 12.0 >> >> Thread-Index: Acpl1DZgGVUVmgfETEOKVRx4hz47zA== >> >> Content-Language: en-us >> >> >> This is a multipart message in MIME format. >> >> >> ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 >> >> Content-Type: multipart/alternative; >> >> boundary="----=_NextPart_001_005F_01CA65E4.FBEEF1D0" >> >> >> >> ------=_NextPart_001_005F_01CA65E4.FBEEF1D0 >> >> Content-Type: text/plain; >> >> charset="us-ascii" >> >> Content-Transfer-Encoding: 7bit >> >> >> Test with attachmnet >> >> >> >> ------=_NextPart_001_005F_01CA65E4.FBEEF1D0 >> >> Content-Type: text/html; >> >> charset="us-ascii" >> >> Content-Transfer-Encoding: quoted-printable >> >> >> ------=_NextPart_001_005F_01CA65E4.FBEEF1D0-- >> >> >> ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 >> >> Content-Type: >> application/vnd.openxmlformats-officedocument.wordprocessingml.document; >> >> name="Monis Monther.docx" >> >> Content-Transfer-Encoding: base64 >> >> Content-Disposition: attachment; >> >> filename="Monis Monther.docx" >> >> >> >> >> On Sun, Nov 15, 2009 at 11:24 AM, Ralph Bornefeld-Ettmann < >> ilikeuce@bornefeld-ettmann.de > >> wrote: >> >> Monis Monther schrieb: >> >> Hi everyone >> >> >> I tried >> >> >> /usr/sbin/sendmail.postfix recipient msgid >> >> But did not work >> >> Any other suggestions to release a message from the command line >> >> And for everyone participating, I am using the Archive option to >> archive all incoming mail to a folder this is an example message >> >> C91066E03A4.E9CD0 >> >> >> >> >> >> >> On Thu, Nov 12, 2009 at 4:17 PM, Ralph Bornefeld-Ettmann >> > >> > >> wrote: >> >> Glenn Steen schrieb: >> >> 2009/11/12 Ralph Bornefeld-Ettmann >> > >> > >>: >> >> >> Monis 
Monther schrieb: >> >> The link looks informative and would take me some >> time >> to read which I >> will do definitly , Thanks >> Also how can I do it qiuckly by command line, for >> example can I >> sendmail.postfix [options] filename ..etc >> Note: My MTA is postfix >> Thanks >> >> On Thu, Nov 12, 2009 at 3:25 PM, Ralph >> Bornefeld-Ettmann >> > >> > > >> > >> > >>> >> wrote: >> >> Monis Monther schrieb: >> >> Hi everyone: >> I am using the archive feature of >> Mailscanner to >> have a copy of >> all mails in a dir, this is working fine and >> lovely, now the >> problem is if I want to retrieve a certain >> message >> , how can I >> do that in the following cases >> 1- I dont know where it is in the archive >> 2- I know where it is and the message ID for >> example under the >> archive is D548C6E00BB.27373, how do I send >> it to >> the inteded user >> Thanks >> >> to resend messages please check this : >> >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> >> < >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> > >> >> < >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> >> < >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> > >>> >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> > > >> > >> > >> >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read >> http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book >> off the >> website! >> >> >> if you call : >> >> /usr/sbin/sendmail.postfix < >> >> the mail should be sent to the user >> >> >> Only if the message has been decoded to the >> RFC822/2822/5322 format >> first... which it likely hasn't...;-) >> >> Cheers >> >> >> [root@localhost nonspam]# file 05B5E28027.4BC43 >> 05B5E28027.4BC43: RFC 822 mail text >> >> so it should be correct ... or did I get you wrong? 
>> >> AFAIK only really archived mails are queue file but files in >> nonspam >> are RFC 822 files. please correct me if I'm wrong >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> > > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> you have to convert real archived mails as Glen stated above: >> >> postcat |/usr/sbin/sendmail.postfix >> >> >> cheers >> Ralph >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> > I am not using queue files so I asked good old aunt google : > > > http://support.netrack.hu/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=15 > have a look at this. It shows you how to manually release mails quarantined > with MailScanner as queue files .... so it might also work with archived > queue files. A little different as my previous approach but still something > to use on the console. > > > Cheers > Ralph > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091115/f5c8e8fe/attachment-0001.html

From glenn.steen at gmail.com Sun Nov 15 11:29:50 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 15 11:30:05 2009
Subject: Retrieve from Archive
In-Reply-To:
References: <837e17ab0911120414k2b9f3674x64248b3d6f5a4955@mail.gmail.com> <837e17ab0911120536y64a490cfw952a7904f13afd5a@mail.gmail.com> <223f97700911120600ve2e5649ga04db62d4eb885f5@mail.gmail.com> <837e17ab0911150047s1c1cd851s2af44f0b044150b5@mail.gmail.com> <837e17ab0911150148r12c97c88k30191fb0300b3941@mail.gmail.com>
Message-ID: <223f97700911150329hfeb0646ya395731d1c66a43d@mail.gmail.com>

As mentioned before, there is an excellent article in the wiki on how to release queue files from the quarantine. To adapt this to releasing from the archive, one has to put the copy of the file into the hold directory, then make it owned by the postfix user and chmod 0700. This is so that it'll pass through MS once more. Be aware that some mailstores will have problems with the same message ID being used... Think I mentioned this all before;-)

Cheers

2009/11/15, Ralph Bornefeld-Ettmann :
> Monis Monther wrote:
>> Hi, I tried the postcat command and I managed to send the message but
>> it is received as shown below, I only posted part of the message, as
>> you can see it contains an attachment and it is sent as it is not
>> encoded, how can I receive the message normally??
>>
>>
>> I also did another experiment, I resent a message that was held in the
>> spam folder which is an RFC 822 message (made sure by using the file
>> command)
>>
>> cat 79FA76E0392.B1D73 | sendmail.postfix someone@somedomain
>>
>> And it reached the mailbox as a normal email with no problems.
>>
>>
>> So now I think what we want to do is convert the message in the archive
>> from whatever it is to an RFC 822 message, I don't think the postcat
>> command did the trick.
>> >> >> P.S: I highly appreciate all the posts and help in this forum, thank you >> everyone >> >> >> >> >> *** ENVELOPE RECORDS 8ACBB6E03A4.763AF *** >> >> message_size: 20071 542 >> 1 0 >> >> message_arrival_time: Sun Nov 15 12:28:39 2009 >> >> create_time: Sun Nov 15 12:28:39 2009 >> >> named_attribute: rewrite_context=remote >> >> sender: monis.monther@mediaintl.net >> >> named_attribute: log_client_address=192.168.111.130 >> >> named_attribute: log_message_origin=unknown[192.168.111.130] >> >> named_attribute: log_helo_name=eg30.iolteam.net >> >> named_attribute: log_protocol_name=ESMTP >> >> named_attribute: client_name=unknown >> >> named_attribute: reverse_client_name=unknown >> >> named_attribute: client_address=192.168.111.130 >> >> named_attribute: helo_name=eg30.iolteam.net >> >> named_attribute: client_address_type=2 >> >> named_attribute: dsn_orig_rcpt=rfc822;monis.monther@mediaintl.net >> >> >> original_recipient: monis.monther@mediaintl.net >> >> >> recipient: monis.monther@mediaintl.net >> >> >> *** MESSAGE CONTENTS 8ACBB6E03A4.763AF *** >> >> Received: from eg30.iolteam.net (unknown >> [192.168.111.130]) >> >> by mailscanner.localdomain (Postfix) with ESMTP id 8ACBB6E03A4 >> >> for > >; Sun, 15 Nov 2009 12:28:39 +0200 >> (EET) >> >> Received: from lp125 (lp-125.iolteam.net >> [192.168.10.37]) >> >> by eg30.iolteam.net (Postfix) with ESMTP >> id BE47744DB77 >> >> for > >; Sun, 15 Nov 2009 07:09:40 +0200 >> (EET) >> >> From: > >> >> To: > >> >> Subject: test2 >> >> Date: Sun, 15 Nov 2009 11:15:48 +0200 >> >> Message-ID: <005d01ca65d4$386621d0$a9326570$@monther@mediaintl.net >> > >> >> MIME-Version: 1.0 >> >> Content-Type: multipart/mixed; >> >> boundary="----=_NextPart_000_005E_01CA65E4.FBEEF1D0" >> >> X-Mailer: Microsoft Office Outlook 12.0 >> >> Thread-Index: Acpl1DZgGVUVmgfETEOKVRx4hz47zA== >> >> Content-Language: en-us >> >> >> >> This is a multipart message in MIME format. 
>> >> >> >> ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 >> >> Content-Type: multipart/alternative; >> >> boundary="----=_NextPart_001_005F_01CA65E4.FBEEF1D0" >> >> >> >> >> >> ------=_NextPart_001_005F_01CA65E4.FBEEF1D0 >> >> Content-Type: text/plain; >> >> charset="us-ascii" >> >> Content-Transfer-Encoding: 7bit >> >> >> >> Test with attachmnet >> >> >> >> >> >> ------=_NextPart_001_005F_01CA65E4.FBEEF1D0 >> >> Content-Type: text/html; >> >> charset="us-ascii" >> >> Content-Transfer-Encoding: quoted-printable >> >> >> >>
>> >> >> >> ------=_NextPart_001_005F_01CA65E4.FBEEF1D0-- >> >> >> >> ------=_NextPart_000_005E_01CA65E4.FBEEF1D0 >> >> Content-Type: >> application/vnd.openxmlformats-officedocument.wordprocessingml.document; >> >> name="Monis Monther.docx" >> >> Content-Transfer-Encoding: base64 >> >> Content-Disposition: attachment; >> >> filename="Monis Monther.docx" >> >> >> >> >> On Sun, Nov 15, 2009 at 11:24 AM, Ralph Bornefeld-Ettmann >> > >> wrote: >> >> Monis Monther wrote: >> >> Hi everyone >> >> >> I tried >> >> >> /usr/sbin/sendmail.postfix recipient msgid >> >> But did not work >> >> Any other suggestions to release a message from the command line >> >> And for everyone participating, I am using the Archive option to >> archive all incoming mail to a folder this is an example message >> >> C91066E03A4.E9CD0 >> >> >> >> >> >> >> On Thu, Nov 12, 2009 at 4:17 PM, Ralph Bornefeld-Ettmann >> > >> > >> wrote: >> >> Glenn Steen wrote: >> >> 2009/11/12 Ralph Bornefeld-Ettmann >> > >> > >>: >> >> >> Monis Monther wrote: >> >> The link looks 
informative and would take me some >> time >> to read which I >> will do definitely, Thanks >> Also how can I do it quickly by command line, for >> example can I >> sendmail.postfix [options] filename ..etc >> Note: My MTA is postfix >> Thanks >> >> On Thu, Nov 12, 2009 at 3:25 PM, Ralph >> Bornefeld-Ettmann >> > >> > > >> > >> > >>> >> wrote: >> >> Monis Monther wrote: >> >> Hi everyone: >> I am using the archive feature of >> MailScanner to >> have a copy of >> all mails in a dir, this is working fine and >> lovely, now the >> problem is if I want to retrieve a certain >> message >> , how can I >> do that in the following cases >> 1- I don't know where it is in the archive >> 2- I know where it is and the message ID >> for >> example under the >> archive is D548C6E00BB.27373, how do I send >> it to >> the intended user >> Thanks >> >> to resend messages please check this : >> >> http://www.global-domination.org/forum/viewtopic.php?f=15&t=1806 >> >> >> > >> > >> >> > >> >> > >> >> >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> > > >> > >> > >> >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read >> http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book >> off the >> website! >> >> >> if you call : >> >> /usr/sbin/sendmail.postfix < >> >> the mail should be sent to the user >> >> >> Only if the message has been decoded to the >> RFC822/2822/5322 format >> first... which it likely hasn't...;-) >> >> Cheers >> >> >> [root@localhost nonspam]# file 05B5E28027.4BC43 >> 05B5E28027.4BC43: RFC 822 mail text >> >> so it should be correct ... or did I get you wrong? >> >> AFAIK only really archived mails are queue file but files in >> nonspam >> are RFC 822 files. 
please correct me if I'm wrong >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> > > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> you have to convert real archived mails as Glenn stated above: >> >> postcat |/usr/sbin/sendmail.postfix >> >> >> cheers >> Ralph >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > I am not using queue files so I asked good old aunt google : > > http://support.netrack.hu/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=15 > have a look at this. It shows you how to manually release mails > quarantined with MailScanner as queue files .... so it might also work > with archived queue files. A little different from my previous approach > but still something to use on the console. > > Cheers > Ralph > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Sent from my mobile device -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sun Nov 15 11:35:46 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Nov 15 11:35:56 2009 Subject: Blacklist problem In-Reply-To: <4AFFD865.7070609@clh.org.uk> References: <4AFFD865.7070609@clh.org.uk> Message-ID: <223f97700911150335g200d2564x54913314372dc36a@mail.gmail.com> There's a setting for sending notifications of blocked content, that should only be set to yes while testing, that you need to change ;-) 2009/11/15, Chris Hardy : > Hi All, > > I've been using the black and whitelists features of MailScanner, but > can't seem to find the option to stop people being alerted that the mail > has been blacklisted. > > eg.. in blacklist rules: > > From: qvaej@domain.com yes > > the mail gets marked as blacklisted, but postmaster then sends a mail > saying it's been blacklisted to the user the mail was to > > Where should I be looking please? > > Thanks > > Chris > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Sent from my mobile device -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From chris at clh.org.uk Sun Nov 15 11:42:09 2009 
From: chris at clh.org.uk (Chris Hardy) Date: Sun Nov 15 11:42:21 2009 Subject: Blacklist problem In-Reply-To: <223f97700911150335g200d2564x54913314372dc36a@mail.gmail.com> References: <4AFFD865.7070609@clh.org.uk> <223f97700911150335g200d2564x54913314372dc36a@mail.gmail.com> Message-ID: <4AFFE911.6040306@clh.org.uk> Thanks Glenn, found that one - was already set to no Chris Glenn Steen wrote: > There's a setting for sending notifications of blocked content, that > should only be set to yes while testing, that you need change;-) > > 2009/11/15, Chris Hardy : > >> Hi All, >> >> I've been using the black and whitelists features of MailScanner, but >> can't seem to find the option to stop people being alerted that the mail >> has been blacklisted. >> >> eg.. in blacklist rules: >> >> From: qvaej@domain.com yes >> >> the mail gets marked as blacklisted, but postmaster then sends a mail >> saying it's been blacklisted to the user the mail was to >> >> Where should i be looking please? >> >> Thanks >> >> Chris >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lists at elasticmind.net Sun Nov 15 14:03:34 2009 
From: lists at elasticmind.net (Mog) Date: Sun Nov 15 14:04:08 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) In-Reply-To: <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> Message-ID: <4B000A36.9040006@elasticmind.net> Hi, I followed the procedure you described exactly. I'm guessing the other people who are experiencing the same problem did the same thing as well (as mentioned on the ports mailing list). I'm using that exact version of perl you mentioned and used the perl-after-upgrade call as always. As it turns out, to get the mail server back up and running again I had to revert to the packaged version perl-5.10.0_2.tbz and ignore the upgrade (like last time this happened). I can only assume that either you did something extra we haven't to make it work, or ... Actually there is no or, I'm out of ideas. I have no idea why it should work for a few people but not dozens of others (unless you're using portmaster and we're using portupgrade or something). Nor do I know what actually is the cause of the problem. I can't see any logical reason why every so often a perl upgrade will cause MailScanner to break. Presumably either it's a recurring problem with the FreeBSD port, the upgrade process, or within perl itself. Regards, mog Jose Amengual M wrote: > This worked for me in a non fresh install and in a fresh install. > > you need to make sure that after you remove perl you are installing perl perl-5.10.0_2.tbz need to be exactly this one. > > > From drew.marshall at trunknetworks.com Sun Nov 15 18:18:54 2009 
From: drew.marshall at trunknetworks.com (Drew Marshall) Date: Sun Nov 15 18:19:28 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) In-Reply-To: <4B000A36.9040006@elasticmind.net> References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> Message-ID: On 15 Nov 2009, at 14:03, Mog wrote: > Hi, > > I followed the procedure you described exactly. I'm guessing the > other people who are experiencing the same problem did the same > thing as well (as mentioned on the ports mailing list). I'm using > that exact version of perl you mentioned and used the perl-after- > upgrade call as always. As it turns out, to get the mail server back > up and running again I had to revert to the packaged version > perl-5.10.0_2.tbz and ignore the upgrade (like last time this > happened). Yup, same here. Make sure you continue to be vigilant when running portupgrade again or else you will be right back again. > > I can only assume that either you did something extra we haven't to > make it work, or ... Actually there is no or, I'm out of ideas. I > have no idea why it should work for a few people but not dozens of > others (unless you're using portmaster and we're using portupgrade > or something). Nor do I know what actually is the cause of the > problem. I have upgraded to 5.10.1 and had to roll back too. I have no idea what could be causing the issue but it's a right pain. > > I can't see any logical reason why every so often a perl upgrade > will cause MailScanner to break. Presumably either it's a recurring > problem with the FreeBSD port, the upgrade process, or within perl > itself. 
It's not a problem within the same version but every so often a new version pops out and having gone through the upgrade, then reinstalling all the p5-* ports (portupgrade -f p5-* I always do that as I don't find the perl-after-upgrade script does the job fully but then I have never run it with the -f option so I'll try that next time) to find that something borks MS and then you have to downgrade again is a right pain :-( I really like FreeBSD but I just can't see what is causing this to happen. Surely perl is perl and therefore it should work for everyone or no one? Or have I missed something (Probably!)? Drew -- In line with our policy, this message has been scanned for viruses and dangerous content. Our email policy can be found at www.trunknetworks.com/policy Trunk Networks Limited is registered in Scotland with registration number: SC351063 Registered Office 55-57 West High Street Inverurie AB51 3QQ From sanderson4 at gmail.com Sun Nov 15 19:59:01 2009 
From: sanderson4 at gmail.com (Sanderson4) Date: Sun Nov 15 19:59:15 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) In-Reply-To: References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> Message-ID: <1dff82c40911151159p439fa3c9u2a7d274185aef9d@mail.gmail.com> Unfortunately, the issue is MailScanner and not Perl. When a user sets "Run As Users" and "Run As Group" in MailScanner, it forces Perl to run in taint mode because Perl was directed by MailScanner to run as a different user. For security reasons this causes Perl to be very sceptical as to what tasks the assigned user can perform. MailScanner has not been updated to resolve these tainted tasks (ie load custom function files or chown). The reason you don't see the Linux community complain about Perl is because they use a packaging system that doesn't force a user to upgrade to the latest version of Perl each time they upgrade MailScanner. FreeBSD's portmaster and portupgrade check each dependency of MailScanner and will upgrade any dependency that has a newer version available. I know with portmaster you can include the -x argument to "avoid building or updating ports that match this pattern." Unfortunately I don't use portupgrade so I don't know how to exclude an upgrade. Please refer to the man page for a solution. With that said, we as a FreeBSD community need to submit bug requests to Jules so he can resolve these programming constraints that newer versions of Perl produce. Cheers, Sanderson4 On Sun, Nov 15, 2009 at 12:18 PM, Drew Marshall < drew.marshall@trunknetworks.com> wrote: > > On 15 Nov 2009, at 14:03, Mog wrote: > > Hi, >> >> I followed the procedure you described exactly. I'm guessing the other >> people who are experiencing the same problem did the same thing as well (as >> mentioned on the ports mailing list). 
I'm using that exact version of perl >> you mentioned and used the perl-after-upgrade call as always. As it turns >> out, to get the mail server back up and running again I had to revert to the >> packaged version perl-5.10.0_2.tbz and ignore the upgrade (like last time >> this happened). >> > > Yup, same here. Make sure you continue to be vigilant when running > portupgrade again or else you will be right back again. > > > >> I can only assume that either you did something extra we haven't to make >> it work, or ... Actually there is no or, I'm out of ideas. I have no idea >> why it should work for a few people but not dozens of others (unless you're >> using portmaster and we're using portupgrade or something). Nor do I know >> what actually is the cause of the problem. >> > > I have upgraded to 5.10.1 and had to roll back too. I have no idea what > could be causing the issue but it's a right pain. > > > >> I can't see any logical reason why every so often a perl upgrade will >> cause MailScanner to break. Presumably either it's a recurring problem with >> the FreeBSD port, the upgrade process, or within perl itself. >> > > It's not a problem within the same version but every so often a new version > pops out and having gone through the upgrade, then reinstalling all the p5-* > ports (portupgrade -f p5-* I always do that as I don't find the > perl-after-upgrade script does the job fully but then I have never run it > with the -f option so I'll try that next time) to find that something borks > MS and then you have to downgrade again is a right pain :-( > > I really like FreeBSD but I just can't see what is causing this to happen. > Surely perl is perl and therefore it should work for everyone or no one? Or > have I missed something (Probably!)? > > Drew > -- > In line with our policy, this message has been scanned for viruses and > dangerous content. 
> Our email policy can be found at www.trunknetworks.com/policy > > Trunk Networks Limited is registered in Scotland with registration number: > SC351063 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091115/e5806c2a/attachment.html From chris at clh.org.uk Sun Nov 15 20:09:19 2009 From: chris at clh.org.uk (Chris Hardy) Date: Sun Nov 15 20:09:34 2009 Subject: Blacklist problem In-Reply-To: <4AFFE911.6040306@clh.org.uk> References: <4AFFD865.7070609@clh.org.uk> <223f97700911150335g200d2564x54913314372dc36a@mail.gmail.com> <4AFFE911.6040306@clh.org.uk> Message-ID: <4B005FEF.4090407@clh.org.uk> Still sending alerts out though :( c Chris Hardy wrote: > Thanks Glenn, > > found that one - was already set to no > > Chris > > > Glenn Steen wrote: >> There's a setting for sending notifications of blocked content, that >> should only be set to yes while testing, that you need change;-) >> >> 2009/11/15, Chris Hardy : >> >>> Hi All, >>> >>> I've been using the black and whitelists features of MailScanner, but >>> can't seem to find the option to stop people being alerted that the >>> mail >>> has been blacklisted. >>> >>> eg.. in blacklist rules: 
>>> >>> From: qvaej@domain.com yes >>> >>> the mail gets marked as blacklisted, but postmaster then sends a mail >>> saying it's been blacklisted to the user the mail was to >>> >>> Where should i be looking please? >>> >>> Thanks >>> >>> Chris >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From sanderson4 at gmail.com Sun Nov 15 20:53:39 2009 
From: sanderson4 at gmail.com (Sanderson4) Date: Sun Nov 15 20:53:49 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) In-Reply-To: <1dff82c40911151159p439fa3c9u2a7d274185aef9d@mail.gmail.com> References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> <1dff82c40911151159p439fa3c9u2a7d274185aef9d@mail.gmail.com> Message-ID: <1dff82c40911151253m70e0170cy12f21bbc65d9f853@mail.gmail.com> To follow up on my previous post, Perl 5.10.1 resolved bugs in taint that MailScanner got around in 5.8 and 5.10. Now that taint has been fixed in 5.10.1, MailScanner doesn't run. Sanderson4 On Sun, Nov 15, 2009 at 1:59 PM, Sanderson4 wrote: > Unfortunately, the issue is MailScanner and not Perl. When a user sets > "Run As Users" and "Run As Group" in MailScanner, it forces Perl to run in > taint mode because Perl was directed by MailScanner to run as a different > user. For security reasons this causes Perl to be very sceptical as to what > tasks the assigned user can perform. MailScanner has not been updated to > resolve these tainted tasks (ie load custom function files or chown). > > The reason you don't see the Linux community complain about Perl is because > they use a packaging system that doesn't force a user to upgrade to the > latest version of Perl each time they upgrade MailScanner. FreeBSD's > portmaster and portupgrade check each dependency of MailScanner and will > upgrade any dependency that has a newer version available. I know with > portmaster you can include the -x argument to "avoid building or updating > ports that match this pattern." Unfortunately I don't use portupgrade so I > don't know how to exclude an upgrade. Please refer to the man page for a > solution. 
> > With that said, we as a FreeBSD community need to submit bug requests to > Jules so he can resolve these programming constraints that newer versions of > Perl produce. > > Cheers, > > Sanderson4 > > > On Sun, Nov 15, 2009 at 12:18 PM, Drew Marshall < > drew.marshall@trunknetworks.com> wrote: > >> >> On 15 Nov 2009, at 14:03, Mog wrote: >> >> Hi, >>> >>> I followed the procedure you described exactly. I'm guessing the other >>> people who are experiencing the same problem did the same thing as well (as >>> mentioned on the ports mailing list). I'm using that exact version of perl >>> you mentioned and used the perl-after-upgrade call as always. As it turns >>> out, to get the mail server back up and running again I had to revert to the >>> packaged version perl-5.10.0_2.tbz and ignore the upgrade (like last time >>> this happened). >>> >> >> Yup, same here. Make sure you continue to be vigilant when running >> portupgrade again or else you will be right back again. >> >> >> >>> I can only assume that either you did something extra we haven't to make >>> it work, or ... Actually there is no or, I'm out of ideas. I have no idea >>> why it should work for a few people but not dozens of others (unless you're >>> using portmaster and we're using portupgrade or something). Nor do I know >>> what actually is the cause of the problem. >>> >> >> I have upgraded to 5.10.1 and had to roll back too. I have no idea what >> could be causing the issue but it's a right pain. >> >> >> >>> I can't see any logical reason why every so often a perl upgrade will >>> cause MailScanner to break. Presumably either it's a recurring problem with >>> the FreeBSD port, the upgrade process, or within perl itself. 
>>> >> >> It's not a problem within the same version but every so often a new >> version pops out and having gone through the upgrade, then reinstalling all >> the p5-* ports (portupgrade -f p5-* I always do that as I don't find the >> perl-after-upgrade script does the job fully but then I have never run it >> with the -f option so I'll try that next time) to find that something borks >> MS and then you have to downgrade again is a right pain :-( >> >> I really like FreeBSD but I just can't see what is causing this to happen. >> Surely perl is perl and therefore it should work for everyone or no one? Or >> have I missed something (Probably!)? >> >> Drew >> -- >> In line with our policy, this message has been scanned for viruses and >> dangerous content. >> Our email policy can be found at www.trunknetworks.com/policy >> >> Trunk Networks Limited is registered in Scotland with registration number: >> SC351063 >> Registered Office 55-57 West High Street Inverurie AB51 3QQ >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091115/741ae096/attachment.html From mark at msapiro.net Sun Nov 15 21:53:31 2009 From: mark at msapiro.net (Mark Sapiro) Date: Sun Nov 15 21:53:37 2009 Subject: Blacklist problem In-Reply-To: <4AFFD865.7070609@clh.org.uk> References: <4AFFD865.7070609@clh.org.uk> Message-ID: <20091115215331.GA2572@msapiro> On Sun, Nov 15, 2009 at 10:31:01AM +0000, Chris Hardy wrote: > Hi All, > > I've been using the black and whitelists features of MailScanner, but > can't seem to find the option to stop people being alerted that the mail > has been blacklisted. > > eg.. in blacklist rules: 
> > From: qvaej@domain.com yes > > the mail gets marked as blacklisted, but postmaster then sends a mail > saying it's been blacklisted to the user the mail was to > > Where should i be looking please? See the settings Definite Spam Is High Scoring Spam Actions High Scoring Spam Actions -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From pepe at rdc.cl Mon Nov 16 20:19:23 2009 
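Added example (not MailScanner code and not written by anyone in this thread), illustrating the taint checks discussed in the FreeBSD Perl posts above: under `-T`, a value read from a file cannot reach `chown` until it has been validated and untainted through a regex capture. The `CustomFunctions` sub-directory, the sample file names and both helper subs are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added illustration; not MailScanner code. Run it as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Under taint mode Perl refuses to spawn anything with an inherited PATH,
# so a taint-safe program sets its own environment first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed location for custom function files. Only the leading directory
# appears in the thread; the sub-directory is hypothetical.
my $CUSTOM_DIR = '/usr/local/lib/MailScanner/CustomFunctions';

# Validate a file name that came from outside the program and return an
# untainted full path, or nothing if the name is not acceptable.
# Only a regex capture removes taint, so the pattern is the policy:
# a single path component, a conservative character set, a .pm suffix.
sub untaint_custom_file {
    my ($raw) = @_;
    return unless defined $raw;
    my ($name) = $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_-]*\.pm)\z/
        or return;
    return "$CUSTOM_DIR/$name";
}

# Attempt a taint-checked operation. chown(-1, -1, ...) means "leave owner
# and group unchanged" on most systems, so nothing is modified even when
# the call is allowed; with a tainted argument Perl dies before it makes
# the system call, and eval catches that.
sub try_chown {
    my ($path) = @_;
    my $ok = eval { chown(-1, -1, $path); 1 };
    return 'permitted' if $ok;
    (my $why = $@) =~ s/ at .*//s;    # drop the "at FILE line N" suffix
    return "blocked ($why)";
}

# Constructed sample input. Everything read from a file handle is tainted,
# which is how names taken from a configuration file would arrive.
while (my $raw = <DATA>) {
    chomp $raw;
    printf "input %-18s tainted=%s\n", "'$raw'", tainted($raw) ? 'yes' : 'no';

    # Concatenating a tainted value taints the whole string.
    printf "  raw value:  chown %s\n", try_chown("$CUSTOM_DIR/$raw");

    my $clean = untaint_custom_file($raw);
    if (defined $clean) {
        printf "  validated:  chown %s (tainted=%s)\n",
            try_chown($clean), tainted($clean) ? 'yes' : 'no';
    }
    else {
        print "  validated:  rejected by the pattern, never reaches chown\n";
    }
}

__DATA__
MyExample.pm
../outside.pm
My Example.pm
```

Perl also switches these checks on by itself when a script runs with differing real and effective user or group IDs, which is the situation the posts above describe.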
From: pepe at rdc.cl (Jose Amengual M) Date: Mon Nov 16 20:19:48 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) In-Reply-To: References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> Message-ID: <637E7A0B-3108-4224-84F5-7EB8C12BBA7E@rdc.cl> I'm running MailScanner with user postfix, I don't know if it actually makes a difference. On 2009-11-15, at 10:18 AM, Drew Marshall wrote: > > On 15 Nov 2009, at 14:03, Mog wrote: > >> Hi, >> >> I followed the procedure you described exactly. I'm guessing the other people who are experiencing the same problem did the same thing as well (as mentioned on the ports mailing list). I'm using that exact version of perl you mentioned and used the perl-after-upgrade call as always. As it turns out, to get the mail server back up and running again I had to revert to the packaged version perl-5.10.0_2.tbz and ignore the upgrade (like last time this happened). > > Yup, same here. Make sure you continue to be vigilant when running portupgrade again or else you will be right back again. > >> >> I can only assume that either you did something extra we haven't to make it work, or ... Actually there is no or, I'm out of ideas. I have no idea why it should work for a few people but not dozens of others (unless you're using portmaster and we're using portupgrade or something). Nor do I know what actually is the cause of the problem. > > I have upgraded to 5.10.1 and had to roll back too. I have no idea what could be causing the issue but it's a right pain. > >> >> I can't see any logical reason why every so often a perl upgrade will cause MailScanner to break. Presumably either it's a recurring problem with the FreeBSD port, the upgrade process, or within perl itself. 
> > It's not a problem within the same version but every so often a new version pops out and having gone through the upgrade, then reinstalling all the p5-* ports (portupgrade -f p5-* I always do that as I don't find the perl-after-upgrade script does the job fully but then I have never run it with the -f option so I'll try that next time) to find that something borks MS and then you have to downgrade again is a right pain :-( > > I really like FreeBSD but I just can't see what is causing this to happen. Surely perl is perl and therefore it should work for everyone or no one? Or have I missed something (Probably!)? > > Drew > -- > In line with our policy, this message has been scanned for viruses and dangerous content. > Our email policy can be found at www.trunknetworks.com/policy > > Trunk Networks Limited is registered in Scotland with registration number: SC351063 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- This message has been analyzed by MailScanner for viruses and other dangerous content, and is considered to be clean. For all your IT requirements visit: http://www.transtec.co.uk From mikael at syska.dk Mon Nov 16 20:40:16 2009 
From: mikael at syska.dk (Mikael Syska) Date: Mon Nov 16 20:40:32 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) In-Reply-To: <637E7A0B-3108-4224-84F5-7EB8C12BBA7E@rdc.cl> References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> <637E7A0B-3108-4224-84F5-7EB8C12BBA7E@rdc.cl> Message-ID: <6beca9db0911161240j64d55699h7ea6f31a6857ad@mail.gmail.com> Hi, I had some kind of similar problem .... also running FreeBSD 7.2 ... and the taint problem. I changed the top line in: /usr/local/sbin/MailScanner to look like this: #!/usr/bin/perl -U -I/usr/local/lib/MailScanner It gives me a lot of warnings ... but MailScanner runs and has been doing so for about 5-6 weeks now ... So this solved my problem ... :-) But I will happily use a better solution instead of this little quirk. best regards Mikael Syska On Mon, Nov 16, 2009 at 9:19 PM, Jose Amengual M wrote: > I'm running MailScanner with user postfix, I don't know if it actually makes a difference. > > > On 2009-11-15, at 10:18 AM, Drew Marshall wrote: > >> >> On 15 Nov 2009, at 14:03, Mog wrote: >> >>> Hi, >>> >>> I followed the procedure you described exactly. I'm guessing the other people who are experiencing the same problem did the same thing as well (as mentioned on the ports mailing list). I'm using that exact version of perl you mentioned and used the perl-after-upgrade call as always. As it turns out, to get the mail server back up and running again I had to revert to the packaged version perl-5.10.0_2.tbz and ignore the upgrade (like last time this happened). >> >> Yup, same here. Make sure you continue to be vigilant when running portupgrade again or else you will be right back again. >> >>> >>> I can only assume that either you did something extra we haven't to make it work, or ... Actually there is no or, I'm out of ideas. 
I have no idea why it should work for a few people but not dozens of others (unless you're using portmaster and we're using portupgrade or something). Nor do I know what actually is the cause of the problem. >> >> I have upgraded to 5.10.1 and had to roll back too. I have no idea what could be causing the issue but it's a right pain. >> >>> >>> I can't see any logical reason why every so often a perl upgrade will cause MailScanner to break. Presumably either it's a recurring problem with the FreeBSD port, the upgrade process, or within perl itself. >> >> It's not a problem within the same version but every so often a new version pops out and having gone through the upgrade, then reinstalling all the p5-* ports (portupgrade -f p5-* I always do that as I don't find the the perl-after-upgrade script does the job fully but then I have never run it with the -f option so I'll try that next time) to find that something borks MS and then you have to downgrade again is a right pain :-( >> >> I really like FreeBSD but I just can't see what is causing this to happen. Surely perl is perl and therefore it should work for everyone or no one? Or have I missed something (Probably!)? >> >> Drew >> -- >> In line with our policy, this message has been scanned for viruses and dangerous content. >> Our email policy can be found at www.trunknetworks.com/policy >> >> Trunk Networks Limited is registered in Scotland with registration number: SC351063 >> Registered Office 55-57 West High Street Inverurie AB51 3QQ >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > -- > Este mensaje ha sido analizado por MailScanner > en busca de virus y otros contenidos peligrosos, > y se considera que est? limpio. 
> For all your IT requirements visit: http://www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From lists at rheel.co.nz Mon Nov 16 21:21:24 2009 From: lists at rheel.co.nz (Lists) Date: Mon Nov 16 21:21:50 2009 Subject: Query before upgrade Message-ID: <4B01C254.5020908@rheel.co.nz> Hi all, I am about to upgrade my MailScanner and I was wondering if someone could clarify for me what it means by "manage the .rmpnew files" - exactly what do I do here? (apologies I am still fairly new/inexperienced with linux) Also on the official download page for the RedHat, CentOS version the PGP signature download link goes to Not Found - is this a problem? Thanks Kate From gandalf at shopzeus.com Tue Nov 17 08:34:21 2009 From: gandalf at shopzeus.com (Laszlo Nagy) Date: Tue Nov 17 08:34:33 2009 Subject: Whitelist and disarming Message-ID: <4B02600D.8060205@shopzeus.com> Hi All, I would like to have Mailscanner do not change some emails, in any way. I have added the source email address to whitelist.rules: # pwd /usr/local/etc/MailScanner/rules # grep @ spam.whitelist.rules 
From: *@some_domain.com yes


My problem is that these emails are disarmed. Their subject and content is changed. It is a big problem because these emails contain product stock info updates from our partner, and we have programs that process these emails. However, they cannot process the disarmed emails. I was looking at the documentation but I could not find a way to do this. E.g. configure mailscanner so that mails from "*@some_domain.com" are not disarmed, subject, headers and body not changed. It would be ideal to run virus scanning and spam filtering at the same time (and quarantine spam/virus emails). How can I do this?

My system is FreeBSD 7 amd64. Mailscanner version is 4.78.9

Thanks,

Laszlo

From ilikeuce at bornefeld-ettmann.de Tue Nov 17 10:42:30 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Tue Nov 17 10:43:26 2009
Subject: Whitelist and disarming
In-Reply-To: <4B02600D.8060205@shopzeus.com>
References: <4B02600D.8060205@shopzeus.com>
Message-ID:

Laszlo Nagy wrote:
>
> Hi All,
>
> I would like to have Mailscanner do not change some emails, in any way.
> I have added the source email address to whitelist.rules:
>
> # pwd
> /usr/local/etc/MailScanner/rules
> # grep @ spam.whitelist.rules
> From: *@some_domain.com yes
>
>
> My problem is that these emails are disarmed. Their subject and content
> is changed. It is a big problem because these emails contain product
> stock info updates from our partner, and we have programs that process
> these emails. However, they cannot process the disarmed emails. I was
> looking at the documentation but I could not find a way to do this. E.g.
> configure mailscanner so that mails from "*@some_domain.com" are not
> disarmed, subject, headers and body not changed. It would be ideal to
> run virus scanning and spam filtering at the same time (and quarantine
> spam/virus emails). How can I do this?
>
> My system is FreeBSD 7 amd64. Mailscanner version is 4.78.9
>
> Thanks,
>
> Laszlo
>

I would handle it slightly different :

create /etc/MailScanner/rules/disarm.rules :

From:      *@some_domain.com   yes
FromOrTo:  default             disarm

replace "disarm" in /etc/MailScanner/MailScanner.conf with "%rules-dir%/disarm.rules" where "disarm" is set (e.g. Allow IFrame Tags, Allow Form Tags ....)

restart MailScanner

So mail is getting scanned and Spam and Virii will be detected but header and body will not get disarmed.

HTH

Cheers
Ralph

From glenn.steen at gmail.com Tue Nov 17 11:09:50 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 17 11:09:59 2009
Subject: Query before upgrade
In-Reply-To: <4B01C254.5020908@rheel.co.nz>
References: <4B01C254.5020908@rheel.co.nz>
Message-ID: <223f97700911170309v4ac665d1re23e513478e4283a@mail.gmail.com>

2009/11/16 Lists :
> Hi all,
>
> I am about to upgrade my MailScanner and I was wondering if someone could
> clarify for me what it means by
> "manage the .rmpnew files" - exactly what do I do here? (apologies I am
> still fairly new/inexperienced with linux)
>

It means you have to look through any .rpmnew (configuration) file and "do the right thing"... Usually merge in new settings or update defaults that may have changed. For MailScanner.conf you (of course) use the update_MailScanner_conf utility to do this, but the upgrade may have created others. Do a find to see what you've got.

> Also on the official download page for the RedHat, CentOS version the PGP
> signature download link goes to Not Found - is this a problem?
>

Only if you want to check the signature of the archive...;-).

> Thanks
> Kate

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Nov 17 11:30:23 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Nov 17 11:30:32 2009
Subject: Whitelist and disarming
In-Reply-To:
References: <4B02600D.8060205@shopzeus.com>
Message-ID: <223f97700911170330u1c11a931l68d756de1455f24b@mail.gmail.com>

2009/11/17 Ralph Bornefeld-Ettmann :
> Laszlo Nagy wrote:
>>
>> Hi All,
>>
>> I would like to have Mailscanner do not change some emails, in any way. I
>> have added the source email address to whitelist.rules:
>>
>> # pwd
>> /usr/local/etc/MailScanner/rules
>> # grep @ spam.whitelist.rules
>> From:    *@some_domain.com    yes
>>
>>
>> My problem is that these emails are disarmed. Their subject and content is
>> changed. It is a big problem because these emails contain product stock info
>> updates from our partner, and we have programs that process these emails.
>> However, they cannot process the disarmed emails. I was looking at the
>> documentation but I could not find a way to do this. E.g. configure
>> mailscanner so that mails from "*@some_domain.com" are not disarmed,
>> subject, headers and body not changed. It would be ideal to run virus
>> scanning and spam filtering at the same time (and quarantine spam/virus
>> emails). How can I do this?
>>
>> My system is FreeBSD 7 amd64. Mailscanner version is 4.78.9
>>
>> Thanks,
>>
>> Laszlo
>>
>
> I would handle it slightly different :
>
> create /etc/MailScanner/rules/disarm.rules :
>
> From:      *@some_domain.com   yes
> FromOrTo:  default             disarm
>
> replace "disarm" in /etc/MailScanner/MailScanner.conf with
> "%rules-dir%/disarm.rules" where "disarm" is set (e.g. Allow IFrame Tags,
> Allow Form Tags ....)
>
> restart MailScanner
>
> So mail is getting scanned and Spam and Virii will be detected but header
> and body will not get disarmed.
>
> HTH
>
> Cheers
> Ralph
>

A couple of notes:

- Let's be clear about why adding the stanza to spam.whitelist.rules didn't work... It is only concerned with spam handling, not any other (dangerous content) scanning at all... Hence the need for something like what Ralph suggests.

- Use the sending server's IP address instead of a domain glob pattern... Relying on something that is easily forgeable (iow spoofable) is not good. You should be able to find out which IPs are used and use that for your whitelist.

- It isn't the brightest idea possible to build an automated system like that, depending/relying on something that is inherently not that reliable...;-). Although all messages are guaranteed to be handled, either by a delivery or a rejection (leading to some type of bounce/NDN/DSN/whatever), you have no guarantees about _when_ it will happen. "Within the next few days" might not be good enough;-). If it is something like index pricing information (MSCI has been known to use this), it is a really _bad_ idea, since the info is likely not that ... valid... after a few days delay. "Ok", you might be thinking, "We'll solve it by setting 'High Priority', so it is guaranteed to go through fast..." -> Nope. Only thing that does is to make it fail/give up faster (and decorate your mail with a ghastly exclamation mark, or similar). So that would only aggravate any problem, not solve it. We've had this type of setup and are moving away from it as fast as possible... To more sane things like FTP or, even better, SFTP.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Tue Nov 17 12:05:40 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Nov 17 12:05:58 2009
Subject: Whitelist and disarming
In-Reply-To: <4B02600D.8060205@shopzeus.com>
References: <4B02600D.8060205@shopzeus.com>
Message-ID: <4B029194.9040004@vanderkooij.org>

On 17/11/09 09:34, Laszlo Nagy wrote:
> I would like to have Mailscanner do not change some emails, in any way.
> I have added the source email address to whitelist.rules:
>
> # pwd
> /usr/local/etc/MailScanner/rules
> # grep @ spam.whitelist.rules
> From: *@some_domain.com yes

I suggest you bypass mailscanner completely for these addresses. But how you do that is up to the MTA you use.

But if you use postfix + the gold option you might learn a trick from: http://hugo.vanderkooij.org/email/mailscanner.htm?lang=en#HOLD

Hugo.

From gandalf at shopzeus.com Tue Nov 17 12:32:03 2009
From: gandalf at shopzeus.com (Laszlo Nagy)
Date: Tue Nov 17 12:32:15 2009
Subject: Whitelist and disarming
In-Reply-To: <223f97700911170330u1c11a931l68d756de1455f24b@mail.gmail.com>
References: <4B02600D.8060205@shopzeus.com> <223f97700911170330u1c11a931l68d756de1455f24b@mail.gmail.com>
Message-ID: <4B0297C3.7050409@shopzeus.com>

>> I would handle it slightly different :
>>
>> create /etc/MailScanner/rules/disarm.rules :
>>
>> From:      *@some_domain.com   yes
>> FromOrTo:  default             disarm
>>
>> replace "disarm" in /etc/MailScanner/MailScanner.conf with
>> "%rules-dir%/disarm.rules" where "disarm" is set (e.g. Allow IFrame Tags,
>> Allow Form Tags ....)
>>
>> restart MailScanner
>>
>> So mail is getting scanned and Spam and Virii will be detected but header
>> and body will not get disarmed.
>>
>>

Thank you, I did it. I hope it will work.

> A couple of notes:
> - Let's be clear about why adding the stanza to spam.whitelist.rules
> didn't work... It is only concerned with spam handling, not any other
> (dangerous content) scanning at all... Hence the need for something
> like what Ralph suggests.
>

I see. Thanks. :-)

> - Use the sending server's IP address instead of a domain glob
> pattern... Relying on something that is easily forgeable (iow spoofable)
> is not good. You should be able to find out which IPs are used and use
> that for your whitelist.
>

I'm afraid that this company uses a widely used ISP to send out emails. I guess I have to use the From: header. Or maybe both: From + sender ip, but I'm not sure how to do that.

> - It isn't the brightest idea possible to build an automated system
> like that, depending/relying on something that is inherently not that
> reliable...;-). Although all messages are guaranteed to be handled,
> either by a delivery or a rejection (leading to some type of
> bounce/NDN/DSN/whatever), you have no guarantees about _when_ it will
> happen.

Yes, I know. But these companies have their own systems. They send out automatic emails, and we cannot ask them to send data feeds on FTP or anything else. They insist on sending XLS and CSV files in emails. (Even worse, some of them are sending PDF and word doc files...)

> "Within the next few days" might not be good enough;-).

But much better than never. In most cases, these emails actually arrive within one minute, so in 99% of the cases, it works.

> If it
> is something like index pricing information (MSCI has been known to
> use this), it is a really _bad_ idea, since the info is likely not
> that ... valid... after a few days delay. "Ok", you might be thinking,
> "We'll solve it by setting 'High Priority', so it is guaranteed to go
> through fast..." -> Nope. Only thing that does is to make it fail/give
> up faster (and decorate your mail with a ghastly exclamation mark, or
> similar). So that would only aggravate any problem, not solve it.
> We've had this type of setup and are moving away from it as fast as
> possible... To more sane things like FTP or, even better, SFTP.
>

Yes, that would be fabulous. But we cannot do that.

Thank you for the detailed explanation. It was a big help!

Laszlo

From jaearick at colby.edu Tue Nov 17 16:06:50 2009
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Nov 17 16:07:05 2009
Subject: lint/debug no work, why?
Message-ID:

Julian,

I was chasing some SpamAssassin issues, so I wanted to run version 4.78.17 in debug mode on Solaris 10. So I shut down the normal MailScanner (which runs fine), and did:

  /opt/MailScanner/bin/MailScanner --debug --lint
  Trying to setlogsock(native)
  Reading configuration file /opt/MailScanner/etc/MailScanner.conf
  Reading configuration file /opt/MailScanner/etc/conf.d/README
  Read 856 hostnames from the phishing whitelist
  Read 7938 hostnames from the phishing blacklists
  Config: calling custom init function IPBlock
  Initialising IP blocking
  Read 147 IP blocking entries from /etc/MailScanner/IPBlock.conf
  Checking version numbers...
  Version number in MailScanner.conf (4.78.17) is correct.
  Your envelope_sender_header in spam.assassin.prefs.conf is correct.
  Checking for SpamAssassin errors (if you use it)...
  Using SpamAssassin results cache
  Connected to SpamAssassin cache database
  (just sits there forever)

So I removed /var/spool/MailScanner/incoming/SpamAssassin.cache.db and tried again, still nothing. Any suggestions?

My underlying problem is that the MISSING_SUBJECT and NO_RECEIVED rules always seemed to fire in SA, and I was trying to figure out why (googled, others have noted this). Interestingly, removing the cache.db file maybe seems to have fixed this problem. I wonder if SpamAssassin.cache.db should be nuked at the beginning of MailScanner startup, to start fresh?

Jeff Earickson
Colby College

From mmmm82 at gmail.com Tue Nov 17 18:01:38 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Tue Nov 17 18:01:47 2009
Subject: Store viruses only
Message-ID: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com>

Hi everyone:

We just started to use MailScanner in our environment, had some problems with some features but this list has been of great help, anyway we have a policy of deliver everything for the time being until we get to know our spam better then change the rules. So at this point I have set both spam and high score spam = deliver header "bla bla bla"

What I noticed is that even messages containing viruses get delivered and don't get quarantined. How can I separate the spam from virus actions ??

Thanks
Best Regards

From glenn.steen at gmail.com Wed Nov 18 08:26:03 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Nov 18 08:26:13 2009
Subject: lint/debug no work, why?
In-Reply-To:
References:
Message-ID: <223f97700911180026l4107fe43o9264fc8adfda5864@mail.gmail.com>

2009/11/17 Jeff A. Earickson :
> Julian,
>
> I was chasing some SpamAssassin issues, so I wanted to run version
> 4.78.17 in debug mode on Solaris 10. So I shut down the normal MailScanner
> (which runs fine), and did:
>
>  /opt/MailScanner/bin/MailScanner --debug --lint

But those are not "compatible" options Jeff... The --lint simply doesn't happen... So it would be the same as just saying --debug, which in turn needs a message on the incoming queue... Did you have one/generate one? Probably not;-).

Remember:
- lint == syntax checking
- debug == function checking

(snip)
>  Connected to SpamAssassin cache database
>  (just sits there forever)

Probably as expected;-).

>
> So I removed /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> and tried again, still nothing. Any suggestions?
>
> My underlying problem is that the MISSING_SUBJECT and NO_RECEIVED rules
> always seemed to fire in SA, and I was trying to figure out why (googled,

--debug --debug-sa would perhaps have been more relevant?

> others have noted this). Interestingly, removing the cache.db file
> maybe seems to have fixed this problem. I wonder if SpamAssassin.cache.db
> should be nuked at the beginning of MailScanner startup, to start fresh?
>

Might've been some problem with the cache, yes. Did you try the analyze_SpamAssassin_cache command, just to see if it seems valid/viable?

> Jeff Earickson
> Colby College

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From aney at blueacacia.com Wed Nov 18 12:07:50 2009
From: aney at blueacacia.com (Alexandre NEY)
Date: Wed Nov 18 12:10:52 2009
Subject: Greylisting problem
Message-ID: <5CAEB8BBAA547445AB29477045F2F5331A26475A8C@srvadi01>

Skipped content of type multipart/alternative

From support-lists at petdoctors.co.uk Wed Nov 18 15:26:57 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Nov 18 15:37:07 2009
Subject: bitdefender-autoupdate grabbing lots of RAM
Message-ID: <4C2997B933944A49934733ABFC7D5160@SUPPORT01V>

Hi,

Just had a look at a mail server (MS 4.77.9) that was running slowly all of a sudden and it was paging like the clappers, with bitdefender-autoupdate hogging 800MB RAM and nearly 1GB of virtual.

What should I check, hit, delete, kill or update etc..!?

Thanks

Nigel Kendrick
IT Associate
Pet Doctors Ltd
Pet Doctors House
Drayton Lane, Merston
Chichester, West Sussex
PO20 1EL
Tel (direct): 01555 708 601
Fax: 01243 782 584
General IT support issues should be sent to support@petdoctors.co.uk

From seven at seven.dorksville.net Wed Nov 18 16:59:32 2009
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Wed Nov 18 16:59:50 2009
Subject: How do you release quarantined items from mailwatch
In-Reply-To: <4AE95C3D.4060605@fsl.com>
References: <42701.125.168.254.15.1256098924.squirrel@seven.dorksville.net> <4A09477D575C2C4B86497161427DD94C126BA5C52A@city-exchange07> <60629.125.168.254.15.1256781444.squirrel@seven.dorksville.net> <4AE95C3D.4060605@fsl.com>
Message-ID:

>
> FAQ....
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq#i_can_t_get_mailwatch_to_see_my_quarantined_e-mail
>

Finally had a chance to check this out and all my permissions look correct but I still don't get those options, so I started reading the mailwatch forums on sourceforge which suggested running the fix_quarantine_permissions script which fixed the issue.

Thanks for everyone's help

Cheers,

Anthony

From alex at rtpty.com Wed Nov 18 18:28:31 2009
From: alex at rtpty.com (Alex Neuman)
Date: Wed Nov 18 18:28:47 2009
Subject: How do you release quarantined items from mailwatch
In-Reply-To:
References: <42701.125.168.254.15.1256098924.squirrel@seven.dorksville.net> <4A09477D575C2C4B86497161427DD94C126BA5C52A@city-exchange07> <60629.125.168.254.15.1256781444.squirrel@seven.dorksville.net> <4AE95C3D.4060605@fsl.com>
Message-ID: <719238D1-7AD1-4A78-B0E9-EB09EE7E3113@rtpty.com>

What's "look correct" like, anyhow? Just curious.

On Nov 18, 2009, at 11:59 AM, Anthony Giggins wrote:

> look correct

From seven at seven.dorksville.net Thu Nov 19 01:33:46 2009
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Thu Nov 19 01:34:19 2009
Subject: How do you release quarantined items from mailwatch
In-Reply-To: <719238D1-7AD1-4A78-B0E9-EB09EE7E3113@rtpty.com>
References: <42701.125.168.254.15.1256098924.squirrel@seven.dorksville.net> <4A09477D575C2C4B86497161427DD94C126BA5C52A@city-exchange07> <60629.125.168.254.15.1256781444.squirrel@seven.dorksville.net> <4AE95C3D.4060605@fsl.com> <719238D1-7AD1-4A78-B0E9-EB09EE7E3113@rtpty.com>
Message-ID: <340E4AE7-BEC2-432F-AD5B-1FD3D3DEF1AA@seven.dorksville.net>

According to the mailwatch FAQ

Sent from my iPhone

On 19/11/2009, at 5:28 AM, Alex Neuman wrote:

> What's "look correct" like, anyhow? Just curious.
> On Nov 18, 2009, at 11:59 AM, Anthony Giggins wrote:
>
>> look correct
>

From mmmm82 at gmail.com Thu Nov 19 06:48:27 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Thu Nov 19 06:48:36 2009
Subject: Fwd: Store viruses only
In-Reply-To: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com>
Message-ID: <837e17ab0911182248gcfe13ccp5e2b58cdeaa96d74@mail.gmail.com>

Does anyone have a clue ????

---------- Forwarded message ----------
From: Monis Monther
Date: Tue, Nov 17, 2009 at 8:01 PM
Subject: Store viruses only
To: MailScanner discussion

Hi everyone:

We just started to use MailScanner in our environment, had some problems with some features but this list has been of great help, anyway we have a policy of deliver everything for the time being until we get to know our spam better then change the rules. So at this point I have set both spam and high score spam = deliver header "bla bla bla"

What I noticed is that even messages containing viruses get delivered and don't get quarantined. How can I separate the spam from virus actions ??

Thanks
Best Regards

From Antony.Stone at mailscanner.open.source.it Thu Nov 19 08:42:54 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu Nov 19 08:42:23 2009
Subject: Fwd: Store viruses only
In-Reply-To: <837e17ab0911182248gcfe13ccp5e2b58cdeaa96d74@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <837e17ab0911182248gcfe13ccp5e2b58cdeaa96d74@mail.gmail.com>
Message-ID: <200911190942.55181.Antony.Stone@mailscanner.open.source.it>

On Thursday 19 November 2009, Monis Monther wrote:

> Does anyone have a clue ????
>
> ---------- Forwarded message ----------

> How can I separate the spam from virus actions ??

The MailScanner.conf file has entirely separate sections for what to do with virus-infected files, and what to do with spam.

What do you have for the following config lines?

Virus Scanning =
Virus Scanners =
Deliver Disinfected Files =
Silent Viruses =
Still Deliver Silent Viruses =

Also, which anti-virus scanning engine/s do you have installed on the MailScanner machine?

Regards,

Antony.

--
"The problem with television is that the people must sit and keep their eyes glued on a screen; the average American family hasn't time for it."

 - New York Times, following a demonstration at the 1939 World's Fair.

Please reply to the list; please don't CC me.

From mmmm82 at gmail.com Thu Nov 19 09:13:30 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Thu Nov 19 09:13:39 2009
Subject: Fwd: Store viruses only
In-Reply-To: <200911190942.55181.Antony.Stone@mailscanner.open.source.it>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <837e17ab0911182248gcfe13ccp5e2b58cdeaa96d74@mail.gmail.com> <200911190942.55181.Antony.Stone@mailscanner.open.source.it>
Message-ID: <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com>

Hi Antony

I have the following

Virus Scanning = yes
Virus Scanners = clamavmodule
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no

I have the clamavmodule and it's working fine , and when I set HighScore spam = store it started to quarantine virus that get a high score spam and still delivers viruses that come with low spam messages

For example I get the Trojan-Agent 128597 in a lot of messages and they all get delivered, while it quarantined some a few messages , when looking the quarantine I found that all quarantined virus messages were also high score spam messages while delivered ones are low spam score in which I have set to deliver spam = deliver header ( bla bla )

Thanks

On Thu, Nov 19, 2009 at 10:42 AM, Antony Stone <Antony.Stone@mailscanner.open.source.it> wrote:

> On Thursday 19 November 2009, Monis Monther wrote:
>
> > Does anyone have a clue ????
> >
> > ---------- Forwarded message ----------
>
> > How can I separate the spam from virus actions ??
>
> The MailScanner.conf file has entirely separate sections for what to do with
> virus-infected files, and what to do with spam.
>
> What do you have for the following config lines?
>
> Virus Scanning =
> Virus Scanners =
> Deliver Disinfected Files =
> Silent Viruses =
> Still Deliver Silent Viruses =
>
> Also, which anti-virus scanning engine/s do you have installed on the
> MailScanner machine?
>
>
> Regards,
>
>
> Antony.
>
> --
> "The problem with television is that the people must sit and keep their eyes
> glued on a screen; the average American family hasn't time for it."
>
> - New York Times, following a demonstration at the 1939 World's Fair.
>
> Please reply to the list; please don't CC me.

From chris at clh.org.uk Thu Nov 19 10:42:50 2009
From: chris at clh.org.uk (Chris Hardy)
Date: Thu Nov 19 10:43:05 2009
Subject: Blacklist problem
In-Reply-To: <20091115215331.GA2572@msapiro>
References: <4AFFD865.7070609@clh.org.uk> <20091115215331.GA2572@msapiro>
Message-ID: <4B05212A.3020105@clh.org.uk>

Thanks Mark, that seems to have worked (setting definite spam as high scoring = yes)

thanks

c

Mark Sapiro wrote:
> On Sun, Nov 15, 2009 at 10:31:01AM +0000, Chris Hardy wrote:
>
>> Hi All,
>>
>> I've been using the black and whitelists features of MailScanner, but
>> can't seem to find the option to stop people being alerted that the mail
>> has been blacklisted.
>>
>> eg.. in blacklist rules:
>>
>> From: qvaej@domain.com yes
>>
>> the mail gets marked as blacklisted, but postmaster then sends a mail
>> saying it's been blacklisted to the user the mail was to
>>
>> Where should i be looking please?
>>
>
>
> See the settings
>
> Definite Spam Is High Scoring
> Spam Actions
> High Scoring Spam Actions
>
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Antony.Stone at mailscanner.open.source.it Thu Nov 19 12:26:33 2009
From: Antony.Stone at mailscanner.open.source.it (Antony Stone)
Date: Thu Nov 19 12:25:42 2009
Subject: Fwd: Store viruses only
In-Reply-To: <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <200911190942.55181.Antony.Stone@mailscanner.open.source.it> <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com>
Message-ID: <200911191326.33289.Antony.Stone@mailscanner.open.source.it>

On Thursday 19 November 2009, Monis Monther wrote:

> I have the following
>
> Virus Scanning = yes
> Virus Scanners = clamavmodule
> Deliver Disinfected Files = no
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
>
> I have the clamavmodule and it's working fine

How do you know this?

> and when I set HighScore spam = store it started to quarantine virus that
> get a high score spam and still delivers viruses that come with low spam
> messages

Are you saying that the quarantined messages (quarantined because they are detected as spam) still contain the virus attachments, or have these been cleaned?

Try sending an email through the machine with the EICAR attachment (http://www.eicar.org/anti_virus_test_file.htm), and check:

a) the mail system logs, to see whether MailScanner thinks it's detected a virus

b) the headers of the (presumably) received message, to see whether it tells you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)

c) the output of /path/to/MailScanner --lint (to see whether it thinks the antivirus engine is correctly installed and available)

Antony.

--
"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

Please reply to the list; please don't CC me.

From mark at msapiro.net Thu Nov 19 15:46:34 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Nov 19 15:46:45 2009
Subject: Greylisting problem
In-Reply-To: <5CAEB8BBAA547445AB29477045F2F5331A26475A8C@srvadi01>
References: <5CAEB8BBAA547445AB29477045F2F5331A26475A8C@srvadi01>
Message-ID: <20091119154634.GA1728@msapiro>

On Wed, Nov 18, 2009 at 01:07:50PM +0100, Alexandre NEY wrote:
>
> I am having some problems with some email addresses that are behind a greylisting system.
>
> 2009-11-18 12:34:43 1NAio6-00052q-VN <= aney@blueacacia.com H=localhost (mailgw.blueacacia.com) [127.0.0.1] P=esmtpa A=fixed_login:aney@blueacacia.com S=672 id=1a6ca05b0c8ca432d9efbbfd8fbe4d2e@blueacacia.com
> 2009-11-18 12:34:53 1NAio6-00052q-VN SMTP error from remote mail server after RCPT TO:: host 114-154.206-83.static-ip.oleane.fr [83.206.154.114]: 450 4.7.1 : Sender address rejected: Greylisted, see http://isg.ee.ethz.ch/tools/postgrey/help/cr-mip.fr.html
> 2009-11-18 12:34:58 1NAio6-00052q-VN => brigitte.taffin@cr-mip.fr R=lookuphost T=remote_smtp H=mail3.systonic.fr [212.234.39.14]
> 2009-11-18 12:34:58 1NAio6-00052q-VN Completed
>
> As you can see, exim does not try to resend the mail. I am using a cPanel installation but they won't support my installation because I have added mailscanner so I thought I would try here and in the exim ML

First, this has nothing to do with MailScanner.

Second, I can't at all see that exim doesn't try to resend the mail.

cr-mip.fr publishes 3 MX records

10 114-154.206-83.static-ip.oleane.fr.
20 mail3.systonic.fr.
30 mail2.systonic.fr.

exim tried the highest priority MX 114-154.206-83.static-ip.oleane.fr and got the 450 (greylisting) reply. It then tried the second priority MX (mail3.systonic.fr) which accepted the mail.

The problem, if any, is in the mail configuration for the cr-mip.fr domain which publishes 3 MX records and only applies greylisting on one of the MXs, and possibly doesn't properly deliver mail sent to the backup MXs.

-- 
Mark Sapiro mark at msapiro net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From jaearick at colby.edu Thu Nov 19 19:58:48 2009
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu Nov 19 19:59:10 2009
Subject: lint/debug no work, why?
In-Reply-To: <223f97700911180026l4107fe43o9264fc8adfda5864@mail.gmail.com>
References: <223f97700911180026l4107fe43o9264fc8adfda5864@mail.gmail.com>
Message-ID:

On Wed, 18 Nov 2009, Glenn Steen wrote:

>> My underlying problem is that the MISSING_SUBJECT and NO_RECEIVED rules
>> always seemed to fire in SA, and I was trying to figure out why (googled,
> --debug --debug-sa would perhaps have been more relevant?

Glenn, thanks. I had a brain cramp here. My normal method (which I had forgotten) of testing MailScanner is to turn on the "Debug" and "Debug SpamAssassin" options in MailScanner.conf. That's what I needed. Doh!

Jeff Earickson

From Johan at double-l.nl Thu Nov 19 22:28:24 2009
From: Johan at double-l.nl (Johan Hendriks)
Date: Thu Nov 19 22:28:36 2009
Subject: MailScanner hates Microsoft office
References: <4AF15BE90200008E00011943@10.1.0.206>
Message-ID: <57200BF94E69E54880C9BB1AF714BBCBA57213@w2003s01.double-l.local>

>For some reason a lot of our office files are being held hostage by MailScanner by the filetype filter for various reasons which to me don't make any sense.
>These range from the file being identified as an executable to AVI movies.
>When I do 'file -i' on it, it'll always show 'application/msword; charset=binary'
>
>So far I've tried setting 'unpack microsoft documents' to no and removed 'ole' from the 'Archives Are' setting, but that did not change anything.
>Am I overlooking anything ?
>
>-
>Arjan

I have the same issue now, in my case I needed to add -i to the file command in the mailscanner.conf file.
This solved it for me.

regards
Johan Hendriks

From glenn.steen at gmail.com Thu Nov 19 23:11:01 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Nov 19 23:11:10 2009
Subject: lint/debug no work, why?
In-Reply-To:
References: <223f97700911180026l4107fe43o9264fc8adfda5864@mail.gmail.com>
Message-ID: <223f97700911191511y53054b30y1f54774341e76673@mail.gmail.com>

Thought as much... Happens to us all, now and then:-D

Cheers

2009/11/19, Jeff A. Earickson :
> On Wed, 18 Nov 2009, Glenn Steen wrote:
>
>>> My underlying problem is that the MISSING_SUBJECT and NO_RECEIVED rules
>>> always seemed to fire in SA, and I was trying to figure out why
>>> (googled,
>> --debug --debug-sa would perhaps have been more relevant?
>
> Glenn, thanks. I had a brain cramp here. My normal method (which I had
> forgotten) of testing MailScanner is to turn on the "Debug" and
> "Debug SpamAssassin" options in MailScanner.conf. That's what I needed.
> Doh!
>
> Jeff Earickson
>

-- 
Sent from my mobile device

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Nov 20 12:28:05 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Nov 20 12:28:29 2009
Subject: SOLVED in 7.2: Perl problems on FreeBSD (again)
In-Reply-To: <1dff82c40911151253m70e0170cy12f21bbc65d9f853@mail.gmail.com>
References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> <1dff82c40911151159p439fa3c9u2a7d274185aef9d@mail.gmail.com> <1dff82c40911151253m70e0170cy12f21bbc65d9f853@mail.gmail.com> <4B068B55.1060906@ecs.soton.ac.uk>
Message-ID:

Can you tell me what the changes are, and give me any hints or tips on what changes I need to make to my code to work with these new changes?

It'll take me hours to find out exactly what I need to change, and I simply don't have that much time right now. But I would like to get the problem fixed as soon as poss.

Jules.

On 15/11/2009 20:53, Sanderson4 wrote:
> To follow up on my previous post, Perl 5.10.1 resolved bugs in taint
> that MailScanner got around in 5.8 and 5.10. Now that taint has been
> fixed in 5.10.1, MailScanner doesn't run.
> Sanderson4
>
> On Sun, Nov 15, 2009 at 1:59 PM, Sanderson4 wrote:
>
> Unfortunately, the issue is MailScanner and not Perl. When a user
> sets "Run As Users" and "Run As Group" in MailScanner, it forces
> Perl to run in taint mode because Perl was directed by
> MailScanner to run as a different user. For security reasons this
> causes Perl to be very sceptical as to what tasks the assigned
> user can perform. MailScanner has not been updated to resolve
> these tainted tasks (ie load custom function files or chown).
> The reason you don't see the Linux community complain about Perl is
> because they use a packaging system that doesn't force a user to
> upgrade to the latest version of Perl each time they upgrade
> MailScanner. FreeBSD's portmaster and portupgrade check each
> dependency of MailScanner and will upgrade any dependency that has
> a newer version available. I know with portmaster you can include
> the -x argument to "avoid building or updating ports that match
> this pattern." Unfortunately I don't use portupgrade so I don't
> know how to exclude an upgrade. Please refer to the man page for
> a solution.
> With that said, we as a FreeBSD community need to submit bug
> requests to Jules so he can resolve these programming constraints
> that newer versions of Perl produce.
> Cheers,
> Sanderson4
> On Sun, Nov 15, 2009 at 12:18 PM, Drew Marshall wrote:
>
>
> On 15 Nov 2009, at 14:03, Mog wrote:
>
> Hi,
>
> I followed the procedure you described exactly. I'm
> guessing the other people who are experiencing the same
> problem did the same thing as well (as mentioned on the
> ports mailing list). I'm using that exact version of perl
> you mentioned and used the perl-after-upgrade call as
> always. As it turns out, to get the mail server back up
> and running again I had to revert to the packaged version
> perl-5.10.0_2.tbz and ignore the upgrade (like last time
> this happened).
>
>
> Yup, same here. Make sure you continue to be vigilant when
> running portupgrade again or else you will be right back again.
>
>
>
> I can only assume that either you did something extra we
> haven't to make it work, or ... Actually there is no or,
> I'm out of ideas. I have no idea why it should work for a
> few people but not dozens of others (unless you're using
> portmaster and we're using portupgrade or something). Nor
> do I know what actually is the cause of the problem.
>
>
> I have upgraded to 5.10.1 and had to roll back too. I have no
> idea what could be causing the issue but it's a right pain.
>
>
>
> I can't see any logical reason why every so often a perl
> upgrade will cause MailScanner to break. Presumably either
> it's a recurring problem with the FreeBSD port, the
> upgrade process, or within perl itself.
>
>
> It's not a problem within the same version but every so often
> a new version pops out and having gone through the upgrade,
> then reinstalling all the p5-* ports (portupgrade -f p5-* I
> always do that as I don't find the perl-after-upgrade
> script does the job fully but then I have never run it with
> the -f option so I'll try that next time) to find that
> something borks MS and then you have to downgrade again is a
> right pain :-(
>
> I really like FreeBSD but I just can't see what is causing
> this to happen. Surely perl is perl and therefore it should
> work for everyone or no one? Or have I missed something
> (Probably!)?
>
> Drew
> --
> In line with our policy, this message has been scanned for
> viruses and dangerous content.
> Our email policy can be found at www.trunknetworks.com/policy
>
>
> Trunk Networks Limited is registered in Scotland with
> registration number: SC351063
> Registered Office 55-57 West High Street Inverurie AB51 3QQ
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Nov 20 12:37:36 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Nov 20 12:37:56 2009
Subject: MailScanner hates Microsoft office
In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCBA57213@w2003s01.double-l.local>
References: <4AF15BE90200008E00011943@10.1.0.206> <57200BF94E69E54880C9BB1AF714BBCBA57213@w2003s01.double-l.local> <4B068D90.9050204@ecs.soton.ac.uk>
Message-ID:

On 19/11/2009 22:28, Johan Hendriks wrote:
>
> >For some reason a lot of our office files are being held hostage by
> MailScanner by the filetype filter for various reasons which to me
> don't make any sense.
>
> >These range from the file being identified as an executable to AVI movies.
>
> >When I do 'file -i' on it, it'll always show 'application/msword;
> charset=binary'
>
> >
>
> >So far I've tried setting 'unpack microsoft documents' to no and
> removed 'ole' from the 'Archives Are' setting, but that did not change
> anything.
>
> >Am I overlooking anything ?
>
> >
>
> >-
>
> >Arjan
>
> I have the same issue now, in my case I needed to add -i to the file
> command in the mailscanner.conf file.
> This solved it for me.
>

What's wrong with reading the docs at the top of filename.rules.conf, and discovering that all the "-i" stuff is already implemented for you.

I do *not* support adding "-i" to the file command in MailScanner.conf.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Johan at double-l.nl Fri Nov 20 13:03:39 2009
From: Johan at double-l.nl (Johan Hendriks)
Date: Fri Nov 20 13:03:52 2009
Subject: MailScanner hates Microsoft office
References: <4AF15BE90200008E00011943@10.1.0.206><57200BF94E69E54880C9BB1AF714BBCBA57213@w2003s01.double-l.local><4B068D90.9050204@ecs.soton.ac.uk>
Message-ID: <57200BF94E69E54880C9BB1AF714BBCBA57225@w2003s01.double-l.local>

>>
>> >For some reason a lot of our office files are being held hostage by
>> MailScanner by the filetype filter for various reasons which to me
>> don't make any sense.
>>
>> >These range from the file being identified as an executable to AVI movies.
>>
>> >When I do 'file -i' on it, it'll always show 'application/msword;
>> charset=binary'
>>
>> >
>>
>> >So far I've tried setting 'unpack microsoft documents' to no and
>> removed 'ole' from the 'Archives Are' setting, but that did not change
>> anything.
>>
>> >Am I overlooking anything ?
>>
>> >
>>
>> >-
>>
>> >Arjan
>>
>> I have the same issue now, in my case I needed to add -i to the file
>> command in the mailscanner.conf file.
>> This solved it for me.
>>
>What's wrong with reading the docs at the top of filename.rules.conf,
>and discovering that all the "-i" stuff is already implemented for you.
>I do *not* support adding "-i" to the file command in MailScanner.conf.
>Jules

Nothing is wrong reading the docs at the top of filetype.rules.conf
But after trying several things this worked for me.
I did read it, but still some Microsoft 2003 docs were seen as AVI
after setting -i after the command in my mailscanner.conf I do not have that trouble again.

I noticed it on my FreeBSD 8.0RC3 machine only.
I have 2 more systems running MailScanner on FreeBSD 7.x, on those boxes I do not have that problem, the file command is from an earlier version.

If I do file on my FreeBSD 7.x system I get the following

file Office\ 2003\ -\ document\ from\ ERP\ system.doc
Office 2003 - document from ERP system.doc: Microsoft Office Document

Doing the same on my 8.0RC3 system I get the following.

file Office\ 2003\ -\ document\ from\ ERP\ system.doc
Office 2003 - document from ERP system.doc: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: ORDER CONFIRMATION, Author: it@xxxxxxxxx.nl, Template: Navision Blanco Document.dot, Last Saved By: User Name, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Last Printed: Thu Nov 16 15:31:00 2006, Create Time/Date: Tue Nov 17 16:01:00 2009, Last Saved Time/Date: Tue Nov 17 16:01:00 2009, Number of Pages: 2, Number of Words: 289, Number of Characters: 1500, Security: 0

Versions of file are
FreeBSD 7.x file-4.23
FreeBSD 8.0 file-5.03

Regards,
Johan

From jethro.binks at strath.ac.uk Fri Nov 20 13:40:04 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Fri Nov 20 13:40:16 2009
Subject: McAfee VirusScan 6.00.0 for Unix is now out
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk>
Message-ID:

On Thu, 5 Nov 2009, Randal, Phil wrote:

> If I get a chance next week, I'll have a look at the mcafee-autoupdate
> script to see what changes are needed.

In addition to Phil's subsequent patch which I didn't keep to respond to, I also suggest passing the "-o" option to unzip:

Near the top of the script define:

  unzipopts="-o"

then later:

  run unzip $unzipopts $TARFILE

And yes... it is slow...

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From prandal at herefordshire.gov.uk Fri Nov 20 13:57:41 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Nov 20 13:57:58 2009
Subject: McAfee VirusScan 6.00.0 for Unix is now out
In-Reply-To:
References: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA08443219@HC-MBX02.herefordshire.gov.uk>

Jethro R Binks wrote:
> On Thu, 5 Nov 2009, Randal, Phil wrote:
>
>> If I get a chance next week, I'll have a look at the
>> mcafee-autoupdate script to see what changes are needed.
>
> In addition to Phil's subsequent patch which I didn't keep to respond
> to, I also suggest passing the "-o" option to unzip:
>
> Near the top of the script define:
>
> unzipopts="-o"
>
> then later:
>
> run unzip $unzipopts $TARFILE
>
> And yes... it is slow...
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . .
> . .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

Does anyone have a patch for MailScanner's SweepViruses.pm to correctly parse the output from uvscan 6.0?

Perl isn't my strong point, alas.

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From lists at buschor.ch Fri Nov 20 15:24:32 2009
From: lists at buschor.ch (ThB)
Date: Fri Nov 20 15:24:51 2009
Subject: Problems MailScanner 4.78.17
Message-ID: <20091120162432.30f30802.lists@buschor.ch>

Hello,

I've got some problems running MailScanner 4.78.18

a) Taint problem in SweepOther.pm & SweepViruses.pm
b) Processing & SpamAssassin Cache Databases problems

I'm running MailScanner on Solaris 9 and Perl 5.8.9 (also tried 5.10.1 but had the same problems)


a) Taint problem with virus scanners
------------------------------------

Virus Scanners = clamavmodule sophossavi

MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(native)
Building a message batch to scan...
Have a batch of 1 message.
File checker failed with real error: Insecure dependency in exec while running with -T switch at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 431. at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 443
Commercial virus checker failed with real error: path argument specified to scan() is tainted at /opt/MailScanner/lib/MailScanner/SweepViruses.pm line 1169 at /opt/MailScanner/lib/MailScanner/SweepViruses.pm line 1102
Stopping now as you are debugging me.

Note: for some reasons I cannot switch to clamd and sophie is not supported by MailScanner.


b) Processing & SpamAssassin Cache Databases problems
-----------------------------------------------------

There are 2 problems.

1. MailScanner ignores the configuration settings configured:

Processing Attempts Database = /tmp/MailScanner/Processing.db
SpamAssassin Cache Database File = /tmp/MailScanner/SpamAssassin.cache.db

MailScanner creates the configured databases if they do not exist

ls -la /tmp/MailScanner/
total 32
drwxr-xr-x 2 mailscn mail 265 2009-11-20 15:19 ./
drwxrwxrwt 3 root sys 268 2009-11-20 15:19 ../
-rw------- 1 mailscn mail 4096 2009-11-20 15:19 Processing.db
-rw------- 1 mailscn mail 5120 2009-11-20 15:18 SpamAssassin.cache.db

but using:
/var/spool/MailScanner/incoming/Processing.db
/var/spool/MailScanner/incoming/SpamAssassin.cache.db

Logfile:
Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Using SpamAssassin results cache
Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Connected to SpamAssassin cache database
Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Enabling SpamAssassin auto-whitelist functionality...
Nov 20 15:18:28 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] SophosSAVI 4.45 (engine 2.90) recognizing 991629 viruses
Nov 20 15:18:28 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] SophosSAVI using 581 IDE files
Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Connected to Processing Attempts Database
Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Found 0 messages in the Processing Attempts Database
Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Using locktype = posix
Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.warning] Cannot cd to dir /var/spool/MailScanner/incoming/Processing.db to read messages, Not a directory
Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.warning] Cannot cd to dir /var/spool/MailScanner/incoming/SpamAssassin.cache.db to read messages, Not a directory

MailScanner.conf
Incoming Work Dir = /tmp/MailScanner
SpamAssassin Temporary Dir = /tmp/MailScanner
SpamAssassin Cache Database File = /tmp/MailScanner/SpamAssassin.cache.db
Processing Attempts Database = /tmp/MailScanner/Processing.db

Btw: This configuration was working well with the old MailScanner 4.64.3-2. I made the configuration upgrade using the upgrade_MailScanner_conf script. (no processing database of course).


Perl & Modules
--------------

/opt/MailScanner/bin/MailScanner -v
Running on
SunOS caval 5.9 Generic_Virtual sun4v sparc SUNW,Sun-Blade-T6320
This is Perl version 5.008009 (5.8.9)

This is MailScanner version 4.78.17
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
0.23 bignum
1.10 Carp
1.41 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.121_17 Data::Dumper
2.27 Date::Parse
1.02 DirHandle
1.06 Fcntl
2.77 File::Basename
2.13 File::Copy
2.01 FileHandle
2.07_02 File::Path
0.20 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
1.89 Math::BigInt
0.22 Math::BigRat
3.07 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.07 MIME::QuotedPrint
5.427 MIME::Tools
0.13 Net::CIDR
1.25 Net::IP
0.16 OLE::Storage_Lite
1.04 Pod::Escapes
3.05 Pod::Simple
1.15 POSIX
1.19 Scalar::Util
1.81 Socket
2.19 Storable
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.26 Test::Pod
0.86 Test::Simple
1.9715 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.38 Archive::Tar
0.23 bignum
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
1.817 DB_File
1.25 DBD::SQLite
1.607 DBI
1.15 Digest
1.01 Digest::HMAC
2.37 Digest::MD5
2.11 Digest::SHA1
missing Encode::Detect
0.17015 Error
missing ExtUtils::CBuilder
2.19 ExtUtils::ParseXS
2.38 Getopt::Long
0.45 Inline
missing IO::String
1.09 IO::Zlib
2.27 IP::Country
0.29 Mail::ClamAV
3.002005 Mail::SpamAssassin
v2.004 Mail::SPF
missing Mail::SPF::Query
0.35 Module::Build
missing Net::CIDR::Lite
0.65 Net::DNS
v0.003 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.027 NetAddr::IP
1.94 Parse::RecDescent
0.30 SAVI
3.16 Test::Harness
missing Test::Manifest
1.98 Text::Balanced
1.40 URI
0.78 version
missing YAML

perl -V
Summary of my perl5 (revision 5 version 8 subversion 9) configuration:
  Platform:
    osname=solaris, osvers=2.9, archname=sun4-solaris-thread-multi
    uname='sunos sphinx 5.9 generic_virtual sun4u sparc sunw,sun-fire-v240 '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='/opt/SUNWspro/bin/cc', ccflags ='-D_REENTRANT -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O',
    cppflags='-D_REENTRANT -I/usr/local/include'
    ccversion='Sun C 5.8 Patch 121015-06 2007/10/03', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='/opt/SUNWspro/bin/cc', ldflags =' -L/usr/lib -L/usr/local/lib '
    libpth=/usr/lib /usr/local/lib
    libs=-lsocket -lnsl -ldb -ldl -lm -lpthread -lc
    perllibs=-lsocket -lnsl -ldl -lm -lpthread -lc
    libc=/usr/lib/libc.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-KPIC', lddlflags='-G -L/usr/lib -L/usr/local/lib'

Characteristics of this binary (from libperl):
  Compile-time options: MULTIPLICITY PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP USE_FAST_STDIO USE_ITHREADS USE_LARGE_FILES USE_PERLIO USE_REENTRANT_API
  Built under solaris
  Compiled at Nov 19 2009 13:28:41
  @INC:
    /opt/MailScanner/perl/lib/5.8.9/sun4-solaris-thread-multi
    /opt/MailScanner/perl/lib/5.8.9
    /opt/MailScanner/perl/lib/site_perl/5.8.9/sun4-solaris-thread-multi
    /opt/MailScanner/perl/lib/site_perl/5.8.9
    .

Any help is appreciated

regards and have a great weekend
Thomas

From hvdkooij at vanderkooij.org Fri Nov 20 19:16:30 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Nov 20 19:16:42 2009
Subject: Stopping messages without To: or Cc: header(s)
Message-ID: <4B06EB0E.7020208@vanderkooij.org>

Hi,

I want to stop messages without a To: or Cc: header. Postfix will translate them to:
To: undisclosed-recipients:;

In the postfix cleanup(8) manual page I found this:

    undisclosed_recipients_header (To: undisclosed-recipients:;)
        Message header that the Postfix cleanup(8) server inserts when a message contains no To: or Cc: message header.

I would prefer to kill them at postfix entry before they even get accepted. But if this is not possible I would like to kill them in MailScanner as high scoring spam.

Any suggestion?

Hugo.

From Garrod.Alwood at lorodoes.com Fri Nov 20 19:17:59 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Fri Nov 20 19:23:55 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B06EB0E.7020208@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org>
Message-ID:

Need to be careful about that because some newsletters people sign up for use that in the "To:" header

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij [hvdkooij@vanderkooij.org]
Sent: Friday, November 20, 2009 2:16 PM
To: mailscanner@lists.mailscanner.info
Subject: Stopping messages without To: or Cc: header(s)

Hi,

I want to stop messages without a To: or Cc: header. Postfix will translate them to:
To: undisclosed-recipients:;

In the postfix cleanup(8) manual page I found this:

    undisclosed_recipients_header (To: undisclosed-recipients:;)
        Message header that the Postfix cleanup(8) server inserts when a message contains no To: or Cc: message header.

I would prefer to kill them at postfix entry before they even get accepted. But if this is not possible I would like to kill them in MailScanner as high scoring spam.

Any suggestion?

Hugo.

From hvdkooij at vanderkooij.org Fri Nov 20 19:43:11 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Nov 20 19:43:20 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To:
References: <4B06EB0E.7020208@vanderkooij.org>
Message-ID: <4B06F14F.2080009@vanderkooij.org>

On 20/11/09 20:17, Garrod M. Alwood wrote:
> Need to be careful about that because some newsletters people sign up for use that in the "To:" header

Well. Too bad for them.

Hugo.

From alex at rtpty.com Fri Nov 20 19:54:48 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Nov 20 19:55:03 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B06F14F.2080009@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org>
Message-ID: <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com>

They deserve to be taken out and flogged silly with a wet noodle for their crime!

On Nov 20, 2009, at 2:43 PM, Hugo van der Kooij wrote:

> Well. Too bad for them.

From Garrod.Alwood at lorodoes.com Fri Nov 20 20:20:18 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Fri Nov 20 20:26:24 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org>, <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com>
Message-ID:

Hey, I agree with both of you, but when it's a newsletter the boss wants, then I do as I say and go yes sir. That's all I'm saying. And you could use a header rule in postfix.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman [alex@rtpty.com]
Sent: Friday, November 20, 2009 2:54 PM
To: MailScanner discussion
Subject: Re: Stopping messages without To: or Cc: header(s)

They deserve to be taken out and flogged silly with a wet noodle for their crime!

On Nov 20, 2009, at 2:43 PM, Hugo van der Kooij wrote:

> Well. Too bad for them.

From hvdkooij at vanderkooij.org Fri Nov 20 20:50:47 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Nov 20 20:50:57 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To:
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org>, <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com>
Message-ID: <4B070127.5050209@vanderkooij.org>

On 20/11/09 21:20, Garrod M. Alwood wrote:
> Hey, I agree with both of you, but when it's a newsletter the boss wants, then I do as I say and go yes sir. That's all I'm saying. And you could use a header rule in postfix.

I have not found a way to write a postfix expression to match a missing set where neither the To: or the From: lines are set.

Hugo.

From ilikeuce at bornefeld-ettmann.de Fri Nov 20 22:16:29 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Fri Nov 20 22:17:06 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B070127.5050209@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org>, <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org>
Message-ID:

Hugo van der Kooij wrote:
> On 20/11/09 21:20, Garrod M. Alwood wrote:
>> Hey, I agree with both of you, but when it's a newsletter the boss
>> wants, then I do as I say and go yes sir. That's all I'm saying. And you
>> could use a header rule in postfix.
>
> I have not found a way to write a postfix expression to match a missing
> set where neither the To: or the From: lines are set.
>
> Hugo.

would you please share it with me/us?

cheers
Ralph

From hvdkooij at vanderkooij.org Sat Nov 21 06:17:13 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Nov 21 06:17:27 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To:
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org>, <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org>
Message-ID: <4B0785E9.3030509@vanderkooij.org>

On 20/11/09 23:16, Ralph Bornefeld-Ettmann wrote:
> Hugo van der Kooij wrote:
>> On 20/11/09 21:20, Garrod M. Alwood wrote:
>>> Hey, I agree with both of you, but when it's a newsletter the boss
>>> wants, then I do as I say and go yes sir. That's all I'm saying. And
>>> you could use a header rule in postfix.
>>
>> I have not found a way to write a postfix expression to match a
>> missing set where neither the To: or the From: lines are set.
>>
>> Hugo.
>
> would you please share it with me/us?

I can't share what I don't have. I would assume that was obvious.

Hugo.

From ilikeuce at bornefeld-ettmann.de Sat Nov 21 10:34:44 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Sat Nov 21 10:35:18 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B0785E9.3030509@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org>, <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org> <4B0785E9.3030509@vanderkooij.org>
Message-ID:

Hugo van der Kooij wrote:
> On 20/11/09 23:16, Ralph Bornefeld-Ettmann wrote:
>> Hugo van der Kooij wrote:
>>> On 20/11/09 21:20, Garrod M. Alwood wrote:
>>>> Hey, I agree with both of you, but when it's a newsletter the boss
>>>> wants, then I do as I say and go yes sir. That's all I'm saying. And
>>>> you could use a header rule in postfix.
>>>
>>> I have not found a way to write a postfix expression to match a
>>> missing set where neither the To: or the From: lines are set.
>>>
>>> Hugo.
>>
>> would you please share it with me/us?
>
> I can't share what I don't have. I would assume that was obvious.
>
> Hugo.

hups ... sorry ... I missed reading the word "not" :-(

Ralph

From FUNK.Gabor at hunetkft.hu Sat Nov 21 17:48:52 2009
From: FUNK.Gabor at hunetkft.hu (Gabor FUNK)
Date: Sat Nov 21 17:49:15 2009
Subject: Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm and headerless quarantineing
Message-ID:

Hi all,

I have two recent problems with MS (currently at 4.78.17-1 but was trying different ones, last known good was 4.68.8-1, though for problem 2) the change in /usr/lib/perl/5.10/IO/File.pm seems to be the triggering cause in any MS version)

1) previously [v4.68.8-1] the
Quarantine Whole Messages As Queue Files = no
worked as intended, but now with 4.78.17-1 it saves the body ONLY, without the headers.

2) messages with zip, doc and other attachments got into the quarantine, mail.log said something like that:

2009-11-10 21:05:14 ns1 MailScanner[21038]: Making attempt 2 at processing message 1N7wta-0005Be-OV
2009-11-10 21:09:09 ns1 MailScanner[21419]: Making attempt 3 at processing message 1N7wta-0005Be-OV
2009-11-10 21:12:28 ns1 MailScanner[5011]: Making attempt 4 at processing message 1N7wta-0005Be-OV
2009-11-10 21:25:41 ns1 MailScanner[26105]: Making attempt 5 at processing message 1N7wta-0005Be-OV
2009-11-10 21:37:55 ns1 MailScanner[15173]: Making attempt 6 at processing message 1N7wta-0005Be-OV
2009-11-10 21:38:13 ns1 MailScanner[15275]: Warning: skipping message 1N7wta-0005Be-OV as it has been attempted too many times
2009-11-10 21:38:13 ns1 MailScanner[15275]: Quarantined message 1N7wta-0005Be-OV as it caused MailScanner to crash several times
2009-11-10 21:38:13 ns1 MailScanner[15275]: Saved entire message to /var/spool/MailScanner/quarantine/20091110/1N7wta-0005Be-OV

Since the "caused MailScanner to crash several times" didn't give any hint what and where were the crash, I played with tnef and other settings with no useful results.

Then, after setting
Maximum Archive Depth = %rules-dir%/max.arch.depth
to
Maximum Archive Depth = 0
and copy files back to incoming queue, the mail "passed through":

2009-11-10 22:02:55 ns1 MailScanner[23964]: Filename Checks: Allowing 1N7wta-0005Be-OV msg-23964-1.txt (no rule matched)
2009-11-10 22:02:55 ns1 MailScanner[23964]: Filename Checks: Allowing 1N7wta-0005Be-OV 2009-11-10_21-00-54_report.zip (no rule matched)

a "MailScanner --debug --id=1N7wta-0005Be-OV" result's is:
"
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 1 message.
Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
"

Googling for it gave me:
http://episteme.arstechnica.com/eve/forums/a/tpc/f/96509133/m/966003098931
then
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529358
There is a suggested fix at the end of the bugreport (msg 30)

Anybody else experiencing any or both of the above problems?

Regards,
Gabor

From glenn.steen at gmail.com Sun Nov 22 09:02:57 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 22 09:03:06 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B0785E9.3030509@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org> <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org> <4B0785E9.3030509@vanderkooij.org>
Message-ID: <223f97700911220102t7d4008c4je025c44b34db1f0e@mail.gmail.com>

Is there explicit support for this type of rejection in the standard?
I thought it only implied...;-)
Many distribution list thingies use this, not only baddies. I suppose
you've analysed it a bit already...?
Anyway, there's no obvious way to do it in Postfix, due to the "operate on one line at a time" thing. Simplest would likely be to use a SpamAssassin rule and the rule hit thing in MS.

Cheers!

2009/11/21, Hugo van der Kooij :
> On 20/11/09 23:16, Ralph Bornefeld-Ettmann wrote:
>> Hugo van der Kooij wrote:
>>> On 20/11/09 21:20, Garrod M. Alwood wrote:
>>>> Hey, I agree with both of you, but when it's a newsletter the boss
>>>> wants, then I do as I say and go yes sir. That's all I'm saying. And
>>>> you could use a header rule in postfix.
>>>
>>> I have not found a way to write a postfix expression to match a
>>> missing set where neither the To: or the From: lines are set.
>>>
>>> Hugo.
>>
>> would you please share it with me/us?
>
> I can't share what I don't have. I would assume that was obvious.
>
> Hugo.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Sent from my mobile device

--
Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sun Nov 22 09:33:47 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Nov 22 09:33:58 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <223f97700911220102t7d4008c4je025c44b34db1f0e@mail.gmail.com>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org> <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org> <4B0785E9.3030509@vanderkooij.org> <223f97700911220102t7d4008c4je025c44b34db1f0e@mail.gmail.com>
Message-ID: <4B09057B.1060707@vanderkooij.org>

On 22/11/09 10:02, Glenn Steen wrote:
> Is there explicit support for this type of rejection in the standard?
> I thought it only implied...;-)
> Many distribution list thingies use this, not only baddies. I suppose
> you've analysed it a bit already...?

Well. RFC5322 does not make them required.

+----------------+--------+------------+----------------------------+
| Field          | Min    | Max number | Notes                      |
|                | number |            |                            |
+----------------+--------+------------+----------------------------+
| trace          | 0      | unlimited  | Block prepended - see      |
|                |        |            | 3.6.7                      |
| resent-date    | 0*     | unlimited* | One per block, required if |
|                |        |            | other resent fields are    |
|                |        |            | present - see 3.6.6        |
| resent-from    | 0      | unlimited* | One per block - see 3.6.6  |
| resent-sender  | 0*     | unlimited* | One per block, MUST occur  |
|                |        |            | with multi-address         |
|                |        |            | resent-from - see 3.6.6    |
| resent-to      | 0      | unlimited* | One per block - see 3.6.6  |
| resent-cc      | 0      | unlimited* | One per block - see 3.6.6  |
| resent-bcc     | 0      | unlimited* | One per block - see 3.6.6  |
| resent-msg-id  | 0      | unlimited* | One per block - see 3.6.6  |
| orig-date      | 1      | 1          |                            |
| from           | 1      | 1          | See sender and 3.6.2       |
| sender         | 0*     | 1          | MUST occur with            |
|                |        |            | multi-address from - see   |
|                |        |            | 3.6.2                      |
| reply-to       | 0      | 1          |                            |
| to             | 0      | 1          |                            |
| cc             | 0      | 1          |                            |
| bcc            | 0      | 1          |                            |
| message-id     | 0*     | 1          | SHOULD be present - see    |
|                |        |            | 3.6.4                      |
| in-reply-to    | 0*     | 1          | SHOULD occur in some       |
|                |        |            | replies - see 3.6.4        |
| references     | 0*     | 1          | SHOULD occur in some       |
|                |        |            | replies - see 3.6.4        |
| subject        | 0      | 1          |                            |
| comments       | 0      | unlimited  |                            |
| keywords       | 0      | unlimited  |                            |
| optional-field | 0      | unlimited  |                            |
+----------------+--------+------------+----------------------------+

But in my experience all newsletters I am expecting and all mailinglists I have subscribed to make proper use of at least the To: or Cc: header.

Hugo.

From glenn.steen at gmail.com Sun Nov 22 10:02:24 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Nov 22 10:02:34 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B09057B.1060707@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org> <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org> <4B0785E9.3030509@vanderkooij.org> <223f97700911220102t7d4008c4je025c44b34db1f0e@mail.gmail.com> <4B09057B.1060707@vanderkooij.org>
Message-ID: <223f97700911220202l27c80d70o466b05c35b13a90a@mail.gmail.com>

:-)
As said... I was pretty sure you already had looked at that angle.
... So then it's just a matter of some SA rule hacking;-)... I'm not
the greatest re-designer, but I suppose a few rules to check for the
presence and one to combine and "invert" should do the trick... Should
be some rules you could piggyback, but... Can't check that ATM.
Btw, sorry for the quoting style... The wife is hogging all the
computers, and the gmail application on my phone kind of sucks in this
regard.

Cheers

2009/11/22, Hugo van der Kooij :
> On 22/11/09 10:02, Glenn Steen wrote:
>> Is there explicit support for this type of rejection in the standard?
>> I thought it only implied...;-)
>> Many distribution list thingies use this, not only baddies. I suppose
>> you've analysed it a bit already...?
>
> Well. RFC5322 does not make them required.
>
> +----------------+--------+------------+----------------------------+
> | Field          | Min    | Max number | Notes                      |
> |                | number |            |                            |
> +----------------+--------+------------+----------------------------+
> | trace          | 0      | unlimited  | Block prepended - see      |
> |                |        |            | 3.6.7                      |
> | resent-date    | 0*     | unlimited* | One per block, required if |
> |                |        |            | other resent fields are    |
> |                |        |            | present - see 3.6.6        |
> | resent-from    | 0      | unlimited* | One per block - see 3.6.6  |
> | resent-sender  | 0*     | unlimited* | One per block, MUST occur  |
> |                |        |            | with multi-address         |
> |                |        |            | resent-from - see 3.6.6    |
> | resent-to      | 0      | unlimited* | One per block - see 3.6.6  |
> | resent-cc      | 0      | unlimited* | One per block - see 3.6.6  |
> | resent-bcc     | 0      | unlimited* | One per block - see 3.6.6  |
> | resent-msg-id  | 0      | unlimited* | One per block - see 3.6.6  |
> | orig-date      | 1      | 1          |                            |
> | from           | 1      | 1          | See sender and 3.6.2       |
> | sender         | 0*     | 1          | MUST occur with            |
> |                |        |            | multi-address from - see   |
> |                |        |            | 3.6.2                      |
> | reply-to       | 0      | 1          |                            |
> | to             | 0      | 1          |                            |
> | cc             | 0      | 1          |                            |
> | bcc            | 0      | 1          |                            |
> | message-id     | 0*     | 1          | SHOULD be present - see    |
> |                |        |            | 3.6.4                      |
> | in-reply-to    | 0*     | 1          | SHOULD occur in some       |
> |                |        |            | replies - see 3.6.4        |
> | references     | 0*     | 1          | SHOULD occur in some       |
> |                |        |            | replies - see 3.6.4        |
> | subject        | 0      | 1          |                            |
> | comments       | 0      | unlimited  |                            |
> | keywords       | 0      | unlimited  |                            |
> | optional-field | 0      | unlimited  |                            |
> +----------------+--------+------------+----------------------------+
>
> But in my experience all newsletters I am expecting and all mailinglists
> I have subscribed to make proper use of at least the To: or Cc: header.
>
> Hugo.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Sent from my mobile device

--
Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sun Nov 22 10:24:10 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Nov 22 10:24:20 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <223f97700911220202l27c80d70o466b05c35b13a90a@mail.gmail.com>
References: <4B06EB0E.7020208@vanderkooij.org> <4B06F14F.2080009@vanderkooij.org> <25291855-EC11-441C-B005-F5144DDC0501@rtpty.com> <4B070127.5050209@vanderkooij.org> <4B0785E9.3030509@vanderkooij.org> <223f97700911220102t7d4008c4je025c44b34db1f0e@mail.gmail.com> <4B09057B.1060707@vanderkooij.org> <223f97700911220202l27c80d70o466b05c35b13a90a@mail.gmail.com>
Message-ID: <4B09114A.9090506@vanderkooij.org>

On 22/11/09 11:02, Glenn Steen wrote:
> :-)
> As said... I was pretty sure you already had looked at that angle.
> ... So then it's just a matter of some SA rule hacking;-)... I'm not
> the greatest re-designer, but I suppose a few rules to check for the
> presence and one to combine and "invert" should do the trick... Should
> be some rules you could piggyback, but... Can't check that ATM.
> Btw, sorry for the quoting style... The wife is hogging all the
> computers, and the gmail application on my phone kind of sucks in this
> regard.

I need to see what postfix can do with the special header. Perhaps direct it to a dummy or not existing address.

Hugo

From mmmm82 at gmail.com Sun Nov 22 10:26:49 2009
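Added example (editorial; not part of any list message, and not MailScanner, Postfix or SpamAssassin code): the "Stopping messages without To: or Cc: header(s)" thread above concludes that a filter which sees one header line at a time cannot detect a missing To:/Cc:, while presence tests that are combined and inverted can. The Python sketch below shows both on constructed sample messages; the function names and the LIMITS table (a subset of the RFC 5322 table quoted in the thread) are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample messages (not taken from the list archive).
HEAD = "From: news@example.org\nDate: Fri, 20 Nov 2009 19:00:00 +0000\n"
WITH_TO = HEAD + "To: staff@example.com\nSubject: Newsletter\n\nBody.\n"
CC_ONLY = (HEAD + "Cc: staff@example.com,\n boss@example.com\n"
           "Subject: Newsletter\n\nBody.\n")
NO_TO_CC = HEAD + "Subject: Newsletter\n\nBody.\n"

# Occurrence limits copied from the RFC 5322 table quoted in the thread:
# header name -> (min, max). "date" is the table's orig-date field.
LIMITS = {
    "date": (1, 1), "from": (1, 1), "sender": (0, 1), "reply-to": (0, 1),
    "to": (0, 1), "cc": (0, 1), "bcc": (0, 1), "message-id": (0, 1),
    "in-reply-to": (0, 1), "references": (0, 1), "subject": (0, 1),
}

RECIPIENT_RE = re.compile(r"^(To|Cc):", re.IGNORECASE)


def logical_header_lines(raw):
    """Return the header section as unfolded logical lines."""
    header_block = raw.split("\n\n", 1)[0]
    lines = []
    for physical in header_block.split("\n"):
        if physical[:1] in (" ", "\t") and lines:
            lines[-1] += " " + physical.strip()  # folded continuation line
        elif physical:
            lines.append(physical)
    return lines


def per_line_hits(raw, negate=False):
    """Emulate a filter that is shown one logical header line at a time.

    negate=False models the pattern /^(To|Cc):/ and negate=True models the
    negated form !/^(To|Cc):/. Returns the lines on which the rule fires.
    """
    return [line for line in logical_header_lines(raw)
            if bool(RECIPIENT_RE.match(line)) != negate]


def lacks_to_and_cc(raw):
    """Whole-message test: two presence sub-tests, combined and inverted."""
    msg = message_from_string(raw)
    has_to = msg.get("To") is not None
    has_cc = msg.get("Cc") is not None
    return not (has_to or has_cc)


def rfc5322_violations(raw):
    """List fields that occur fewer or more times than LIMITS allows."""
    msg = message_from_string(raw)
    problems = []
    for field, (low, high) in LIMITS.items():
        count = len(msg.get_all(field, []))
        if count < low:
            problems.append("missing " + field)
        elif count > high:
            problems.append("repeated " + field)
    return problems


if __name__ == "__main__":
    for name, raw in (("WITH_TO", WITH_TO), ("CC_ONLY", CC_ONLY),
                      ("NO_TO_CC", NO_TO_CC)):
        print(name,
              "positive per-line hits:", len(per_line_hits(raw)),
              "negated per-line hits:", len(per_line_hits(raw, negate=True)),
              "lacks To and Cc:", lacks_to_and_cc(raw),
              "RFC 5322 problems:", rfc5322_violations(raw))
```

The positive per-line pattern never fires on the message that should be caught, and the negated one fires on the other header lines of every message, so neither can express "no To: or Cc: anywhere"; the whole-message test flags only NO_TO_CC, which is still valid under the RFC 5322 limits.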
From: mmmm82 at gmail.com (Monis Monther)
Date: Sun Nov 22 10:26:59 2009
Subject: Fwd: Store viruses only
In-Reply-To: <200911191326.33289.Antony.Stone@mailscanner.open.source.it>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <200911190942.55181.Antony.Stone@mailscanner.open.source.it> <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com> <200911191326.33289.Antony.Stone@mailscanner.open.source.it>
Message-ID: <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>

> I have the clamavmodule and it's working fine

How do you know this?

I knew because I see in the logs that it is catching stuff

Try sending an email through the machine with the EICAR attachment (http://www.eicar.org/anti_virus_test_file.htm), and check:

I tried the test, thanks for the link

a) the mail system logs, to see whether MailScanner thinks it's detected a virus

In the log, it found it and gave this

Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/
ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/ eicar.com
....
.....
Requeue: A32B56E03A2.E8204 to E19D26E009C
....
....
Cleaned: Delivered 1 cleaned messages

b) the headers of the (presumably) received message, to see whether it tells you that anti-virus scanning was performed (X-OrganisationName-
> > Viruscheck)
> >

I only had these headers

X-MyDomain-MailScanner-ID: AA32E6E03B9.9919A
X-MyDomain-MailScanner: Found to be infected
X-MyDomain-MailScanner-SpamScore: ss
X-MyDomain-MailScanner-From: monis.monther@mediaintl.net
X-Spam-Status: No
X-RCPT-TO:
Status: U
X-UIDL: 548082981

So I conclude that it was not detected as spam but as infected, and I got the notification attachment delivered saying call help desk... bla bla

But the attachment was not saved under quarantine, I want the attachments to be saved.

> c) the output of /path/to/MailScanner --lint (to see whether it thinks the
> antivirus engine is correctly installed and available)
>

It showed that I have clamavmodule successfully installed

Conclusion: I was mistaken when I thought it was related to spam score, but now I want the virus attachment to be stored in quarantine not deleted,

Thanks

On Thu, Nov 19, 2009 at 2:26 PM, Antony Stone <Antony.Stone@mailscanner.open.source.it> wrote:

> On Thursday 19 November 2009, Monis Monther wrote:
>
> > I have the following
> >
> > Virus Scanning = yes
> > Virus Scanners = clamavmodule
> > Deliver Disinfected Files = no
> > Silent Viruses = HTML-IFrame All-Viruses
> > Still Deliver Silent Viruses = no
> >
> > I have the clamavmodule and its working fine
>
> How do you know this?
>
> > and when I set HighScore spam = store it started to quarantine virus that
> > get a high score spam and still delivers viruses that come with low spam
> > messages
>
> Are you saying that the quarantined messages (quarantined because they are
> detected as spam) still contain the virus attachments, or have these been
> cleaned?
>
> Try sending an email through the machine with the EICAR attachment
> (http://www.eicar.org/anti_virus_test_file.htm), and check:
>
> a) the mail system logs, to see whether MailScanner thinks it's detected a
> virus
>
> b) the headers of the (presumably) received message, to see whether it tells
> you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)
>
> c) the output of /path/to/MailScanner --lint (to see whether it thinks the
> antivirus engine is correctly installed and available)
>
>
> Antony.
>
> --
> "Reports that say that something hasn't happened are always interesting to me,
> because as we know, there are known knowns; there are things we know we know.
> We also know there are known unknowns; that is to say we know there are some
> things we do not know. But there are also unknown unknowns - the ones we
> don't know we don't know."
>
> - Donald Rumsfeld, US Secretary of Defence
>
> Please reply to the list;
> please don't CC me.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091122/8712f517/attachment.html

From MailScanner at ecs.soton.ac.uk Sun Nov 22 11:53:51 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 22 11:54:13 2009
Subject: Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm and headerless quarantineing
In-Reply-To:
References: <4B09264F.5010004@ecs.soton.ac.uk>
Message-ID:

On 21/11/2009 17:48, Gabor FUNK wrote:
> Hi all,
>
> I have two recent problems with MS (currently at 4.78.17-1 but was
> trying different ones, last known good was 4.68.8-1, though for
> problem 2) the change in /usr/lib/perl/5.10/IO/File.pm seems to be the
> triggering cause in any MS version)
>
>
> 1) previously [v4.68.8-1] the
> Quarantine Whole Messages As Queue Files = no
> worked as intended, but now with 4.78.17-1 it saves
> the body ONLY, without the headers.

What MTA are you using? What are your "Run As User" and "Run As Group" settings? I can't reproduce this. With MTA=sendmail it works fine for me. I get a file for each attachment, and 1 file called "message" which contains the entire message, both headers and body.
Worked fine with MTA=postfix as well.

>
>
>
> 2) messages with zip, doc and other attachments got into the
> quarantine, mail.log said something like that:
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
> Have a batch of 1 message.
> Insecure dependency in open while running with -T switch at
> /usr/lib/perl/5.10/IO/File.pm line 63.
> "

I think I have fixed this. I'll put out another beta in a minute to fix this problem.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Nov 22 12:01:01 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 22 12:01:26 2009
Subject: SOLVED in 7.2: Perl problems on FreeBSD (again)
In-Reply-To:
References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> <1dff82c40911151159p439fa3c9u2a7d274185aef9d@mail.gmail.com> <1dff82c40911151253m70e0170cy12f21bbc65d9f853@mail.gmail.com> <4B068B55.1060906@ecs.soton.ac.uk> <4B0927FD.3030109@ecs.soton.ac.uk>
Message-ID:

I *think* I have found all the occurrences of this problem, and have just released a new beta.
If I have missed any, please do shout!

Jules.

On 20/11/2009 12:28, Julian Field wrote:
> Can you tell me what the changes are, and give me any hints or tips on
> what changes I need to make to my code to work with these new changes?
>
> It'll take me hours to find out exactly what I need to change, and I
> simply don't have that much time right now. But I would like to get
> the problem fixed as soon as poss.
>
> Jules.
>
> On 15/11/2009 20:53, Sanderson4 wrote:
>> To follow up on my previous post, Perl 5.10.1 resolved bugs in taint
>> that MailScanner got around in 5.8 and 5.10. Now that taint has been
>> fixed in 5.10.1, MailScanner doesn't run.
>> Sanderson4
>>
>> On Sun, Nov 15, 2009 at 1:59 PM, Sanderson4 wrote:
>>
>> Unfortunately, the issue is MailScanner and not Perl. When a user
>> sets "Run As Users" and "Run As Group" in MailScanner, it forces
>> Perl to run in taint mode because Perl was directed by
>> MailScanner to run as a different user. For security reasons this
>> causes Perl to be very sceptical as to what tasks the assigned
>> user can perform. MailScanner has not been updated to resolve
>> these tainted tasks (ie load custom function files or chown).
>> The reason you don't see the Linux community complain about Perl is
>> because they use a packaging system that doesn't force a user to
>> upgrade to the latest version of Perl each time they upgrade
>> MailScanner. FreeBSD's portmaster and portupgrade check each
>> dependency of MailScanner and will upgrade any dependency that has
>> a newer version available. I know with portmaster you can include
>> the -x argument to "avoid building or updating ports that match
>> this pattern." Unfortunately I don't use portupgrade so I don't
>> know how to exclude an upgrade. Please refer to the man page for
>> a solution.
>> With that said, we as a FreeBSD community need to submit bug
>> requests to Jules so he can resolve these programming constraints
>> that newer versions of Perl produce.
>> Cheers,
>> Sanderson4
>> On Sun, Nov 15, 2009 at 12:18 PM, Drew Marshall wrote:
>>
>>
>> On 15 Nov 2009, at 14:03, Mog wrote:
>>
>> Hi,
>>
>> I followed the procedure you described exactly. I'm
>> guessing the other people who are experiencing the same
>> problem did the same thing as well (as mentioned on the
>> ports mailing list). I'm using that exact version of perl
>> you mentioned and used the perl-after-upgrade call as
>> always. As it turns out, to get the mail server back up
>> and running again I had to revert to the packaged version
>> perl-5.10.0_2.tbz and ignore the upgrade (like last time
>> this happened).
>>
>>
>> Yup, same here. Make sure you continue to be vigilant when
>> running portupgrade again or else you will be right back again.
>>
>>
>>
>> I can only assume that either you did something extra we
>> haven't to make it work, or ... Actually there is no or,
>> I'm out of ideas. I have no idea why it should work for a
>> few people but not dozens of others (unless you're using
>> portmaster and we're using portupgrade or something). Nor
>> do I know what actually is the cause of the problem.
>>
>>
>> I have upgraded to 5.10.1 and had to roll back too. I have no
>> idea what could be causing the issue but it's a right pain.
>>
>>
>>
>> I can't see any logical reason why every so often a perl
>> upgrade will cause MailScanner to break. Presumably either
>> it's a recurring problem with the FreeBSD port, the
>> upgrade process, or within perl itself.
>>
>>
>> It's not a problem within the same version but every so often
>> a new version pops out and having gone through the upgrade,
>> then reinstalling all the p5-* ports (portupgrade -f p5-* I
>> always do that as I don't find the perl-after-upgrade
>> script does the job fully but then I have never run it with
>> the -f option so I'll try that next time) to find that
>> something borks MS and then you have to downgrade again is a
>> right pain :-(
>>
>> I really like FreeBSD but I just can't see what is causing
>> this to happen. Surely perl is perl and therefore it should
>> work for everyone or no one? Or have I missed something
>> (Probably!)?
>>
>> Drew
>> -- In line with our policy, this message has been
>> scanned for
>> viruses and dangerous content.
>> Our email policy can be found at www.trunknetworks.com/policy
>>
>>
>> Trunk Networks Limited is registered in Scotland with
>> registration number: SC351063
>> Registered Office 55-57 West High Street Inverurie AB51 3QQ
>>
>>
>> -- MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>>
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>
> Jules
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From FUNK.Gabor at hunetkft.hu Sun Nov 22 12:11:27 2009
From: FUNK.Gabor at hunetkft.hu (Gabor FUNK)
Date: Sun Nov 22 12:11:52 2009
Subject: Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm and headerless quarantineing
References: <4B09264F.5010004@ecs.soton.ac.uk>
Message-ID:

Hi,

>> 1) previously [v4.68.8-1] the
>> Quarantine Whole Messages As Queue Files = no
>> worked as intended, but now with 4.78.17-1 it saves
>> the body ONLY, without the headers.

> What MTA are you using? What are your "Run As User" and "Run As Group"
> settings? I can't reproduce this. With MTA=sendmail it works fine for me.
> I get a file for each attachment, and 1 file called "message" which
> contains the entire message, both headers and body.
> Worked fine with MTA=postfix as well.

I use debian, exim4, run as user/group are Debian-exim.
Was working well before an upgrade, which involved perl library upgrades.
Since problem 2 was the first priority, I didn't do debug with this, but now I can imagine that this is also caused by some underlying perl library incompatibility or alike.
If issue 2 is fixed, I will try to play around with this some more and let you know.

Thanks,
G.

From MailScanner at ecs.soton.ac.uk Sun Nov 22 12:14:23 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Sun Nov 22 12:14:45 2009 Subject: Problems MailScanner 4.78.17 In-Reply-To: <20091120162432.30f30802.lists@buschor.ch> References: <20091120162432.30f30802.lists@buschor.ch> <4B092B1F.2080308@ecs.soton.ac.uk> Message-ID: On 20/11/2009 15:24, ThB wrote: > Hello, > > I've got some problems running MailScanner 4.78.18 > > a) Taint problem in SweepOther.pm& SweepViruses.pm > I hope I have found them. Try the latest beta. > b) Processing& SpamAssassin Cache Databases problems > I cannot reproduce this fault. Judging from the "Cannot cd to dir ... to read messages" I would suggest you have put something wrong in your MailScanner.conf file. "MailScanner --changed" will help you find what's wrong. > I'm running MailScanner on Solaris 9 and Perl 5.8.9 > (also tried 5.10.1 but had the same problems) > > > a) Taint problem with virus scanners > ------------------------------------ > Virus Scanners = clamavmodule sophossavi > > MailScanner --debug > > In Debugging mode, not forking... > Trying to setlogsock(native) > Building a message batch to scan... > Have a batch of 1 message. > File checker failed with real error: Insecure dependency in exec while running with -T switch at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 431. > at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 443 > Commercial virus checker failed with real error: path argument specified to scan() is tainted at /opt/MailScanner/lib/MailScanner/SweepViruses.pm line 1169 > at /opt/MailScanner/lib/MailScanner/SweepViruses.pm line 1102 > Stopping now as you are debugging me. > > > Note: for some reasons I cannot switch to clamd and sophie is not supported by MailScanner. > > > b) Processing& SpamAssassin Cache Databases problems > ----------------------------------------------------- > > There are 2 problems. > > 1. 
MailScanner ignores the configuration settings > configured: > Processing Attempts Database = /tmp/MailScanner/Processing.db > SpamAssassin Cache Database File = /tmp/MailScanner/SpamAssassin.cache.db > > MailScanner creates the configured databases if they do not exist > ls -la /tmp/MailScanner/ > total 32 > drwxr-xr-x 2 mailscn mail 265 2009-11-20 15:19 ./ > drwxrwxrwt 3 root sys 268 2009-11-20 15:19 ../ > -rw------- 1 mailscn mail 4096 2009-11-20 15:19 Processing.db > -rw------- 1 mailscn mail 5120 2009-11-20 15:18 SpamAssassin.cache.db > > but using: > /var/spool/MailScanner/incoming/Processing.db > /var/spool/MailScanner/incoming/SpamAssassin.cache.db > > Logfile: > Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Using SpamAssassin results cache > Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Connected to SpamAssassin cache database > Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Enabling SpamAssassin auto-whitelist functionality... 
> Nov 20 15:18:28 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] SophosSAVI 4.45 (engine 2.90) recognizing 991629 viruses > Nov 20 15:18:28 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] SophosSAVI using 581 IDE files > Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Connected to Processing Attempts Database > Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Found 0 messages in the Processing Attempts Database > Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Using locktype = posix > Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.warning] Cannot cd to dir /var/spool/MailScanner/incoming/Processing.db to read messages, Not a directory > Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.warning] Cannot cd to dir /var/spool/MailScanner/incoming/SpamAssassin.cache.db to read messages, Not a directory > > > MailScanner.conf > Incoming Work Dir = /tmp/MailScanner > SpamAssassin Temporary Dir = /tmp/MailScanner > SpamAssassin Cache Database File = /tmp/MailScanner/SpamAssassin.cache.db > Processing Attempts Database = /tmp/MailScanner/Processing.db > > Btw: > This configuration was workling well with the old MailScanner 4.64.3-2. > I made the configuration upgrade using the upgrade_MailScanner_conf script. (no processing database of course). 
>
>
> Perl & Modules
> --------------
> /opt/MailScanner/bin/MailScanner -v
> Running on
> SunOS caval 5.9 Generic_Virtual sun4v sparc SUNW,Sun-Blade-T6320
> This is Perl version 5.008009 (5.8.9)
>
> This is MailScanner version 4.78.17
>
>
> Any help is appreciated
> regards and have a great weekend
> Thomas
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Nov 22 12:15:34 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 22 12:15:57 2009
Subject: Fwd: Store viruses only
In-Reply-To: <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com>
    <200911190942.55181.Antony.Stone@mailscanner.open.source.it>
    <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com>
    <200911191326.33289.Antony.Stone@mailscanner.open.source.it>
    <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
    <4B092B66.4040607@ecs.soton.ac.uk>
Message-ID:

If it's being treated as a "Silent Virus" then it won't be stored in the
quarantine. Read about "Silent Viruses" and "Non-Forging Viruses" in
MailScanner.conf.

On 22/11/2009 10:26, Monis Monther wrote:
> > I have the clamavmodule and its working fine
>
> How do you know this?
>
>
> I knew because I see in the logs that it is catching stuff
>
>
> Try sending an email through the machine with the EICAR attachment
> (http://www.eicar.org/anti_virus_test_file.htm), and check:
>
> I tried the test, thanks for the link
>
> a) the mail system logs, to see whether MailScanner thinks it's detected a
> virus
>
> In the log, it found it and gave this
>
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/
> ClamAVModule::INFECTED:: Eicar-Test-Signature::
> ./A32B56E03A2.E8204/eicar.com
> ....
> .....
> Requeue: A32B56E03A2.E8204 to E19D26E009C
> ....
> ....
> Cleaned: Delivered 1 cleaned messages
>
>
> b) the headers of the (presumably) received message, to see whether it tells
> you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)
>
> I only had these headers
> X-MyDomain-MailScanner-ID: AA32E6E03B9.9919A
> X-MyDomain-MailScanner: Found to be infected
> X-MyDomain-MailScanner-SpamScore: ss
> X-MyDomain-MailScanner-From: monis.monther@mediaintl.net
>
> X-Spam-Status: No
> X-RCPT-TO:
> Status: U
> X-UIDL: 548082981
>
> So I conclude that it was not detected as spam but as infected, and I
> got the notification attachment delivered saying call help desk... bla
> bla
>
> But the attachment was not saved under quarantine, I want the
> attachments to be saved.
>
> c) the output of /path/to/MailScanner --lint (to see whether it thinks the
> antivirus engine is correctly installed and available)
>
>
> It showed that I have clamavmodule successfully installed
>
>
>
> Conclusion: I was mistaken when I thought it was related to spam
> score, but now I want the virus attachment to be stored in quarantine
> not deleted, Thanks
>
>
>
>
>
> On Thu, Nov 19, 2009 at 2:26 PM, Antony Stone wrote:
>
> On Thursday 19 November 2009, Monis Monther wrote:
>
> > I have the following
> >
> > Virus Scanning = yes
> > Virus Scanners = clamavmodule
> > Deliver Disinfected Files = no
> > Silent Viruses = HTML-IFrame All-Viruses
> > Still Deliver Silent Viruses = no
> >
> > I have the clamavmodule and its working fine
>
> How do you know this?
>
> > and when I set HighScore spam = store it started to quarantine virus that
> > get a high score spam and still delivers viruses that come with low spam
> > messages
>
> Are you saying that the quarantined messages (quarantined because they are
> detected as spam) still contain the virus attachments, or have these been
> cleaned?
>
> Try sending an email through the machine with the EICAR attachment
> (http://www.eicar.org/anti_virus_test_file.htm), and check:
>
> a) the mail system logs, to see whether MailScanner thinks it's detected a
> virus
>
> b) the headers of the (presumably) received message, to see whether it tells
> you that anti-virus scanning was performed
> (X-OrganisationName-Viruscheck)
>
> c) the output of /path/to/MailScanner --lint (to see whether it thinks the
> antivirus engine is correctly installed and available)
>
>
> Antony.
>
> --
> "Reports that say that something hasn't happened are always interesting to me,
> because as we know, there are known knowns; there are things we know we know.
> We also know there are known unknowns; that is to say we know there are some
> things we do not know. But there are also unknown unknowns - the ones we
> don't know we don't know."
>
> - Donald Rumsfeld, US Secretary of Defence
>
> Please reply to the list;
> please don't CC me.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sun Nov 22 12:18:12 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 22 12:18:42 2009
Subject: Stopping messages without To: or Cc: header(s)
In-Reply-To: <4B06EB0E.7020208@vanderkooij.org>
References: <4B06EB0E.7020208@vanderkooij.org>
    <4B092C04.2020906@ecs.soton.ac.uk>
Message-ID:

You can do this with a simple SpamAssassin rule to pick up the
"undisclosed-recipients" in the "To" header. Assign it a score of just
off zero (so it gets executed). Then use a "SpamAssassin Rule Actions"
setting to delete any messages hitting this rule.

Dead easy :-)

Jules.

On 20/11/2009 19:16, Hugo van der Kooij wrote:
> Hi,
>
> I want to stop messages without a To: or Cc: header. Postfix will
> translate them to:
> To: undisclosed-recipients:;
>
> In the postfix cleanup(8) manual page I found this:
>
> undisclosed_recipients_header (To: undisclosed-recipients:;)
> Message header that the Postfix cleanup(8) server
> inserts when a message contains no To: or Cc: message
> header.
>
> I would prefer to kill them at postfix entry before they even get
> accepted. But if this is not possible I would like to kill them in
> MailScanner as high scoring spam.
>
> Any suggestion?
>
> Hugo.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From malinux at gmail.com Sun Nov 22 13:33:58 2009
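The rule-plus-action approach described in the reply above could look like the following. This is an added example, not configuration posted by anyone in the thread; the rule name LOCAL_UNDISC_RCPT, the 0.01 score and the use of local.cf as the rules file are assumptions.

```conf
# --- SpamAssassin local rules file (e.g. local.cf; location is an assumption) ---
# Match the placeholder that Postfix cleanup(8) inserts when a message
# arrives with neither To: nor Cc:  ("To: undisclosed-recipients:;").
# LOCAL_UNDISC_RCPT is a hypothetical rule name chosen for this example.
header   LOCAL_UNDISC_RCPT  To =~ /^\s*undisclosed-recipients:\s*;/i
describe LOCAL_UNDISC_RCPT  To: is undisclosed-recipients placeholder

# A rule scored exactly 0 is never evaluated, so keep the score just off
# zero: the rule fires without meaningfully moving the total spam score.
score    LOCAL_UNDISC_RCPT  0.01

# --- MailScanner.conf ---
# Act on the rule hit itself, independent of the total spam score.
SpamAssassin Rule Actions = LOCAL_UNDISC_RCPT=>delete
```

Mail addressed only through Bcc carries the same placeholder, so replacing `delete` with `store` while testing shows what the rule would discard. `spamassassin --lint` and `MailScanner --lint` check the two files before MailScanner is restarted.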
From: malinux at gmail.com (Martin Schiøtz)
Date: Sun Nov 22 13:34:07 2009
Subject: Per domain
Message-ID:

Hi

Is it possible with MailScanner to do per domain specific configuration like:

- quarantine spam mails, delete them or just do header marking based
  on the domain.
- different rules for message size, attachments etc.

How do I do that?

-- Martin

From mikael at syska.dk Sun Nov 22 15:30:20 2009
From: mikael at syska.dk (Mikael Syska)
Date: Sun Nov 22 15:30:33 2009
Subject: Per domain
In-Reply-To:
References:
Message-ID: <6beca9db0911220730i743d90b1idadccfba1c10e9d1@mail.gmail.com>

Hi

On Sun, Nov 22, 2009 at 2:33 PM, Martin Schiøtz wrote:

> Hi
>
> Is it possible with MailScanner to do per domain specific configuration
> like:
>
yes

> - quarantine spam mails, delete them or just do header marking based
> on the domain.
> - different rules for message size, attachments etc.
>
> How do I do that?
>
From the MailScanner.conf

# The maximum size, in bytes, of any message including the headers.
# If this is set to zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# dialup users so their email applications don't time out downloading huge
# messages.
Maximum Message Size = %rules-dir%/max.message.size.rules

So use rules ...

>
> -- Martin
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091122/9fb8a894/attachment.html

From MailScanner at ecs.soton.ac.uk Sun Nov 22 16:02:11 2009
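Per-domain behaviour of the kind asked about above is expressed by pointing a setting at a ruleset file instead of a fixed value. The following is an added illustration, not taken from the thread or from the MailScanner distribution; the domains, the byte limits and the file name spam.actions.rules are constructed.

```conf
# --- MailScanner.conf: each setting names a ruleset instead of a value ---
Maximum Message Size = %rules-dir%/max.message.size.rules
Spam Actions = %rules-dir%/spam.actions.rules

# --- %rules-dir%/max.message.size.rules ---
# One rule per line: <direction>  <address pattern>  <value>
# The "default" line supplies the value when no other line matches.
# Domains and limits below are constructed for this example.
To:        *@dialup.example.com   2000000
To:        *@example.org          20000000
# 0 = no size checking, as the MailScanner.conf comment quoted above says
FromOrTo:  default                0

# --- %rules-dir%/spam.actions.rules (hypothetical file name) ---
# Quarantine for one domain, delete for another, header marking otherwise.
To:        *@example.com          store
To:        *@example.org          delete
FromOrTo:  default                deliver header "X-Spam-Status: Yes"
```

`MailScanner --lint` reads the configuration and reports problems before the change goes live.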
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 22 16:02:37 2009
Subject: Per domain
In-Reply-To:
References: <4B096083.7090705@ecs.soton.ac.uk>
Message-ID:

Read up about rulesets. You can have just about every setting different
for different domains, users, groups of users, whatever. They are
usually put in /etc/MailScanner/rules and then referred to in the
MailScanner.conf file. Check out the files in that directory, they will
give you some pointers and examples to get started.

On 22/11/2009 13:33, Martin Schiøtz wrote:
> Hi
>
> Is it possible with MailScanner to do per domain specific configuration like:
>
> - quarantine spam mails, delete them or just do header marking based
> on the domain.
> - different rules for message size, attachments etc.
>
> How do I do that?
>
> -- Martin
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From pedro at romehosting.com Sun Nov 22 19:40:26 2009
From: pedro at romehosting.com (Dave Gattis)
Date: Sun Nov 22 19:40:42 2009
Subject: Moving quarantine directory to MySQL database
Message-ID:

I may be mistaken, but in a previous install I think I had all quarantine
messages being stored in a MySQL database. I've looked all over the web
and can't find the instructions to do this. Can someone point me in the
right direction?
Thanks!
Dave

From mikael at syska.dk Sun Nov 22 20:19:33 2009
From: mikael at syska.dk (Mikael Syska)
Date: Sun Nov 22 20:19:46 2009
Subject: Moving quarantine directory to MySQL database
In-Reply-To:
References:
Message-ID: <6beca9db0911221219h6e194a68hd5eb7d9c86290057@mail.gmail.com>

Hi,

Don't think the whole message should be stored in mysql ... but you could be
thinking about MailWatch.

On Sun, Nov 22, 2009 at 8:40 PM, Dave Gattis wrote:

> I may be mistaken, but in a previous install I think I had all quarantine
> messages being stored in a MySQL database. I've looked all over the web
> and can't find the instructions to do this. Can someone point me in the
> right direction?
> Thanks!
> Dave
>
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
mvh
Mikael Syska
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091122/e9e33826/attachment.html

From drolland at kdinet.com Sun Nov 22 23:39:19 2009
From: drolland at kdinet.com (Diane Rolland)
Date: Sun Nov 22 23:40:58 2009
Subject: Problem with check_MailScanner hourly Cron
Message-ID: <002d01ca6bcd$04ea4490$0ebecdb0$@com>

Hi all,

I seem to have a problem on one of my servers with the check_MailScanner
hourly job.

If MailScanner is stopped it honors the lock MailScanner.off and the cron job
says Not Restarting.

However, if MailScanner is running I get Starting MailScanner. Done in
the cron notice.

Resultant problem is that I end up with hundreds of MailScanner processes (1
master waiting for children, and 5 waiting for messages - every hour).

So, it appears it isn't seeing that MailScanner is already running and
starts again. And MailScanner stop only stops the group associated with the
.pid file, so I end up having to manually kill the orphaned processes

I am running:
Linux Red Hat Enterprise AS release 4 (Nahant Update 8)
MailScanner 4.78.17

What could be wrong and what can I check? I have had to take it out of the
cron.hourly directory, but I can recreate the issue by running the
check_MailScanner manually.

Thanks in Advance!

Diane
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091122/70d3555a/attachment.html

From mmmm82 at gmail.com Mon Nov 23 06:53:21 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Mon Nov 23 06:53:30 2009
Subject: Fwd: Store viruses only
In-Reply-To:
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com>
    <200911190942.55181.Antony.Stone@mailscanner.open.source.it>
    <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com>
    <200911191326.33289.Antony.Stone@mailscanner.open.source.it>
    <4B092B66.4040607@ecs.soton.ac.uk>
    <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
Message-ID: <837e17ab0911222253h686384bet5ba7770b8cc5beac@mail.gmail.com>

Dear Julian, Thanks for your reply, I read about what you proposed and
did the following

1- Under MailScanner.conf
Still deliver silent viruses = yes

and I removed the eicar from the non-forging virus list

2- Restart the MailScanner service

I sent the eicar virus and in the log I got this

Silent: Delivered 1 messages containing silent viruses


Still I did not get the message I only got the attachment that says

The original e-mail attachment "the entire message"
was believed to be dangerous and/or infected by a virus and has been
replaced by this warning message.

Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the infected attachment. Please
ask the sender of the message to disinfect their original version and send
you a clean copy.



My Goal is that if someone sent a message that contained a virus, the virus
should be quarantined/deleted, but the message should reach its recipient
with the subject changed to virus and the warning attachment sent with it,
the last two I am achieving but the first I am failing at. Thanks.


On Sun, Nov 22, 2009 at 2:15 PM, Jules Field wrote:

> If it's being treated as a "Silent Virus" then it won't be stored in the
> quarantine. Read about "Silent Viruses" and "Non-Forging Viruses" in
> MailScanner.conf.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091123/217a49f4/attachment.html

From mmmm82 at gmail.com Mon Nov 23 11:58:31 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Mon Nov 23 11:58:42 2009
Subject: Fwd: Store viruses only
In-Reply-To: <837e17ab0911222253h686384bet5ba7770b8cc5beac@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com>
    <200911190942.55181.Antony.Stone@mailscanner.open.source.it>
    <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com>
    <200911191326.33289.Antony.Stone@mailscanner.open.source.it>
    <4B092B66.4040607@ecs.soton.ac.uk>
    <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
    <837e17ab0911222253h686384bet5ba7770b8cc5beac@mail.gmail.com>
Message-ID: <837e17ab0911230358u5f4d1800hac6b4ca8f1f299ec@mail.gmail.com>

OK everyone I also changed the option

Quarantine Silent Virus = yes

I will test and post results here in the list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091123/6d21a607/attachment-0001.html

From lists at buschor.ch Mon Nov 23 13:34:35 2009
From: lists at buschor.ch (ThB)
Date: Mon Nov 23 13:34:46 2009
Subject: Problems MailScanner 4.78.17
Message-ID: <62098.130.59.6.127.1258983275.squirrel@webmail.buschor.ch>

Hello,

On 22/11/2009 12:14, Julian Field wrote:
> On 20/11/2009 15:24, ThB wrote:
>> Hello,
>>
>> I've got some problems running MailScanner 4.78.18
>>
>> a) Taint problem in SweepOther.pm & SweepViruses.pm
>>
> I hope I have found them. Try the latest beta.

Tried MailScanner 4.79.3-1 today - the taint problem is solved.

>> b) Processing & SpamAssassin Cache Databases problems
>>
> I cannot reproduce this fault. Judging from the "Cannot cd to dir ... to
> read messages" I would suggest you have put something wrong in your
> MailScanner.conf file. "MailScanner --changed" will help you find what's
> wrong.

Excerpt from output of MailScanner --changed
(I added some formatting to improve readability)

Option Name: processingattemptsdatabase
Default:     /var/spool/MailScanner/incoming/Processing.db
Current:     /tmp/MailScanner/Processing.db

Option Name: spamassassincachedatabasefile
Default:     /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Current:     /tmp/MailScanner/SpamAssassin.cache.db

The above is what I expected. But the paths for "Processing.db" and
"SpamAssassin.cache.db" also show up in "incomingqueuedir" but with the
default values.

Option Name: incomingqueuedir
Default:     /var/spool/mqueue.in
Current:     /var/spool/MailScanner/incoming/input,\
             /var/spool/MailScanner/incoming/Locks,\
             /var/spool/MailScanner/incoming/msglog,\
             /var/spool/MailScanner/incoming/Processing.db,\
             /var/spool/MailScanner/incoming/SpamAssassin-Temp,\
             /var/spool/MailScanner/incoming/SpamAssassin.cache.db

regards
Thomas

>> I'm running MailScanner on Solaris 9 and Perl 5.8.9
>> (also tried 5.10.1 but had the same problems)
>>
>>
>> a) Taint problem with virus scanners
>> ------------------------------------
>> Virus Scanners = clamavmodule sophossavi
>>
>> MailScanner --debug
>>
>> In Debugging mode, not forking...
>> Trying to setlogsock(native)
>> Building a message batch to scan...
>> Have a batch of 1 message.
>> File checker failed with real error: Insecure dependency in exec while
>> running with -T switch at /opt/MailScanner/lib/MailScanner/SweepOther.pm
>> line 431.
>> at /opt/MailScanner/lib/MailScanner/SweepOther.pm line 443
>> Commercial virus checker failed with real error: path argument specified
>> to scan() is tainted at /opt/MailScanner/lib/MailScanner/SweepViruses.pm
>> line 1169
>> at /opt/MailScanner/lib/MailScanner/SweepViruses.pm line 1102
>> Stopping now as you are debugging me.
>>
>>
>> Note: for some reasons I cannot switch to clamd and sophie is not
>> supported by MailScanner.
>>
>>
>> b) Processing & SpamAssassin Cache Databases problems
>> -----------------------------------------------------
>>
>> There are 2 problems.
>>
>> 1. MailScanner ignores the configuration settings
>> configured:
>> Processing Attempts Database = /tmp/MailScanner/Processing.db
>> SpamAssassin Cache Database File = /tmp/MailScanner/SpamAssassin.cache.db
>>
>> MailScanner creates the configured databases if they do not exist
>> ls -la /tmp/MailScanner/
>> total 32
>> drwxr-xr-x 2 mailscn mail 265 2009-11-20 15:19 ./
>> drwxrwxrwt 3 root sys 268 2009-11-20 15:19 ../
>> -rw------- 1 mailscn mail 4096 2009-11-20 15:19 Processing.db
>> -rw------- 1 mailscn mail 5120 2009-11-20 15:18 SpamAssassin.cache.db
>>
>> but using:
>> /var/spool/MailScanner/incoming/Processing.db
>> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>>
>> Logfile:
>> Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Using SpamAssassin results cache
>> Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Connected to SpamAssassin cache database
>> Nov 20 15:18:00 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Enabling SpamAssassin auto-whitelist functionality...
>> Nov 20 15:18:28 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] SophosSAVI 4.45 (engine 2.90) recognizing 991629 viruses
>> Nov 20 15:18:28 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] SophosSAVI using 581 IDE files
>> Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Connected to Processing Attempts Database
>> Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Found 0 messages in the Processing Attempts Database
>> Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.info] Using locktype = posix
>> Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.warning] Cannot cd to dir /var/spool/MailScanner/incoming/Processing.db to read messages, Not a directory
>> Nov 20 15:19:01 caval MailScanner.conf.caval[3507]: [ID 702911 local1.warning] Cannot cd to dir /var/spool/MailScanner/incoming/SpamAssassin.cache.db to read messages, Not a directory
>>
>>
>> MailScanner.conf
>> Incoming Work Dir = /tmp/MailScanner
>> SpamAssassin Temporary Dir = /tmp/MailScanner
>> SpamAssassin Cache Database File = /tmp/MailScanner/SpamAssassin.cache.db
>> Processing Attempts Database = /tmp/MailScanner/Processing.db
>>
>> Btw:
>> This configuration was working well with the old MailScanner 4.64.3-2.
>> I made the configuration upgrade using the upgrade_MailScanner_conf
>> script. (no processing database of course).
>>
>>
>> Perl & Modules
>> --------------
>> /opt/MailScanner/bin/MailScanner -v
>> Running on
>> SunOS caval 5.9 Generic_Virtual sun4v sparc SUNW,Sun-Blade-T6320
>> This is Perl version 5.008009 (5.8.9)
>>
>> This is MailScanner version 4.78.17
>>
>>
>> Any help is appreciated
>> regards and have a great weekend
>> Thomas
>>
>
> Jules
>

From alex at rtpty.com Mon Nov 23 15:38:29 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Nov 23 15:38:43 2009
Subject: Store viruses only
In-Reply-To: <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <200911190942.55181.Antony.Stone@mailscanner.open.source.it> <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com> <200911191326.33289.Antony.Stone@mailscanner.open.source.it> <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
Message-ID:

You're sure it's the clamav module and not clamd or another process, right?

On Nov 22, 2009, at 5:26 AM, Monis Monther wrote:

> I knew because I see in the logs that it is catching stuff

From MailScanner at ecs.soton.ac.uk Mon Nov 23 19:54:25 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Mon Nov 23 19:54:46 2009
Subject: Problems MailScanner 4.78.17
In-Reply-To: <62098.130.59.6.127.1258983275.squirrel@webmail.buschor.ch>
References: <62098.130.59.6.127.1258983275.squirrel@webmail.buschor.ch> <4B0AE871.90907@ecs.soton.ac.uk>
Message-ID:

On 23/11/2009 13:34, ThB wrote:
>
> Excerpt from output of MailScanner --changed
> (I added some formatting to improve readability)
>
> The above is what I expected. But the paths for "Processing.db" and
> "SpamAssassin.cache.db" also show up in "incomingqueuedir" but with the
> default values.
>
> Option Name:
> incomingqueuedir
> Default:
> /var/spool/mqueue.in
> Current:
> /var/spool/MailScanner/incoming/input,\
> /var/spool/MailScanner/incoming/Locks,\
> /var/spool/MailScanner/incoming/msglog,\
> /var/spool/MailScanner/incoming/Processing.db,\
> /var/spool/MailScanner/incoming/SpamAssassin-Temp,\
> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>
Please show me exactly what your MailScanner.conf file shows for the
"Incoming Queue Dir =" setting.

>
> regards
> Thomas
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From fcusack at fcusack.com Tue Nov 24 01:55:36 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Nov 24 01:55:47 2009
Subject: virus scan not available -> no virus check!
Message-ID:

I can't believe this is the default behavior. Also, I can't find a
way to change it.

> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content Scanning: Starting
> Nov 23 18:09:05 localhost MailScanner[26997]: Cannot find Socket (/tmp/clamd.socket) Exiting!

and then mailscanner goes on to bless the email as "clean". Note that
I do not have virus scanning set to "auto", I have it explicitly set
to "clamd".

My preferred behavior would be to send an email to postmaster (or
whoever) at some regular interval if the virus scanner is not available.
Any way to get some semblance of that configured?

-frank

From fcusack at fcusack.com Tue Nov 24 02:00:34 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue Nov 24 02:00:45 2009
Subject: clamav not working?
Message-ID: <765892CD1A77238CE4BC8F42@rdf.local>

I'm trying to use the clamav (not clamd) virus scanner. clamscan does
report my email as containing a virus (I'm using the eicar test virus;
and I've disabled the filename check so that it actually gets to the
virus check) but mailscanner does not process the clamav output correctly.

Looking at ProcessClamAVOutput() in SweepViruses.pm I see a lot of
pattern matching which is hurting my brain. Ok, that is fine for
logging but why doesn't it just check the return value of clamav-wrapper
(which passes the return value of clamscan) to determine success?

I also notice in ProcessClamAVOutput() the incorrect comment that
clamscan stops as soon as one virus is detected. I want to use clamav
instead of clamd because mailscanner has the poor behavior of simply
accepting (and declaring "clean") all email when clamd is not available,
as I noted in a previous message.

Is anyone actually successfully using the clamav virus scanner?

thanks
-frank

From rcooper at dwford.com Tue Nov 24 03:23:41 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Nov 24 03:23:58 2009
Subject: virus scan not available -> no virus check!
In-Reply-To:
References:
Message-ID: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
Sent: Monday, November 23, 2009 8:56 PM
To: mailscanner@lists.mailscanner.info
Subject: virus scan not available -> no virus check!

> I can't believe this is the default behavior. Also, I can't find a
> way to change it.
>
>> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content Scanning: Starting
>> Nov 23 18:09:05 localhost MailScanner[26997]: Cannot find Socket (/tmp/clamd.socket) Exiting!
>
> and then mailscanner goes on to bless the email as "clean". Note that
> I do not have virus scanning set to "auto", I have it explicitly set
> to "clamd".
>
> My preferred behavior would be to send an email to postmaster (or
> whoever) at some regular interval if the virus scanner is not available.
> Anyway to get some semblance of that configured?
>
> -frank

As with any daemon, including MailScanner itself, you should have some kind
of monitoring installed that restarts and notifies you; that is not
MailScanner's job. Should it send an email for each issue with all externals
and internals to the postmaster? It did the best thing I could think of: it
issues an error to the log and moves on. I guess it could shut MailScanner
down, I suppose. It would appear to be a configuration error, since clam
doesn't remove its socket if it crashes and MailScanner --lint would have
caught it.

Monit, Webmin, PingClamd.pl in a cron job: some kind of monitoring should be
in place for both ClamD and MailScanner itself, and whatever MTA you are
using...

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Tue Nov 24 03:32:32 2009
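The kind of cron-driven check suggested in the reply above, as an added example that is not part of any post and is not MailScanner's or ClamAV's own code: it pings clamd over its socket and scans a mail log for the "Cannot find Socket" line quoted in this thread. The function names, the default paths and running it from cron are assumptions; `zPING`/`PONG` is clamd's own liveness command.

```python
#!/usr/bin/env python3
"""Health check for the clamd socket MailScanner depends on (added example)."""
import os
import re
import socket
import stat
import sys

# The two log lines quoted in the thread, kept here as sample input.
SAMPLE_LOG = [
    "Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content Scanning: Starting",
    "Nov 23 18:09:05 localhost MailScanner[26997]: Cannot find Socket (/tmp/clamd.socket) Exiting!",
]

# Matches the line MailScanner logs when it scans a batch without clamd.
OUTAGE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[\d+\]: "
    r"Cannot find Socket \((?P<path>[^)]+)\) Exiting!"
)


def scanner_outages(log_lines):
    """Return (timestamp, socket_path) for every batch scanned without clamd."""
    hits = []
    for line in log_lines:
        match = OUTAGE.match(line)
        if match:
            hits.append((match.group("ts"), match.group("path")))
    return hits


def ping_clamd(socket_path, timeout=5.0):
    """Return (ok, reason); ok is True only if clamd answers PING with PONG."""
    try:
        mode = os.stat(socket_path).st_mode
    except OSError as exc:
        return False, f"socket missing: {exc.strerror}"
    if not stat.S_ISSOCK(mode):
        return False, "path exists but is not a socket"
    reply = b""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
            conn.settimeout(timeout)
            # A crashed clamd can leave its socket file behind; only a
            # completed exchange proves that a scanner is really listening.
            conn.connect(socket_path)
            conn.sendall(b"zPING\0")
            while not reply.endswith(b"\0") and len(reply) < 64:
                chunk = conn.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:  # refused connection, timeout, permission denied
        return False, f"no answer: {exc}"
    if reply.rstrip(b"\0\n") == b"PONG":
        return True, "PONG"
    return False, f"unexpected reply: {reply!r}"


def main(argv):
    """Usage: check_clamd.py [socket_path] [maillog_path] (both hypothetical)."""
    socket_path = argv[1] if len(argv) > 1 else "/tmp/clamd.socket"
    log_path = argv[2] if len(argv) > 2 else None
    problems = []
    ok, reason = ping_clamd(socket_path)
    if not ok:
        problems.append(f"clamd at {socket_path} is not answering: {reason}")
    if log_path:
        with open(log_path, errors="replace") as handle:
            for stamp, path in scanner_outages(handle):
                problems.append(f"{stamp}: MailScanner could not reach {path}")
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from cron, any output is mailed to the job's owner, which gives the periodic notification asked for earlier in the thread.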
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Nov 24 03:32:49 2009
Subject: clamav not working?
In-Reply-To: <765892CD1A77238CE4BC8F42@rdf.local>
References: <765892CD1A77238CE4BC8F42@rdf.local>
Message-ID: <12779DEF33AD49A6ADDD4CAF7778B7F2@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
Sent: Monday, November 23, 2009 9:01 PM
To: mailscanner@lists.mailscanner.info
Subject: clamav not working?

> I'm trying to use the clamav (not clamd) virus scanner. clamscan does
> report my email as containing a virus (I'm using the eicar test virus;
> and I've disabled the filename check so that it actually gets to the
> virus check) but mailscanner does not process the clamav output correctly.

Which means what exactly? It misses the virus? It outputs Slovakian? It's
dyslexic?

>
> Looking at ProcessClamAVOutput() in SweepViruses.pm I see a lot of
> pattern matching which is hurting my brain. Ok, that is fine for
> logging but why doesn't it just check the return value of clamav-wrapper
> (which passes the return value of clamscan) to determine success?

Because there is more to the output than logging, such as admin
notification, user notification (of virus name and file containing it) and
of course the return value.

>
> I also notice in ProcessClamAVOutput() the incorrect comment that
> clamscan stops as soon as one virus is detected. I want to use clamav
> instead of clamd because mailscanner has the poor behavior of simply
> accepting (and declaring "clean") all email when clamd is not available,
> as I noted in a previous message.
>

Which is:
a. A good reason to use more than one A/V solution
b. A very good reason to use monitoring solutions (try Swatch for tracking
   errors found in log files)
c. A very good reason to enter the correct configuration values (such as
   socket location, or IP address, port)
d. A very good reason to run MailScanner --lint before declaring a
   configuration working and useable

> Is anyone actually successfully using the clamav virus scanner?

And how about is anyone successfully using clamd as a virus scanner?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mmmm82 at gmail.com Tue Nov 24 07:31:01 2009
From: mmmm82 at gmail.com (Monis Monther)
Date: Tue Nov 24 07:31:12 2009
Subject: Store viruses only
In-Reply-To:
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <200911190942.55181.Antony.Stone@mailscanner.open.source.it> <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com> <200911191326.33289.Antony.Stone@mailscanner.open.source.it> <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com>
Message-ID: <837e17ab0911232331j4154b12cwebd3c82ab75363d7@mail.gmail.com>

Hi everyone

YES I am sure, /etc/sbin/MailScanner --lint confirmed this to me

Now after testing, I successfully quarantined the virus, but it quarantined
it as a whole message, not only the attachment. I would like the message to
be sent to the user stripped of the virus, similar to the behavior of
filetype and filename checks actions.

On Mon, Nov 23, 2009 at 5:38 PM, Alex Neuman wrote:

> You're sure it's the clamav module and not clamd or another process, right?
>
> On Nov 22, 2009, at 5:26 AM, Monis Monther wrote:
>
> > I knew because I see in the logs that it is catching stuff
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From MailScanner at ecs.soton.ac.uk Tue Nov 24 09:36:40 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Nov 24 09:37:03 2009
Subject: clamav not working?
In-Reply-To: <765892CD1A77238CE4BC8F42@rdf.local>
References: <765892CD1A77238CE4BC8F42@rdf.local> <4B0BA928.7030205@ecs.soton.ac.uk>
Message-ID:

On 24/11/2009 02:00, Frank Cusack wrote:
> Looking at ProcessClamAVOutput() in SweepViruses.pm I see a lot of
> pattern matching which is hurting my brain. Ok, that is fine for
> logging but why doesn't it just check the return value of clamav-wrapper
> (which passes the return value of clamscan) to determine success?

For the very good reason that part of MailScanner's high speed comes
from the fact that it checks many messages at a time. So checking the
return value is useless as it would not tell you which message contained
the virus.

If it worked in the same slow way as its competition, it would check
each message individually, at which point it could use the return code.
But scanning 5 files takes only fractionally longer than scanning 1
file, as the largest proportion of the time in the virus scanner is when
it is starting up and reading all its virus pattern databases. So to
gain a huge increase in speed, I scan many messages at once.

If you want to see what happens when you scan each message individually,
set the "Max Unsafe Messages Per Scan = 1" and watch how slowly it goes!

There is method in my madness. Just because you don't see a good reason
for a design decision, it does not mean there *isn't* a good reason for
it, just that you don't see it.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Nov 24 09:39:18 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Nov 24 09:39:37 2009
Subject: Store viruses only
In-Reply-To: <837e17ab0911232331j4154b12cwebd3c82ab75363d7@mail.gmail.com>
References: <837e17ab0911171001u12754c29jc45949dd8ae16009@mail.gmail.com> <200911190942.55181.Antony.Stone@mailscanner.open.source.it> <837e17ab0911190113h728c6fd5n676c453b0289ca61@mail.gmail.com> <200911191326.33289.Antony.Stone@mailscanner.open.source.it> <837e17ab0911220226k6cb51abeg4d1906d42eff18a3@mail.gmail.com> <837e17ab0911232331j4154b12cwebd3c82ab75363d7@mail.gmail.com> <4B0BA9C6.3020308@ecs.soton.ac.uk>
Message-ID:

Set
Deliver Disinfected Files = yes

Note that this will have a big impact on speed, as each message has to
be scanned 3 times instead of once, to be absolutely sure the correct
portion of the message has been removed.

This is set to "no" by default as 99.999% of modern viruses in the wild
are totally made up messages, with no useful content in them at all that
the recipient might want.

Once you see what you get by setting this to "yes", I think you will see
my point and set it to "no" again :-)

Jules.

On 24/11/2009 07:31, Monis Monther wrote:
> Hi everyone
>
>
> YES I am sure, /etc/sbin/MailScanner --lint confirmed this to me
>
>
> Now after testing, I successfully quarantined the virus, but it
> quarantined it as a whole message, not only the attachment. I would
> like the message to be sent to the user stripped of the virus,
> similar to the behavior of filetype and filename checks actions.
>
>
> On Mon, Nov 23, 2009 at 5:38 PM, Alex Neuman wrote:
>
> You're sure it's the clamav module and not clamd or another
> process, right?
>
> On Nov 22, 2009, at 5:26 AM, Monis Monther wrote:
>
> > I knew because I see in the logs that it is catching stuff
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lists at buschor.ch Tue Nov 24 10:06:29 2009
From: lists at buschor.ch (ThB)
Date: Tue Nov 24 10:06:40 2009
Subject: Problems MailScanner 4.78.17
Message-ID: <64215.130.59.6.127.1259057189.squirrel@webmail.buschor.ch>

Hello,

On 23/11/2009 19:54, Julian Field wrote:
>> Excerpt from output of MailScanner --changed
>> (I added some formatting to improve readability)
>>
>> The above is what I expected. But the paths for "Processing.db" and
>> "SpamAssassin.cache.db" also show up in "incomingqueuedir" but with the
>> default values.
>>
>> Option Name:
>> incomingqueuedir
>> Default:
>> /var/spool/mqueue.in
>> Current:
>> /var/spool/MailScanner/incoming/input,\
>> /var/spool/MailScanner/incoming/Locks,\
>> /var/spool/MailScanner/incoming/msglog,\
>> /var/spool/MailScanner/incoming/Processing.db,\
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp,\
>> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>>
> Please show me exactly what your MailScanner.conf file shows for the
> "Incoming Queue Dir =" setting.

Incoming Queue Dir = /var/spool/MailScanner/incoming/*

I'm using Exim as mailer and when removing the "*" at the final, then MailScanner does not detect any new messages in the queue.

Trying to use a configuration file containing the 2 exim directories (input, msglog).

Incoming Queue Dir = /var/spool/MailScanner/incoming/exim.queue.conf

/var/spool/MailScanner/incoming/exim.queue.conf:
/var/spool/MailScanner/incoming/input
/var/spool/MailScanner/incoming/msglog

This configuration works well.

Last try, using the exim input directory as queue dir

Incoming Queue Dir = /var/spool/MailScanner/incoming/input

This setting also works, but I'm not sure if exim's msglog is cleaned up properly.

So for now I have at least one correct working configuration.

Thanks & regards
Thomas

From MailScanner at ecs.soton.ac.uk Tue Nov 24 10:48:57 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Nov 24 10:49:17 2009
Subject: Problems MailScanner 4.78.17
In-Reply-To: <64215.130.59.6.127.1259057189.squirrel@webmail.buschor.ch>
References: <64215.130.59.6.127.1259057189.squirrel@webmail.buschor.ch> <4B0BBA19.50606@ecs.soton.ac.uk>
Message-ID:

On 24/11/2009 10:06, ThB wrote:
> Hello,
>
> On 23/11/2009 19:54, Julian Field wrote:
>
>>> Excerpt from output of MailScanner --changed
>>> (I added some formatting to improve readability)
>>>
>>> The above is what I expected. But the paths for "Processing.db" and
>>> "SpamAssassin.cache.db" also show up in "incomingqueuedir" but with the
>>> default values.
>>>
>>> Option Name:
>>> incomingqueuedir
>>> Default:
>>> /var/spool/mqueue.in
>>> Current:
>>> /var/spool/MailScanner/incoming/input,\
>>> /var/spool/MailScanner/incoming/Locks,\
>>> /var/spool/MailScanner/incoming/msglog,\
>>> /var/spool/MailScanner/incoming/Processing.db,\
>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp,\
>>> /var/spool/MailScanner/incoming/SpamAssassin.cache.db
>>>
>>>
>> Please show me exactly what your MailScanner.conf file shows for the
>> "Incoming Queue Dir =" setting.
>>
> Incoming Queue Dir = /var/spool/MailScanner/incoming/*
>
> I'm using Exim as mailer and when removing the "*" at the final, then
> MailScanner does not detect any new messages in the queue.
>
That will be your problem. It is doing exactly what you told it to.
You probably meant to put
Incoming Queue Dir = /var/spool/exim.in/input

Please read the docs at http://www.mailscanner.info/exim.html

>
> Trying to use a configuration file containing the 2 exim directories
> (input, msglog).
>
> Incoming Queue Dir = /var/spool/MailScanner/incoming/exim.queue.conf
>
> /var/spool/MailScanner/incoming/exim.queue.conf:
> /var/spool/MailScanner/incoming/input
> /var/spool/MailScanner/incoming/msglog
>
> This configuration works well.
> > > Last try, using the exim input directory as queue dir > Incoming Queue Dir = /var/spool/MailScanner/incoming/input > > This setting also works, but I'm not sure if exim's msglog is cleaned up > properly. > > So for now I have at least one correct working configuration. > > Thanks& regards > Thomas > > > Jules From steve at fsl.com Tue Nov 24 12:37:42 2009 From: steve at fsl.com (Stephen Swaney) Date: Tue Nov 24 12:37:53 2009 Subject: virus scan not available -> no virus check! In-Reply-To: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> Message-ID: <06CF3799-A489-4180-8B39-53F420BD7574@fsl.com> On Nov 23, 2009, at 10:23 PM, Rick Cooper wrote: > ----Original Message---- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank > Cusack Sent: Monday, November 23, 2009 8:56 PM To: > mailscanner@lists.mailscanner.info Subject: virus scan not available -> no > virus check! > >> I can't believe this is the default behavior. Also, I can't find a >> way to change it. >> >>> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content >>> Scanning: Starting Nov 23 18:09:05 localhost MailScanner[26997]: Cannot >>> find Socket (/tmp/clamd.socket) Exiting! >> >> and then mailscanner goes on to bless the email as "clean". Note that >> I do not have virus scanning set to "auto", I have it explicitly set >> to "clamd". >> >> My preferred behavior would be to send an email to postmaster (or >> whoever) at some regular interval if the virus scanner is not available. >> Anyway to get some semblance of that configured? >> >> -frank > > As with any Daemon including MailScanner it's self you should have some kind > of monitoring installed that restarts and notifies you that is not > MailScanner's job. Should it send an email for each issue with all externals > and internals to the postmaster? It did the best thing I could think of, it > issues an error to the log and moves on. I guess it could shut MailScanner > down I suppose. It would appear to be a configuration error since clam > doesn't remove it's socket if it crashes and MailScanner --lint would have > caught it. Monit, Webmin, PingClamd.pl in a cron job, some kind of > monitoring should be in place for both ClamD and MailScanner it's self, and > what ever mta you are using... > > Rick > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! You really need to implement an "out of band" monitoring system to monitor a mail server. How's a mail server going to send a mail notification if mail is broken :) Nagios provides a very good solution. Best regards, Steve -- Steve Swaney steve@fsl.com www.fsl.com The most accurate and cost effective anti-spam solutions available From lhaig at haigmail.com Tue Nov 24 14:58:46 2009 From: lhaig at haigmail.com (Lance Haig) Date: Tue Nov 24 14:59:09 2009 Subject: 2MX server Mailscanner solution. Message-ID: <1259074726.2415.41.camel@lancehaig> Hi, I am looking to create a 2 server mx solution for my MailScanner environment. I have been reading the backlog on the list and have decided on a path. 1. Install 2 MS servers. 2. Configure them to connect to a 3rd Mysql Db server. I will keep the config in sync by running rsync between the hosts. Does this seem like a good solution? Thanks Lance -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Tue Nov 24 15:16:22 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Nov 24 15:16:44 2009 Subject: virus scan not available -> no virus check! In-Reply-To: <06CF3799-A489-4180-8B39-53F420BD7574@fsl.com> References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <06CF3799-A489-4180-8B39-53F420BD7574@fsl.com> Message-ID: <1213490F1F316842A544A850422BFA96128C18AFBA@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Stephen Swaney > Sent: 24 November 2009 12:38 > To: MailScanner discussion > Subject: Re: virus scan not available -> no virus check! > > You really need to implement an "out of band" monitoring system to > monitor a mail server. > > How's a mail server going to send a mail notification if mail is broken > :) > > Nagios provides a very good solution. I do something similar as part of our zabbix system. Works quite well. Combined with a php script to dump mail queues to a web page and it works a treat. Jason From lists at elasticmind.net Tue Nov 24 15:25:27 2009 
From: lists at elasticmind.net (mog) Date: Tue Nov 24 15:25:55 2009 Subject: 2MX server Mailscanner solution. In-Reply-To: <1259074726.2415.41.camel@lancehaig> References: <1259074726.2415.41.camel@lancehaig> Message-ID: <4B0BFAE7.6080001@elasticmind.net> Lance Haig wrote: > Hi, > > I am looking to create a 2 server mx solution for my MailScanner > environment. > > I have been reading the backlog on the list and have decided on a path. > > 1. Install 2 MS servers. > 2. Configure them to connect to a 3rd Mysql Db server. > > I will keep the config in sync by running rsync between the hosts. > > Does this seem like a good solution? > > Thanks > > Lance > > Hi, I'm not sure why you need a MySQL DB for running MailScanner or that syncing config files automatically is wise. If a problem is accidentally introduced into one of the mail server's configuration files, it will automatically be replicated to the other one, possibly causing that to break as well. From lhaig at haigmail.com Tue Nov 24 16:07:45 2009 
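Added example for the "virus scan not available -> no virus check!" thread above (not code from any poster, and not PingClamd.pl): an out-of-band clamd check written as a Nagios-style plugin, which reports a missing socket, a stale socket file left by a dead clamd, a permission error and a silent daemon all as CRITICAL. It assumes the local socket path from the quoted log line, clamd's PING command, and the Nagios exit-code convention.

```python
import os
import socket
import sys

# Nagios plugin exit codes used here.
OK, CRITICAL = 0, 2


def check_clamd(socket_path, timeout=5.0):
    """Ask clamd for PONG over its local socket; return (status, message)."""
    if not os.path.exists(socket_path):
        return CRITICAL, "CRITICAL: %s does not exist (clamd not running?)" % socket_path
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
            conn.settimeout(timeout)
            conn.connect(socket_path)
            # "n" prefix: newline-terminated command, newline-terminated reply.
            conn.sendall(b"nPING\n")
            reply = conn.recv(64)
    except socket.timeout:
        return CRITICAL, "CRITICAL: clamd did not answer within %ss" % timeout
    except OSError as exc:
        # "Connection refused" here means the socket file exists but no
        # clamd is listening on it; "Permission denied" means the checking
        # user (or a MAC policy) is not allowed to reach the socket.
        return CRITICAL, "CRITICAL: cannot talk to %s: %s" % (
            socket_path, exc.strerror or exc)
    if reply.strip() != b"PONG":
        return CRITICAL, "CRITICAL: unexpected reply %r" % reply
    return OK, "OK: clamd answered PONG on %s" % socket_path


if __name__ == "__main__":
    # Default path taken from the log line quoted in the thread.
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/clamd.socket"
    status, message = check_clamd(path)
    print(message)
    sys.exit(status)
```

Run it from the monitoring host's agent or from cron under the same user as the mail scanner, so that a permissions problem on the socket shows up in the check as well.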
From: lhaig at haigmail.com (Lance Haig) Date: Tue Nov 24 16:08:04 2009 Subject: 2MX server Mailscanner solution. In-Reply-To: <4B0BFAE7.6080001@elasticmind.net> References: <1259074726.2415.41.camel@lancehaig> <4B0BFAE7.6080001@elasticmind.net> Message-ID: <1259078865.2415.43.camel@lancehaig> The idea is to admin one server and make changes there and they are passed to the other server. The DB server is for Mailwatch so you can release spam from a single interface. Lance On Tue, 2009-11-24 at 15:25 +0000, mog wrote: > Lance Haig wrote: > > Hi, > > > > I am looking to create a 2 server mx solution for my MailScanner > > environment. > > > > I have been reading the backlog on the list and have decided on a path. > > > > 1. Install 2 MS servers. > > 2. Configure them to connect to a 3rd Mysql Db server. > > > > I will keep the config in sync by running rsync between the hosts. > > > > Does this seem like a good solution? > > > > Thanks > > > > Lance > > > > > > Hi, > > I'm not sure why you need a MySQL DB for running MailScanner or that > syncing config files automatically is wise. If a problem is accidentally > introduced into one of the mail server's configuration files, it will > automatically be replicated to the other one, possibly causing that to > break as well. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From derek.winkler at algorithmics.com Tue Nov 24 16:31:01 2009 
From: derek.winkler at algorithmics.com (derek.winkler@algorithmics.com) Date: Tue Nov 24 16:32:17 2009 Subject: 2MX server Mailscanner solution. In-Reply-To: <1259074726.2415.41.camel@lancehaig> References: <1259074726.2415.41.camel@lancehaig> Message-ID: <23675CFC52BBC44EB355406A3A8A04910F616F55@TORMAIL.algorithmics.com> I don't do MySQL, but do use rsync, works great. Used to keep 4 servers in sync this way until I got the quad cores. Really helps if the servers are exactly the same, you don't need to tune for the slowest one then. I rsync the entire /etc/MailScanner directory and let the MailScanner "Restart Every" pick up the changes. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lance Haig Sent: Tuesday, November 24, 2009 9:59 AM To: MailScanner discussion Subject: 2MX server Mailscanner solution. Hi, I am looking to create a 2 server mx solution for my MailScanner environment. I have been reading the backlog on the list and have decided on a path. 1. Install 2 MS servers. 2. Configure them to connect to a 3rd Mysql Db server. I will keep the config in sync by running rsync between the hosts. Does this seem like a good solution? Thanks Lance -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------------------------------------------------------------------- This email and any files transmitted with it are confidential and proprietary to Algorithmics Incorporated and its affiliates ("Algorithmics"). If received in error, use is prohibited. Please destroy, and notify sender. Sender does not waive confidentiality or privilege. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. Algorithmics does not accept liability for any errors or omissions. Any commitment intended to bind Algorithmics must be reduced to writing and signed by an authorized signatory. -------------------------------------------------------------------------- From Garrod.Alwood at lorodoes.com Tue Nov 24 16:35:25 2009 
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Tue Nov 24 16:40:58 2009
Subject: 2MX server Mailscanner solution.
In-Reply-To: <1259078865.2415.43.camel@lancehaig>
References: <1259074726.2415.41.camel@lancehaig> <4B0BFAE7.6080001@elasticmind.net>, <1259078865.2415.43.camel@lancehaig>
Message-ID:

I am having trouble with the permissions of the clamd. I have put the postfix and www-data users into the clamav group (both of which have owner permissions) and still clamd gets a permissions error every time I run it. I have the permissions set to 0640. I am in need of help.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988

From Garrod.Alwood at lorodoes.com Tue Nov 24 16:37:52 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Tue Nov 24 16:44:19 2009
Subject: Clamd problem
Message-ID:

I am having trouble with the permissions of the clamd. I have put the postfix and www-data users into the clamav group (both of which have owner permissions) and still clamd gets a permissions error every time I run it. I have the permissions set to 0640. I am in need of help. Oops, put the other one with the wrong subject. My bad.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988

From ms-list at alexb.ch Tue Nov 24 16:49:07 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Nov 24 16:49:17 2009
Subject: Clamd problem
In-Reply-To:
References:
Message-ID: <4B0C0E83.2030008@alexb.ch>

On 11/24/2009 5:37 PM, Garrod M. Alwood wrote:
> I am having trouble with the permissions of the clamd. I have put the postfix and www-data users into the clamav group (both of which have owner permissions) and still clamd gets a permissions error every time I run it. I have the permissions set to 0640. I am in need of help. Oops, put the other one with the wrong subject. My bad.

clamd.conf

AllowSupplementaryGroups yes

Does that help?

> Garrod M. Alwood
> Consultant
> garrod.alwood@lorodoes.com
> 904.738.4988
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From Garrod.Alwood at lorodoes.com Tue Nov 24 16:52:57 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Tue Nov 24 16:58:29 2009
Subject: Clamd problem
In-Reply-To: <4B0C0E83.2030008@alexb.ch>
References: , <4B0C0E83.2030008@alexb.ch>
Message-ID:

Nope, didn't work. This is really weird. All of my training says that if I put postfix (which is the chown user) and www-data (which is the chown group) into clamav then it should be able to access everything that those two can access, or am I missing something here? I am including my clamd.conf file below. I really don't want to use 0755 for my permissions as when I googled I saw in one post, unless I really have to.

#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /tmp/clamd.socket
FixStaleSocket true
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
AllowSupplementaryGroups yes
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 50M
LogSyslog true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
MailFollowURLs false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988

From iam at st-andrews.ac.uk Tue Nov 24 17:03:35 2009
From: iam at st-andrews.ac.uk (Ian McDonald) Date: Tue Nov 24 17:04:04 2009 Subject: Clamd problem In-Reply-To: References: , <4B0C0E83.2030008@alexb.ch> Message-ID: <4B0C11E7.7060407@st-andrews.ac.uk> SELinux? -- ian From lhaig at haigmail.com Tue Nov 24 17:05:48 2009 
From: lhaig at haigmail.com (Lance Haig) Date: Tue Nov 24 17:06:11 2009 Subject: 2MX server Mailscanner solution. In-Reply-To: <23675CFC52BBC44EB355406A3A8A04910F616F55@TORMAIL.algorithmics.com> References: <1259074726.2415.41.camel@lancehaig> <23675CFC52BBC44EB355406A3A8A04910F616F55@TORMAIL.algorithmics.com> Message-ID: <1259082348.2415.45.camel@lancehaig> This is what I was thinking. So that you only manage the one install. My machines are going to be exactly the same. I was just looking for some advice Lance On Tue, 2009-11-24 at 11:31 -0500, derek.winkler@algorithmics.com wrote: > I don't do MySQL, but do use rsync, works great. > > Used to keep 4 servers in sync this way until I got the quad cores. > > Really helps if the servers are exactly the same, you don't need to tune for the slowest one then. > > I rsync the entire /etc/MailScanner directory and let the MailScanner "Restart Every" pick up the changes. 
> -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Garrod.Alwood at lorodoes.com Tue Nov 24 17:01:28 2009 From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood) Date: Tue Nov 24 17:08:55 2009 Subject: Clamd problem In-Reply-To: <4B0C11E7.7060407@st-andrews.ac.uk> References: , <4B0C0E83.2030008@alexb.ch> , <4B0C11E7.7060407@st-andrews.ac.uk> Message-ID: It's Ubuntu and I have AppArmor, but good call. I forgot about AppArmor. I thought I had removed it, but it must have been reinstalled at the last upgrade I did. Very good call. Garrod M. Alwood Consultant garrod.alwood@lorodoes.com 904.738.4988 ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ian McDonald [iam@st-andrews.ac.uk]
Sent: Tuesday, November 24, 2009 12:03 PM
To: MailScanner discussion
Subject: Re: Clamd problem

SELinux?

--
ian

Garrod M. Alwood wrote:
> nope, didn't work. This is really weird. All of my training says that if I put postfix (which is the chown user) and www-data (which is the chown group) in to clamav then it should be able to access everything that those two can access or am I missing something here? I am including my clamd.conf file below. I really don't want to use 0755 for my permissions as when I googled I saw in one post, unless I really have to.
>
> #Automatically Generated by clamav-base postinst
> #To reconfigure clamd run #dpkg-reconfigure clamav-base
> #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
> LocalSocket /tmp/clamd.socket
> FixStaleSocket true
> # TemporaryDirectory is not set to its default /tmp here to make overriding
> # the default with environment variables TMPDIR/TMP/TEMP possible
> User clamav
> AllowSupplementaryGroups yes
> ScanMail true
> ScanArchive true
> ArchiveBlockEncrypted false
> MaxDirectoryRecursion 15
> FollowDirectorySymlinks false
> FollowFileSymlinks false
> ReadTimeout 180
> MaxThreads 12
> MaxConnectionQueueLength 15
> StreamMaxLength 50M
> LogSyslog true
> LogFacility LOG_LOCAL6
> LogClean false
> LogVerbose false
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav
> SelfCheck 3600
> Foreground false
> Debug false
> ScanPE true
> ScanOLE2 true
> ScanHTML true
> DetectBrokenExecutables false
> MailFollowURLs false
> ExitOnOOM false
> LeaveTemporaryFiles false
> AlgorithmicDetection true
> ScanELF true
> IdleTimeout 30
> PhishingSignatures true
> PhishingScanURLs true
> PhishingAlwaysBlockSSLMismatch false
> DetectPUA false
> ScanPartialMessages false
> HeuristicScanPrecedence false
> StructuredDataDetection false
> CommandReadTimeout 5
> SendBufTimeout 200
> MaxQueue 100
> LogFile /var/log/clamav/clamav.log
> LogTime true
> LogFileUnlock false
> LogFileMaxSize 0
>
> Garrod M. Alwood
> Consultant
> garrod.alwood@lorodoes.com
> 904.738.4988
> ________________________________________
> From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens [ms-list@alexb.ch]
> Sent: Tuesday, November 24, 2009 11:49 AM
> To: MailScanner discussion
> Subject: Re: Clamd problem
>
> On 11/24/2009 5:37 PM, Garrod M. Alwood wrote:
>> I am having trouble with the permissions of the clamd. I have put the postfix and www-data users in to the clamav group (both of which have owner permissions) and still clamd gets a permissions error every time I run it. I have the permissions set to 0640. I am in need of help. oops put the other one with the wrong subject My bad.
>
> clamd.conf
>
> AllowSupplementaryGroups yes
>
> does that help ?
>
>> Garrod M. Alwood
>> Consultant
>> garrod.alwood@lorodoes.com
>> 904.738.4988

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From ms-list at alexb.ch Tue Nov 24 17:10:20 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Nov 24 17:10:30 2009
Subject: Clamd problem
In-Reply-To:
References: , <4B0C0E83.2030008@alexb.ch>
Message-ID: <4B0C137C.3020500@alexb.ch>

my setup with Pfix (not using socket!)

clamd.conf
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
# LocalSocket /tmp/clamd.socket

# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

relevant part in MailScanner.conf

Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = yes

On 11/24/2009 5:52 PM, Garrod M. Alwood wrote:
> nope, didn't work. This is really weird. All of my training says that if I put postfix (which is the chown user) and www-data (which is the chown group) in to clamav then it should be able to access everything that those two can access or am I missing something here? I am including my clamd.conf file below. I really don't want to use 0755 for my permissions as when I googled I saw in one post, unless I really have to.
From Garrod.Alwood at lorodoes.com Tue Nov 24 17:15:51 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Tue Nov 24 17:21:35 2009
Subject: Clamd problem
In-Reply-To: <4B0C137C.3020500@alexb.ch>
References: , <4B0C0E83.2030008@alexb.ch> , <4B0C137C.3020500@alexb.ch>
Message-ID:

does it use less resources that way?

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
From ms-list at alexb.ch Tue Nov 24 17:32:48 2009
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Nov 24 17:32:57 2009
Subject: Clamd problem
In-Reply-To:
References: , <4B0C0E83.2030008@alexb.ch> , <4B0C137C.3020500@alexb.ch>
Message-ID: <4B0C18C0.9080301@alexb.ch>

On 11/24/2009 6:15 PM, Garrod M. Alwood wrote:
> does it use less resources that way?

using TCP instead of sockets? dunno.. but never liked sockets.
guess some socket user can say more...

ClamD/TCP have been very nice to me for a long time :-)

> Garrod M. Alwood
> Consultant
> garrod.alwood@lorodoes.com
> 904.738.4988
From Kevin_Miller at ci.juneau.ak.us Tue Nov 24 18:05:09 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Nov 24 18:05:24 2009
Subject: virus scan not available -> no virus check!
In-Reply-To: <06CF3799-A489-4180-8B39-53F420BD7574@fsl.com>
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <06CF3799-A489-4180-8B39-53F420BD7574@fsl.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C136ABB1D6E@city-exchange07>

Stephen Swaney wrote:
> You really need to implement an "out of band" monitoring system to
> monitor a mail server.

Isn't that what users are for? :-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From steve at fsl.com Tue Nov 24 18:28:13 2009
From: steve at fsl.com (Stephen Swaney)
Date: Tue Nov 24 18:28:23 2009
Subject: virus scan not available -> no virus check!
In-Reply-To: <4A09477D575C2C4B86497161427DD94C136ABB1D6E@city-exchange07>
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <06CF3799-A489-4180-8B39-53F420BD7574@fsl.com> <4A09477D575C2C4B86497161427DD94C136ABB1D6E@city-exchange07>
Message-ID:

On Nov 24, 2009, at 1:05 PM, Kevin Miller wrote:
> Stephen Swaney wrote:
>
>> You really need to implement an "out of band" monitoring system to
>> monitor a mail server.
>
> Isn't that what users are for? :-)

Yes. They can be very effective !

Best regards,

Steve
--
Steve Swaney
steve@fsl.com
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From shprahi at gmail.com Tue Nov 24 18:36:22 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Tue Nov 24 18:36:31 2009
Subject: 2MX server Mailscanner solution.
In-Reply-To: <1259082348.2415.45.camel@lancehaig>
References: <1259074726.2415.41.camel@lancehaig> <23675CFC52BBC44EB355406A3A8A04910F616F55@TORMAIL.algorithmics.com> <1259082348.2415.45.camel@lancehaig>
Message-ID:

Just check /etc/clamd.conf what is the user owning clamd, Also you can use MysqlDB for mailwatch as well as bayesian DB on which folder you are changing the permission. Frankly I use 5 servers with slight different config but it is I am not doing rsync every time if I change I will change on all 5 server. may be cumbersome I use postfix and mailscanner. I am using different server for mailwatch and bayesian

Thanks,
Shprahi

On Tue, Nov 24, 2009 at 10:35 PM, Lance Haig wrote:
> This is what I was thinking. So that you only manage the one install.
>
> My machines are going to be exactly the same.
>
> I was just looking for some advice
>
> Lance
>
> On Tue, 2009-11-24 at 11:31 -0500, derek.winkler@algorithmics.com wrote:
> > I don't do MySQL, but do use rsync, works great.
> >
> > Used to keep 4 servers in sync this way until I got the quad cores.
> >
> > Really helps if the servers are exactly the same, you don't need to tune for the slowest one then.
> >
> > I rsync the entire /etc/MailScanner directory and let the MailScanner "Restart Every" pick up the changes.
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lance Haig
> > Sent: Tuesday, November 24, 2009 9:59 AM
> > To: MailScanner discussion
> > Subject: 2MX server Mailscanner solution.
> >
> > Hi,
> >
> > I am looking to create a 2 server mx solution for my MailScanner environment.
> >
> > I have been reading the backlog on the list and have decided on a path.
> >
> > 1. Install 2 MS servers.
> > 2. Configure them to connect to a 3rd Mysql Db server.
> >
> > I will keep the config in sync by running rsync between the hosts.
> >
> > Does this seem like a good solution?
> >
> > Thanks
> >
> > Lance

From shprahi at gmail.com Tue Nov 24 18:42:20 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Tue Nov 24 18:42:30 2009
Subject: Clamd problem
In-Reply-To: <4B0C18C0.9080301@alexb.ch>
References: <4B0C0E83.2030008@alexb.ch> <4B0C137C.3020500@alexb.ch> <4B0C18C0.9080301@alexb.ch>
Message-ID:

Please paste the error log and which folder permission clamd giving error

On Tue, Nov 24, 2009 at 11:02 PM, Alex Broens wrote:
> On 11/24/2009 6:15 PM, Garrod M. Alwood wrote:
>
>> does it use less resources that way?
>
> using TCP instead of sockets? dunno.. but never liked sockets.
> guess some socket user can say more...
>
> ClamD/TCP have been very nice to me for a long time :-)
>
>> Garrod M. Alwood
>> Consultant
>> garrod.alwood@lorodoes.com
>> 904.738.4988
From Garrod.Alwood at lorodoes.com Tue Nov 24 18:39:39 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Tue Nov 24 18:45:47 2009
Subject: Clamd problem
In-Reply-To:
References: <4B0C0E83.2030008@alexb.ch> <4B0C137C.3020500@alexb.ch> <4B0C18C0.9080301@alexb.ch>,
Message-ID:

It was apparmor (which I never configured.)

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of shprahi shprahi [shprahi@gmail.com] Sent: Tuesday, November 24, 2009 1:42 PM To: MailScanner discussion Subject: Re: Clamd problem Please paste the error log and which folder permission clamd giving error On Tue, Nov 24, 2009 at 11:02 PM, Alex Broens > wrote: On 11/24/2009 6:15 PM, Garrod M. Alwood wrote: does it use less resources that way? using TCP instead of sockets? dunno.. but never liked sockets. guess some socket user can say more... ClamD/TCP have been very nice to me for a long time :-) Garrod M. Alwood Consultant garrod.alwood@lorodoes.com 904.738.4988 ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists..mailscanner.info] On Behalf Of Alex Broens [ms-list@alexb.ch] Sent: Tuesday, November 24, 2009 12:10 PM To: MailScanner discussion Subject: Re: Clamd problem my setup with Pfix (not using socket!) clamd.conf # Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) # LocalSocket /tmp/clamd.socket # Remove stale socket after unclean shutdown. # Default: yes #FixStaleSocket yes # TCP port address. # Default: no TCPSocket 3310 # TCP address. # By default we bind to INADDR_ANY, probably not wise. # Enable the following to provide some degree of protection # from the outside world. # Default: no TCPAddr 127.0.0.1 relevant part in MailScanner.conf Clamd Port = 3310 Clamd Socket = /tmp/clamd Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes On 11/24/2009 5:52 PM, Garrod M. Alwood wrote: nope, didn't work.This is really wierd. All of my training says that if I put postfix (which is the chown user) and www-data (which is the chown group) in to clamav then it should be able to access everything that those two can access or am I missing something here? I am including my clamd.conf file below. I really don't want to use 0755 for my permissions as when I googled I saw in one post, unless I really have to. 
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /tmp/clamd.socket
FixStaleSocket true
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
AllowSupplementaryGroups yes
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
StreamMaxLength 50M
LogSyslog true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
MailFollowURLs false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0

Garrod M. Alwood Consultant garrod.alwood@lorodoes.com 904.738.4988
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens [ms-list@alexb.ch]
Sent: Tuesday, November 24, 2009 11:49 AM
To: MailScanner discussion
Subject: Re: Clamd problem

On 11/24/2009 5:37 PM, Garrod M. Alwood wrote:

I am having trouble with the permissions of the clamd. I have put the postfix and www-data users in to the clamav group (both of which have owner permissions) and still clamd gets a permissions error every time I run it. I have the permissions set to 0640. I am in need of help. oops put the other one with the wrong subject My bad.

clamd.conf

AllowSupplementaryGroups yes

does that help ?

Garrod M. Alwood Consultant garrod.alwood@lorodoes.com 904.738.4988

-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
From shprahi at gmail.com Tue Nov 24 18:50:40 2009
From: shprahi at gmail.com (shprahi shprahi) Date: Tue Nov 24 18:50:54 2009 Subject: From header problem In-Reply-To: <20091105140718.eyngqptgcgkwk4k8@webmail.capensis.fr> References: <16174a770911020710j346c7d42w28720dbc6df7fe96@mail.gmail.com> <200911031306.24041.Antony.Stone@mailscanner.open.source.it> <223f97700911050448p499a2aefle323fb917872a238@mail.gmail.com> <20091105140718.eyngqptgcgkwk4k8@webmail.capensis.fr> Message-ID:

Header which is coming in header section is the real from ID and the address which is showing in the From field is the alias set in email client like reply to OR reply From e.g. in outlook express...... Hope I am not wrong on this

On Thu, Nov 5, 2009 at 6:37 PM, Yann Bachy wrote:
> Hello everyone,
>
> I currently have a problem on my mail server:
>
> I get spam which has 2 different "From" addresses.
> Is there any way to block this kind of spam?, to explain my problem I join
> a screenshot of mailscanner showing the phenomenon.
>
> thanks
>
> --
> Yann Bachy
>
> CAPENSIS
> 30 rue du Triez
> 59290 Wasquehal
> ----------------------
> Tel 03 59 39 13 40
> Fax 03 59 39 13 49

From jethro.binks at strath.ac.uk Tue Nov 24 22:49:47 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Tue Nov 24 22:49:58 2009 Subject: McAfee VirusScan 6.00.0 for Unix is now out In-Reply-To: References: <7EF0EE5CB3B263488C8C18823239BEBA081F25C2@HC-MBX02.herefordshire.gov.uk> Message-ID: On Fri, 20 Nov 2009, Jethro R Binks wrote: > > If I get a chance next week, I'll have a look at the mcafee-autoupdate > > script to see what changes are needed. > > In addition to Phil's subsequent patch which I didn't keep to respond to, > I also suggest passing the "-o" option to unzip: ... Attached is a diff which brings in more robust additional support for the new VirusScan CLI 6 and V2 DAT files. It also tidies up some aspects of the original script, including making it a little less verbose in normal operation (I think). The logic is slightly more convoluted now it potentially has to deal with two versions of the DATS, but I see this as an interim measure: in theory, after McAfee stop publishing V1 DATs after March 2010, the support can be removed for those versions and it all tidied up again. I have not looked at any changes required to SweepViruses.pl etc. I have found that the new McAfee is now so slow on startup that it is probably even more unuseable than ever here, but I supply this patch for the benefit of anyone else who is sticking with it! Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK -------------- next part -------------- --- mcafee-autoupdate.1.52 2009-03-18 18:20:37.000000000 +0000 +++ mcafee-autoupdate 2009-11-24 22:46:08.000000000 +0000 @@ -2,6 +2,8 @@ # # Update the McAfee data files. # +# based on: +# # $Cambridge: hermes/conf/build/bin/uvscan-update,v 1.52 2004/08/18 19:12:02 fanf2 Exp $ # $PREFIX is the directory where the uvscan binary is (NOT a symlink to 
@@ -17,13 +19,38 @@ # the subdirectory via a current link. The current link is updated # without locking on the assumption that this is sufficiently unlikely # to cause a problem. +# + +# As of Apr 2010, McAfee will no longer publish V1 DATs, and will only +# publish V2 DATs: +# +# https://kc.mcafee.com/corporate/index?page=content&id=KB60404 +# https://kc.mcafee.com/corporate/index?page=content&id=KB60772 +# +# Version 6 of McAfee VirusScan Command Line Scanner for Unix is able to +# use V2 DATs. +# +# If this script detects taht we are running VirusScan CLI version 6, we +# extract the DATs from the V2 DAT zip archive (avvdat-XXXX.zip). +# Otherwise, we stick with the previous V1 tar archive (dat-XXXX.tar). +# +# In theory, after Apr 2010, support for the V1 DATs could be removed, +# however no doubt there will be some people who will continue to run the +# old version of VirusScan CLI even though it no longer receives DAT +# updates ... but then this script is redundant anyway! # defaults OPTS="-d" PREFIX=/opt/uvscan -FTPDIR=http://download.nai.com/products/datfiles/4.x/nai +FTPDIR=http://download.nai.com/products/commonupdater RETRIES=1 INTERVAL=300 +CLIVERSION=6 + +wgetverbosity="--no-verbose" +tarverbosity="" +unzipverbosity="-q" +unzipopts="-o" # handle the command line usage () { @@ -61,7 +88,7 @@ ;; /*) PREFIX=$arg ;; - http:) ftp_proxy=$arg + http://*) ftp_proxy=$arg http_proxy=$arg export ftp_proxy export http_proxy @@ -90,9 +117,12 @@ option v VERBOSE case $FORCE in yes) VERBOSE=yes + wgetverbosity="" + tarverbosity="v" + unzipverbosity="" esac -# look for binaries and libraris in plausible places +# look for binaries and libraries in plausible places PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin # this is only necessary for broken setups LD_LIBRARY_PATH=$PREFIX 
@@ -100,7 +130,12 @@ # where this script finds things DATDIR=$PREFIX/datfiles -DATFILES="clean.dat extra.dat internet.dat names.dat scan.dat" +# These are for CLI pre-v6: +DATFILES5="clean.dat extra.dat internet.dat names.dat scan.dat" +# These are for CLI v6+: +# Note that runtime.dat is not distributed; it is generated by uvscan the +# first time it runs (including with "uvscan --version"). +DATFILES6="avvclean.dat avvnames.dat avvscan.dat runtime.dat extra.dat" LINKNAME=current LINKREL=datfiles/$LINKNAME @@ -143,7 +178,11 @@ say PREFIX=$PREFIX # check directory setup is correct -for link in $LINKREL $DATFILES +# At this point we do not know whether this is a CLI version 6 or version 5 +# installation, and more particularly what the filenames for the DAT files +# are. +#for link in $LINKREL $DATFILES +for link in $LINKREL do if ! is -h $PREFIX/$link then @@ -185,8 +224,8 @@ try=$RETRIES while : do getver "wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/update.ini" update.ini "DATVersion=" - VERSION=$VER - case $VERSION in + NEWVER=$VER + case $NEWVER in UNKNOWN) if ! try=`expr $try - 1` then break 
@@ -201,40 +240,62 @@ done # work out installed dat version -getver "uvscan --version" version.err "Virus data file v" +# CLI v6 is noticeably slower, so we check for it first: +getver "uvscan --version" version.err "Dat set version: " +if is $VER = UNKNOWN +then + # Must be CLI pre-v6: + getver "uvscan --version" version.err "Virus data file v" + CLIVERSION=5 +fi PREVIOUS=$VER case $FORCE in yes) say Forced update from $PREVIOUS PREVIOUS=0000 ;; -*) if is $VERSION -eq $PREVIOUS - then say Already have $VERSION +*) if is $NEWVER -eq $PREVIOUS + then say Already have $NEWVER run exit 0 fi esac +# select appropriate archive name and DAT filenames +# if this is CLI v6, we use V2 DAT archive +if is ! $CLIVERSION 6 +then + DISTARC=dat-$NEWVER.tar + DATFILES="$DATFILES5" +else + DISTARC=avvdat-$NEWVER.zip + DATFILES="$DATFILES6" +fi + VERBOSE=yes +# We are performing an update, so be chatty (as opposed to explicitly +# verbose as requested) +CHATTY=yes + say Installed dat file is $PREVIOUS -say Latest dat file is $VERSION +say Latest dat file is $NEWVER -if is $VERSION = UNKNOWN +if is $NEWVER = UNKNOWN then say Problem with McAfee datfile update from $FTPDIR run exit 1 -elif is $VERSION -lt $PREVIOUS +elif is $NEWVER -lt $PREVIOUS then say Remote version $VERSION older than installed version $PREVIOUS run exit 1 -elif is -d $VERSION -then say Cleaning away $VERSION directory - run rm -rf $VERSION +elif is -d $NEWVER +then say Cleaning away $NEWVER directory + run rm -rf $NEWVER fi retry () { echo "$OUT" say Fetch or test failed -- removing bad McAfee data files run cd $DATDIR - run rm -rf $VERSION + run rm -rf $NEWVER if ! try=`expr $try - 1` then say Giving up run exit 1 
@@ -248,18 +309,23 @@ while : do # fetch and extract dat files - TARFILE=dat-$VERSION.tar - run mkdir $VERSION - run cd $VERSION + run mkdir $NEWVER + run cd $NEWVER run chmod 700 . - if ! run wget --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE + if ! run wget $wgetverbosity --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$DISTARC then retry fi - run tar xvf $TARFILE + if is ! $CLIVERSION 6 + then + run tar x${tarverbosity}f $DISTARC + else + run unzip $unzipverbosity $unzipopts $DISTARC + fi run chmod 644 * run chmod 755 . # verify the contents + # this will create runtime.dat too CMD="uvscan --version --dat ." say "> $CMD" if ! OUT=`$CMD 2>&1` @@ -280,21 +346,19 @@ s/^/# /;/@MM/s/$/ <--/' readme.txt esac # remove some crap -run rm -f *.diz *.exe *.ini *.lst *.tar *.txt +run rm -f *.diz *.exe *.ini *.lst *.tar *.txt *.zip -# do remaining part of initial setup -case $INIT in -yes) for file in $DATFILES - do - run rm -f $PREFIX/$file - run ln -s $LINKREL/$file $PREFIX/$file - done -esac +# Make sure symlinks are in place +for file in $DATFILES +do + run rm -f $PREFIX/$file + run ln -s $LINKREL/$file $PREFIX/$file +done # update the current version link run cd $DATDIR -run ln -s $VERSION $VERSION/$LINKNAME -run mv $VERSION/$LINKNAME . +run ln -s $NEWVER $NEWVER/$LINKNAME +run mv $NEWVER/$LINKNAME . # maybe delete old dat files case $DELETE in From nick at inticon.net.au Wed Nov 25 05:48:50 2009 
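Review bot: Typo in the comment block added by hunk @@ -17,13 +19,38 @@: "If this script detects taht we are running VirusScan CLI version 6" should read "detects that". Worth fixing before this lands, since that comment is the only description of how the script chooses between the V1 tar archive and the V2 zip archive.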
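Review bot: In hunk @@ -201,40 +240,62 @@ the archive-selection test "if is ! $CLIVERSION 6" has no comparison operator between the two operands, so it does not actually compare the CLI version with 6. Every other call in the patch hands "is" a complete test expression ("is $VER = UNKNOWN", "is $NEWVER -eq $PREVIOUS", "is -d $NEWVER"), so "is $CLIVERSION -ne 6" looks like what was meant; the same expression is repeated in the extract step of the next hunk. Also in this hunk, "say Remote version $VERSION older than installed version $PREVIOUS" still refers to $VERSION, which the lines shown no longer set after the rename to $NEWVER.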
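Review bot: The fetch-and-extract step in hunk @@ -248,18 +309,23 @@ unpacks $DISTARC with "unzip $unzipverbosity $unzipopts" (that is, -q -o) straight after downloading it from an http:// URL, and nothing in the lines shown compares the archive with a digest or signature first. The only check is "uvscan --version --dat .", which runs the scanner against the already unpacked files. These files become the scanner's detection data, so if the vendor publishes a checksum for the archive, verify it before extracting and go through retry on a mismatch.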
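Review bot: The symlink loop added in hunk @@ -280,21 +346,19 @@ now runs on every update instead of only under INIT, and "run rm -f $PREFIX/$file" followed by "run ln -s $LINKREL/$file $PREFIX/$file" leaves a short window in which the DAT link does not exist while uvscan may be scanning mail. The links point through $LINKREL, which the lines just below repoint by creating the new link elsewhere and moving it into place, so they do not need to be rebuilt each time. Consider creating a link only when it is missing, or creating it under a temporary name and moving it over the old one.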
From: nick at inticon.net.au (Nick Brown) Date: Wed Nov 25 05:49:06 2009 Subject: Quarantine behaviour Message-ID: <75276B00-4E32-4E99-92FC-2FF010EE8E25@inticon.net.au> Hi All, Have happily been running MailScanner in front of 15k+ mailboxes for some time without issue, distributed over two physically diverse mail gateways. We have recently been looking at developing and offering a quarantine option to users, however obviously this presents the issue of needing to centralise the quarantine store. The last thing we want to do is to provide a value add service at the expense of our redundancy, so have been tasked with looking into what options we have available to us. In a simple world we simply configure one gateway to store quarantined mail locally, the other to store to an NFS mount, in the event the first server dies - so be it, quarantine stops working, presumably mail will be dumped in a local directory and then I just have to pick it up and move it to the quarantine store once all is well again (Technically speaking the quarantine store will actually be a third box, most likely connected via iSCSI). However I'm interested to hear if this is how others have actually seen MailScanner behave, or better yet - is there a cleaner suggestion out there, as I can't help but feel like this is a dirty hack.The other option that crossed my mind was to look at a MySQL file system, however seems like overkill. Cheers Nick. From J.Ede at birchenallhowden.co.uk Wed Nov 25 10:21:13 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Nov 25 10:21:33 2009 Subject: Quarantine behaviour In-Reply-To: <75276B00-4E32-4E99-92FC-2FF010EE8E25@inticon.net.au> References: <75276B00-4E32-4E99-92FC-2FF010EE8E25@inticon.net.au> Message-ID: <1213490F1F316842A544A850422BFA96128C18B006@BHLSBS.bhl.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nick Brown > Sent: 25 November 2009 05:49 > To: MailScanner discussion > Subject: Quarantine behaviour > > Hi All, > > Have happily been running MailScanner in front of 15k+ mailboxes for > some time without issue, distributed over two physically diverse mail > gateways. We have recently been looking at developing and offering a > quarantine option to users, however obviously this presents the issue > of needing to centralise the quarantine store. The last thing we want > to do is to provide a value add service at the expense of our > redundancy, so have been tasked with looking into what options we have > available to us. > > In a simple world we simply configure one gateway to store quarantined > mail locally, the other to store to an NFS mount, in the event the > first server dies - so be it, quarantine stops working, presumably > mail will be dumped in a local directory and then I just have to pick > it up and move it to the quarantine store once all is well again > (Technically speaking the quarantine store will actually be a third > box, most likely connected via iSCSI). > > However I'm interested to hear if this is how others have actually > seen MailScanner behave, or better yet - is there a cleaner suggestion > out there, as I can't help but feel like this is a dirty hack.The > other option that crossed my mind was to look at a MySQL file system, > however seems like overkill. > > Cheers > Nick. Have you looked at mailwatch to do the very thing you're thinking of? http://mailwatch.sourceforge.net/doku.php Jason From support-lists at petdoctors.co.uk Wed Nov 25 10:37:45 2009 
From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Wed Nov 25 10:49:19 2009 Subject: bitdefender-autoupdate grabbing lots of RAM In-Reply-To: <4C2997B933944A49934733ABFC7D5160@SUPPORT01V> References: <4C2997B933944A49934733ABFC7D5160@SUPPORT01V> Message-ID: <6ED9A88FBF2D44958B25BBE2C84EC396@SUPPORT01V> This is still an issue - any ideas? Thanks _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick Sent: Wednesday, November 18, 2009 3:27 PM To: 'MailScanner discussion' Subject: bitdefender-autoupdate grabbing lots of RAM Hi, Just had a look at a mail server (MS 4.77.9) that was running slowly all of a sudden and it was paging like the clappers, with bitdefender-autoupdate hogging 800MB RAM and nearly 1GB of virtual. What should I check, hit, delete, kill or update etc..!? Thanks Nigel Kendrick IT Associate Pet Doctors Ltd Pet Doctors House Drayton Lane, Merston Chichester, West Sussex PO20 1EL Tel (direct): 01555 708 601 Fax: 01243 782 584 General IT support issues should be sent to support@petdoctors.co.uk DISCLAIMER This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Pet Doctors Limited. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Pet Doctors Limited is a company registered in England and Wales, company number 03769799. Registered office is Pet Doctors House, Drayton Lane, Merston, Chichester, West Sussex PO20 1EL -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091125/782da289/attachment.html From adelgado at laubat.com Wed Nov 25 11:11:23 2009 
From: adelgado at laubat.com (Delgado Moreno, Alex) Date: Wed Nov 25 11:11:39 2009 Subject: bitdefender-autoupdate grabbing lots of RAM In-Reply-To: <6ED9A88FBF2D44958B25BBE2C84EC396@SUPPORT01V> References: <4C2997B933944A49934733ABFC7D5160@SUPPORT01V> <6ED9A88FBF2D44958B25BBE2C84EC396@SUPPORT01V> Message-ID: Hi, I'm having the same issue. Ended up disabling bitdefender. But I think time ago also happened for first time, and think I found a way to solve it, but can't remember. If anyone could point us in the right way, would be great. Thanks Alex Delgado Resp. Informatica Industrias Laubat, S.A. ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick Sent: Wednesday, November 25, 2009 11:38 To: 'MailScanner discussion' Subject: RE: bitdefender-autoupdate grabbing lots of RAM This is still an issue - any ideas? Thanks ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick Sent: Wednesday, November 18, 2009 3:27 PM To: 'MailScanner discussion' Subject: bitdefender-autoupdate grabbing lots of RAM Hi, Just had a look at a mail server (MS 4.77.9) that was running slowly all of a sudden and it was paging like the clappers, with bitdefender-autoupdate hogging 800MB RAM and nearly 1GB of virtual. What should I check, hit, delete, kill or update etc..!? Thanks Nigel Kendrick IT Associate Pet Doctors Ltd Pet Doctors House Drayton Lane, Merston Chichester, West Sussex PO20 1EL Tel (direct): 01555 708 601 Fax: 01243 782 584 General IT support issues should be sent to support@petdoctors.co.uk
From jethro.binks at strath.ac.uk Wed Nov 25 11:15:10 2009 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Wed Nov 25 11:15:18 2009 Subject: Problems MailScanner 4.78.17 In-Reply-To: <64215.130.59.6.127.1259057189.squirrel@webmail.buschor.ch> References: <64215.130.59.6.127.1259057189.squirrel@webmail.buschor.ch> Message-ID: On Tue, 24 Nov 2009, ThB wrote: > Last try, using the exim input directory as queue dir > Incoming Queue Dir = /var/spool/MailScanner/incoming/input > > This setting also works, but I'm not sure if exim's msglog is cleaned up > properly. Link your incoming/msglog dir to outgoing/msglog: ie, only have one, which is shared between both queues. Then you'll have all the msglogs together and it will all get cleaned up properly. Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From lists at buschor.ch Wed Nov 25 16:57:18 2009 
From: lists at buschor.ch (ThB) Date: Wed Nov 25 16:57:28 2009 Subject: Problems MailScanner 4.78.17 Message-ID: <50838.130.59.6.127.1259168238.squirrel@webmail.buschor.ch>

Hello,

There's another small taint problem in Message.pm. It occurred when scanning an eicar test virus.

MailScanner's debugging output:

In Debugging mode, not forking...
Trying to setlogsock(native)
INFO:: Meaningless output that goes nowhere, to keep SAVI happy
Building a message batch to scan...
Have a batch of 1 message.
Insecure dependency in eval while running with -T switch at /opt/MailScanner/lib/MailScanner/Message.pm line 4372, line 1.

-> at this point the MailScanner gets killed

Code Snippet Message.pm

4369 $line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex characters
4370 # Untainting joy...
4371 $line =~ $1 if $line =~ /(.*)/;
4372 $result = eval "\"$line\"";

After checking & trying to understand the code, I think the problem is line 4371 which should be:

4371 $line = $1 if $line =~ /(.*)/;

(note the "=" instead of "=~")

After this modification my MailScanner 4.79.3-1 is perfectly running.

regards
Thomas

From davidj at synaq.com Thu Nov 26 08:10:30 2009
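The two forms of line 4371 from the Message.pm report above, side by side under Perl taint mode, as an added example that is not MailScanner code. The sample string, the $virus variable and the expand_with_table helper are assumptions made for the illustration; the helper is included because /(.*)/ clears the taint flag without validating anything.

```perl
#!/usr/bin/perl -T
# Added illustration, not MailScanner code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string (the idiom used by perl's own taint tests):
# appending it marks a value as tainted, standing in for message data.
my $TAINT = substr($^X, 0, 0);

# Line 4371 as shipped: "=~" matches $line against $1 used as a pattern and
# discards the result, so $line is never reassigned and stays tainted.
sub untaint_as_shipped {
    my ($line) = @_;
    $line =~ $1 if $line =~ /(.*)/;
    return $line;
}

# Line 4371 as corrected in the post: assigning the capture untaints $line.
sub untaint_as_fixed {
    my ($line) = @_;
    $line = $1 if $line =~ /(.*)/;
    return $line;
}

# Line 4372: expand the text by evaluating it as a double-quoted string.
# Returns the expanded text, or the error perl raised.
sub expand_with_eval {
    my ($line) = @_;
    my $virus = 'Eicar-Test-Signature';   # constructed value used by the sample
    my ($result, $error);
    # The taint check dies before the string eval starts, so an outer block
    # eval is needed to catch it.
    eval { $result = eval "\"$line\""; $error = $@; 1 } or $error = $@;
    chomp $error if defined $error;
    return defined $result ? "ok: $result" : "died: $error";
}

# Alternative that needs neither eval nor a blanket untaint: substitute only
# placeholder names listed in a table (hypothetical helper for this example).
sub expand_with_table {
    my ($line, %vars) = @_;
    $line =~ s/\$(\w+)/exists $vars{$1} ? $vars{$1} : "\$$1"/ge;
    return $line;
}

my $sample = 'Report: $virus found' . $TAINT;   # constructed, tainted input

for my $case ([ 'as shipped', \&untaint_as_shipped ],
              [ 'as fixed',   \&untaint_as_fixed   ]) {
    my ($name, $untaint) = @$case;
    my $line = $untaint->($sample);
    printf "%-10s tainted=%-3s eval -> %s\n",
        $name, (tainted($line) ? 'yes' : 'no'), expand_with_eval($line);
}

my $expanded = expand_with_table($sample, virus => 'Eicar-Test-Signature');
printf "%-10s tainted=%-3s text -> %s\n",
    'table', (tainted($expanded) ? 'yes' : 'no'), $expanded;
```

The shipped form reproduces the "Insecure dependency in eval" failure from the debug output; the table-based expansion leaves the result tainted, so later code still sees it as untrusted data.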
From: davidj at synaq.com (David Jacobson) Date: Thu Nov 26 08:10:55 2009 Subject: Rulesets with multiple recipients In-Reply-To: <30040544.980.1259222969821.JavaMail.root@zimbra.synaq.com> Message-ID: <20a4f4e6-da63-11de-959c-0007e92@asp2.rocketseed.com> Hi List / Julian, I understand that this has been discussed a few times, however would like to raise this topic again. Scenario: We offer a service to certain users only for some domains where we forward a copy of their mail to a separate server and deliver (kinda like an insurance policy) - in case they have trouble with their server and need to access a mail urgently and/or respond. This works fine - unless the mail has multiple recipients in the same domain. Example : user1@company.com sends to user1@company2.com and user2@company2.com MailScanner will parse the non spam action rules and see that the action for user1@company2.com is to forward to another server and deliver, then it will do that and skip the rest of the forwards and deliver mail normally. This is a problem, as all users in the RCPT TO should be forwarded & delivered. I understand this is not a MailScanner issue as MailScanner does not split the mail and can only really do one action with the message (understandable). I also understand I can change the default behaviour from first match to use default ruleset with "Use Default Rules With Multiple Recipients = yes" however since we only do this for certain users and only for certain domains that change will not help. So I assume the fix people will suggest is to actually split the mail so MailScanner can do the right thing per message. I have done this with Exim and it works fine in terms of splitting the mail and then doing the correct rules per mail. 
My major concern with this is as follows: 1) Increasing the load on the server, 1 message to 10 recipients is now 10 separate messages 2) Bandwidth increase to customer 3) MailWatch logs separate messages to maillog Point 3 is my biggest problem - we don't want to have 10 of the same messages logged in maillog - this will increase our DB size (which is already huge) and it will be "non efficient" to have multiple of the same messages in the DB for us to search and release etc. Additionally I could be wrong but I'm not even sure if splitting mail like this is RFC compliant. OK, so now that my rant is over about the issues we have - is it at all possible to change MailScanner in any way to parse through the ruleset via a subroutine or something similar so it doesn't do first match and works out it's to multiple recipients and somehow parses the ruleset correctly? Or perhaps any other way EXCEPT splitting the mail as I can see it causing more problems than it's worth. Any assistance/guidance would be greatly appreciated, additionally we'd be happy to pay for some dev work to make this happen somehow. Regards,
David Jacobson
Technical Director
Tel: 011 262 3632
Fax: 086 637 8868
Cell: 083 235 0760
Email: davidj@synaq.com
Web: www.synaq.com

Sandhaven Office Park, Pongola Crescent
Eastgate Ext 17 Sandton
 
 
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091126/7855a9d6/attachment.html From steve.freegard at fsl.com Thu Nov 26 11:01:11 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Nov 26 11:01:24 2009 Subject: Rulesets with multiple recipients In-Reply-To: <20a4f4e6-da63-11de-959c-0007e92@asp2.rocketseed.com> References: <30040544.980.1259222969821.JavaMail.root@zimbra.synaq.com> <20a4f4e6-da63-11de-959c-0007e92@asp2.rocketseed.com> Message-ID: <4B0E5FF7.4040405@fsl.com> David Jacobson wrote: > Hi List / Julian, > > I understand that this has been discussed a few times, however would > like to raise this topic again. > > Scenario: > > We offer a service to certain users only for some domains where we > forward a copy of their mail to a seperate server and deliver (kinda > like an insurance policy) - incase they have trouble with their server > and need to access a mail urgently and/or respond. > > This works fine - unless the mail has multiple recipients in the same > domain. > > Example : user1@company.com sends to user1@company2.com and > user2@company2.com MailScanner will parse the non spam action rules and > see that the action for user1@company2.com is to forward to another > server and deliver, then it will do that and skip the rest of the > forwards and deliver mail normally. This is a problem, as all users in > the RCPT TO should be forwarded & delivered. > > I understand this is not a MailScanner issue as MailScanner does not > split the mail and can only really do one action with the message > (understandable). > > I also understand I can change the default behaviour from first match to > use default ruleset with "Use Default Rules With Multiple Recipients = > yes" however since we only do this for certain users and only for > certain domains that change will not help. 
> > So I assume the fix people will suggest is to actually split the mail so > MailScanner can do the right thing per message. I have done this with > Exim and it works fine in terms of splitting the mail and then doing the > correct rules per mail. > > My major concern with this is as follows: > > 1) Increasing the load on the server, 1 message to 10 recipients is now > 10 seperate messages > 2) Bandwidth increase to customer > 3) MailWatch logs seperate messages to maillog > > Point 3 is my biggest problem - we don't want to have 10 of the same > messages logged in maillog - this will increase our DB size (which is > already huge) and it will be "non efficient" to have multiple of the > same messages in the DB for us to search and release etc. > > Additionally I could be wrong but I'm not even sure if splitting mail > like this is RFC compliant. > > OK, so now that my rant is over about the issues we have - is it at all > possible to change MailScanner in any way to parse through the ruleset > via a subroutine or something similar so it doesn't do first match and > works out it's to multiple recipients and somehow parses the ruleset > correctly? > > Or perhaps any other way EXCEPT splitting the mail as I can see it > causing more problems than it's worth. > Recipient splitting is advisable anywhere users are able to set-up their own preferences as you have to consider that case of a multi-recipient e-mail where one user has blacklisted the sender (this will cause the mail to be blacklisted for all recipients). The SpamAssassin cache reduces a lot of the overhead of recipient splitting however there are a few disadvantages as you point out; IIRC Exim and Postfix recipient splitting is also pretty ugly whereas Sendmail definitely wins out in this regard (it generates multiple qf/df files on message reception instead of requiring re-injection). 
However - forgive me for saying - but the whole method of (mis)using Non-Spam Actions for what you are attempting is a nasty hack which is why it's causing you issues. The most straightforward way to achieve what you are trying to do would be to maintain a 'map' of the users/domains that have this 'feature' enabled e.g.: blah@blah.com -> forward@blah.com ... Then either in a MailScanner CustomFunction *or* in your MTA; build up a Bcc: header based on the envelope recipients using the map. If MailScanner delivers the message (e.g. it's non-spam) then the 'copy' mailbox automatically gets sent a copy via the Bcc: header. IMO - that's a far less horrible way to achieve this without trying to misuse the message actions. Regards, Steve. From davidj at synaq.com Thu Nov 26 11:37:09 2009 From: davidj at synaq.com (David Jacobson) Date: Thu Nov 26 11:37:44 2009 Subject: Rulesets with multiple recipients In-Reply-To: <4B0E5FF7.4040405@fsl.com> Message-ID: <05836194-da80-11de-a168-0007e92@asp2.rocketseed.com> ----- "Steve Freegard" wrote: > David Jacobson wrote: > > Hi List / Julian, > > > > I understand that this has been discussed a few times, however would > > > like to raise this topic again. > > > > Scenario: > > > > We offer a service to certain users only for some domains where we > > forward a copy of their mail to a seperate server and deliver (kinda > > > like an insurance policy) - incase they have trouble with their > server > > and need to access a mail urgently and/or respond. > > > > This works fine - unless the mail has multiple recipients in the > same > > domain. > > > > Example : user1@company.com sends to user1@company2.com and > > user2@company2.com MailScanner will parse the non spam action rules > and > > see that the action for user1@company2.com is to forward to another > > > server and deliver, then it will do that and skip the rest of the > > forwards and deliver mail normally. 
This is a problem, as all users > in > > the RCPT TO should be forwarded & delivered. > > > > I understand this is not a MailScanner issue as MailScanner does not > > > split the mail and can only really do one action with the message > > (understandable). > > > > I also understand I can change the default behaviour from first > match to > > use default ruleset with "Use Default Rules With Multiple Recipients > = > > yes" however since we only do this for certain users and only for > > certain domains that change will not help. > > > > So I assume the fix people will suggest is to actually split the > mail so > > MailScanner can do the right thing per message. I have done this > with > > Exim and it works fine in terms of splitting the mail and then doing > the > > correct rules per mail. > > > > My major concern with this is as follows: > > > > 1) Increasing the load on the server, 1 message to 10 recipients is > now > > 10 seperate messages > > 2) Bandwidth increase to customer > > 3) MailWatch logs seperate messages to maillog > > > > Point 3 is my biggest problem - we don't want to have 10 of the same > > > messages logged in maillog - this will increase our DB size (which > is > > already huge) and it will be "non efficient" to have multiple of the > > > same messages in the DB for us to search and release etc. > > > > Additionally I could be wrong but I'm not even sure if splitting > mail > > like this is RFC compliant. > > > > OK, so now that my rant is over about the issues we have - is it at > all > > possible to change MailScanner in any way to parse through the > ruleset > > via a subroutine or something similar so it doesn't do first match > and > > works out it's to multiple recipients and somehow parses the ruleset > > > correctly? > > > > Or perhaps any other way EXCEPT splitting the mail as I can see it > > causing more problems than it's worth. 
> > > > Recipient splitting is advisable anywhere users are able to set-up > their > own preferences as you have to consider that case of a > multi-recipient > e-mail where one user has blacklisted the sender (this will cause the > mail to be blacklisted for all recipients). > > The SpamAssassin cache reduces a lot of the overhead of recipient > splitting however there are a few disadvantages as you point out; > IIRC > Exim and Postfix recipient splitting is also pretty ugly whereas > Sendmail definitely wins out in this regard (it generates multiple > qf/df > files on message reception instead of requiring re-injection). > > However - forgive me for saying - but the whole method of (mis)using > Non-Spam Actions for what you are attempting is a nasty hack which is > why it's causing you issues. > > The most straightforward way to achieve what you are trying to do > would > be to maintain a 'map' of the users/domains that have this 'feature' > enabled e.g.: > > blah@blah.com -> forward@blah.com > ... > > Then either in a MailScanner CustomFunction *or* in your MTA; build up > a > Bcc: header based on the envelope recipients using the map. If > MailScanner delivers the message (e.g. it's non-spam) then the 'copy' > mailbox automatically gets sent a copy via the Bcc: header. > > IMO - that's a far less horrible way to achieve this without trying > to > misuse the message actions. > > Regards, > Steve. Steve, Thank you very much for the guidance - sometimes a push in the right direction is what's required :) We've tested with Exim and it definitely seems like a more elegant solution as you suggested. Thanks again. David > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
Tel: 011 262 3632 Fax: 086 637 8868 Cell: 083 235 0760
Email: davidj@synaq.com Web: www.synaq.com
Sandhaven Office Park, Pongola Crescent Eastgate Ext 17 Sandton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091126/9d20df75/attachment.html

From MailScanner at ecs.soton.ac.uk Thu Nov 26 13:57:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Nov 26 13:57:57 2009
Subject: Problems MailScanner 4.78.17
In-Reply-To: <50838.130.59.6.127.1259168238.squirrel@webmail.buschor.ch>
References: <50838.130.59.6.127.1259168238.squirrel@webmail.buschor.ch> <4B0E894A.6030608@ecs.soton.ac.uk>
Message-ID:

Well spotted. Fixed for the next release.

On 25/11/2009 16:57, ThB wrote:
> Hello,
>
> There's another small taint problem in Message.pm.
> It occurred when scanning an eicar test virus.
>
> MailScanner's debugging output:
>
> In Debugging mode, not forking...
> Trying to setlogsock(native)
> INFO:: Meaningless output that goes nowhere, to keep SAVI happy
> Building a message batch to scan...
> Have a batch of 1 message.
> Insecure dependency in eval while running with -T switch at
> /opt/MailScanner/lib/MailScanner/Message.pm line 4372, line 1.
>
> -> at this point the MailScanner gets killed
>
>
> Code Snippet Message.pm
>
> 4369 $line =~ s/([\(\)\[\]\.\?\*\+\^"'@])/\\$1/g; # Escape any regex characters
> 4370 # Untainting joy...
> 4371 $line =~ $1 if $line =~ /(.*)/;
> 4372 $result = eval "\"$line\"";
>
>
> After checking & trying to understand the code, I think the problem is
> line 4371 which should be:
>
> 4371 $line = $1 if $line =~ /(.*)/;
>
> (note the "=" instead of "=~")
>
> After this modification my MailScanner 4.79.3-1 is perfectly running.
>
> regards
> Thomas
>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From alessandro.fachin at qnet.it Thu Nov 26 14:38:49 2009
From: alessandro.fachin at qnet.it (Alessandro Fachin)
Date: Thu Nov 26 14:39:00 2009
Subject: Messages in loop
Message-ID: <200911261538.49142.alessandro.fachin@qnet.it>

Hi, I've noticed that I have some messages stuck in the Mailscanner queue. They are in a loop and don't go out from Mailscanner. Anyway, it "works" well with new mails but doesn't finish processing the old ones (there are mails from 2-3 days ago). Maybe the problem is with clamav?

Nov 26 15:37:44 mail MailScanner[12628]: Commercial scanner clamavmodule timed out!

Thanks for help.

Some logs:

Nov 26 15:35:17 mail MailScanner[13159]: New Batch: Found 4 messages waiting
Nov 26 15:35:17 mail MailScanner[13159]: New Batch: Scanning 1 messages, 8401 bytes
Nov 26 15:35:17 mail MailScanner[13159]: Virus and Content Scanning: Starting
Nov 26 15:35:18 mail MailScanner[13159]: Requeue: E98721C51F7.3F64F to C10C21C778A
Nov 26 15:35:18 mail MailScanner[13159]: Uninfected: Delivered 1 messages
Nov 26 15:36:06 mail MailScanner[13159]: New Batch: Found 4 messages waiting
Nov 26 15:36:06 mail MailScanner[13159]: New Batch: Scanning 1 messages, 3080 bytes
Nov 26 15:36:07 mail MailScanner[13159]: Virus and Content Scanning: Starting
Nov 26 15:36:07 mail MailScanner[13159]: Requeue: 2E4FB1C51F7.76BB2 to AED6E1C778A
Nov 26 15:36:07 mail MailScanner[13159]: Uninfected: Delivered 1 messages
Nov 26 15:37:44 mail MailScanner[12628]: Commercial scanner clamavmodule timed out!
Nov 26 15:37:44 mail MailScanner[12628]: Virus Scanning: Denial Of Service attack detected!
--
Alessandro Fachin
alessandro.fachin@qnet.it
Qnet s.r.l
Via Circonvallazione Sud 76
33033 Codroipo (UD) - Italy
http://www.qnet.it http://www.qfarm.it
Tel. +39 0432 906062 Fax +39 0432 901514

From Denis.Beauchemin at USherbrooke.ca Thu Nov 26 19:34:14 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Thu Nov 26 19:34:51 2009
Subject: OT: Exchange vs MS question
Message-ID: <4B0ED836.200@USherbrooke.ca>

Hello all,

We are considering deploying an Exchange 2010 server for our Outlook users. We were told that an email from one Exchange user to another Exchange user would be handled internally by Exchange, thus bypassing our MS servers.

Is this true? If so, is there a way to configure Outlook and/or Exchange to force them to route all emails through our MS gateways?

I'm asking because we are having problems virus-scanning emails with McAfee on our current Exchange server (small workgroup) and the Exchange admins would like to rely on people's local antivirus software, which, I think, is a bad idea...

Thanks!

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From maxsec at gmail.com Thu Nov 26 20:00:18 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Nov 26 20:00:28 2009
Subject: OT: Exchange vs MS question
In-Reply-To: <4B0ED836.200@USherbrooke.ca>
References: <4B0ED836.200@USherbrooke.ca>
Message-ID: <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com>

Denis

there aren't that many virus emails these days, most are drive-by web sites, so sending all your email for extra scanning seems to be a little over the top given the risk.

The problem is still the PC and that's where you need the protection, not just gateway machines IMHO.

2009/11/26 Denis Beauchemin

> Hello all,
>
> We are considering deploying an Exchange 2010 server for our Outlook users.
> We were told that an email from one Exchange user to another Exchange user > would be handled internally by Exchange, thus bypassing our MS servers. > > Is this true? If so, is there a way to configure Outlook and/or Exchange to > force them to route all emails through our MS gateways? > > I'm asking because we are having problems virus-scanning emails wich McAfee > on our current Exchange server (small workgroup) and the Exchange admins > would like to rely on people's local antivirus software, which, I think, is > a bad idea... > > Thanks! > > Denis > > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Universit? de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091126/7a8b0ebf/attachment.html From Denis.Beauchemin at USherbrooke.ca Thu Nov 26 20:09:39 2009 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Nov 26 20:10:09 2009 Subject: OT: Exchange vs MS question In-Reply-To: <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> Message-ID: <4B0EE083.1090803@USherbrooke.ca> Martin Hepworth a ?crit : > Denis > > there aren't that many virus emails these days, most are drive-by web > sites, so sending all you email for extra scanning seems to be a > little over the top given the risk. > > The problem is still the PC and that's where you need the protection, > not just gateway machines IMHO. > Martin, I know but I prefer to have multiple checks done with different software. 
On my MS gateways I also scan for phishing, scam and more. That's why I would like to route all emails to my MS boxes... Most PCs are running McAfee; my MS gateways also run ClamAV, which make them more valuable than running McAfee on the Exchange box also. Thanks! Denis > > > 2009/11/26 Denis Beauchemin > > > Hello all, > > We are considering deploying an Exchange 2010 server for our > Outlook users. We were told that an email from one Exchange user > to another Exchange user would be handled internally by Exchange, > thus bypassing our MS servers. > > Is this true? If so, is there a way to configure Outlook and/or > Exchange to force them to route all emails through our MS gateways? > > I'm asking because we are having problems virus-scanning emails > wich McAfee on our current Exchange server (small workgroup) and > the Exchange admins would like to rely on people's local antivirus > software, which, I think, is a bad idea... > > Thanks! > > Denis > > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Universit? de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > Martin Hepworth > Oxford, UK -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. 
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From J.Ede at birchenallhowden.co.uk Thu Nov 26 21:17:11 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Nov 26 21:17:43 2009 Subject: Exchange vs MS question In-Reply-To: <4B0ED836.200@USherbrooke.ca> References: <4B0ED836.200@USherbrooke.ca> Message-ID: <1213490F1F316842A544A850422BFA96128C18B0C3@BHLSBS.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin > Sent: 26 November 2009 19:34 > To: MailScanner > Subject: OT: Exchange vs MS question > > Hello all, > > We are considering deploying an Exchange 2010 server for our Outlook > users. We were told that an email from one Exchange user to another > Exchange user would be handled internally by Exchange, thus bypassing > our MS servers. > > Is this true? If so, is there a way to configure Outlook and/or > Exchange > to force them to route all emails through our MS gateways? > > I'm asking because we are having problems virus-scanning emails wich > McAfee on our current Exchange server (small workgroup) and the > Exchange > admins would like to rely on people's local antivirus software, which, > I > think, is a bad idea... > > Thanks! > > Denis Routing between exchange users is all internal and would never go outside the exchange server. Look at mcafeeasap for a web managed version of mcafee which comes with a version of exchange mail scanning that so far has proved quite good for us on Exch 2007 Jason > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Universit? de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
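
The Message.pm taint report earlier in this archive (ThB's message, acknowledged by Julian Field) comes down to `=~` versus `=` on line 4371. The script below is an added example, not MailScanner code: it runs both forms on a constructed string under taint mode, then shows an allow-list untaint whose character set and length limit are assumptions.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. All sample strings are constructed.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint checks only run under -T, so re-run this script with it if needed.
unless (${^TAINT}) {
    exec $^X, '-T', $0 or die "cannot re-exec under -T: $!";
}

# Zero-length tainted string; appending it taints a constructed sample.
my $TAINT = substr(join('', $0, $^X, values %ENV), 0, 0);
die "no tainted source available\n" unless tainted($TAINT);

# Run the same kind of string eval as Message.pm line 4372 and describe the
# outcome instead of letting a taint violation kill the process.
sub try_eval {
    my ($label, $text) = @_;
    my $state = tainted($text) ? 'tainted' : 'untainted';
    my $result;
    my $ok = eval {
        $result = eval "\"$text\"";
        die $@ if $@;
        1;
    };
    if ($ok) {
        print "$label: $state, eval returned '$result'\n";
    } else {
        (my $err = $@) =~ s/ at .*//s;
        print "$label: $state, eval died: $err\n";
    }
    return $ok ? 1 : 0;
}

my $line = 'Warning: virus found in attachment' . $TAINT;

# Reported line 4371: "=~ $1" is a second pattern match that assigns nothing,
# so the variable keeps its taint flag and the eval is refused.
my $reported = $line;
$reported =~ $1 if $reported =~ /(.*)/;
try_eval('reported form (=~)', $reported);

# Corrected line 4371: assign the capture. Captured substrings are untainted.
my $fixed = $line;
$fixed = $1 if $fixed =~ /(.*)/;
try_eval('corrected form (=)', $fixed);

# General Perl caveat: /(.*)/ accepts any text up to the first newline, so it
# clears the flag without validating anything (and drops what follows the
# newline). An allow-list pattern ties the untainting to an actual check.
# The permitted characters and the 200-character limit are assumptions.
sub untaint_text {
    my ($text) = @_;
    return $text =~ /\A([\w .,:;()\/-]{1,200})\z/ ? $1 : undef;
}

for my $sample ('Warning: virus found in attachment', "two\nlines", 'curly {braces}') {
    my $clean = untaint_text($sample . $TAINT);
    (my $shown = $sample) =~ s/\n/\\n/g;
    my $verdict = defined $clean
        ? 'accepted, ' . (tainted($clean) ? 'tainted' : 'untainted')
        : 'rejected';
    print "allow-list untaint of '$shown': $verdict\n";
}
```
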
From jpete at iinet.net.au Thu Nov 26 21:28:23 2009 From: jpete at iinet.net.au (Pete Russell) Date: Thu Nov 26 21:28:55 2009 Subject: OT: Exchange vs MS question In-Reply-To: <4B0EE083.1090803@USherbrooke.ca> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> Message-ID: <4B0EF2F7.6050709@iinet.net.au> Easiest way is to buy an Exchange antispam/virus software. The complication you would add would offer little value compared to the effort. If you have that many problems on your internal email network i would be looking to solve those than change the way exchange works. Why are your exchange users sending spam? Denis Beauchemin wrote: > Martin Hepworth a ?crit : >> Denis >> >> there aren't that many virus emails these days, most are drive-by web >> sites, so sending all you email for extra scanning seems to be a >> little over the top given the risk. >> >> The problem is still the PC and that's where you need the protection, >> not just gateway machines IMHO. >> > > Martin, > > I know but I prefer to have multiple checks done with different > software. On my MS gateways I also scan for phishing, scam and more. > That's why I would like to route all emails to my MS boxes... > > Most PCs are running McAfee; my MS gateways also run ClamAV, which > make them more valuable than running McAfee on the Exchange box also. > > Thanks! > > Denis >> >> >> 2009/11/26 Denis Beauchemin > > >> >> Hello all, >> >> We are considering deploying an Exchange 2010 server for our >> Outlook users. We were told that an email from one Exchange user >> to another Exchange user would be handled internally by Exchange, >> thus bypassing our MS servers. >> >> Is this true? If so, is there a way to configure Outlook and/or >> Exchange to force them to route all emails through our MS gateways? 
>> >> I'm asking because we are having problems virus-scanning emails >> wich McAfee on our current Exchange server (small workgroup) and >> the Exchange admins would like to rely on people's local antivirus >> software, which, I think, is a bad idea... >> >> Thanks! >> >> Denis >> >> -- _ >> ?v? Denis Beauchemin, analyste >> /(_)\ Universit? de Sherbrooke, S.T.I. >> ^ ^ T: 819.821.8000x62252 F: 819.821.8045 >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> >> >> -- >> Martin Hepworth >> Oxford, UK > > From Denis.Beauchemin at USherbrooke.ca Thu Nov 26 22:03:31 2009 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Nov 26 22:04:02 2009 Subject: OT: Exchange vs MS question In-Reply-To: <4B0EF2F7.6050709@iinet.net.au> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0EF2F7.6050709@iinet.net.au> Message-ID: <4B0EFB33.2010008@USherbrooke.ca> Pete Russell a ?crit : > Easiest way is to buy an Exchange antispam/virus software. The > complication you would add would offer little value compared to the > effort. > > If you have that many problems on your internal email network i would > be looking to solve those than change the way exchange works. Why are > your exchange users sending spam? > > Pete, We don't have problems with our internal email network but we have nonetheless scanned all internal and outgoing mail for many years because we want to be part of the solution, not the problem. Once in a while a PC gets infected and sends loads of spam and malware. It it were to send directly to other internal users I think it could get ugly real fast... 
Denis > > Denis Beauchemin wrote: >> Martin Hepworth a ?crit : >>> Denis >>> >>> there aren't that many virus emails these days, most are drive-by >>> web sites, so sending all you email for extra scanning seems to be a >>> little over the top given the risk. >>> >>> The problem is still the PC and that's where you need the >>> protection, not just gateway machines IMHO. >>> >> >> Martin, >> >> I know but I prefer to have multiple checks done with different >> software. On my MS gateways I also scan for phishing, scam and more. >> That's why I would like to route all emails to my MS boxes... >> >> Most PCs are running McAfee; my MS gateways also run ClamAV, which >> make them more valuable than running McAfee on the Exchange box also. >> >> Thanks! >> >> Denis >>> >>> >>> 2009/11/26 Denis Beauchemin >> > >>> >>> Hello all, >>> >>> We are considering deploying an Exchange 2010 server for our >>> Outlook users. We were told that an email from one Exchange user >>> to another Exchange user would be handled internally by Exchange, >>> thus bypassing our MS servers. >>> >>> Is this true? If so, is there a way to configure Outlook and/or >>> Exchange to force them to route all emails through our MS gateways? >>> >>> I'm asking because we are having problems virus-scanning emails >>> wich McAfee on our current Exchange server (small workgroup) and >>> the Exchange admins would like to rely on people's local antivirus >>> software, which, I think, is a bad idea... >>> >>> Thanks! >>> >>> Denis >>> >>> -- _ >>> ?v? Denis Beauchemin, analyste >>> /(_)\ Universit? de Sherbrooke, S.T.I. >>> ^ ^ T: 819.821.8000x62252 F: 819.821.8045 >>> >>> -- MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! 
>>> >>> >>> >>> >>> -- >>> Martin Hepworth >>> Oxford, UK >> >> > -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From J.Ede at birchenallhowden.co.uk Fri Nov 27 08:05:29 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Nov 27 08:05:59 2009 Subject: OT: Exchange vs MS question In-Reply-To: <4B0EFB33.2010008@USherbrooke.ca> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0EF2F7.6050709@iinet.net.au> <4B0EFB33.2010008@USherbrooke.ca> Message-ID: <1213490F1F316842A544A850422BFA96128C18B0C5@BHLSBS.bhl.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin > Sent: 26 November 2009 22:04 > To: MailScanner discussion > Subject: Re: OT: Exchange vs MS question > > Pete Russell a ?crit : > > Easiest way is to buy an Exchange antispam/virus software. The > > complication you would add would offer little value compared to the > > effort. > > > > If you have that many problems on your internal email network i would > > be looking to solve those than change the way exchange works. Why are > > your exchange users sending spam? > > > > > > Pete, > > We don't have problems with our internal email network but we have > nonetheless scanned all internal and outgoing mail for many years > because we want to be part of the solution, not the problem. > > Once in a while a PC gets infected and sends loads of spam and malware. > It it were to send directly to other internal users I think it could > get > ugly real fast... > > Denis Since you already use McAfee then look at either GroupShield or their email server protection as part of McAfeeASAP, which I suspect is one and the same with a few small tweaks between the 2. Either of those will find and kill viruses. 
Jason Jason From Johan at double-l.nl Fri Nov 27 09:48:59 2009 From: Johan at double-l.nl (Johan Hendriks) Date: Fri Nov 27 09:49:09 2009 Subject: SOLVED in 7.2: Perl problems on FreeBSD (again) References: <4AF587C5.9000701@elasticmind.net> <57200BF94E69E54880C9BB1AF714BBCBA5718C@w2003s01.double-l.local> <585E0435-B830-402F-B607-A767B31281E8@rdc.cl> <4B000A36.9040006@elasticmind.net> <1dff82c40911151159p439fa3c9u2a7d274185aef9d@mail.gmail.com> <1dff82c40911151253m70e0170cy12f21bbc65d9f853@mail.gmail.com> <4B068B55.1060906@ecs.soton.ac.uk><4B0927FD.3030109@ecs.soton.ac.uk> Message-ID: <57200BF94E69E54880C9BB1AF714BBCBA57279@w2003s01.double-l.local> >I *think* I have found all the occurrences of this problem, and have >just released a new beta. >If I have missed any, please do shout! >Jules. Hello First of all thanks for the outstanding work on MailScanner. I have a mailscanner server running with FreeBSD 8.0 with perl 5.10.0 and the latest MailScanner version in the FreeBSD ports system. If i update or use a newly installed machine with perl 5.10.1 i got that problem! I just updated my perl from 5.10.0 to 5.10.1 and i still had that problem. I then updated my MailScanner to 4.79.3 and the problem seems to be gone. no more errors at startup ! Thanks again. I do not know if this is also the case on perl 5.8.9, but on 5.10.1 it now works. Regards, Johan Hendriks From lists at elasticmind.net Fri Nov 27 11:09:21 2009 From: lists at elasticmind.net (mog) Date: Fri Nov 27 11:09:46 2009 Subject: OT: Exchange vs MS question In-Reply-To: <4B0EE083.1090803@USherbrooke.ca> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> Message-ID: <4B0FB361.4000300@elasticmind.net> Hi, Can't you get your users to send their outgoing mail through a MailScanner SMTP server, which can check the mail for infection and such, and then send it on to the Exchange server for final delivery? 
mog Denis Beauchemin wrote: > Martin Hepworth a ?crit : >> Denis >> >> there aren't that many virus emails these days, most are drive-by web >> sites, so sending all you email for extra scanning seems to be a >> little over the top given the risk. >> >> The problem is still the PC and that's where you need the protection, >> not just gateway machines IMHO. >> > > Martin, > > I know but I prefer to have multiple checks done with different > software. On my MS gateways I also scan for phishing, scam and more. > That's why I would like to route all emails to my MS boxes... > > Most PCs are running McAfee; my MS gateways also run ClamAV, which > make them more valuable than running McAfee on the Exchange box also. > > Thanks! > > Denis >> >> >> 2009/11/26 Denis Beauchemin > > >> >> Hello all, >> >> We are considering deploying an Exchange 2010 server for our >> Outlook users. We were told that an email from one Exchange user >> to another Exchange user would be handled internally by Exchange, >> thus bypassing our MS servers. >> >> Is this true? If so, is there a way to configure Outlook and/or >> Exchange to force them to route all emails through our MS gateways? >> >> I'm asking because we are having problems virus-scanning emails >> wich McAfee on our current Exchange server (small workgroup) and >> the Exchange admins would like to rely on people's local antivirus >> software, which, I think, is a bad idea... >> >> Thanks! >> >> Denis >> >> -- _ >> ?v? Denis Beauchemin, analyste >> /(_)\ Universit? de Sherbrooke, S.T.I. >> ^ ^ T: 819.821.8000x62252 F: 819.821.8045 >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! 
>> >> >> >> >> -- >> Martin Hepworth >> Oxford, UK > > From alex at rtpty.com Fri Nov 27 11:57:29 2009 From: alex at rtpty.com (Alex Neuman) Date: Fri Nov 27 11:57:45 2009 Subject: OT: Exchange vs MS question In-Reply-To: <4B0FB361.4000300@elasticmind.net> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0FB361.4000300@elasticmind.net> Message-ID: <8CE325B1-04D7-4885-AF28-9A1A6B49522B@rtpty.com> That's more difficult than it sounds, since the way Exchange accounts are set up you usually don't have the ability to change the outgoing server. What you *could* do is tell one server that outgoing e-mail should go to a "smart host", in this case, one of the MailScanner servers. Either that or a "mailertable" like entry somewhere that states that mail to a particular domain should go to a particular MailScanner host. On Nov 27, 2009, at 6:09 AM, mog wrote: > Can't you get your users to send their outgoing mail through a MailScanner SMTP server, which can check the mail for infection and such, and then send it on to the Exchange server for final delivery? From dharmesh.shah at netmagicsolutions.com Fri Nov 27 13:01:03 2009 From: dharmesh.shah at netmagicsolutions.com (Dharmesh Shah) Date: Fri Nov 27 13:01:20 2009 Subject: Mails getting stuck in hold dir by MailScanner Message-ID: <4B0FCD8F.3090205@netmagicsolutions.com> Dear Team, We are using MailScanner+postfix+Spamassassin on our server to receive incoming mails. Problem we are facing is many a times when mail hits on the server, once mail get in to the Hold dir by mailscanner, it takes longer time to deliver the same. Mailscanner keeps the mail in hold dir and after say few minutes, some times hours later releases the mail for delivery. due to this inconsistency we face delay mail issue. To overcome these issue, we also tried upgrading the mailscanner version. current version is 4.77... . 
Server has 4gb of physical memory 8gb of swap memory. We would request you to assist us on the same & how to come the mentioned above issue. Thanks & Regards Dharmesh Shah. -- **************** CAUTION - Disclaimer ***************** This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Netmagic Solutions Pvt. Ltd. has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Netmagic Solutions Pvt. Ltd. reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Netmagic Solutions Pvt. Ltd.'s e-mail system. ***************** End of Disclaimer ******************* From sbanderson at impromed.com Fri Nov 27 15:08:34 2009 From: sbanderson at impromed.com (Scott B. 
Anderson) Date: Fri Nov 27 15:11:21 2009 Subject: OT: Exchange vs MS question In-Reply-To: <8CE325B1-04D7-4885-AF28-9A1A6B49522B@rtpty.com> References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0FB361.4000300@elasticmind.net> <8CE325B1-04D7-4885-AF28-9A1A6B49522B@rtpty.com> Message-ID: <4B16C177313C70448BFF4C80789335B30AC954DB9F@ES1.impromed.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alex Neuman > Sent: Friday, November 27, 2009 5:57 AM > To: MailScanner discussion > Subject: Re: OT: Exchange vs MS question > > That's more difficult than it sounds, since the way Exchange accounts are set > up you usually don't have the ability to change the outgoing server. > > What you *could* do is tell one server that outgoing e-mail should go to a > "smart host", in this case, one of the MailScanner servers. Either that or a > "mailertable" like entry somewhere that states that mail to a particular > domain should go to a particular MailScanner host. > > On Nov 27, 2009, at 6:09 AM, mog wrote: > > > Can't you get your users to send their outgoing mail through a MailScanner > SMTP server, which can check the mail for infection and such, and then send > it on to the Exchange server for final delivery? > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! One other solution you may want to look into is Microsoft's own Forefront for Exchange. I won't go into details but it can utilize more than one AV scan engine (I think 6 of the biggest are built in) as well as do content and file filtering between your users with (in Exchange terms) relatively small additional resource usage. 
I used to use McAfee Groupshield for Exchange but found that the overhead was higher, had only one (McAfee) AV engine, and similar licensing fees and features. After a long term trial I switched.

Any way you look at it, you will want an AV/Anti-Spam solution for your Exchange server. Please note that basic anti-spam support is built-in to Exchange 2007 and 2010 via a mechanism very similar (read - near copy of) to SpamAssassin with sender confidence level (SCL) blocking and DNS RBL support.

Scott Anderson

From fcusack at fcusack.com Fri Nov 27 17:44:55 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri Nov 27 17:45:11 2009
Subject: virus scan not available -> no virus check!
In-Reply-To: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT>
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT>
Message-ID: <459F86471B05563D58914FD9@rdf.local>

On November 23, 2009 10:23:41 PM -0500 Rick Cooper wrote:
> ----Original Message----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
> Sent: Monday, November 23, 2009 8:56 PM
> To: mailscanner@lists.mailscanner.info
> Subject: virus scan not available -> no virus check!
>
>> I can't believe this is the default behavior. Also, I can't find a
>> way to change it.
>>
>>> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content Scanning: Starting
>>> Nov 23 18:09:05 localhost MailScanner[26997]: Cannot find Socket (/tmp/clamd.socket) Exiting!
>>
>> and then mailscanner goes on to bless the email as "clean". Note that
>> I do not have virus scanning set to "auto", I have it explicitly set
>> to "clamd".
>>
>> My preferred behavior would be to send an email to postmaster (or
>> whoever) at some regular interval if the virus scanner is not available.
>> Anyway to get some semblance of that configured?
>>
>> -frank
>
> As with any Daemon including MailScanner itself you should have some
> kind of monitoring installed that restarts and notifies you that is not
> MailScanner's job.

Of course. I run Solaris 10 and using the built-in svcadm facility this all works automatically.

> Should it send an email for each issue with all
> externals and internals to the postmaster?

No. As I suggested, it "should" send an email to postmaster at some regular interval. Like swatch but built-in.

> It did the best thing I could
> think of, it issues an error to the log and moves on.

That is my point. The best thing it could think of is not very good. It is simply not checking viruses when this happens.

> I guess it could shut MailScanner down I suppose.

I don't know about shut down -- but at least mails should not be marked clean. At the *very least*, the signature it puts on the bottom should say "this message was not checked for viruses" rather than saying it is clean. That doesn't help me since I do not put a signature on clean messages, so I'm just noting it for completeness.

> It would appear to be a configuration
> error since clam doesn't remove its socket if it crashes and MailScanner
> --lint would have caught it. Monit, Webmin, PingClamd.pl in a cron job,
> some kind of monitoring should be in place for both ClamD and MailScanner
> itself, and whatever mta you are using...

Yup, as I said I do have the built-in OS facilities doing the monitoring. And through dependencies, it is capable of disabling MailScanner if clamd is not running. But that doesn't put MailScanner in the clear.

My point is that in a software of this type, ie security software, there can't be vague external requirements like "your monitoring system must stop the flow of mail". MailScanner itself is in a position to know if the configured virus check actually occurred and should not be passing unchecked mail on, and at the very least should not be claiming that it was checked.
Judging from the responses, it seems this is simply how MailScanner works today. I am surprised that more folks here haven't jumped in to agree with me that this failure mode is not a good one.

I strongly suggest that this be changed for future versions.

-frank

From fcusack at fcusack.com Fri Nov 27 17:59:31 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri Nov 27 17:59:43 2009
Subject: clamav not working?
In-Reply-To:
References: <765892CD1A77238CE4BC8F42@rdf.local> <4B0BA928.7030205@ecs.soton.ac.uk>
Message-ID: <35BE910E9EEFB85CE22A0C99@rdf.local>

On November 24, 2009 9:36:40 AM +0000 Julian Field wrote:
>
>
> On 24/11/2009 02:00, Frank Cusack wrote:
>> Looking at ProcessClamAVOutput() in SweepViruses.pm I see a lot of
>> pattern matching which is hurting my brain. Ok, that is fine for
>> logging but why doesn't it just check the return value of clamav-wrapper
>> (which passes the return value of clamscan) to determine success?
> For the very good reason that part of MailScanner's high speed comes from
> the fact that it checks many messages at a time. So checking the return
> value is useless as it would not tell you which message contained the
> virus. If it worked in the same slow way as its competition, it would
> check each message individually, at which point it could use the return
> code. But scanning 5 files takes only fractionally longer than scanning 1
> file, as the largest proportion of the time in the virus scanner is when
> it is starting up and reading all its virus pattern databases. So to gain
> a huge increase in speed, I scan many messages at once.
>
> If you want to see what happens when you scan each message individually,
> set the "Max Unsafe Messages Per Scan = 1" and watch how slowly it goes!
>
> There is method in my madness. Just because you don't see a good reason
> for a design decision, it does not mean there *isn't* a good reason for
> it, just that you don't see it.

Right, and that's exactly why I asked ...
you don't need to lecture me on what I don't understand. :) I was in no way questioning the design of MailScanner, I was just wondering why things are the way they are.

Thank you for your response! But you didn't answer why it's not correctly parsing clamscan's output. Is the clamav support perhaps linked to an older version of clamav? I really hate pattern matching textual output from other programs and this is one reason why. It sounds like you are restricted here for efficiency's sake though.

Or is something wrong with my config? I've added my own debug as clamscan is being run and is detecting a virus, it's just that MailScanner isn't picking that up.

-frank

From fcusack at fcusack.com Fri Nov 27 18:12:50 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri Nov 27 18:13:02 2009
Subject: clamav not working?
In-Reply-To: <35BE910E9EEFB85CE22A0C99@rdf.local>
References: <765892CD1A77238CE4BC8F42@rdf.local> <4B0BA928.7030205@ecs.soton.ac.uk> <35BE910E9EEFB85CE22A0C99@rdf.local>
Message-ID:

On November 27, 2009 9:59:31 AM -0800 Frank Cusack wrote:
> I've added my own debug as clamscan
> is being run and is detecting a virus, it's just that MailScanner isn't
> picking that up.

That should have read: I've added my own debug and verified that clamscan is being run and is detecting a virus ...

-frank

From edward at tdcs.com.au Fri Nov 27 22:52:34 2009
From: edward at tdcs.com.au (Edward Dekkers)
Date: Fri Nov 27 23:02:02 2009
Subject: Messages in loop
In-Reply-To: <200911261538.49142.alessandro.fachin@qnet.it>
References: <200911261538.49142.alessandro.fachin@qnet.it>
Message-ID:

> Hi,
> I've noticed that I have some messages stuck in Mailscanner queue. They are in
> loop and doesn't go out from Mailscanner. Anyway, it "works" good with new
> mails but doesn't finish to process the old others (There are mails from 2-3
> days ago). Maybe the problem is with clamav ?
> Nov 26 15:37:44 mail MailScanner[12628]: Commercial scanner clamavmodule timed out!
> Thanks for help.
>
> Some logs:
>
> Nov 26 15:35:17 mail MailScanner[13159]: New Batch: Found 4 messages waiting
> Nov 26 15:35:17 mail MailScanner[13159]: New Batch: Scanning 1 messages, 8401 bytes
> Nov 26 15:35:17 mail MailScanner[13159]: Virus and Content Scanning: Starting
> Nov 26 15:35:18 mail MailScanner[13159]: Requeue: E98721C51F7.3F64F to C10C21C778A
> Nov 26 15:35:18 mail MailScanner[13159]: Uninfected: Delivered 1 messages
> Nov 26 15:36:06 mail MailScanner[13159]: New Batch: Found 4 messages waiting
> Nov 26 15:36:06 mail MailScanner[13159]: New Batch: Scanning 1 messages, 3080 bytes
> Nov 26 15:36:07 mail MailScanner[13159]: Virus and Content Scanning: Starting
> Nov 26 15:36:07 mail MailScanner[13159]: Requeue: 2E4FB1C51F7.76BB2 to AED6E1C778A
> Nov 26 15:36:07 mail MailScanner[13159]: Uninfected: Delivered 1 messages
> Nov 26 15:37:44 mail MailScanner[12628]: Commercial scanner clamavmodule timed out!
> Nov 26 15:37:44 mail MailScanner[12628]: Virus Scanning: Denial Of Service attack detected!

I'm seeing similar issues still, and I sent a detailed debug yesterday to the list, with attached offending messages (slightly different symptoms), but it got delayed till the moderator of the list lets it through, because apparently it's too big. Fair enough - one attached message is 126KB, the other 698.

I'm not sure whether it will ever actually get to the list.

Is there any where I can upload to attachments instead and just send the body of the e-mail with links?

Regards,
Ed.
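
[Added example, not part of any post in this archive and not MailScanner or ClamAV project code.] The "virus scan not available -> no virus check!" thread reports "Cannot find Socket (/tmp/clamd.socket)" followed by mail delivered as clean, and notes that clamd leaves its socket file behind when it crashes. The Python below probes clamd with its PING command and returns "hold" rather than letting unscanned mail through; the function names, the `require` setting (one failed scanner versus all of them) and the fake clamd used by the demo are assumptions of this example.

```python
"""Fail-closed clamd probe. Added example; not MailScanner or ClamAV project code."""
import os
import socket
import tempfile
import threading


def ping_clamd(socket_path, timeout=5.0):
    """Send clamd's PING command over its Unix socket; return (ok, reason).

    A socket file that exists is not proof of a live daemon: a crashed clamd
    can leave the file behind, so the only success condition is a PONG reply.
    """
    if not os.path.exists(socket_path):
        return False, "socket missing: " + socket_path
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(socket_path)
            s.sendall(b"nPING\n")      # 'n' prefix: newline-terminated command
            reply = s.recv(64)
    except OSError as exc:             # refused, timed out, permission denied
        return False, "no answer: %s" % exc
    if reply.strip(b"\n\0") == b"PONG":
        return True, "PONG"
    return False, "unexpected reply: %r" % reply


def batch_verdict(probes, require="any"):
    """Decide what to do with a waiting batch: "scan" or "hold".

    probes maps a scanner name to the (ok, reason) tuple from its probe.
    require="all" holds mail if any configured scanner is down;
    require="any" holds mail only when every scanner is down.
    No scanners at all means nothing can vouch for the mail, so hold.
    """
    if require not in ("any", "all"):
        raise ValueError("require must be 'any' or 'all'")
    states = [ok for ok, _reason in probes.values()]
    if not states:
        return "hold"
    up = all(states) if require == "all" else any(states)
    return "scan" if up else "hold"


def start_fake_clamd(path):
    """Constructed test double: answers one nPING with PONG, then exits."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _addr = srv.accept()
        with conn, srv:
            if conn.recv(64).strip() == b"nPING":
                conn.sendall(b"PONG\n")

    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Probe a live, a stale and a missing socket (all constructed here)."""
    with tempfile.TemporaryDirectory(prefix="clamd-") as tmp:
        live = os.path.join(tmp, "live.sock")
        stale = os.path.join(tmp, "stale.sock")
        missing = os.path.join(tmp, "missing.sock")

        start_fake_clamd(live)

        # Stale socket: bind then close without unlinking, which leaves the
        # file on disk with no listener, like a daemon that crashed.
        dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        dead.bind(stale)
        dead.close()

        return {
            "live": ping_clamd(live),
            "stale": ping_clamd(stale),
            "missing": ping_clamd(missing),
        }


if __name__ == "__main__":
    results = demo()
    for name, (ok, reason) in results.items():
        print("%-8s ok=%-5s %s" % (name, ok, reason))
    only_clamd = {"clamd": results["stale"]}
    print("single scanner down ->", batch_verdict(only_clamd))
```

Run against the real socket path from a wrapper or cron job, a "hold" result is the signal to leave the batch queued instead of delivering it.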
From maxsec at gmail.com Sat Nov 28 10:09:10 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Nov 28 10:09:20 2009
Subject: Mails getting stuck in hold dir by MailScanner
In-Reply-To: <4B0FCD8F.3090205@netmagicsolutions.com>
References: <4B0FCD8F.3090205@netmagicsolutions.com>
Message-ID: <72cf361e0911280209i2a016d4fx98aa43fb7194c144@mail.gmail.com>

Perhaps you can send some logs showing the messages-ids and what happens to those problem messages.

Martin

On 27/11/2009, Dharmesh Shah wrote:
> Dear Team,
>
> We are using MailScanner+postfix+Spamassassin on our server to receive
> incoming mails. Problem we are facing is many a times when mail hits on
> the server, once mail get in to the Hold dir by mailscanner, it takes
> longer time to deliver the same.
> Mailscanner keeps the mail in hold dir and after say few minutes, some
> times hours later releases the mail for delivery. due to this
> inconsistency we face delay mail issue.
>
> To overcome these issue, we also tried upgrading the mailscanner
> version. current version is 4.77... . Server has 4gb of physical memory
> 8gb of swap memory.
>
> We would request you to assist us on the same & how to come the
> mentioned above issue.
>
> Thanks & Regards
> Dharmesh Shah.

--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Sat Nov 28 10:13:11 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Nov 28 10:13:21 2009
Subject: OT: Exchange vs MS question
In-Reply-To: <4B0EFB33.2010008@USherbrooke.ca>
References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0EF2F7.6050709@iinet.net.au> <4B0EFB33.2010008@USherbrooke.ca>
Message-ID: <72cf361e0911280213r1afd88ecqebe529912d5026d8@mail.gmail.com>

Denis

If your internal pc gets infected it will use smtp to send out mugs not exchange so normal rules apply.

Martin

On 26/11/2009, Denis Beauchemin wrote:
> Pete Russell wrote:
>> Easiest way is to buy an Exchange antispam/virus software. The
>> complication you would add would offer little value compared to the
>> effort.
>>
>> If you have that many problems on your internal email network i would
>> be looking to solve those than change the way exchange works. Why are
>> your exchange users sending spam?
>>
>>
>
> Pete,
>
> We don't have problems with our internal email network but we have
> nonetheless scanned all internal and outgoing mail for many years
> because we want to be part of the solution, not the problem.
>
> Once in a while a PC gets infected and sends loads of spam and malware.
> If it were to send directly to other internal users I think it could get
> ugly real fast...
>
> Denis
>>
>> Denis Beauchemin wrote:
>>> Martin Hepworth wrote:
>>>> Denis
>>>>
>>>> there aren't that many virus emails these days, most are drive-by
>>>> web sites, so sending all your email for extra scanning seems to be a
>>>> little over the top given the risk.
>>>>
>>>> The problem is still the PC and that's where you need the
>>>> protection, not just gateway machines IMHO.
>>>>
>>>
>>> Martin,
>>>
>>> I know but I prefer to have multiple checks done with different
>>> software. On my MS gateways I also scan for phishing, scam and more.
>>> That's why I would like to route all emails to my MS boxes...
>>>
>>> Most PCs are running McAfee; my MS gateways also run ClamAV, which
>>> make them more valuable than running McAfee on the Exchange box also.
>>>
>>> Thanks!
>>>
>>> Denis
>>>>
>>>>
>>>> 2009/11/26 Denis Beauchemin
>>>>
>>>> Hello all,
>>>>
>>>> We are considering deploying an Exchange 2010 server for our
>>>> Outlook users. We were told that an email from one Exchange user
>>>> to another Exchange user would be handled internally by Exchange,
>>>> thus bypassing our MS servers.
>>>>
>>>> Is this true? If so, is there a way to configure Outlook and/or
>>>> Exchange to force them to route all emails through our MS gateways?
>>>>
>>>> I'm asking because we are having problems virus-scanning emails
>>>> with McAfee on our current Exchange server (small workgroup) and
>>>> the Exchange admins would like to rely on people's local antivirus
>>>> software, which, I think, is a bad idea...
>>>>
>>>> Thanks!
>>>>
>>>> Denis
>>>>
>>>> -- _
>>>> ?v? Denis Beauchemin, analyst
>>>> /(_)\ Université de Sherbrooke, S.T.I.
>>>> ^ ^ T: 819.821.8000x62252 F: 819.821.8045
>>>>
>>>> --
>>>> Martin Hepworth
>>>> Oxford, UK
>>>
>>
>
> --
> _
> ?v? Denis Beauchemin, analyst
> /(_)\ Université de Sherbrooke, S.T.I.
> ^ ^ T: 819.821.8000x62252 F: 819.821.8045

--
Martin Hepworth
Oxford, UK

From alex at rtpty.com Sat Nov 28 13:14:06 2009
From: alex at rtpty.com (Alex Neuman)
Date: Sat Nov 28 13:14:37 2009
Subject: OT: Exchange vs MS question
In-Reply-To: <72cf361e0911280213r1afd88ecqebe529912d5026d8@mail.gmail.com>
References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0EF2F7.6050709@iinet.net.au> <4B0EFB33.2010008@USherbrooke.ca> <72cf361e0911280213r1afd88ecqebe529912d5026d8@mail.gmail.com>
Message-ID: <0A83D53E-5C43-48B9-ACD0-216EBF8EB7AA@rtpty.com>

Aren't there some infections that use MAPI?

On Nov 28, 2009, at 5:13 AM, Martin Hepworth wrote:

> If your internal pc gets infected it will use smtp to send out mugs not
> exchange so normal rules apply.

From MailScanner at ecs.soton.ac.uk Sat Nov 28 13:56:21 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Nov 28 13:56:41 2009
Subject: virus scan not available -> no virus check!
In-Reply-To: <459F86471B05563D58914FD9@rdf.local>
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <459F86471B05563D58914FD9@rdf.local> <4B112C05.2060501@ecs.soton.ac.uk>
Message-ID:

Frank,

I quite understand your point, and will see what I can do to address it. It's only really a problem with clamd and the other "daemon-based" virus scanners. I can't promise anything, but I will take a look.

What exactly would you like MailScanner to do in such a situation?

And, believe it or not, I can't remember anyone ever bringing this up before as a major point. Basically you currently have to be sure your daemons are running properly for it to work correctly.

If the daemon cannot be contacted, what would you prefer?
a) mail stops flowing
b) mail is all quarantined
c) something else

(a) is possibly preferred, I don't think (b) is a good idea. It needs to be some fairly simple action, I don't want to have to write reams of code for this unlikely event.

Jules.

On 27/11/2009 17:44, Frank Cusack wrote:
> On November 23, 2009 10:23:41 PM -0500 Rick Cooper wrote:
>> ----Original Message----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
>> Sent: Monday, November 23, 2009 8:56 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: virus scan not available -> no virus check!
>>
>>> I can't believe this is the default behavior. Also, I can't find a
>>> way to change it.
>>>
>>>> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content Scanning: Starting
>>>> Nov 23 18:09:05 localhost MailScanner[26997]: Cannot find Socket (/tmp/clamd.socket) Exiting!
>>>
>>> and then mailscanner goes on to bless the email as "clean". Note that
>>> I do not have virus scanning set to "auto", I have it explicitly set
>>> to "clamd".
>>>
>>> My preferred behavior would be to send an email to postmaster (or
>>> whoever) at some regular interval if the virus scanner is not
>>> available.
>>> Anyway to get some semblance of that configured? >>> >>> -frank >> >> As with any Daemon including MailScanner it's self you should have some >> kind of monitoring installed that restarts and notifies you that is not >> MailScanner's job. > > Of course. I run Solaris 10 and using the built-in svcadm facility > this all works automatically. > >> Should it send an email for each issue with all >> externals and internals to the postmaster? > > No. As I suggested, it "should" send an email to postmaster at some > regular interval. Like swatch but built-in. > >> It did the best thing I could >> think of, it issues an error to the log and moves on. > > That is my point. The best thing it could think of is not very good. > It is simply not checking viruses when this happens. > >> I guess it could shut MailScanner down I suppose. > > I don't know about shut down -- but at least mails should not be > marked clean. At the *very least*, the signature it puts on the bottom > should say "this message was not checked for viruses" rather than > saying it is clean. That doesn't help me since I do not put a signature > on clean messages, so I'm just noting it for completeness. > >> It would appear to be a configuration >> error since clam doesn't remove it's socket if it crashes and >> MailScanner >> --lint would have caught it. Monit, Webmin, PingClamd.pl in a cron job, >> some kind of monitoring should be in place for both ClamD and >> MailScanner >> it's self, and what ever mta you are using... > > Yup, as I said I do have the built-in OS facilities doing the monitoring. > And through dependencies, it is capable of disabling MailScanner if clamd > is not running. But that doesn't put MailScanner in the clear. > > My point is that in a software of this type, ie security software, there > can't be vague external requirements like "your monitoring system must > stop the flow of mail". 
MailScanner itself is in a position to know if > the configured virus check actually occurred and should not be passing > unchecked mail on, and at the very least should not be claiming that it > was checked. > > Judging from the responses, it seems this is simply how MailScanner works > today. I am surprised that more folks here haven't jumped in to agree > with me that this failure mode is not a good one. > > I strongly suggest that this be changed for future versions. > > -frank Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Nov 28 13:58:30 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Sat Nov 28 13:58:51 2009 Subject: Messages in loop In-Reply-To: References: <200911261538.49142.alessandro.fachin@qnet.it> <4B112C86.4040801@ecs.soton.ac.uk> Message-ID: On 27/11/2009 22:52, Edward Dekkers wrote: >> Hi, >> I've notice that I have some messages stuck in Mailscanner queue. They >> are in >> loop and doesn't go out from Mailscanner. Anyway, it "works" good with >> new >> mails but doesn't finish to process the old others (There are mails >> from 2-3 >> days ago). Maybe the proble is with clamav ? >> Nov 26 15:37:44 mail MailScanner[12628]: Commercial scanner >> clamavmodule timed >> out! >> Thanks for help. 
>> >> Some logs: >> >> Nov 26 15:35:17 mail MailScanner[13159]: New Batch: Found 4 messages >> waiting >> Nov 26 15:35:17 mail MailScanner[13159]: New Batch: Scanning 1 >> messages, 8401 >> bytes >> Nov 26 15:35:17 mail MailScanner[13159]: Virus and Content Scanning: >> Starting >> Nov 26 15:35:18 mail MailScanner[13159]: Requeue: E98721C51F7.3F64F to >> C10C21C778A >> Nov 26 15:35:18 mail MailScanner[13159]: Uninfected: Delivered 1 >> messages >> Nov 26 15:36:06 mail MailScanner[13159]: New Batch: Found 4 messages >> waiting >> Nov 26 15:36:06 mail MailScanner[13159]: New Batch: Scanning 1 >> messages, 3080 >> bytes >> Nov 26 15:36:07 mail MailScanner[13159]: Virus and Content Scanning: >> Starting >> Nov 26 15:36:07 mail MailScanner[13159]: Requeue: 2E4FB1C51F7.76BB2 to >> AED6E1C778A >> Nov 26 15:36:07 mail MailScanner[13159]: Uninfected: Delivered 1 >> messages >> Nov 26 15:37:44 mail MailScanner[12628]: Commercial scanner >> clamavmodule timed >> out! >> Nov 26 15:37:44 mail MailScanner[12628]: Virus Scanning: Denial Of >> Service >> attack detected! >> > I'm seeing similar issues still, and I sent a detailed debug yesterday to > the list, with attached offending messages (slightly different symptoms), > but it got delayed till the moderator of the list lets it through, because > apparently it's too big. Fair enough - one attached message is 126KB, the > other 698. > > I'm not sure whether it will ever actually get to the list. > > Is there any where I can upload to attachments instead and just send the > body of the e-mail with links? > Put large files in one of the pastebins on the net, then just send a link to it in your submission to the mailing list. pastebin.com works perfectly well. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From maxsec at gmail.com Sat Nov 28 15:51:53 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Nov 28 15:52:03 2009
Subject: clamav not working?
In-Reply-To:
References: <765892CD1A77238CE4BC8F42@rdf.local> <4B0BA928.7030205@ecs.soton.ac.uk> <35BE910E9EEFB85CE22A0C99@rdf.local>
Message-ID: <72cf361e0911280751s79aafc24r8d179ae3b976fc72@mail.gmail.com>

2009/11/27 Frank Cusack

> On November 27, 2009 9:59:31 AM -0800 Frank Cusack wrote:
>
>> I've added my own debug as clamscan
>> is being run and is detecting a virus, it's just that MailScanner isn't
>> picking that up.
>>
>
> That should have read: I've added my own debug and verified that clamscan
> is being run and is detecting a virus ...
>
>
> -frank
>

Frank

log messages please

Also if you put in a mail into the queue with a virus (eicar) and then run MailScanner in debug. Pastebin the output and send the link. That way Jules has a chance to see what's happening.

--
Martin Hepworth
Oxford, UK

From fcusack at fcusack.com Sat Nov 28 19:29:11 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Sat Nov 28 19:29:29 2009
Subject: OT: Exchange vs MS question
In-Reply-To: <72cf361e0911280213r1afd88ecqebe529912d5026d8@mail.gmail.com>
References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0EF2F7.6050709@iinet.net.au> <4B0EFB33.2010008@USherbrooke.ca> <72cf361e0911280213r1afd88ecqebe529912d5026d8@mail.gmail.com>
Message-ID: <20F9CC17DD6FC5282ED9B418@rdf.local>

On November 28, 2009 10:13:11 AM +0000 Martin Hepworth wrote:
> Dennis
> If your internal pc gets infected it will use smtp to send out mugs not
> exchange so normal rules apply.

good point, but if using smtp it probably contacts remote smtp servers directly, not via your internal gateway. therefore blocking port 25 outbound should be sufficient (and should be SOP anyway). my internal gateway does not do any spam/virus checking however i am reconsidering. it sucks to get blacklisted.

-frank

From fcusack at fcusack.com Sat Nov 28 19:38:02 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Sat Nov 28 19:38:14 2009
Subject: virus scan not available -> no virus check!
In-Reply-To:
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <459F86471B05563D58914FD9@rdf.local> <4B112C05.2060501@ecs.soton.ac.uk>
Message-ID: <183EF2AD980AD41D7679C85F@rdf.local>

On November 28, 2009 1:56:21 PM +0000 Jules Field wrote:
> Frank,
>
> I quite understand your point, and will see what I can do to address it.
> It's only really a problem with clamd and the other "daemon-based" virus
> scanners. I can't promise anything, but I will take a look.
>
> What exactly would you like MailScanner to do in such a situation?
>
> And, believe it or not, I can't remember anyone ever bringing this up
> before as a major point.
Basically you currently have to be sure your
> daemons are running properly for it to work correctly.
>
> If the daemon cannot be contacted, what would you prefer?
> a) mail stops flowing
> b) mail is all quarantined
> c) something else
>
> (a) is possibly preferred, I don't think (b) is a good idea. It needs to
> be some fairly simple action, I don't want to have to write reams of code
> for this unlikely event.

(a) would be my preference. An alert wouldn't even need to be sent -- when mail stops it will be noticed rather quickly. And as someone else pointed out, an email alert may not make it anyway (it probably gets routed through MailScanner).

There's also the question of whether mail should stop if ANY of the virus scanners are unavailable or only if ALL scanners are unavailable. I don't have a suggestion for that. If you have only 1 virus scanner then both conditions are met so it's obvious what to do there.

-frank

From alex at rtpty.com Sat Nov 28 21:45:10 2009
From: alex at rtpty.com (Alex Neuman)
Date: Sat Nov 28 21:45:38 2009
Subject: OT: Exchange vs MS question
In-Reply-To: <20F9CC17DD6FC5282ED9B418@rdf.local>
References: <4B0ED836.200@USherbrooke.ca> <72cf361e0911261200g7b47294cyf12b3e26fe4b2aba@mail.gmail.com> <4B0EE083.1090803@USherbrooke.ca> <4B0EF2F7.6050709@iinet.net.au> <4B0EFB33.2010008@USherbrooke.ca> <72cf361e0911280213r1afd88ecqebe529912d5026d8@mail.gmail.com> <20F9CC17DD6FC5282ED9B418@rdf.local>
Message-ID: <197BBE05-3290-4CA9-8E5C-31687D50D094@rtpty.com>

Also important "should-be-SOP" is to manage your outgoing connections in such a way so that getting blacklisted is more difficult.

On Nov 28, 2009, at 2:29 PM, Frank Cusack wrote:

> my internal
> gateway does not do any spam/virus checking however i am reconsidering.
> it sucks to get blacklisted.

From edward at tdcs.com.au Sun Nov 29 01:00:38 2009
From: edward at tdcs.com.au (Edward Dekkers)
Date: Sun Nov 29 01:01:29 2009
Subject: MailScanner Looping?
- REVISITED with more info
In-Reply-To: <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com>
References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com>
Message-ID:

***UPDATE*** attachment files linked here because message size was too big for mailing list:

http://www.mediafire.com/file/tizj1mmgtnt/9FC8FC702F1

http://www.mediafire.com/file/43z2n41mzox/C8A3CC70115

P.S. I HAVE noticed Alessandro has a similar problem - perhaps he can elaborate as well and compare notes?

RECAP - MailScanner is looping - it runs on a batch of messages, and one or two will break something and cause MS to NOT clear the queue, resulting in a loop. Unfortunately it doesn't seem to process the messages that are fine causing non-problematic to pile up in the HOLD queue.

Configuration: Upgrade Ubuntu Server from 9.04 to 9.10 recently - never any issues before.

Previously Glenn has asked me to keep an eye on this and give some more debugging information:

> The lint can be done with MailScanner live, but the debug is better
> run with the system "quiescent"... That way you have better control and
> can inspect the queue files in the "incoming" (PF "out";-)
> directory... If any. The debug will take one batch from hold, so if
> one want to check one message at a time... ;-)
>
> > Regards,
> > Ed.
>
> Cheers
> --
> -- Glenn

Herewith I present the results of MailScanner --lint:

=======================================================
root@ubuntu:/usr/share/MailScanner/bin# MailScanner --lint
Trying to setlogsock(unix)
Read 856 hostnames from the phishing whitelist
Read 8708 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.74.16) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (121)
MailScanner setting UID to (113)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamd
===========================================================================
Insecure dependency in chown while running with -T switch at /usr/share/MailScanner//MailScanner/Message.pm line 2407.
===========================================================================

I then place message 9FC8FC702F1 in the queue and get this with MailScanner --debug:

===========================================================================
root@ubuntu:/usr/share/MailScanner/bin# MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 1 message.
max message size is '200k'
Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
===========================================================================

I remove that message from the queue, and enter message C8A3CC70115:

===========================================================================
root@ubuntu:/usr/share/MailScanner/bin# MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 1 message.
Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
===========================================================================

The above two messages will cause MailScanner to fail.

The thing about the -T switch doesn't seem to affect the messages without a problem, but if you guys have a clue about how to get rid of that error messages, I'd be grateful.

I've attached the problematic messages.

Hopefully I've provided you guys with a lot more this time.

Regards,
Ed.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From fcusack at fcusack.com Sun Nov 29 08:00:47 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Sun Nov 29 08:01:04 2009
Subject: clamav not working?
In-Reply-To: <72cf361e0911280751s79aafc24r8d179ae3b976fc72@mail.gmail.com>
References: <765892CD1A77238CE4BC8F42@rdf.local> <4B0BA928.7030205@ecs.soton.ac.uk> <35BE910E9EEFB85CE22A0C99@rdf.local> <72cf361e0911280751s79aafc24r8d179ae3b976fc72@mail.gmail.com>
Message-ID:

On November 28, 2009 3:51:53 PM +0000 Martin Hepworth wrote:
> log messages please

before I do that I would like to hear from a single person who
is successfully using the clamav module

From lists at elasticmind.net Sun Nov 29 12:38:08 2009
From: lists at elasticmind.net (mog)
Date: Sun Nov 29 12:38:39 2009
Subject: virus scan not available -> no virus check!
In-Reply-To: <183EF2AD980AD41D7679C85F@rdf.local>
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <459F86471B05563D58914FD9@rdf.local> <4B112C05.2060501@ecs.soton.ac.uk> <183EF2AD980AD41D7679C85F@rdf.local>
Message-ID: <4B126B30.9090809@elasticmind.net>

Frank Cusack wrote:
> On November 28, 2009 1:56:21 PM +0000 Jules Field
> wrote:
>> Frank,
>>
>> I quite understand your point, and will see what I can do to address it.
>> It's only really a problem with clamd and the other "daemon-based" virus
>> scanners. I can't promise anything, but I will take a look.
>>
>> What exactly would you like MailScanner to do in such a situation?
>>
>> And, believe it or not, I can't remember anyone ever bringing this up
>> before as a major point. Basically you currently have to be sure your
>> daemons are running properly for it to work correctly.
>>
>> If the daemon cannot be contacted, what would you prefer?
>> a) mail stops flowing
>> b) mail is all quarantined
>> c) something else
>>
>> (a) is possibly preferred, I don't think (b) is a good idea. It needs to
>> be some fairly simple action, I don't want to have to write reams of code
>> for this unlikely event.
>
> (a) would be my preference. An alert wouldn't even need to be sent --
> when mail stops it will be noticed rather quickly. And as someone else
> pointed out, an email alert may not make it anyway (it probably gets
> routed through MailScanner).
>
> There's also the question of whether mail should stop if ANY of the virus
> scanners are unavailable or only if ALL scanners are unavailable. I
> don't have a suggestion for that. If you have only 1 virus scanner
> then both conditions are met so it's obvious what to do there.
>
> -frank

Agreed. (a) seems to make the most sense and hopefully isn't too
difficult to implement. I think quarantining all the mail would be
really annoying.

I believe that if people are running more than one virus scanner and
one stops working, MailScanner should not treat this as a critical
error and stop processing mail. To me, having more than one virus
scanner is just like having redundancy of some kind. One failing
doesn't mean all operations should stop, since messages are still
being scanned for viruses, just not as well as they might be normally.

mog

From MailScanner at ecs.soton.ac.uk Sun Nov 29 13:19:32 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 29 13:19:52 2009
Subject: MailScanner Looping? - REVISITED with more info
In-Reply-To:
References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com> <4B1274E4.70000@ecs.soton.ac.uk>
Message-ID:

Do this on the latest release. You may well find the behaviour has changed.

On 29/11/2009 01:00, Edward Dekkers wrote:
> ***UPDATE*** attachment files linked here because message size was too big
> for mailing list:
>
> http://www.mediafire.com/file/tizj1mmgtnt/9FC8FC702F1
>
> http://www.mediafire.com/file/43z2n41mzox/C8A3CC70115
>
> P.S. I HAVE noticed Alessandro has a similar problem - perhaps he can
> elaborate as well and compare notes?
>
> RECAP - MailScanner is looping - it runs on a batch of messages, and one or
> two will break something and cause MS to NOT clear the queue, resulting in a
> loop. Unfortunately it doesn't seem to process the messages that are fine
> causing non-problematic messages to pile up in the HOLD queue.
>
> Configuration:
>
> Upgraded Ubuntu Server from 9.04 to 9.10 recently - never any issues before.
>
> Previously Glenn has asked me to keep an eye on this and give some more
> debugging information:
>
>
>> The lint can be done with MailScanner live, but the debug is better
>> run with the system "quiescent"... That way you have better control and
>> can inspect the queue files in the "incoming" (PF "out";-)
>> directory... If any. The debug will take one batch from hold, so if
>> one wants to check one message at a time... ;-)
>>
>>
>>> Regards,
>>> Ed.
>>>
>>>
>> Cheers
>> --
>> -- Glenn
>>
> Herewith I present the results of MailScanner --lint:
>
> =======================================================
> root@ubuntu:/usr/share/MailScanner/bin# MailScanner --lint
> Trying to setlogsock(unix)
> Read 856 hostnames from the phishing whitelist
> Read 8708 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.74.16) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (121)
> MailScanner setting UID to (113)
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = clamav"
> Found these virus scanners installed: clamd
> ===========================================================================
> Insecure dependency in chown while running with -T switch at
> /usr/share/MailScanner//MailScanner/Message.pm line 2407.
> ============================================================================
> ===========================================
>
> I then place message 9FC8FC702F1 in the queue and get this with MailScanner
> --debug:
>
> ============================================================================
> =========
> root@ubuntu:/usr/share/MailScanner/bin# MailScanner --debug
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
> Have a batch of 1 message.
> max message size is '200k'
> Insecure dependency in open while running with -T switch at
> /usr/lib/perl/5.10/IO/File.pm line 63.
> ============================================================================
> ========================
>
> I remove that message from the queue, and enter message C8A3CC70115:
>
> ======================================================================
> root@ubuntu:/usr/share/MailScanner/bin# MailScanner --debug
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
> Have a batch of 1 message.
> Insecure dependency in open while running with -T switch at
> /usr/lib/perl/5.10/IO/File.pm line 63.
> ============================================================================
> ======================
>
> The above two messages will cause MailScanner to fail. The thing about the
> -T switch doesn't seem to affect the messages without a problem, but if you
> guys have a clue about how to get rid of that error message, I'd be
> grateful.
>
> I've attached the problematic messages.
>
> Hopefully I've provided you guys with a lot more this time.
>
> Regards,
> Ed.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

From MailScanner at ecs.soton.ac.uk Sun Nov 29 15:03:13 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Nov 29 15:03:40 2009
Subject: virus scan not available -> no virus check!
In-Reply-To: <4B126B30.9090809@elasticmind.net>
References: <5D849B8D11C14063B57E3E18D7F01FCB@SAHOMELT> <459F86471B05563D58914FD9@rdf.local> <4B112C05.2060501@ecs.soton.ac.uk> <183EF2AD980AD41D7679C85F@rdf.local> <4B126B30.9090809@elasticmind.net> <4B128D31.7000500@ecs.soton.ac.uk>
Message-ID:

On 29/11/2009 12:38, mog wrote:
>
>
> Frank Cusack wrote:
>> On November 28, 2009 1:56:21 PM +0000 Jules Field
>> wrote:
>>> Frank,
>>>
>>> I quite understand your point, and will see what I can do to address it.
>>> It's only really a problem with clamd and the other "daemon-based" virus
>>> scanners. I can't promise anything, but I will take a look.
>>>
>>> What exactly would you like MailScanner to do in such a situation?
>>>
>>> And, believe it or not, I can't remember anyone ever bringing this up
>>> before as a major point. Basically you currently have to be sure your
>>> daemons are running properly for it to work correctly.
>>>
>>> If the daemon cannot be contacted, what would you prefer?
>>> a) mail stops flowing
>>> b) mail is all quarantined
>>> c) something else
>>>
>>> (a) is possibly preferred, I don't think (b) is a good idea. It needs to
>>> be some fairly simple action, I don't want to have to write reams of code
>>> for this unlikely event.
>>
>> (a) would be my preference. An alert wouldn't even need to be sent --
>> when mail stops it will be noticed rather quickly. And as someone else
>> pointed out, an email alert may not make it anyway (it probably gets
>> routed through MailScanner).
>>
>> There's also the question of whether mail should stop if ANY of the virus
>> scanners are unavailable or only if ALL scanners are unavailable. I
>> don't have a suggestion for that. If you have only 1 virus scanner
>> then both conditions are met so it's obvious what to do there.
>>
>> -frank
>
> Agreed. (a) seems to make the most sense and hopefully isn't too
> difficult to implement. I think quarantining all the mail would be
> really annoying.
>
> I believe that if people are running more than one virus scanner and
> one stops working, MailScanner should not treat this as a critical
> error and stop processing mail. To me, having more than one virus
> scanner is just like having redundancy of some kind. One failing
> doesn't mean all operations should stop, since messages are still
> being scanned for viruses, just not as well as they might be normally.

This is all implemented in the latest beta I have just released, 4.79.4.
Please test it out for me and check that it does work.

Jules
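Added example, not part of the original thread and not MailScanner's own code: one way to implement option (a) discussed above, probing a clamd-style daemon with its PING command before each batch and leaving mail queued when scanners are down. The function names, the `require` switch for the ANY/ALL question, the second scanner name and the in-process fake daemon are assumptions made for this illustration.

```python
"""Added illustration (not MailScanner code): probe daemon scanners, fail closed."""
import socket
import threading


def clamd_alive(host, port, timeout=2.0):
    """True only if the daemon answers clamd's PING command with PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"nPING\n")  # 'n' prefix = newline-delimited command
            return sock.recv(16).strip() == b"PONG"
    except OSError:  # refused, unreachable, or timed out: treat as down
        return False


def probe_all(endpoints, timeout=2.0):
    """endpoints: {name: (host, port)} -> {name: reachable?}"""
    return {name: clamd_alive(h, p, timeout) for name, (h, p) in endpoints.items()}


def batch_decision(status, require="any"):
    """Decide what to do with the next batch.

    require="any": keep scanning while at least one scanner is up
                   (the redundancy view from the thread).
    require="all": stop as soon as any scanner is down.
    Returns ("scan", usable) or ("defer", down); "defer" means leave the
    batch queued so mail stops flowing (option a), never deliver unscanned.
    """
    if require not in ("any", "all"):
        raise ValueError("require must be 'any' or 'all'")
    up = sorted(n for n, ok in status.items() if ok)
    down = sorted(n for n, ok in status.items() if not ok)
    if not status:  # no virus scanners configured: nothing to wait for
        return ("scan", [])
    healthy = bool(up) if require == "any" else not down
    return ("scan", up) if healthy else ("defer", down)


def start_fake_daemon(reply=b"PONG\n"):
    """Constructed stand-in for a scanner daemon on 127.0.0.1; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if conn.recv(64) == b"nPING\n":
                    conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A local port with nothing listening (simulates a stopped daemon)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Constructed scenario: clamd stopped, a hypothetical second scanner up."""
    endpoints = {
        "clamd": ("127.0.0.1", unused_port()),
        "scanner-b": ("127.0.0.1", start_fake_daemon()),
    }
    status = probe_all(endpoints, timeout=1.0)
    return status, batch_decision(status, "any"), batch_decision(status, "all")


if __name__ == "__main__":
    print(demo())
```

With a single configured scanner the two `require` modes give the same answer, which is the case Frank describes as obvious; a port that answers with anything other than PONG is also treated as down.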
From nats at sscrmnl.edu.ph Mon Nov 30 02:11:18 2009
From: nats at sscrmnl.edu.ph (Jose Nathaniel Nengasca)
Date: Mon Nov 30 02:12:52 2009
Subject: (no subject)
Message-ID: <000c01ca7162$6712cee0$35386ca0$@edu.ph>

Hi,

Is there any solution (aside from formatting 1000 windows workstations) that
can stop worms from using my mail server? It is sending email using
ambiguous email addresses like alsdfjasdfj@mydomain.com to AOL email
servers. Can Mailscanner check the /etc/passwd to check if the user does
exist before sending out email to the internet?

Thank you very much.

Jose Nathaniel G. Nengasca

---------------------------------------------------
This message is solely intended to the person(s) indicated on the header and has been scanned for viruses and dangerous content by MailScanner. If any malware detected on this transmission, please email the postmaster at admin@sscrmnl.edu.ph.

Providing Quality Catholic Education for the Masses
for more info visit us at http://www.sscrmnl.edu.ph

From alex at rtpty.com Mon Nov 30 02:50:38 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Nov 30 02:50:51 2009
Subject: (no subject)
In-Reply-To: <000c01ca7162$6712cee0$35386ca0$@edu.ph>
References: <000c01ca7162$6712cee0$35386ca0$@edu.ph>
Message-ID:

Your server should authenticate them first. Read about SMTP authentication and open relays. If you need help you'll have to be more specific about what your setup is like.

On Nov 29, 2009, at 9:11 PM, Jose Nathaniel Nengasca wrote:

> Is there any solution (aside from formatting 1000 windows workstations) that can stop worms from using my mail server? It is sending email using ambiguous email addresses like alsdfjasdfj@mydomain.com
> to AOL email servers. Can Mailscanner check the /etc/passwd to check if the user does exist before sending out email to the internet?
>
> Thank you very much.
>
> Jose Nathaniel G. Nengasca

From alex at rtpty.com Mon Nov 30 02:54:33 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Nov 30 02:54:46 2009
Subject: (no subject)
In-Reply-To: <000c01ca7162$6712cee0$35386ca0$@edu.ph>
References: <000c01ca7162$6712cee0$35386ca0$@edu.ph>
Message-ID: <4F49753D-DC54-4362-9F64-A2929CB82A5E@rtpty.com>

It's not a completely open relay. It *is* postfix, which is a bit difficult to set up the wrong way but you may have succeeded in doing so. It looks like you've added an "allow anyone from my internal network to relay through me without any checking whatsoever". You need to take that out so that only authenticated users can do that. And you *do* need to go into every machine's MUA and enable authentication - which you should have done in the first place.

Also you need to set up proper port 25 filtering in your firewall so that no one can go out using port 25 without going through your server first - and thus having to authenticate.

On Nov 29, 2009, at 9:11 PM, Jose Nathaniel Nengasca wrote:

> Is there any solution (aside from formatting 1000 windows workstations) that can stop worms from using my mail server? It is sending email using ambiguous email addresses like alsdfjasdfj@mydomain.com
> to AOL email servers. Can Mailscanner check the /etc/passwd to check if the user does exist before sending out email to the internet?
>
> Thank you very much.
>
> Jose Nathaniel G. Nengasca

From rcooper at dwford.com Mon Nov 30 03:46:50 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Nov 30 03:47:06 2009
Subject: (no subject)
In-Reply-To: <000c01ca7162$6712cee0$35386ca0$@edu.ph>
References: <000c01ca7162$6712cee0$35386ca0$@edu.ph>
Message-ID:

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jose Nathaniel Nengasca
Sent: Sunday, November 29, 2009 9:11 PM
To: mailscanner@lists.mailscanner.info
Subject: (no subject)

> Hi,
>
>
>
> Is there any solution (aside from formatting 1000 windows workstations)
> that
> can stop worms from using my mail server? It is sending email using
> ambiguous email addresses like alsdfjasdfj@mydomain.com to AOL email
> servers. Can Mailscanner check the /etc/passwd to check if the user does
> exist before sending out email to the internet?
>
>
>

Are you sure it's actually going out via the mail server? Most worms send direct. I personally do not allow any out bound attempts to reach something on 25, 110,143, etc to any host, other than our own servers, unless it's one of our servers that should be sending. All users must authenticate even from the local network. And yes that means they cannot reach legitimate mail services with whom they may have personal access to... Tough. I let them know if they want to track their personal mail from work they need to set up their mail service to forward a copy to their work address. (and no yahoo, gmail, hotmail/livemail and such either).

This is your mta's job, not MailScanner... Checking passwd would do no good for me, and many others, as all of my mail accounts are virtual, there are no users on any of our mail servers except me. So to implement that idea MS would pretty much have to satisfy the many methods of handling users on mail servers, from flat files to ldap.

From fcusack at fcusack.com Mon Nov 30 04:09:49 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon Nov 30 04:10:03 2009
Subject: clamav MaxThreads?
Message-ID:

Should the clamav (clamd.conf) MaxThreads number match the number
of children that MailScanner is configured to run?

Sorry if this is documented somewhere.

-frank

From rcooper at dwford.com Mon Nov 30 18:05:36 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Nov 30 18:05:56 2009
Subject: clamav MaxThreads?
In-Reply-To:
References:
Message-ID: <77EFE2DC66B04BFAB79329BDB1BF05EB@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
Sent: Sunday, November 29, 2009 11:10 PM
To: MailScanner discussion
Subject: clamav MaxThreads?

> Should the clamav (clamd.conf) MaxThreads number match the number
> of children that MailScanner is configured to run?
>
> Sorry if this is documented somewhere.
>

Max threads should be set to a value => the maximum parallel scans you expect to see, if MailScanner is the only process scanning then matching the number of MS children or maybe one more. Bear in mind the real memory used per clamd child process is actually small as the virus data is shared among them so the default should be fine unless you are running more MS children than 10

Rick
From fcusack at fcusack.com Mon Nov 30 18:19:04 2009
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon Nov 30 18:19:18 2009
Subject: clamav MaxThreads?
In-Reply-To: <77EFE2DC66B04BFAB79329BDB1BF05EB@SAHOMELT>
References: <77EFE2DC66B04BFAB79329BDB1BF05EB@SAHOMELT>
Message-ID: <9F15E3634A160FC056748791@rdf.local>

On November 30, 2009 1:05:36 PM -0500 Rick Cooper wrote:
> ----Original Message----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank
> Cusack Sent: Sunday, November 29, 2009 11:10 PM To: MailScanner discussion
> Subject: clamav MaxThreads?
>
>> Should the clamav (clamd.conf) MaxThreads number match the number
>> of children that MailScanner is configured to run?
>>
>> Sorry if this is documented somewhere.
>>
>
> Max threads should be set to a value => the maximum parallel scans you
> expect to see, if MailScanner is the only process scanning then matching
> the number of MS children or maybe one more. Bear in mind the real memory
> used per clamd child process is actually small as the virus data is
> shared among them so the default should be fine unless you are running
> more MS children than 10

So I was planning on running 40 MS children -- not because I have high
mail volume or anything, but because the documentation suggested 5
children per CPU and I have 8 cores. Is that too many for my smallish
setup (150 mail accounts, typical small medium business email).

The machine running MS is also doing other stuff so I wouldn't want
MS to run away with all the CPU.

-frank

From Garrod.Alwood at lorodoes.com Mon Nov 30 18:26:23 2009
From: Garrod.Alwood at lorodoes.com (Garrod M. Alwood)
Date: Mon Nov 30 18:32:25 2009
Subject: clamav MaxThreads?
In-Reply-To: <9F15E3634A160FC056748791@rdf.local>
References: <77EFE2DC66B04BFAB79329BDB1BF05EB@SAHOMELT>, <9F15E3634A160FC056748791@rdf.local>
Message-ID:

Yes, that's too much. You should probably use the typical setup. That would be a waste of resources.

Garrod M. Alwood
Consultant
garrod.alwood@lorodoes.com
904.738.4988
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack [fcusack@fcusack.com]
Sent: Monday, November 30, 2009 1:19 PM
To: MailScanner discussion
Subject: RE: clamav MaxThreads?

On November 30, 2009 1:05:36 PM -0500 Rick Cooper wrote:
> ----Original Message----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank
> Cusack Sent: Sunday, November 29, 2009 11:10 PM To: MailScanner discussion
> Subject: clamav MaxThreads?
>
>> Should the clamav (clamd.conf) MaxThreads number match the number
>> of children that MailScanner is configured to run?
>>
>> Sorry if this is documented somewhere.
>>
>
> Max threads should be set to a value => the maximum parallel scans you
> expect to see, if MailScanner is the only process scanning then matching
> the number of MS children or maybe one more. Bear in mind the real memory
> used per clamd child process is actually small as the virus data is
> shared among them so the default should be fine unless you are running
> more MS children than 10

So I was planning on running 40 MS children -- not because I have high
mail volume or anything, but because the documentation suggested 5
children per CPU and I have 8 cores. Is that too many for my smallish
setup (150 mail accounts, typical small medium business email).

The machine running MS is also doing other stuff so I wouldn't want
MS to run away with all the CPU.

-frank
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
From rcooper at dwford.com Mon Nov 30 18:39:55 2009
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Nov 30 18:40:13 2009
Subject: clamav MaxThreads?
In-Reply-To: <9F15E3634A160FC056748791@rdf.local>
References: <77EFE2DC66B04BFAB79329BDB1BF05EB@SAHOMELT> <9F15E3634A160FC056748791@rdf.local>
Message-ID: <39460C6817EC4F3B9C054BA73D078F4D@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank Cusack
Sent: Monday, November 30, 2009 1:19 PM
To: MailScanner discussion
Subject: RE: clamav MaxThreads?

> On November 30, 2009 1:05:36 PM -0500 Rick Cooper
> wrote:
>> ----Original Message----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Frank
>> Cusack Sent: Sunday, November 29, 2009 11:10 PM To: MailScanner
>> discussion Subject: clamav MaxThreads?
>>
>>> Should the clamav (clamd.conf) MaxThreads number match the number
>>> of children that MailScanner is configured to run?
>>>
>>> Sorry if this is documented somewhere.
>>>
>>
>> Max threads should be set to a value => the maximum parallel scans you
>> expect to see, if MailScanner is the only process scanning then matching
>> the number of MS children or maybe one more. Bear in mind the real memory
>> used per clamd child process is actually small as the virus data is
>> shared among them so the default should be fine unless you are running
>> more MS children than 10
>
> So I was planning on running 40 MS children -- not because I have high
> mail volume or anything, but because the documentation suggested 5
> children per CPU and I have 8 cores. Is that too many for my smallish
> setup (150 mail accounts, typical small medium business email).
>
> The machine running MS is also doing other stuff so I wouldn't want
> MS to run away with all the CPU.
>

150 mail accounts is a pretty small load, I think 40 children would be way (multiples) too high. Think in terms of volume as it relates to mailscanner batches. I would start at 3 - 5 and see how that works out. If the queue tends to back up then add another one or two.

Rick

From edward at tdcs.com.au Mon Nov 30 22:00:02 2009
From: edward at tdcs.com.au (Edward Dekkers)
Date: Mon Nov 30 22:00:40 2009
Subject: MailScanner Looping? - REVISITED with more info
In-Reply-To:
References: <223f97700911120529g7dc2410blcd2b3bb0727519a6@mail.gmail.com> <223f97700911130045v716f0630w45a76061b70fc506@mail.gmail.com> <4B1274E4.70000@ecs.soton.ac.uk>
Message-ID:

> Do this on the latest release. You may well find the behaviour has
> changed.

OK, happy to try this.

Is there a nice dpkg way to do this for Ubuntu? (Can't seem to find it).

Reason I ask is because all the MailScanner documentation seems to have its directories in different places than the Ubuntu dpkg install of MailScanner.

It was always running so well and the only thing I'm a guru at is messing things up.

Should I remove the dpkg version and start from scratch with the tarball? How does this affect spamassassin/clamav?

Regards,
Ed.

From paul.welsh.3 at googlemail.com Mon Nov 30 23:04:41 2009
From: paul.welsh.3 at googlemail.com (Paul Welsh)
Date: Mon Nov 30 23:04:52 2009
Subject: OT: PGP
Message-ID: <49df20710911301504m47d979abx85b00efa7d9383fd@mail.gmail.com>

Hi all

Apologies that this is somewhat off-topic but could anyone recommend a
PGP solution for commercial use, ie, not a "free for personal use
only" application?

A supplier will be sending PGP encrypted email to a single address in
our company. It may be that a handful of users rather than just one
will need to read it. I don't envisage the volumes to be high. I
don't think my users will need to send PGP encrypted mail.
The users are running Windows XP and Outlook 2003 connected to an
Exchange server with MailScanner feeding it so a product with plugins
for Outlook would be handy.

I found a few solutions today:

PGP Desktop Email -
http://www.pgp.com/products/desktop_email/index.html ?149 per user. I
see the trial version becomes free for personal use only after 30
days. Haven't tried it yet. Would have tried it first but for the
fact that I couldn't find the link for the trial version.

GPG4Win - http://www.gpg4win.org/ - free but I tried it today and it
did seem a bit awkward to use for your average user.

cGeep - http://www.cgeep.com/ - ?70. Started to try it.

Are any of these the obvious choice? Is there a product you'd
recommend that I haven't found?

Thanks for any pointers you can give me.

Paul