From MailScanner at ecs.soton.ac.uk Thu Oct 1 09:03:07 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Oct 1 09:03:45 2009
Subject: Changes to spam.blacklist.rules and spam.whitelist.rules
In-Reply-To:
References: <4AC4623B.4030901@ecs.soton.ac.uk>
Message-ID:

On 30/09/2009 21:19, Christopher Fisk wrote:
>> Christopher Fisk wrote:
>> > Quick question on these. If I change these files do I need to
>> > restart MailScanner?
>> >
>> You can do a "MailScanner reload" which rereads the
>> config w/o stopping the critter...
>>
>
> Can I do a
>
> killall -HUP MailScanner
>
> Safely to force a reload?

Yes.

> I don't have an init script setup currently for these systems, and I'm trying to write a script to create the spam.blacklist.rules and spam.whitelist.rules list from a MySQL database.
>
> I just tested it and it reloaded fine, but I want to make sure I'm not breaking anything. It would only be when I add or remove a whitelist or blacklist entry, a few times a week.
>

That will work fine. It's what a "service MailScanner reload" actually does anyway (more or less) :-)

> Christopher Fisk

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jens.potthast at innovation.uni-bremen.de Thu Oct 1 13:49:52 2009
From: jens.potthast at innovation.uni-bremen.de (Jens Potthast)
Date: Thu Oct 1 13:50:27 2009
Subject: Broken (mailwatch) quarantine_maint.php? Or broken system?
Message-ID: <4AC4A570.80501@innovation.uni-bremen.de>

Hi,

can someone please point me in the right direction? It might be a general issue because the scripts quarantine_report.php and db_clean.php do exactly the same - nothing. I'm worried that I do not even get some kind of error message. The scripts get executed (using first line #!/usr/bin/php) but no feedback whatsoever. Echoing my cmd args will work (and stop the script with an error) just as long as I place it before the included 'functions.php'.

My system: mailwatch 1.0.4 on CentOS 5.3. My php is with zend extension.

Please help.

Jens

From timb at vwg.com Thu Oct 1 15:15:01 2009
From: timb at vwg.com (Timothy Barhorst)
Date: Thu Oct 1 15:15:17 2009
Subject: Notify Recipient of Blocked ZIP Attachment
Message-ID:

Hello,

Our company uses MailScanner to block zip files and many do get blocked. However, some of our users wish to be notified when one has been put in quarantine. What is the best way to accomplish this or should I just allow all zip files through? Anyone have an opinion about this?

Thanks,
Tim

From mark at msapiro.net Thu Oct 1 18:54:03 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Oct 1 18:54:19 2009
Subject: Filename reporting issue - was: Filename enconding in auto-zip feature
In-Reply-To:
References: <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> <4AC313F9.4080405@ecs.soton.ac.uk> <20090930153936.GA1856@msapiro> <4AC380FC.60902@ecs.soton.ac.uk>
Message-ID: <20091001175403.GA3484@msapiro>

On Wed, Sep 30, 2009 at 05:02:04PM +0100, Jules Field wrote:
>
> On 30/09/2009 16:39, Mark Sapiro wrote:
> >
> >I don't have any problem with certain characters being escaped as %nn,
> >but I do think that dropping pieces of the name, in particular in some
> >cases entire 'extensions' is a problem.
> >
> It all depends on the length of the filename after the last filename
> extension has been removed. This is truncated at a fixed point. So some
> other "extensions" may be lost. I'm not sure there is any easy way,
> heuristically, of trimming the filename while leaving *all* the
> extensions, as it's unknown what is and is not an extension, and what is
> just a dot in the middle of the text of the "main" bit of the filename.

I understand. I didn't realize that the issue was because of a simple truncation based on length. Given that, and the desire to not report overly long names, I think it's OK the way it is, and mail admins will just have to realize they need to see the original message or the Filename Checks: MailScanner log message to see the original name.

I agree that trying to give priority to certain portions of the name while shortening it is futile.

--
Mark Sapiro mark at msapiro net
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B.
Dylan

From MailScanner at ecs.soton.ac.uk Thu Oct 1 19:14:15 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Thu Oct 1 19:14:32 2009
Subject: Filename reporting issue - was: Filename enconding in auto-zip feature
In-Reply-To: <20091001175403.GA3484@msapiro>
References: <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> <4AC313F9.4080405@ecs.soton.ac.uk> <20090930153936.GA1856@msapiro> <4AC380FC.60902@ecs.soton.ac.uk> <20091001175403.GA3484@msapiro> <4AC4F177.9030904@ecs.soton.ac.uk>
Message-ID:

On 01/10/2009 18:54, Mark Sapiro wrote:
> On Wed, Sep 30, 2009 at 05:02:04PM +0100, Jules Field wrote:
>
>>
>> On 30/09/2009 16:39, Mark Sapiro wrote:
>>
>>> I don't have any problem with certain characters being escaped as %nn,
>>> but I do think that dropping pieces of the name, in particular in some
>>> cases entire 'extensions' is a problem.
>>>
>> It all depends on the length of the filename after the last filename
>> extension has been removed. This is truncated at a fixed point. So some
>> other "extensions" may be lost. I'm not sure there is any easy way,
>> heuristically, of trimming the filename while leaving *all* the
>> extensions, as it's unknown what is and is not an extension, and what is
>> just a dot in the middle of the text of the "main" bit of the filename.
>>
>
> I understand. I didn't realize that the issue was because of a simple
> truncation based on length. Given that, and the desire to not report
> overly long names, I think it's OK the way it is, and mail admins will
> just have to realize they need to see the original message or the
> Filename Checks: MailScanner log message to see the original name.
>
> I agree that trying to give priority to certain portions of the name
> while shortening it is futile.
>

Thanks for understanding that. I have to draw a line somewhere.

Now we've got that one rectified, I will do a stable release. Expect a stable release in the next few minutes.

Jules

From MailScanner at ecs.soton.ac.uk Thu Oct 1 19:29:50 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Thu Oct 1 19:30:09 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
References: <4AC4F51E.4040100@ecs.soton.ac.uk>
Message-ID:

Evening all!

I have just released a new stable release of MailScanner 4.78.

There are many new features this time around, including
- "host:" and "host-nocheck:" specifiers in rulesets to allow you to specify hostnames the mail came from, as well as IP addresses and sender e-mail addresses.
- virus scanning is now done before spam scanning.
- new support for "spam-viruses" which are spam messages detected by your virus scanner (such as with the extra ClamAV signature databases, or F-Prot). This is managed by the new MailScanner.conf settings "Spam-Virus Header" and "Virus Names Which Are Spam". See the ChangeLog for more information.
- several installer improvements, in particular for Fedora Core 11 and better RPM management.
- "include" directive in MailScanner.conf files, so you can avoid modifying the shipped MailScanner.conf file at all, making upgrades easier. This also makes large installations easier as you can just specify your local modifications in a set of files stored in /etc/MailScanner/conf.d. "Include" directives can be nested to arbitrary depths, so included files can include other files to any complexity you require.
- Many fixes.

For more information on any of the above, see the Change Log and the MailScanner.conf file as they describe them in more depth.

Download as usual from www.mailscanner.info.

The full Change Log is here:

* New Features and Improvements *
1 Improved handling of Postfix messages with complex structures caused by some milters.
2 In addition to the previous 'host:hostname.domain.com' method of providing a hostname in rulesets, you can now also specify
    host-nocheck:hostname.domain.com
  which is the same thing but no anti-spoof checks are made. This is only useful if you have a 'PTR' record for providing the IP address of the hostname but no forward 'A' record for translating the IP address into a hostname. This is frequently the situation when using dynamic IP addresses.
3 Swapped over virus-scanning and spam-scanning code completely, so all virus-scanning code is done before spam-scanning code. It won't virus-scan "Silent Viruses" which is pretty much all of them now, so it should work okay. This allows me to introduce...
3 New feature to allow detection of "spam-viruses" which are items of spam that are reported by your virus scanner. You can set 2 new configuration options:
    Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
    Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/*
  The names of the "spam-viruses" found are those viruses reported by your virus scanners which match any of the strings given in "Virus Names Which Are Spam". These "spam-virus" names are added to the header set by "Spam-Virus Header". You can then write a SpamAssassin rule in spam.assassin.prefs.conf which gives a score for the presence or contents of this header. I supply an example rule which adds a score of 3 if the header exists. Feel free to re-write and extend that rule! It will not work unless you customise it. You could even write a "SpamAssassin Rule Action" to handle this rule specially!
6 Improved installer for Fedora Core 11.
7 Improved RPM installer so when it needs to, it only removes RPMs I installed.
7-2 Added an "export HOSTNAME" to the init.d script. Should resolve some issues where using "$HOSTNAME" or "${HOSTNAME}" in MailScanner.conf did not work.
8 Added support for "include path-to-conf-files" lines in MailScanner.conf. You can now put your site-specific customisations in separate files, to make upgrading of many servers a lot easier. You can nest "include" files, which means that an "include"d file can "include" other files. The "path-to-conf-files" can use the normal shell wildcard characters such as "*" so a valid line might be
    include /etc/MailScanner/config/*.conf
  to read all the *.conf files in that directory in turn. The *last* value read for each MailScanner.conf setting will be used.
8 Added support for "include" lines in upgrade_MailScanner_conf. If you treat them as comments, the whole problem quietly disappears!
10 Added /etc/MailScanner/conf.d directory to RPM and added a default include line in shipped MailScanner.conf. Put a README in the conf.d directory.
11 Improved notes in conf.d/README file.
13 Added "Quick.Peek" script to distribution to read configuration settings from shell scripts, which correctly handles included files.

* Fixes *
2 Minor fix to phishing net for servers on port numbers that start with "80" but are not 80.
2 Fixed issue of spam report not appearing in rare cases.
4 Fixed problem of silent viruses not being quarantined when requested.
5 Fixed issue where spam-viruses would be quarantined and found as silent.
5-3 Renamed subroutine.
6 Fixed installer for Perl-IO, Perl-DBI, Perl-DBD-SQLite, Perl-Filesys-Df, Perl-Net-DNS for Fedora 11.
7 Fixed installer for Perl-Digest-SHA1 for Fedora 11.
9 Fixed problem where "Scan Messages = no" was ignored.
9 Fixed problem where multiply-infected files in the same archive may not always be removed correctly.
10 Fixed issues with "include" files where they wouldn't be used for a few variables, and "%variable%" definitions in include files were ignored.
11 Fixed problem where settings found in included conf files would be ignored sometimes when starting up.
14 Rulesets used within Custom Functions should work again now.
15 Fixed crash when "Expand TNEF = replace".
16 Improved processing_messages_alert so it behaves better in the face of a ruleset defining "Notices To =".
16 Fixed problem in Exim where duplicate headers could appear due to DeleteHeader not finding them correctly.
16 Improved handling of Unicode and foreign character sets used in attachment filenames.

Jules

From admin at lorodoes.com Thu Oct 1 21:35:49 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Thu Oct 1 21:36:04 2009
Subject: Debain Builds (Please Help soon)
Message-ID:

I am using Ubuntu and I really really really want to use the new version of mailscanner, but I already have it installed through the debian packages and I would prefer just updating the debian packages, UNLESS someone has another CLEAN method for me to remove old, install and run the new mailscanner. I really need help on this. Thank you everyone in advance.

From bill at bfccomputing.com Thu Oct 1 21:53:03 2009
From: bill at bfccomputing.com (Bill McGonigle)
Date: Thu Oct 1 21:53:36 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk>
Message-ID: <4AC516AF.3090401@bfccomputing.com>

On 10/01/2009 02:29 PM, Jules Field wrote:
> - "include" directive in MailScanner.conf files, so you can avoid
> modifying the shipped MailScanner.conf file at all, making upgrades
> easier. This also makes large installations easier as you can just
> specify your local modifications in a set of files stored in
> /etc/MailScanner/conf.d. "Include" directives can be nested to arbitrary
> depths, so included files can include other files to any complexity you
> require.

This is _very_ nice. Mailscanner's upgrader has always been excellent - can it be coerced into revealing modifications (non-default settings) for stashing into one of the new Include files?

-Bill

--
Bill McGonigle, Owner
BFC Computing, LLC
http://bfccomputing.com/
Telephone: +1.603.448.4440
Email, IM, VOIP: bill@bfccomputing.com
VCard: http://bfccomputing.com/vcard/bill.vcf
Social networks: bill_mcgonigle/bill.mcgonigle

From alex at rtpty.com Thu Oct 1 22:08:30 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 1 22:08:41 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk>
Message-ID: <6FD7E2DE-8A19-480F-86AF-AE8111588139@rtpty.com>

You are the greatest!

On Oct 1, 2009, at 1:29 PM, Jules Field wrote:
> - "include" directive in MailScanner.conf files, so you can avoid
> modifying the shipped MailScanner.conf file at all, making upgrades
> easier. This also makes large installations easier as you can just
> specify your local modifications in a set of files stored in /etc/
> MailScanner/conf.d. "Include" directives can be nested to arbitrary
> depths, so included files can include other files to any complexity
> you require.

From Neal at Morgan-Systems.com Thu Oct 1 22:11:20 2009
From: Neal at Morgan-Systems.com (Neal Morgan)
Date: Thu Oct 1 22:12:05 2009
Subject: Debain Builds (Please Help soon)
In-Reply-To:
References:
Message-ID: <6557A87A5B462247861990180A542B1450F9@server-16.MorganSys.net>

> I am using Ubuntu and I really really really want to use the new version
> of mailscanner, but I already have it installed through the debian
> packages and I would prefer just updating the debian packages, UNLESS
> someone has another CLEAN method for me to remove old, install and run
> the new mailscanner. I really need help on this. Thank you everyone in
> advance.
> --

I'm sure one of the smarter folks on the list has a better answer - but just in case:

Have you looked into using the package "alien" to simply create a deb from the rpm?

From chris at techquility.net Thu Oct 1 22:37:44 2009
From: chris at techquility.net (Chris Barber)
Date: Thu Oct 1 22:38:41 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk>
Message-ID: <43F62CA225017044BC84CFAF92B4333B06FCB7@sbsserver.Techquility.net>

On 10/01/2009 02:29 PM, Jules Field wrote:
>- virus scanning is now done before spam scanning.
>- new support for "spam-viruses" which are spam messages detected by
>your virus scanner (such as with the extra ClamAV signature databases,
>or F-Prot). This is managed by the new MailScanner.conf settings
>"Spam-Virus Header" and "Virus Names Which Are Spam". See the ChangeLog
>for more information.

Does this mean that spams caught by the virus scanner will not be deleted anymore? I.E. We can have SA assign a score and the user will see the message in the quarantine report for instance? Also, will whitelisting work as well?

Thanks!

Chris Barber
techQuility

From donald.dawson at bakerbotts.com Thu Oct 1 23:26:17 2009
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Thu Oct 1 23:26:29 2009
Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net>

We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17 version). We installed clam via the MS tar ball. Clam is our only AV and is called by MS via /usr/lib/MailScanner/clamav-wrapper.

We have been getting FPs on some newsletters due to Phishing Heuristics in clam. We also found that MS does not appear to use a clamd.conf or freshclam.conf file. To get around the FP Phishing Heuristics problem, we modified the clamav-wrapper to turn off heuristic url scans (line 152 added in clamav-wrapper script):

    ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"

I would rather not edit the delivered MS script. Is there a clam config file used by MS?

Where would I put the '--phishing-scan-urls=no' option?

Lastly, is it preferable to install clamav, clamav-db and clamd RPMs versus letting MS load clamscan for every email?

...from the tarball clam/SA install.sh script:

    echo 'There are 2 recommended ways of installing ClamAV, depending on'
    echo 'various factors.'
    echo 'If you want to use MailScanners support for Clamd (virus-scanning'
    echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
    echo 'and install the RPMs for clamav, clamav-db and clamd from'
    echo ' http://packages.sw.be/clamav/'
    echo 'Then re-run this script and tell me that clamscan is installed in'
    echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
    echo
    echo 'Otherwise you probably want me to install ClamAV now. So answer y.'

Jules - thank you for a great product!

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

From ssilva at sgvwater.com Thu Oct 1 23:49:31 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Oct 1 23:50:10 2009
Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net>
Message-ID:

on 10-1-2009 3:26 PM donald.dawson@bakerbotts.com spake the following:
> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
> version). We installed clam via the MS tar ball. Clam is our only AV
> and is called by MS via /usr/lib/MailScanner/clamav-wrapper.
>
> We have been getting FPs on some newsletters due to Phishing Heuristics
> in clam. We also found that MS does not appear to use a clamd.conf or
> freshclam.conf file. To get around the FP Phishing Heuristics problem,
> we modified the clamav-wrapper to turn off heuristic url scans (line 152
> added in clamav-wrapper script):
>
> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"
>
> I would rather not edit the delivered MS script. Is there a clam config
> file used by MS?
>
> Where would I put the '--phishing-scan-urls=no' option?
>
> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
> versus letting MS load clamscan for every email?
>
> ...from the tarball clam/SA install.sh script:
>
> echo 'There are 2 recommended ways of installing ClamAV, depending on'
> echo 'various factors.'
> echo 'If you want to use MailScanners support for Clamd (virus-scanning'
> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
> echo 'and install the RPMs for clamav, clamav-db and clamd from'
> echo ' _http://packages.sw.be/clamav/_'
> echo 'Then re-run this script and tell me that clamscan is installed in'
> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
> echo
> echo 'Otherwise you probably want me to install ClamAV now. So answer y.'
>
> Jules - thank you for a great product!
>

The most efficient way is to run clamd. There is a smaller memory footprint, and you can update clam as soon as it comes out instead of waiting for the perl module to be updated.

From admin at lorodoes.com Fri Oct 2 00:06:45 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Fri Oct 2 00:07:01 2009
Subject: Debain Builds (Please Help soon)
In-Reply-To: <6557A87A5B462247861990180A542B1450F9@server-16.MorganSys.net>
References: <6557A87A5B462247861990180A542B1450F9@server-16.MorganSys.net>
Message-ID: <7d8a78597226c605d38a30fd4f4e020d.squirrel@www.lorodoes.com>

FYI, I was able to install the new Mailscanner by using alien on the actual mailscanner rpm, which is inside the first rpm. It works great; I just have to do some updating of the Mailscanner.conf and everything will work great.

>> I am using Ubuntu and I really really really want to use the new version
>> of mailscanner, but I already have it installed through the debian
>> packages and I would prefer just updating the debian packages, UNLESS
>> someone has another CLEAN method for me to remove old, install and run
>> the new mailscanner. I really need help on this. Thank you everyone in
>> advance.
>> --
>
> I'm sure one of the smarter folks on the list has a better answer - but
> just in case:
>
> Have you looked into using the package "alien" to simply create a deb
> from the rpm?
>

From goetz.reinicke at filmakademie.de Fri Oct 2 07:53:56 2009
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator)
Date: Fri Oct 2 07:54:08 2009
Subject: Virus report and german umlaut
Message-ID: <4AC5A384.2050406@filmakademie.de>

Hi,

I got an error while sending an attachment with a "double" filename extension. This is correct as mailscanner is configured to check and disinfect this.

But, the filename shown in the report is somehow confusing as it is not the real name of the file:

Report: Achtung: MailScanner: Attempt to hide real filename extension (Basiskurs Einf.pdf)

The real name is

Basiskurs Einführung IT 2009 - 2010.key.pdf

So there may be a problem with the German umlaut.

Bug? Feature? or misconfiguration?

mailscanner-4.78.17-1
Red Hat Enterprise Linux Server release 5.4 (Tikanga)
perl-5.8.8-27.el5

Thanks and best regards,

Götz

--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry
Managing Director: Prof.
Thomas Schadt

From MailScanner at ecs.soton.ac.uk Fri Oct 2 08:32:15 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Fri Oct 2 08:32:34 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To: <4AC516AF.3090401@bfccomputing.com>
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <4AC516AF.3090401@bfccomputing.com> <4AC5AC7F.2070203@ecs.soton.ac.uk>
Message-ID:

On 01/10/2009 21:53, Bill McGonigle wrote:
> On 10/01/2009 02:29 PM, Jules Field wrote:
>
>> - "include" directive in MailScanner.conf files, so you can avoid
>> modifying the shipped MailScanner.conf file at all, making upgrades
>> easier. This also makes large installations easier as you can just
>> specify your local modifications in a set of files stored in
>> /etc/MailScanner/conf.d. "Include" directives can be nested to arbitrary
>> depths, so included files can include other files to any complexity you
>> require.
>>
> This is _very_ nice. Mailscanner's upgrader has always been excellent -
> can it be coerced into revealing modifications (non-default settings)
> for stashing into one of the new Include files?
>

Yes, it can. "MailScanner --changed" will do the job for you. It prints out a table of all the values that have been changed from the defaults. Shouldn't take you much work to turn that into a conf.d file.

Jules
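
The "include" behaviour described in the announcement and in the reply above (nested includes, shell wildcards, the last value read wins), as an added example that is not part of the original posts and is not MailScanner's own code. It reports which file set each setting's effective value, so a conf.d override that switches a check off is visible; the sample file names, the sorted wildcard order, the case-insensitive setting names and the loop guard are assumptions of this example.

```python
import glob
import os
import tempfile


def norm(name):
    # Assumption: setting names compare case-insensitively, ignoring extra spaces.
    return " ".join(name.lower().split())


def load(path, seen=None, stack=()):
    """Follow include lines; return {setting: [(value, file, lineno), ...]} in read order."""
    seen = {} if seen is None else seen
    real = os.path.realpath(path)
    if real in stack:  # loop guard: an addition of this example
        raise ValueError("include loop via " + real)
    with open(real, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if "=" not in line:
                # A directive, not a setting: a setting whose name merely starts
                # with "Include" still contains "=" and is handled below.
                words = line.split(None, 1)
                if len(words) == 2 and words[0].lower() == "include":
                    # Assumption: wildcard matches are read in sorted order.
                    for inc in sorted(glob.glob(words[1])):
                        load(inc, seen, stack + (real,))
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            seen.setdefault(norm(key), []).append((value, real, lineno))
    return seen


def effective(seen):
    """The last value read for each setting is the one in force."""
    return {key: hits[-1] for key, hits in seen.items()}


def overridden(seen):
    """Settings assigned more than once: the ones to review after an upgrade."""
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


def build_sample(root):
    """Constructed sample tree; file names and layout are hypothetical."""
    confd = os.path.join(root, "conf.d")
    extra = os.path.join(root, "extra")
    os.makedirs(confd)
    os.makedirs(extra)
    main = os.path.join(root, "MailScanner.conf")
    loop = os.path.join(root, "loop.conf")
    files = {
        main: "# shipped file, left unmodified\n"
              "Scan Messages = yes\n"
              "include " + os.path.join(confd, "*.conf") + "\n",
        os.path.join(confd, "10-site.conf"):
              "Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/*\n"
              "include " + os.path.join(extra, "*.conf") + "\n",
        os.path.join(confd, "20-late.conf"): "Scan Messages = no\n",
        os.path.join(extra, "header.conf"):
              "Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:\n",
        loop: "include " + loop + "\n",  # a file that includes itself
    }
    for name, text in files.items():
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(text)
    return main, loop


def demo():
    with tempfile.TemporaryDirectory() as root:
        main, loop = build_sample(root)
        seen = load(main)
        try:
            load(loop)
            loop_caught = False
        except ValueError:
            loop_caught = True
    return seen, loop_caught


if __name__ == "__main__":
    seen, loop_caught = demo()
    for key, (value, path, lineno) in sorted(effective(seen).items()):
        print(f"{key} = {value}   [{os.path.basename(path)}:{lineno}]")
    print("overridden:", sorted(overridden(seen)), "loop caught:", loop_caught)
```
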

From MailScanner at ecs.soton.ac.uk Fri Oct 2 08:33:59 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Fri Oct 2 08:34:17 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B06FCB7@sbsserver.Techquility.net>
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <43F62CA225017044BC84CFAF92B4333B06FCB7@sbsserver.Techquility.net> <4AC5ACE7.3020504@ecs.soton.ac.uk>
Message-ID:

On 01/10/2009 22:37, Chris Barber wrote:
> On 10/01/2009 02:29 PM, Jules Field wrote:
>
>> - virus scanning is now done before spam scanning.
>> - new support for "spam-viruses" which are spam messages detected by
>> your virus scanner (such as with the extra ClamAV signature databases,
>> or F-Prot). This is managed by the new MailScanner.conf settings
>> "Spam-Virus Header" and "Virus Names Which Are Spam". See the ChangeLog
>> for more information.
>>
>
> Does this mean that spams caught by the virus scanner will not be
> deleted anymore? I.E. We can have SA assign a score and the user will
> see the message in the quarantine report for instance? Also, will
> whitelisting work as well?
>

Correct. Should be correct on all counts. The "Spam-Virus Header" is added *before* the message goes into SpamAssassin, so you can write an SA rule that will catch entries in this header and assign a score to them. Then the resulting score can be handled as normal.

Jules
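
The spam-virus flow described in the reply above (virus scan first, matching names go into the "Spam-Virus Header", a SpamAssassin rule then scores on that header), as an added example that is not part of the original posts and is not MailScanner's own code. The scanner report names are constructed, and the case-sensitive glob matching, the comma-separated header value, the handling of mixed reports and the canary check for over-broad patterns are assumptions of this example.

```python
from fnmatch import fnmatchcase

# The two settings exactly as given in the announcement.
CONF = {
    "Spam-Virus Header": "X-%org-name%-MailScanner-SpamVirus-Report:",
    "Virus Names Which Are Spam": "Sane*UNOFFICIAL HTML/*",
}


def split_reports(virus_names, patterns):
    """Partition scanner-reported names into (spam_viruses, real_viruses)."""
    pats = patterns.split()
    spam, real = [], []
    for name in virus_names:
        # Assumption: shell-style, case-sensitive matching against each pattern.
        (spam if any(fnmatchcase(name, p) for p in pats) else real).append(name)
    return spam, real


def header_name(template, org_name):
    """Expand %org-name% and drop the trailing colon of the configured header."""
    return template.replace("%org-name%", org_name).rstrip(":")


def triage(virus_names, conf=CONF, org_name="example", base_score=0.0, rule_points=3.0):
    """Virus scan result first, then spam scoring, as in 4.78."""
    spam, real = split_reports(virus_names, conf["Virus Names Which Are Spam"])
    if real:
        # Assumption: any non-matching name keeps the message on the virus path.
        return {"verdict": "virus", "viruses": real, "headers": {}, "score": None}
    headers = {}
    if spam:
        headers[header_name(conf["Spam-Virus Header"], org_name)] = ", ".join(spam)
    # Stand-in for an SA rule that adds points when the header exists.
    score = base_score + (rule_points if headers else 0.0)
    return {"verdict": "scored", "viruses": [], "headers": headers, "score": score}


def overbroad(patterns, canaries):
    """Patterns that would also reclassify names that must stay on the virus path."""
    return [p for p in patterns.split() if any(fnmatchcase(c, p) for c in canaries)]


if __name__ == "__main__":
    # Constructed scanner reports.
    print(triage(["Sanesecurity.Junk.0001.UNOFFICIAL"], base_score=2.5))
    print(triage(["Eicar-Test-Signature", "HTML/Phish.Constructed"]))
    print(overbroad("Sane*UNOFFICIAL HTML/* *", ["Eicar-Test-Signature"]))
```
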

From MailScanner at ecs.soton.ac.uk Fri Oct 2 08:35:14 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Fri Oct 2 08:35:35 2009
Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net> <4AC5AD32.6010609@ecs.soton.ac.uk>
Message-ID:

As you are clearly trying to use a new feature ("Spam-Virus"es) that I just introduced, I think you will find all your problems are solved using the new "Spam-Virus" feature in 4.78.

On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote:
>
> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
> version). We installed clam via the MS tar ball. Clam is our only AV
> and is called by MS via /usr/lib/MailScanner/clamav-wrapper.
>
> We have been getting FPs on some newsletters due to Phishing
> Heuristics in clam. We also found that MS does not appear to use a
> clamd.conf or freshclam.conf file. To get around the FP Phishing
> Heuristics problem, we modified the clamav-wrapper to turn off
> heuristic url scans (line 152 added in clamav-wrapper script):
>
> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"
>
> I would rather not edit the delivered MS script. Is there a clam
> config file used by MS?
>
> Where would I put the '--phishing-scan-urls=no' option?
>
> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
> versus letting MS load clamscan for every email?
>
> ...from the tarball clam/SA install.sh script:
>
> echo 'There are 2 recommended ways of installing ClamAV, depending on'
> echo 'various factors.'
> echo 'If you want to use MailScanners support for Clamd (virus-scanning'
> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
> echo 'and install the RPMs for clamav, clamav-db and clamd from'
> echo ' _http://packages.sw.be/clamav/_'
> echo 'Then re-run this script and tell me that clamscan is installed in'
> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
> echo
> echo 'Otherwise you probably want me to install ClamAV now. So answer y.'
>
> Jules - thank you for a great product!
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> One Shell Plaza
> 910 Louisiana
> Houston, TX 77002
> W: 713-229-2183
>

Jules

From MailScanner at ecs.soton.ac.uk Fri Oct 2 08:37:16 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Fri Oct 2 08:37:38 2009
Subject: Virus report and german umlaut
In-Reply-To: <4AC5A384.2050406@filmakademie.de>
References: <4AC5A384.2050406@filmakademie.de> <4AC5ADAC.1020003@ecs.soton.ac.uk>
Message-ID:

This behaviour is by design. I never include the original filename in any reports unless I can be 100% sure that it is safe to do so. If you want to see the original filename, look at the message in the quarantine. You would be amazed by the security problems you open yourself up to by using user input in any of your software's output, without sanitising it first!
On 02/10/2009 07:53, Götz Reinicke - IT-Koordinator wrote: > Hi, > > I got an error while sending an attachment with a "double" filename > extension. This is correct as mailscanner is configured to check and > disinfect this. > > But, the filename shown in the report is somehow confusing as it is not > the real name of the file: > > Report: Achtung: MailScanner: Attempt to hide real filename extension > (Basiskurs Einf.pdf) > > The real name is > > Basiskurs Einführung IT 2009 - 2010.key.pdf > > So there may be a problem with the German umlaut. > > Bug? Feature? or misconfiguration? > > mailscanner-4.78.17-1 > Red Hat Enterprise Linux Server release 5.4 (Tikanga) > perl-5.8.8-27.el5 > > > Thanks and best regards, > > Götz > Jules From goetz.reinicke at filmakademie.de Fri Oct 2 09:29:14 2009 From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator) Date: Fri Oct 2 09:29:36 2009 Subject: Virus report and german umlaut In-Reply-To: References: <4AC5A384.2050406@filmakademie.de> <4AC5ADAC.1020003@ecs.soton.ac.uk> Message-ID: <4AC5B9DA.30507@filmakademie.de> O.K. Thanks, so it is a feature. At first, I was surprised that the message was cleaned, as the reported filename only showed .pdf . /Götz Jules Field wrote: > This behaviour is by design. I never include the original filename in > any reports unless I can be 100% sure that it is safe to do so.
If you > want to see the original filename, look at the message in the > quarantine. You would be amazed by the security problems you open > yourself up to by using user input in any of your software's output, > without sanitising it first! > > On 02/10/2009 07:53, Götz Reinicke - IT-Koordinator wrote: >> Hi, >> >> I got an error while sending an attachment with a "double" filename >> extension. This is correct as mailscanner is configured to check and >> disinfect this. >> >> But, the filename shown in the report is somehow confusing as it is not >> the real name of the file: >> >> Report: Achtung: MailScanner: Attempt to hide real filename extension >> (Basiskurs Einf.pdf) >> >> The real name is >> >> Basiskurs Einführung IT 2009 - 2010.key.pdf >> >> So there may be a problem with the German umlaut. >> >> Bug? Feature? or misconfiguration? >> >> mailscanner-4.78.17-1 >> Red Hat Enterprise Linux Server release 5.4 (Tikanga) >> perl-5.8.8-27.el5 >> >> >> Thanks and best regards, >> >> Götz >> > > Jules > -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry Managing Director: Prof. Thomas Schadt From support-lists at petdoctors.co.uk Fri Oct 2 12:37:56 2009 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Fri Oct 2 12:47:57 2009 Subject: MailScanner ANNOUNCE: New stable release 4.78.17 In-Reply-To: <4AC516AF.3090401@bfccomputing.com> References: <4AC4F51E.4040100@ecs.soton.ac.uk> <4AC516AF.3090401@bfccomputing.com> Message-ID: On 10/01/2009 02:29 PM, Jules Field wrote: > - "include" directive in MailScanner.conf files, so you can avoid > modifying the shipped MailScanner.conf file at all, making upgrades > easier.
This also makes large installations easier as you can just > specify your local modifications in a set of files stored in > /etc/MailScanner/conf.d. "Include" directives can be nested to arbitrary > depths, so included files can include other files to any complexity you > require. Excellent! I could kiss you - but I won't! Nigel Kendrick From davejones70 at gmail.com Fri Oct 2 13:16:35 2009 From: davejones70 at gmail.com (Dave Jones) Date: Fri Oct 2 13:16:46 2009 Subject: High DCC_CHECK hits on Spanish and Japanese email Message-ID: <67a55ed50910020516l38cfceb2u86fb16e4837077be@mail.gmail.com> Is anyone else seeing higher than normal hits on DCC_CHECK with extended character emails? I have tried to disable DCC checks for internal email servers to prevent blocking of these valid emails routed via internal WAN connections but the whiteclnt settings do not appear to be working:

/var/dcc/whiteclnt
-----------------------------
# List statically allocated IP addresses that you trust to never send
# or forward unsolicited bulk email
ok ip 135.42.204.0/24
ok ip 135.42.206.0/24
ok ip 10.0.0.0/8
ok ip 172.0.0.0/8

How can I make sure that SA is launching DCC so that it is actually using /var/dcc/whiteclnt? I want to make sure that I am using the proper whiteclnt file location. The emails that are being blocked originate internally so they shouldn't have DCC_CHECK hits at all, correct? I don't want to waste the time/bandwidth checking internal email. -- Dave Jones From chris at techquility.net Fri Oct 2 14:43:19 2009 From: chris at techquility.net (Chris Barber) Date: Fri Oct 2 14:44:17 2009 Subject: MailScanner ANNOUNCE: New stable release 4.78.17 In-Reply-To: References: <4AC4F51E.4040100@ecs.soton.ac.uk> <43F62CA225017044BC84CFAF92B4333B06FCB7@sbsserver.Techquility.net><4AC5ACE7.3020504@ecs.soton.ac.uk> Message-ID: <43F62CA225017044BC84CFAF92B4333B06FCBA@sbsserver.Techquility.net> >>> - virus scanning is now done before spam scanning.
>>> - new support for "spam-viruses" which are spam messages detected by >>> your virus scanner (such as with the extra ClamAV signature databases, >>> or F-Prot). This is managed by the new MailScanner.conf settings >>> "Spam-Virus Header" and "Virus Names Which Are Spam". See the ChangeLog >>> >> >>> for more information. >>> >> >> Does this mean that spams caught by the virus scanner will not be >> deleted anymore? I.E. We can have SA assign a score and the user will >> see the message in the quarantine report for instance? Also, will >> whitelisting work as well? >> >Correct. Should be correct on all counts. The "Spam-Virus Header" is >added *before* the message goes into SpamAssassin, so you can write an >SA rule that will catch entries in this header and assign a score to >them. Then the resulting score can be handled as normal. > > >Jules Thanks Jules! Is there anything I need to do to the virus scanning settings to get it to stop deleting infected messages? Chris From MailScanner at ecs.soton.ac.uk Fri Oct 2 15:27:00 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 2 15:27:22 2009 Subject: MailScanner ANNOUNCE: New stable release 4.78.17 In-Reply-To: <43F62CA225017044BC84CFAF92B4333B06FCBA@sbsserver.Techquility.net> References: <4AC4F51E.4040100@ecs.soton.ac.uk> <43F62CA225017044BC84CFAF92B4333B06FCB7@sbsserver.Techquility.net><4AC5ACE7.3020504@ecs.soton.ac.uk> <43F62CA225017044BC84CFAF92B4333B06FCBA@sbsserver.Techquility.net> <4AC60DB4.10908@ecs.soton.ac.uk> Message-ID: On 02/10/2009 14:43, Chris Barber wrote: >>>> - virus scanning is now done before spam scanning. >>>> - new support for "spam-viruses" which are spam messages detected by >>>> your virus scanner (such as with the extra ClamAV signature >>>> > databases, > >>>> or F-Prot). This is managed by the new MailScanner.conf settings >>>> "Spam-Virus Header" and "Virus Names Which Are Spam". See the >>>> > ChangeLog > >>>> >>>> >>> >>> >>>> for more information. 
>>>> >>>> >>> Does this mean that spams caught by the virus scanner will not be >>> deleted anymore? I.E. We can have SA assign a score and the user will >>> see the message in the quarantine report for instance? Also, will >>> whitelisting work as well? >>> >>> >> Correct. Should be correct on all counts. The "Spam-Virus Header" is >> added *before* the message goes into SpamAssassin, so you can write an >> SA rule that will catch entries in this header and assign a score to >> them. Then the resulting score can be handled as normal. >> >> >> Jules >> > > Thanks Jules! Is there anything I need to do to the virus scanning > settings to get it to stop deleting infected messages? > Read the documentation in the MailScanner.conf file about "Spam-Viruses", but basically no, you don't need to do anything. The defaults I supply for the new settings will do all the work for you, just run upgrade_MailScanner_conf to ensure you are picking up the correct values for the new settings. Jules From MailScanner at ecs.soton.ac.uk Fri Oct 2 15:38:28 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 2 15:38:55 2009 Subject: Fwd: The Spamhaus CSS list References: <4AC61064.7060102@ecs.soton.ac.uk> Message-ID: Here is one you might all be interested in (with thanks to Tony Finch): Spamhaus have announced a new blacklist aimed specifically at snowshoe spammers.
"Snowshoe" is a technique where spammers use large numbers of superficially legitimate hosts that each send a small quantity of spam, in an attempt to spread the spam load and keep each host below the radar. The new CSS list is a component of the SBL (and therefore also the sbl-xbl and ZEN lists) so many setups will use it automatically. http://www.spamhaus.org/news.lasso?article=646 However note that SpamAssassin will not, since its current rules do not recognise a 127.0.0.3 result from the ZEN blacklist. You can add the following to your local.cf to treat CSS matches as equivalent to other SBL matches.

header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.[23]')

From doctor at doctor.nl2k.ab.ca Fri Oct 2 15:41:01 2009 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Fri Oct 2 15:41:13 2009 Subject: Need help from Exim users Message-ID: <20091002144101.GA13108@doctor.nl2k.ab.ca> Well Postfix is not doing the anti-spam I was hoping it would do and the 'jailing' is not working. I elect to go to Exim. What do I need to get RBLS, virtual E-mail and stuff working before adding MailScanner? -- Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic! For the latest World News go to http://www.cuttingedge.org/ From ms-list at alexb.ch Fri Oct 2 15:48:48 2009 From: ms-list at alexb.ch (Alex Broens) Date: Fri Oct 2 15:48:56 2009 Subject: Fwd: The Spamhaus CSS list In-Reply-To: References: <4AC61064.7060102@ecs.soton.ac.uk> Message-ID: <4AC612D0.3040400@alexb.ch> On 10/2/2009 4:38 PM, Julian Field wrote: > Here is one you might all be interested in (with thanks to Tony Finch): > > Spamhaus have announced a new blacklist aimed specifically at snowshoe > spammers.
"Snowshoe" is a technique where spammers use large numbers of > superficially legitimate hosts that each send a small quantity of spam, > in an attempt to spread the spam load and keep each host below the radar. > > The new CSS list is a component of the SBL (and therefore also the sbl-xbl > and ZEN lists) so many setups will use it automatically. > > http://www.spamhaus.org/news.lasso?article=646 > > However note that SpamAssassin will not, since its current rules do not > recognise a 127.0.0.3 result from the ZEN blacklist. You can add the > following to your local.cf to treat CSS matches as equivalent to other SBL > matches. > > header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.[23]') I'd suggest using the rule below instead of modifying stock SBL rule.

# check_rbl_sub takes (set, sub-test); the zone itself is queried by the
# existing check_rbl rule for the 'zen' set
header   RCVD_IN_CSS eval:check_rbl_sub('zen', '127.0.0.3')
describe RCVD_IN_CSS Received via a relay in Spamhaus CSS
tflags   RCVD_IN_CSS net
#reuse   RCVD_IN_CSS
score    RCVD_IN_CSS 1.0

That way you can score it differently according to your need. Watch out for line breaks in the rule after mailing. Alex From jethro.binks at strath.ac.uk Fri Oct 2 15:50:03 2009 From: jethro.binks at strath.ac.uk (Jethro R Binks) Date: Fri Oct 2 15:50:12 2009 Subject: Need help from Exim users In-Reply-To: <20091002144101.GA13108@doctor.nl2k.ab.ca> References: <20091002144101.GA13108@doctor.nl2k.ab.ca> Message-ID: On Fri, 2 Oct 2009, The Doctor wrote: > Well Postfix is not doing the anti-spam I was hoping it would do and the > 'jailing' is not working. > > I elect to go to Exim. > > What do I need to get RBLS, virtual E-mail and stuff working before > adding MailScanner? Wrong place to ask. Read the exim-users list archives. See the exim documentation and wiki. Consider whether learning a whole new architecture is worth it (which will take considerable time if you do not know Exim already), vs spending more time addressing the postfix issues. (But I am an Exim user, and swear by it.
I like the flexible programmability rather than pre-made macro functions or add-ins). Jethro. . . . . . . . . . . . . . . . . . . . . . . . . . Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From admin at lorodoes.com Fri Oct 2 15:49:55 2009 From: admin at lorodoes.com (Garrod Alwood) Date: Fri Oct 2 15:50:13 2009 Subject: Need help from Exim users In-Reply-To: <20091002144101.GA13108@doctor.nl2k.ab.ca> References: <20091002144101.GA13108@doctor.nl2k.ab.ca> Message-ID: I have postfix working great with Mailscanner and quarantining. Make sure you have Mailscanner looking at the postfix queue and have the correct permissions. > Well Postfix is not doing the anti-spam I was > hoping it would do and the 'jailing' is not working. > > I elect to go to Exim. > > What do I need to get get RBLS, virtual E-mail and stuff working > before adding MailScanner? > > -- > Member - Liberal International This is doctor@nl2k.ab.ca > Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! > Never Satan President Republic! > For the latest World News go to http://www.cuttingedge.org/ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From doctor at doctor.nl2k.ab.ca Fri Oct 2 16:04:25 2009 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Fri Oct 2 16:04:36 2009 Subject: Need help from Exim users In-Reply-To: References: <20091002144101.GA13108@doctor.nl2k.ab.ca> Message-ID: <20091002150425.GA22855@doctor.nl2k.ab.ca> On Fri, Oct 02, 2009 at 03:50:03PM +0100, Jethro R Binks wrote: > On Fri, 2 Oct 2009, The Doctor wrote: > > > Well Postfix is not doing the anti-spam I was hoping it would do and the > > 'jailing' is not working. > > > > I elect to go to Exim. 
> > > > What do I need to get RBLS, virtual E-mail and stuff working before > > adding MailScanner? > > Wrong place to ask. > > Read the exim-users list archives. > > See the exim documentation and wiki. > > Consider whether learning a whole new architecture is worth it (which will > take considerable time if you do not know Exim already), vs spending more > time addressing the postfix issues. (But I am an Exim user, and swear by > it. I like the flexible programmability rather than pre-made macro > functions or add-ins). > > Jethro. I already did ask the exim-users lists; no reply and reading the current Exim User's Book. And yes about those postfix issues, well I have had enough. Also with the Wiki, does it address any conversion issues? > > . . . . . . . . . . . . . . . . . . . . . . . . . > Jethro R Binks > Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From support-lists at petdoctors.co.uk Fri Oct 2 16:19:21 2009 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Fri Oct 2 16:20:09 2009 Subject: Need help from Exim users In-Reply-To: <20091002144101.GA13108@doctor.nl2k.ab.ca> References: <20091002144101.GA13108@doctor.nl2k.ab.ca> Message-ID: <7EBB54DF883C4EBAA298FA432161C62C@SUPPORT01V> I have PDFs of the excellent howto written some time ago by Johnny Hughes (of CentOS fame) that describes setting up MailScanner with Postfix, Spamassassin, clamav and squirrelmail.
For some reason, the original Web pages have disappeared and copies are hard to find (unless anyone knows different). Let me know if you want copies. I have used them as a checklist to setup many mail servers built around CentOS and MailScanner. Nigel Kendrick -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of The Doctor Sent: Friday, October 02, 2009 3:41 PM To: mailscanner@lists.mailscanner.info Subject: Need help from Exim users Well Postfix is not doing the anti-spam I was hoping it would do and the 'jailing' is not working. I elect to go to Exim. What do I need to get get RBLS, virtual E-mail and stuff working before adding MailScanner? -- Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic! For the latest World News go to http://www.cuttingedge.org/ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at rtpty.com Fri Oct 2 16:20:20 2009 From: alex at rtpty.com (Alex Neuman) Date: Fri Oct 2 16:20:53 2009 Subject: The Spamhaus CSS list In-Reply-To: References: <4AC61064.7060102@ecs.soton.ac.uk> Message-ID: If you're using it at the MTA level, will it still drop the message? 
On Oct 2, 2009, at 9:38 AM, Julian Field wrote: > header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.[23]') From rcooper at dwford.com Fri Oct 2 16:37:48 2009 From: rcooper at dwford.com (Rick Cooper) Date: Fri Oct 2 16:38:04 2009 Subject: Need help from Exim users In-Reply-To: <20091002144101.GA13108@doctor.nl2k.ab.ca> References: <20091002144101.GA13108@doctor.nl2k.ab.ca> Message-ID: ----Original Message---- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of The Doctor Sent: Friday, October 02, 2009 10:41 AM To: mailscanner@lists.mailscanner.info Subject: Need help from Exim users > Well Postfix is not doing the anti-spam I was > hoping it would do and the 'jailing' is not working. > > I elect to go to Exim. > > What do I need to get get RBLS, virtual E-mail and stuff working > before adding MailScanner? > > -- > Member - Liberal International This is doctor@nl2k.ab.ca > Ici doctor@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! > Never Satan President Republic! > For the latest World News go to http://www.cuttingedge.org/ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! That depends on what you want to do and how. 
The relevant portion of my rcpt acl reads:

deny message = rejected because $sender_host_address is in a black list \
               at $dnslist_domain $dnslist_text (ADDED TO FIREWALL)
     hosts = !/MyRulesDir/Mail_local_net:!/MyRulesDir/mail_relay_from_domains
     senders = !/MyRulesDir/Mail_sender_white_list.conf
     dnslists = ${expand:${readfile{/MyRulesDir/mail_rbl_lists}{:}}}
     condition = ${run{/A_Special_Place/ExiBlockWrapper $sender_host_address 24h}\
                 {yes}{yes}}

This acl says if the sending host is not a local machine, and it's not from a host we relay for, and the sender is not in a local whitelist (used for other rules as well) then run it through the rbls listed in /MyRulesDir/mail_rbl_lists (which is cached if the file has not changed the list is not re-read) if it's listed add the host to iptables for the next 24 hours (this is a custom program not part of exim) and deny it with the message following "deny message" which includes the results from the look up. The file /MyRulesDir/mail_rbl_lists is a text file with entries like:

zen.spamhaus.org
Other.rbl.list
Etc.rnl.list

I do this so I can add, subtract or otherwise modify rbl lists without restarting exim. I recommend you look at the exim spec section 40 (40.24+) because you can also add a lot more control if you wish, like:

zen.spamhaus.org=127.0.0.2,127.0.0.3 (match only if returns 127.0.0.2 or 127.0.0.3)

or

zen.spamhaus.org!=127.0.0.3 (match all except 127.0.0.3)

Also, priority matters as the check stops with the first hit. Read the spec, and join the exim list Rick
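The list-item matching Rick describes (a bare zone, `zone=codes`, `zone!=codes`, first hit stops the check) and the 127.0.0.x sub-code test behind the SpamAssassin rules earlier in the thread, as an added offline example that is not Exim's or SpamAssassin's own code. The resolver table, the test addresses and other.rbl.example are constructed; `!=` is modelled as "listed, and none of the returned codes is in the set", and Exim's `==` and `!==` forms are not handled.

```python
"""Offline model of DNSBL return-code matching (constructed data, no network)."""
import ipaddress
import re

# Constructed stand-in for DNS: query name -> set of 127.0.0.x answers.
# Addresses are documentation ranges; other.rbl.example is hypothetical.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": {"127.0.0.3"},    # listed as CSS only
    "7.100.51.198.zen.spamhaus.org": {"127.0.0.2"},  # listed as SBL
    "10.2.0.192.other.rbl.example": {"127.0.0.2"},
}


def resolve_stub(name):
    """Return the constructed answers; an empty set models NXDOMAIN."""
    return FAKE_DNS.get(name, set())


def dnsbl_query_name(ip, zone):
    """Build the looked-up name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def parse_item(item):
    """Split 'zone', 'zone=a,b' or 'zone!=a,b' into (zone, op, codes)."""
    for op in ("!=", "="):
        if op in item:
            zone, _, rhs = item.partition(op)
            # ip_address() rejects anything that is not a plain address,
            # which also refuses the unsupported '==' / '!==' forms.
            codes = frozenset(
                str(ipaddress.ip_address(c.strip())) for c in rhs.split(",")
            )
            return zone.strip(), op, codes
    return item.strip(), None, frozenset()


def item_matches(item, answers):
    """Apply one list item to the set of addresses the zone returned."""
    _zone, op, codes = parse_item(item)
    if not answers:        # not listed at all: nothing can match
        return False
    if op is None:         # bare zone: any listing counts
        return True
    hit = any(a in codes for a in answers)
    return hit if op == "=" else not hit


def first_hit(ip, items, resolve):
    """Check items in order and stop at the first match."""
    for item in items:
        zone = parse_item(item)[0]
        answers = resolve(dnsbl_query_name(ip, zone))
        if item_matches(item, answers):
            return item, sorted(answers)
    return None


def sa_sub_matches(pattern, answers):
    """Model a sub-test such as '127.0.0.[23]' as an anchored regex."""
    return any(re.fullmatch(pattern, a) for a in answers)


if __name__ == "__main__":
    items = ["zen.spamhaus.org!=127.0.0.3", "other.rbl.example"]
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", first_hit(ip, items, resolve_stub))
    # A sub-test for 127.0.0.2 alone does not see a CSS-only listing.
    print(sa_sub_matches("127.0.0.2", {"127.0.0.3"}),
          sa_sub_matches("127.0.0.[23]", {"127.0.0.3"}))
```
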
From ms-list at alexb.ch Fri Oct 2 16:48:22 2009 From: ms-list at alexb.ch (Alex Broens) Date: Fri Oct 2 16:48:29 2009 Subject: The Spamhaus CSS list In-Reply-To: References: <4AC61064.7060102@ecs.soton.ac.uk> Message-ID: <4AC620C6.6060201@alexb.ch> On 10/2/2009 5:20 PM, Alex Neuman wrote: > If you're using it at the MTA level, will it still drop the message? yes the advantage of the SA rule is that in this case it may be desirable to also allow SA do the deep header parsing, especially in cases of abundant redirects/fetchmail, etc > On Oct 2, 2009, at 9:38 AM, Julian Field wrote: > >> header RCVD_IN_SBL eval:check_rbl_sub('zen', '127.0.0.[23]') > From donald.dawson at bakerbotts.com Fri Oct 2 17:43:59 2009 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Fri Oct 2 17:44:16 2009 Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Friday, October 02, 2009 2:35 AM To: MailScanner discussion Subject: Re: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain As you are clearly trying to use a new feature ("Spam-Virus"es) that I just introduced, I think you will find all your problems are solved using the new "Spam-Virus" feature in 4.78. On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote: > > We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17 > version). We installed clam via the MS tar ball. Clam is our only AV > and is called by MS via /usr/lib/MailScanner/clamav-wrapper. > > We have been getting FPs on some newsletters due to Phishing > Heuristics in clam. 
We also found that MS does not appear to use a > clamd.conf or freshclam.conf file. To get around the FP Phishing > Heuristics problem, we modified the clamav-wrapper to turn off > heuristic url scans (line 152 added in clamav-wrapper script): > > ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no" > > I would rather not edit the delivered MS script. Is there a clam > config file used by MS? > > Where would I put the '--phishing-scan-urls=no' option? > > Lastly, is it preferable to install clamav, clamav-db and clamd RPMs > versus letting MS load clamscan for every email? > > ...from the tarball clam/SA install.sh script: > > echo 'There are 2 recommended ways of installing ClamAV, depending on' > echo 'various factors.' > echo 'If you want to use MailScanners support for Clamd (virus-scanning' > echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)' > echo 'and install the RPMs for clamav, clamav-db and clamd from' > echo ' _http://packages.sw.be/clamav/_' > echo 'Then re-run this script and tell me that clamscan is installed in' > echo '/usr/bin. This will set up your virus.scanners.conf file for you.' > echo > echo 'Otherwise you probably want me to install ClamAV now. So answer y.' > > Jules - thank you for a great product! > > Donald Dawson > Security Administrator > Baker Botts L.L.P. > One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > Jules -------------- Jules, would you also recommend installing the clamd rpm versus letting MS run clamscan? Thanks, Donald From mark at msapiro.net Fri Oct 2 19:35:44 2009 From: mark at msapiro.net (Mark Sapiro) Date: Fri Oct 2 19:35:54 2009 Subject: Notify Recipient of Blocked ZIP Attachment In-Reply-To: References: Message-ID: <20091002183544.GA3196@msapiro> On Thu, Oct 01, 2009 at 10:15:01AM -0400, Timothy Barhorst wrote: > > Our company uses MailScanner to block zip files and many do get blocked. 
> > However, some of our users wish to be notified when one has been put in > quarantine. > > > > What is the best way to accomplish this or should I just allow all zip > files though? Anyone have an opinion about this? I don't understand. Isn't this the normal behavior? Does Deliver Cleaned Messages affect this? -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Fri Oct 2 20:22:14 2009 From: mark at msapiro.net (Mark Sapiro) Date: Fri Oct 2 20:22:21 2009 Subject: MailScanner ANNOUNCE: New stable release 4.78.17 In-Reply-To: References: <4AC4F51E.4040100@ecs.soton.ac.uk> Message-ID: <20091002192214.GA1268@msapiro> On Thu, Oct 01, 2009 at 07:29:50PM +0100, Jules Field wrote: > Evening all! > > I have just released a new stable release of MailScanner 4.78. There seems to be an issue on the web page at http://www.mailscanner.info/downloads.html with 'nested' comment tags in and around the Beta releases section. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Fri Oct 2 21:13:54 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Fri Oct 2 21:14:15 2009 Subject: MailScanner ANNOUNCE: New stable release 4.78.17 In-Reply-To: <20091002192214.GA1268@msapiro> References: <4AC4F51E.4040100@ecs.soton.ac.uk> <20091002192214.GA1268@msapiro> <4AC65F02.8070606@ecs.soton.ac.uk> Message-ID: On 02/10/2009 20:22, Mark Sapiro wrote: > On Thu, Oct 01, 2009 at 07:29:50PM +0100, Jules Field wrote: > >> Evening all! >> >> I have just released a new stable release of MailScanner 4.78. >> > > There seems to be an issue on the web page at > http://www.mailscanner.info/downloads.html with 'nested' comment tags in > and around the Beta releases section. > Thanks for letting me know. Fixed. 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Oct 2 21:15:38 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Fri Oct 2 21:15:58 2009 Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net> References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net> <4AC65F6A.2080009@ecs.soton.ac.uk> Message-ID: On 02/10/2009 17:43, donald.dawson@bakerbotts.com wrote: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules > Field > Sent: Friday, October 02, 2009 2:35 AM > To: MailScanner discussion > Subject: Re: ClamAVModule::INFECTED:: > Phishing.Heuristics.Email.SpoofedDomain > > As you are clearly trying to use a new feature ("Spam-Virus"es) that I > just introduced, I think you will find all your problems are solved > using the new "Spam-Virus" feature in 4.78. > > On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote: > >> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17 >> version). We installed clam via the MS tar ball. Clam is our only AV >> > >> and is called by MS via /usr/lib/MailScanner/clamav-wrapper. >> >> We have been getting FPs on some newsletters due to Phishing >> Heuristics in clam. 
We also found that MS does not appear to use a >> clamd.conf or freshclam.conf file. To get around the FP Phishing >> Heuristics problem, we modified the clamav-wrapper to turn off >> heuristic url scans (line 152 added in clamav-wrapper script): >> >> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no" >> >> I would rather not edit the delivered MS script. Is there a clam >> config file used by MS? >> >> Where would I put the '--phishing-scan-urls=no' option? >> >> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs >> versus letting MS load clamscan for every email? >> >> ...from the tarball clam/SA install.sh script: >> >> echo 'There are 2 recommended ways of installing ClamAV, depending on' >> echo 'various factors.' >> echo 'If you want to use MailScanners support for Clamd >> > (virus-scanning' > >> echo 'daemon) then I recommend you cancel this script now (press >> > Ctrl-C)' > >> echo 'and install the RPMs for clamav, clamav-db and clamd from' >> echo ' _http://packages.sw.be/clamav/_' >> echo 'Then re-run this script and tell me that clamscan is installed >> > in' > >> echo '/usr/bin. This will set up your virus.scanners.conf file for >> > you.' > >> echo >> echo 'Otherwise you probably want me to install ClamAV now. So answer >> > y.' > >> Jules - thank you for a great product! >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. >> One Shell Plaza >> 910 Louisiana >> Houston, TX 77002 >> W: 713-229-2183 >> >> > Jules > > -------------- > > Jules, would you also recommend installing the clamd rpm versus letting > MS run clamscan? > Yes. It will be far faster. Just make sure you delete all signs of *clam* from /usr/local and its subdirectories, then install the clamd RPM, then "ldconfig" to make sure it picks up all the new shared libraries supplied by the RPMs. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? 
Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rlopezcnm at gmail.com Fri Oct 2 21:57:16 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri Oct 2 21:57:25 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: References: <4ABB95D5.3090500@ecs.soton.ac.uk> <4AC313F9.4080405@ecs.soton.ac.uk> <20090930153936.GA1856@msapiro> <4AC380FC.60902@ecs.soton.ac.uk> <4AC4F177.9030904@ecs.soton.ac.uk> <20091001175403.GA3484@msapiro> Message-ID: On Thu, Oct 1, 2009 at 12:14 PM, Jules Field wrote: > > > On 01/10/2009 18:54, Mark Sapiro wrote: >> >> On Wed, Sep 30, 2009 at 05:02:04PM +0100, Jules Field wrote: >> >>> >>> On 30/09/2009 16:39, Mark Sapiro wrote: >>> >>>> >>>> I don't have any problem with certain characters being escaped as %nn, >>>> but I do think that dropping pieces of the name, in particular in some >>>> cases entire 'extensions' is a problem. >>>> >>>> >>> >>> It all depends on the length of the filename after the last filename >>> extension has been removed. This is truncated at a fixed point. So some >>> other "extensions" may be lost. I'm not sure there is any easy way, >>> heuristically, of trimming the filename while leaving *all* the >>> extensions, as it's unknown what is and is not an extension, and what is >>> just a dot in the middle of the text of the "main" bit of the filename. >>> >> >> I understand. I didn't realize that the issue was because of a simple >> truncation based on length. 
>> Given that, and the desire to not report
>> overly long names, I think it's OK the way it is, and mail admins will
>> just have to realize they need to see the original message or the
>> Filename Checks: MailScanner log message to see the original name.
>>
>> I agree that trying to give priority to certain portions of the name
>> while shortening it is futile.
>>
>
> Thanks for understanding that. I have to draw a line somewhere.
> Now we've got that one rectified, I will do a stable release.
>
> Expect a stable release in the next few minutes.
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Thank you both for clarifying what is happening.
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From donald.dawson at bakerbotts.com Fri Oct 2 22:14:14 2009
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Fri Oct 2 22:14:29 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <20091002192214.GA1268@msapiro> <4AC65F02.8070606@ecs.soton.ac.uk>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net>

I just upgraded to the version 4.78. The install failed due to many
Perl-related files being deleted by the install.sh script. I copied
them back from another system and was able to continue. I am using a
custom conf file in the conf.d directory. One issue though, the
%org-name% variable did not replace the 'yoursite' value from
MailScanner.conf.

I had to edit the /etc/MailScanner/MailScanner.conf file to replace
'yoursite' with our site name:

from /etc/MailScanner/conf.d/bakerbotts.ms.conf:

# %org-name% = yoursite
%org-name% = BakerBotts
# %org-long-name% = Your Organisation Name Here
%org-long-name% = Baker Botts LLP
# %web-site% = www.your-organisation.com
%web-site% = www.bakerbotts.com
# Max Children = 5
Max Children = 9

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field
Sent: Friday, October 02, 2009 3:14 PM
To: MailScanner discussion
Subject: Re: MailScanner ANNOUNCE: New stable release 4.78.17

On 02/10/2009 20:22, Mark Sapiro wrote:
> On Thu, Oct 01, 2009 at 07:29:50PM +0100, Jules Field wrote:
>
>> Evening all!
>>
>> I have just released a new stable release of MailScanner 4.78.
>>
>
> There seems to be an issue on the web page at
> http://www.mailscanner.info/downloads.html with 'nested' comment tags in
> and around the Beta releases section.
>
Thanks for letting me know. Fixed.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From jens.potthast at innovation.uni-bremen.de Fri Oct 2 22:48:45 2009
From: jens.potthast at innovation.uni-bremen.de (Jens Potthast)
Date: Fri Oct 2 22:48:58 2009
Subject: Broken (mailwatch) quarantine_maint.php? Or broken system? - SOLVED
In-Reply-To: <4AC4A570.80501@innovation.uni-bremen.de>
References: <4AC4A570.80501@innovation.uni-bremen.de>
Message-ID: <4AC6753D.5090404@innovation.uni-bremen.de>

Found it finally... Simply turn off 'SSL_ONLY' in conf.php. That's it.
Somehow related to this bug:
http://mailwatch.cvs.sourceforge.net/viewvc/mailwatch/mailwatch/mailscanner/functions.php?r1=1.19&r2=1.20

Jens

On 01.10.2009 14:49, Jens Potthast wrote:
> Hi,
> can someone please point me in the right direction?
>
> It might be a general issue because the scripts quarantine_report.php
> and db_clean.php do exactly the same - nothing.
>
> I'm worried that I do not even get some kind of error message.
> The scripts get executed (using first line #!/usr/bin/php) but no
> feedback whatsoever.
> Echoing my cmd args will work (and stop the script with an error) just
> as long as I place it before the included 'functions.php'.
>
> My system: mailwatch 1.0.4 on CentOS 5.3. My php is with zend extension.
>
>
> Please help.
>
> Jens
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4296 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091002/15c6d4d0/smime.bin

From alex at rtpty.com Fri Oct 2 22:56:37 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Oct 2 22:56:58 2009
Subject: Broken (mailwatch) quarantine_maint.php? Or broken system? - SOLVED
In-Reply-To: <4AC6753D.5090404@innovation.uni-bremen.de>
References: <4AC4A570.80501@innovation.uni-bremen.de> <4AC6753D.5090404@innovation.uni-bremen.de>
Message-ID: <613A49D3-E82C-40A8-8DBC-E31293E44C23@rtpty.com>

Why was it on in the first place?

On Oct 2, 2009, at 4:48 PM, Jens Potthast wrote:

> Found it finally... Simply turn off 'SSL_ONLY' in conf.php. That's it.
> Somehow related to this bug:
> http://mailwatch.cvs.sourceforge.net/viewvc/mailwatch/mailwatch/mailscanner/functions.php?r1=1.19&r2=1.20
>

From chris at techquility.net Sat Oct 3 00:50:09 2009
From: chris at techquility.net (Chris Barber)
Date: Sat Oct 3 00:51:06 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <43F62CA225017044BC84CFAF92B4333B06FCB7@sbsserver.Techquility.net><4AC5ACE7.3020504@ecs.soton.ac.uk> <43F62CA225017044BC84CFAF92B4333B06FCBA@sbsserver.Techquility.net><4AC60DB4.10908@ecs.soton.ac.uk>
Message-ID: <43F62CA225017044BC84CFAF92B4333B06FCBD@sbsserver.Techquility.net>

>
>Read the documentation in the MailScanner.conf file about
>"Spam-Viruses", but basically no, you don't need to do anything.
>The defaults I supply for the new settings will do all the work for you,
>just run upgrade_MailScanner_conf to ensure you are picking up the
>correct values for the new settings.
>
>Jules
>

Thanks again Jules! This is an awesome feature that I have been wanting
for some time now! Great work!!

-Chris Barber

From lhaig at haigmail.com Sat Oct 3 08:54:00 2009
From: lhaig at haigmail.com (Lance Haig)
Date: Sat Oct 3 08:56:42 2009
Subject: Need help from Exim users
In-Reply-To: <7EBB54DF883C4EBAA298FA432161C62C@SUPPORT01V>
References: <20091002144101.GA13108@doctor.nl2k.ab.ca> <7EBB54DF883C4EBAA298FA432161C62C@SUPPORT01V>
Message-ID: <4AC70318.8040204@haigmail.com>

Hi Nigel,

I would appreciate a copy of the PDFs

Thanks

Lance

Nigel Kendrick wrote:
> I have PDFS of the excellent howto written some time ago by Johnny Hughes
> (of CentOS fame) that describes setting up MailScanner with Postfix,
> Spamassassin, clamav and squirrelmail. For some reason, the original Web
> pages have disappeared and copies are hard to find (unless anyone knows
> different).
>
> Let me know if you want copies. I have used them as a checklist to setup
> many mail servers built around CentOS and MailScanner.
>
> Nigel Kendrick
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of The Doctor
> Sent: Friday, October 02, 2009 3:41 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Need help from Exim users
>
> Well Postfix is not doing the anti-spam I was
> hoping it would do and the 'jailing' is not working.
>
> I elect to go to Exim.
>
> What do I need to get RBLS, virtual E-mail and stuff working
> before adding MailScanner?
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 257 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091003/6afd8607/signature-0001.bin

From jens.potthast at innovation.uni-bremen.de Sat Oct 3 09:57:14 2009
From: jens.potthast at innovation.uni-bremen.de (Jens Potthast)
Date: Sat Oct 3 09:57:31 2009
Subject: Broken (mailwatch) quarantine_maint.php? Or broken system? - SOLVED
In-Reply-To: <613A49D3-E82C-40A8-8DBC-E31293E44C23@rtpty.com>
References: <4AC4A570.80501@innovation.uni-bremen.de> <4AC6753D.5090404@innovation.uni-bremen.de> <613A49D3-E82C-40A8-8DBC-E31293E44C23@rtpty.com>
Message-ID: <4AC711EA.2080307@innovation.uni-bremen.de>

Thought it would be a good idea. So I turned it on at initial
configuration. Wrong guess.

Jens

On 02.10.2009 23:56, Alex Neuman wrote:
> Why was it on in the first place?
>
> On Oct 2, 2009, at 4:48 PM, Jens Potthast wrote:
>
>> Found it finally... Simply turn off 'SSL_ONLY' in conf.php. That's it.
>> Somehow related to this bug:
>> http://mailwatch.cvs.sourceforge.net/viewvc/mailwatch/mailwatch/mailscanner/functions.php?r1=1.19&r2=1.20
>>
>>
>

--
Dipl.-Ing. (FH) Jens Potthast
Universität Bremen
Institut für Projektmanagement und Innovation
Lehrstuhl für Innovation und Kompetenztransfer
Wilhelm-Herbst-Straße 12
28359 Bremen
Tel: +49 421 218 8276
Fax: +49 421 218 8222
Mail: Jens.Potthast@innovation.uni-bremen.de
www: http://innovation.uni-bremen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4296 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091003/4e3f4fbf/smime.bin

From mark at msapiro.net Sat Oct 3 16:21:01 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Oct 3 16:21:13 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net>
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <4AC65F02.8070606@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net>
Message-ID: <20091003152101.GA2924@msapiro>

On Fri, Oct 02, 2009 at 04:14:14PM -0500, donald.dawson@bakerbotts.com wrote:
> I just upgraded to the version 4.78. The install failed due to many
> Perl-related files being deleted by the install.sh script. I copied
> them back from another system and was able to continue.

Jules or someone else will have to address this one.

> I am using a
> custom conf file in the conf.d directory. One issue though, the
> %org-name% variable did not replace the 'yoursite' value from
> MailScanner.conf.
>
> I had to edit the /etc/MailScanner/MailScanner.conf file to replace
> 'yoursite' with our site name:

Yes. In my case, I also change %report-dir%, so I have to change
that too in MailScanner.conf.

The alternative is that every use of a %xxx% variable would have to be
held in abeyance until all included files are processed, and even then,
there might be issues if the definition of one variable includes another
variable.

The current "use the current definition of the variable when it's
encountered" strategy is much simpler and less prone to unintended
consequences, even though it requires changes in MailScanner.conf.

Here's a suggestion for Jules though. Immediately after defining the
%xxx% variables in MailScanner.conf, put

include /etc/MailScanner/conf.d/local_variables

or some such.
Then the rpm or whatever can install an empty
/etc/MailScanner/conf.d/local_variables only if one doesn't already
exist. This will give the site the ability to redefine the variables
before they are used and allow complete configuration without touching
MailScanner.conf.

Perhaps even better, don't install /etc/MailScanner/conf.d/local_variables
at all, since every site needs to supply at least %org-name%,
%org-long-name% and %web-site% anyway, this will strongly encourage
them to define these, since the include file will be missing if they
don't.

--
Mark Sapiro mark at msapiro net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From MailScanner at ecs.soton.ac.uk Sat Oct 3 18:13:02 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Oct 3 18:13:26 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net>
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <20091002192214.GA1268@msapiro> <4AC65F02.8070606@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net> <4AC7861E.4020808@ecs.soton.ac.uk>
Message-ID:

On 02/10/2009 22:14, donald.dawson@bakerbotts.com wrote:
> I just upgraded to the version 4.78. The install failed due to many
> Perl-related files being deleted by the install.sh script. I copied
> them back from another system and was able to continue. I am using a
> custom conf file in the conf.d directory. One issue though, the
> %org-name% variable did not replace the 'yoursite' value from
> MailScanner.conf.
>
> I had to edit the /etc/MailScanner/MailScanner.conf file to replace
> 'yoursite' with our site name:
>
> from /etc/MailScanner/conf.d/bakerbotts.ms.conf:
>
> # %org-name% = yoursite
> %org-name% = BakerBotts
> # %org-long-name% = Your Organisation Name Here
> %org-long-name% = Baker Botts LLP
> # %web-site% = www.your-organisation.com
> %web-site% = www.bakerbotts.com
> # Max Children = 5
> Max Children = 9
>
The reason for that is very simple. The %% macro values are evaluated
when the settings are processed from the .conf files. Because the
%org-name% is used in the MailScanner.conf file before my "include
conf.d/*" line, those settings will inherit the value from main
MailScanner.conf file. Only those settings made *after* your "%org-name%
= BakerBotts" line will be affected by the new value.

If you want to overwrite the %macros% then you need to include a file
just after their settings in MailScanner.conf, so they are set to your
local values before they are used.
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> One Shell Plaza
> 910 Louisiana
> Houston, TX 77002
> W: 713-229-2183
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field
> Sent: Friday, October 02, 2009 3:14 PM
> To: MailScanner discussion
> Subject: Re: MailScanner ANNOUNCE: New stable release 4.78.17
>
>
>
> On 02/10/2009 20:22, Mark Sapiro wrote:
>
>> On Thu, Oct 01, 2009 at 07:29:50PM +0100, Jules Field wrote:
>>
>>
>>> Evening all!
>>>
>>> I have just released a new stable release of MailScanner 4.78.
>>>
>>>
>> There seems to be an issue on the web page at
>> http://www.mailscanner.info/downloads.html with 'nested' comment tags in
>> and around the Beta releases section.
>>
>>
> Thanks for letting me know. Fixed.
>
> Jules
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sat Oct 3 18:16:37 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Oct 3 18:16:56 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To: <20091003152101.GA2924@msapiro>
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <4AC65F02.8070606@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net> <20091003152101.GA2924@msapiro> <4AC786F5.8080102@ecs.soton.ac.uk>
Message-ID:

On 03/10/2009 16:21, Mark Sapiro wrote:
> On Fri, Oct 02, 2009 at 04:14:14PM -0500, donald.dawson@bakerbotts.com wrote:
>
>
>> I am using a
>> custom conf file in the conf.d directory. One issue though, the
>> %org-name% variable did not replace the 'yoursite' value from
>> MailScanner.conf.
>>
>> I had to edit the /etc/MailScanner/MailScanner.conf file to replace
>> 'yoursite' with our site name:
>>
>
> Yes. In my case, I also change %report-dir%, so I have to change
> that too in MailScanner.conf.
>
> The alternative is that every use of a %xxx% variable would have to be
> held in abeyance until all included files are processed, and even then,
> there might be issues if the definition of one variable includes another
> variable.
>
> The current "use the current definition of the variable when it's
> encountered" strategy is much simpler and less prone to unintended
> consequences, even though it requires changes in MailScanner.conf.
>
> Here's a suggestion for Jules though. Immediately after defining the
> %xxx% variables in MailScanner.conf, put
>
> include /etc/MailScanner/conf.d/local_variables
>
> or some such. Then the rpm or whatever can install an empty
> /etc/MailScanner/conf.d/local_variables only if one doesn't already
> exist. This will give the site the ability to redefine the variables
> before they are used and allow complete configuration without touching
> MailScanner.conf.
>
> Perhaps even better, don't install /etc/MailScanner/conf.d/local_variables
> at all, since every site needs to supply at least %org-name%,
> %org-long-name% and %web-site% anyway, this will strongly encourage
> them to define these, since the include file will be missing if they
> don't.
>
I don't want to do that as it will cause new users a strange error
which they do not understand, leaving the software "broken by
default" just like 99% of other software on the market :-(

The "local_variables" one is a better idea, but it will cause a
warning to be generated as the file will be read by both default
"include" lines. And I don't want that either.

If you can come up with a better idea for a solution, I'm all ears :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From mike at mlrw.com Sat Oct 3 19:02:24 2009
From: mike at mlrw.com (Mike Wallace)
Date: Sat Oct 3 19:02:34 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk> <4AC65F02.8070606@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DDC@BBEXVS04.bakerbotts.net> <20091003152101.GA2924@msapiro> <4AC786F5.8080102@ecs.soton.ac.uk>
Message-ID:

Jules,

How about if someone wants to break out the site variables they are
placed in a file called "site.var" or "site.variables" in
/etc/MailScanner? You could then supply an empty file by default, that
way your variable include directive in MailScanner.conf wouldn't fail.

Otherwise, the only other thing I could think of would be to change the
include in MailScanner.conf to "include /etc/MailScanner/conf.d/*.conf",
change "README" to "README.conf" and have a blank "site.var" or
"site.variables" file located in "/etc/MailScanner/conf.d" and called by
an include in MailScanner.conf.

Anyone else have any other ideas?

Mike

On Oct 3, 2009, at 1:16 PM, Jules Field wrote:

>
>
> On 03/10/2009 16:21, Mark Sapiro wrote:
>> On Fri, Oct 02, 2009 at 04:14:14PM -0500, donald.dawson@bakerbotts.com wrote:
>>
>>> I am using a
>>> custom conf file in the conf.d directory. One issue though, the
>>> %org-name% variable did not replace the 'yoursite' value from
>>> MailScanner.conf.
>>>
>>> I had to edit the /etc/MailScanner/MailScanner.conf file to replace
>>> 'yoursite' with our site name:
>>>
>>
>> Yes. In my case, I also change %report-dir%, so I have to change
>> that too in MailScanner.conf.
>>
>> The alternative is that every use of a %xxx% variable would have to be
>> held in abeyance until all included files are processed, and even then,
>> there might be issues if the definition of one variable includes another
>> variable.
>>
>> The current "use the current definition of the variable when it's
>> encountered" strategy is much simpler and less prone to unintended
>> consequences, even though it requires changes in MailScanner.conf.
>>
>> Here's a suggestion for Jules though. Immediately after defining the
>> %xxx% variables in MailScanner.conf, put
>>
>> include /etc/MailScanner/conf.d/local_variables
>>
>> or some such. Then the rpm or whatever can install an empty
>> /etc/MailScanner/conf.d/local_variables only if one doesn't already
>> exist. This will give the site the ability to redefine the variables
>> before they are used and allow complete configuration without touching
>> MailScanner.conf.
>>
>> Perhaps even better, don't install /etc/MailScanner/conf.d/local_variables
>> at all, since every site needs to supply at least %org-name%,
>> %org-long-name% and %web-site% anyway, this will strongly encourage
>> them to define these, since the include file will be missing if they
>> don't.
>>
> I don't want to do that as it will cause new users a strange error
> which they do not understand, leaving the software "broken by
> default" just like 99% of other software on the market :-(
>
> The "local_variables" one is a better idea, but it will cause a
> warning to be generated as the file will be read by both default
> "include" lines. And I don't want that either.
>
> If you can come up with a better idea for a solution, I'm all ears :-)
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>

From admin at lorodoes.com Sun Oct 4 01:52:45 2009
From: admin at lorodoes.com (Garrod M. Alwood)
Date: Sun Oct 4 01:53:20 2009
Subject: MailScanner ANNOUNCE: New stable release 4.78.17
In-Reply-To:
References: <4AC4F51E.4040100@ecs.soton.ac.uk>
Message-ID: <4AC7F1DD.6050408@lorodoes.com>

Hey Everyone,

Just as an FYI, I was able to alien the main mailscanner .rpm into a
.deb and it works great. Updates everything perfectly (just make sure
you backup your configuration). I'm sure it will install perfectly as
well. I have been testing the package now for 4 days and everything is
perfect no complaints and the new feature has been working as well.

Garrod M. Alwood
Linux Consultant

Jules Field wrote:
> Evening all!
>
> I have just released a new stable release of MailScanner 4.78.
>
> There are many new features this time around, including
> - "host:" and "host-nocheck:" specifiers in rulesets to allow you to
> specify hostnames the mail came from, as well as IP addresses and
> sender e-mail addresses.
> - virus scanning is now done before spam scanning.
> - new support for "spam-viruses" which are spam messages detected by
> your virus scanner (such as with the extra ClamAV signature databases,
> or F-Prot). This is managed by the new MailScanner.conf settings
> "Spam-Virus Header" and "Virus Names Which Are Spam".
> See the ChangeLog for more information.
> - several installer improvements, in particular for Fedora Core 11 and
> better RPM management.
> - "include" directive in MailScanner.conf files, so you can avoid
> modifying the shipped MailScanner.conf file at all, making upgrades
> easier. This also makes large installations easier as you can just
> specify your local modifications in a set of files stored in
> /etc/MailScanner/conf.d. "Include" directives can be nested to
> arbitrary depths, so included files can include other files to any
> complexity you require.
> - Many fixes.
>
> For more information on any of the above, see the Change Log and the
> MailScanner.conf file as they describe them in more depth.
>
> Download as usual from www.mailscanner.info.
>
>
> The full Change Log is here:
>
> * New Features and Improvements *
> 1 Improved handling of Postfix messages with complex structures caused by
>     some milters.
> 2 In addition to the previous 'host:hostname.domain.com' method of providing
>     a hostname in rulesets, you can now also specify
>         host-nocheck:hostname.domain.com
>     which is the same thing but no anti-spoof checks are made. This is only
>     useful if you have a 'PTR' record for providing the IP address of the
>     hostname but no forward 'A' record for translating the IP address into
>     a hostname.
>     This is frequently the situation when using dynamic IP addresses.
> 3 Swapped over virus-scanning and spam-scanning code completely, so all
>     virus-scanning code is done before spam-scanning code. It won't virus-
>     scan "Silent Viruses" which is pretty much all of them now, so it should
>     work okay. This allows me to introduce...
> 3 New feature to allow detection of "spam-viruses" which are items of spam
>     that are reported by your virus scanner.
>     You can set 2 new configuration options:
>         Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
>         Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/*
>     The names of the "spam-viruses" found are those viruses reported by your
>     virus scanners which match any of the strings given in "Virus Names Which
>     Are Spam". These "spam-virus" names are added to the header set by
>     "Spam-Virus Header". You can then write a SpamAssassin rule in
>     spam.assassin.prefs.conf which gives a score for the presence or contents
>     of this header. I supply an example rule which adds a score of 3 if the
>     header exists. Feel free to re-write and extend that rule! It will not work
>     unless you customise it. You could even write a "SpamAssassin Rule Action"
>     to handle this rule specially!
> 6 Improved installer for Fedora Core 11.
> 7 Improved RPM installer so when it needs to, it only removes RPMs I
>     installed.
> 7-2 Added an "export HOSTNAME" to the init.d script. Should resolve some
>     issues where using "$HOSTNAME" or "${HOSTNAME}" in MailScanner.conf did
>     not work.
> 8 Added support for "include path-to-conf-files" lines in MailScanner.conf.
>     You can now put your site-specific customisations in separate files, to
>     make upgrading of many servers a lot easier. You can nest "include" files,
>     which means that an "include"d file can "include" other files.
>     The "path-to-conf-files" can use the normal shell wildcard characters such
>     as "*" so a valid line might be
>         include /etc/MailScanner/config/*.conf
>     to read all the *.conf files in that directory in turn.
>     The *last* value read for each MailScanner.conf setting will be used.
> 8 Added support for "include" lines in upgrade_MailScanner_conf. If you treat
>     them as comments, the whole problem quietly disappears!
> 10 Added /etc/MailScanner/conf.d directory to RPM and added a default include
>     line in shipped MailScanner.conf. Put a README in the conf.d directory.
> 11 Improved notes in conf.d/README file.
> 13 Added "Quick.Peek" script to distribution to read configuration settings
>     from shell scripts, which correctly handles included files.
>
> * Fixes *
> 2 Minor fix to phishing net for servers on port numbers that start with "80"
>     but are not 80.
> 2 Fixed issue of spam report not appearing in rare cases.
> 4 Fixed problem of silent viruses not being quarantined when requested.
> 5 Fixed issue where spam-viruses would be quarantined and found as silent.
> 5-3 Renamed subroutine.
> 6 Fixed installer for Perl-IO, Perl-DBI, Perl-DBD-SQLite, Perl-Filesys-Df,
>     Perl-Net-DNS for Fedora 11.
> 7 Fixed installer for Perl-Digest-SHA1 for Fedora 11.
> 9 Fixed problem where "Scan Messages = no" was ignored.
> 9 Fixed problem where multiply-infected files in the same archive may not
>     always be removed correctly.
> 10 Fixed issues with "include" files where they wouldn't be used for a few
>     variables, and "%variable%" definitions in include files were ignored.
> 11 Fixed problem where settings found in included conf files would be
>     ignored sometimes when starting up.
> 14 Rulesets used within Custom Functions should work again now.
> 15 Fixed crash when "Expand TNEF = replace".
> 16 Improved processing_messages_alert so it behaves better in the face of
>     a ruleset defining "Notices To =".
> 16 Fixed problem in Exim where duplicate headers could appear due to
>     DeleteHeader not finding them correctly.
> 16 Improved handling of Unicode and foreign character sets used in attachment
>     filenames.
>
> Jules
>

From ljosnet at gmail.com Mon Oct 5 08:25:51 2009
From: ljosnet at gmail.com (Ljósnet)
Date: Mon Oct 5 08:26:01 2009
Subject: Need help from Exim users
In-Reply-To: <4AC70318.8040204@haigmail.com>
References: <20091002144101.GA13108@doctor.nl2k.ab.ca> <7EBB54DF883C4EBAA298FA432161C62C@SUPPORT01V> <4AC70318.8040204@haigmail.com>
Message-ID: <910ee2ac0910050025u62eda776ob487d238c90c7f6c@mail.gmail.com>

I'd appreciate the PDF's as well. :)

Thanks.

On Sat, Oct 3, 2009 at 7:54 AM, Lance Haig wrote:
> Hi Nigel,
>
> I would appreciate a copy of the PDFs
>
> Thanks
>
> Lance
>
> Nigel Kendrick wrote:
>> I have PDFS of the excellent howto written some time ago by Johnny Hughes
>> (of CentOS fame) that describes setting up MailScanner with Postfix,
>> Spamassassin, clamav and squirrelmail. For some reason, the original Web
>> pages have disappeared and copies are hard to find (unless anyone knows
>> different).
>>
>> Let me know if you want copies. I have used them as a checklist to setup
>> many mail servers built around CentOS and MailScanner.
>>
>> Nigel Kendrick
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of The Doctor
>> Sent: Friday, October 02, 2009 3:41 PM
>> To: mailscanner@lists.mailscanner.info
>> Subject: Need help from Exim users
>>
>> Well Postfix is not doing the anti-spam I was
>> hoping it would do and the 'jailing' is not working.
>>
>> I elect to go to Exim.
>>
>> What do I need to get RBLS, virtual E-mail and stuff working
>> before adding MailScanner?
>>
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> > From drew.marshall at trunknetworks.com Mon Oct 5 13:14:47 2009 From: drew.marshall at trunknetworks.com (Drew Marshall) Date: Mon Oct 5 13:15:21 2009 Subject: New stable release 4.78.17 - FreeBSD Port In-Reply-To: References: <4AC4F51E.4040100@ecs.soton.ac.uk> Message-ID: On 1 Oct 2009, at 19:29, Jules Field wrote: > Evening all! > > I have just released a new stable release of MailScanner 4.78. > > There are many new features this time around, including > - "host:" and "host-nocheck:" specifiers in rulesets to allow you to > specify hostnames the mail came from, as well as IP addresses and > sender e-mail addresses. > - virus scanning is now done before spam scanning. > - new support for "spam-viruses" which are spam messages detected by > your virus scanner (such as with the extra ClamAV signature > databases, or F-Prot). This is managed by the new MailScanner.conf > settings "Spam-Virus Header" and "Virus Names Which Are Spam". See > the ChangeLog for more information. > - several installer improvements, in particular for Fedora Core 11 > and better RPM management. > - "include" directive in MailScanner.conf files, so you can avoid > modifying the shipped MailScanner.conf file at all, making upgrades > easier. This also makes large installations easier as you can just > specify your local modifications in a set of files stored in /etc/ > MailScanner/conf.d. "Include" directives can be nested to arbitrary > depths, so included files can include other files to any complexity > you require. > - Many fixes. > > For more information on any of the above, see the Change Log and the > MailScanner.conf file as they describe them in more depth. > > Download as usual from www.mailscanner.info. All Please find attached my revised port for FreeBSD (If it doesn't make it through mailman, you can download it from www.trunknetworks.com/downloads ) I have this running on my mail gateways without problem, so there shouldn't be any issues. This won't make it (Yet!) 
into the ports tree officially as I have been delayed in contacting Jan-Peter to work out how to do this but I am back on it now, so I hope there may be some progress shortly (Remember that shortly in my terms is the life span of many Spam emails!). In the meantime decompress this in the place of /usr/ports/mail/mailscanner and upgrade/install as normal. -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscanner.tgz Type: application/octet-stream Size: 14032 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091005/ea9e962d/mailscanner.obj -------------- next part -------------- Have fun Drew -- In line with our policy, this message has been scanned for viruses and dangerous content. Our email policy can be found at www.trunknetworks.com/policy Trunk Networks Limited is registered in Scotland with registration number: SC351063 Registered Office 55-57 West High Street Inverurie AB51 3QQ From kkobb at skylinecorp.com Mon Oct 5 14:29:32 2009 From: kkobb at skylinecorp.com (Kevin Kobb) Date: Mon Oct 5 14:30:24 2009 Subject: FreeBSD port - Was Re: New stable release 4.78.17 - FreeBSD Port Message-ID: <4AC9F4BC.4050203@skylinecorp.com> Jan-Peter is no longer listed as the maintainer of this port. There is already a PR submitted to update the port to 4.78.17: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/139313 Hopefully this will be committed soon, but you can always download the submitted patch and apply it. I am trying it now, and so far it seems OK. From dave.list at pixelhammer.com Mon Oct 5 21:18:02 2009 From: dave.list at pixelhammer.com (DAve) Date: Mon Oct 5 21:18:36 2009 Subject: My salesmen are driving me to drink Message-ID: <4ACA547A.4000700@pixelhammer.com> So I get a quote today that says we *already* sold "Email Redundancy" to a client.
The PHBs, uh salesmen, want me to configure our MailScanner boxes to send one copy of a message to the client's exchange server and another to our pop toasters. I already set up MailArchiva and have no idea why they did not quote that as a solution. I explained that they would need a separate delivery domain to copy the message to and I would have to keep a rules file with every user in it to accomplish this. They do not understand. Other than using MailArchiva and copying per domain, is there anything other than usera@domain.com copy usera@extra-domain.com That I can do with MailScanner to accomplish this? Thanks (reaching for a bottle) DAve -- "Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Quincy Adams http://appleseedinfo.org From david at gnsa.us Mon Oct 5 21:28:14 2009 From: david at gnsa.us (David Nalley) Date: Mon Oct 5 21:34:40 2009 Subject: My salesmen are driving me to drink In-Reply-To: <4ACA547A.4000700@pixelhammer.com> References: <4ACA547A.4000700@pixelhammer.com> Message-ID: On Mon, Oct 5, 2009 at 4:18 PM, DAve wrote: > So I get a quote today that says we *already* sold "Email Redundancy" to a > client. > > The PHBs, uh salesmen, want me to configure our MailScanner boxes to send > one copy of a message to the client's exchange server and another to our pop > toasters. > > I already set up MailArchiva and have no idea why they did not quote that as > a solution. I explained that they would need a separate delivery domain to > copy the message to and I would have to keep a rules file with every user in > it to accomplish this. They do not understand. > > Other than using MailArchiva and copying per domain, is there anything other > than > > usera@domain.com copy usera@extra-domain.com > > That I can do with MailScanner to accomplish this?
> > Thanks (reaching for a bottle) > > DAve > -- > "Posterity, you will know how much it cost the present generation to > preserve your freedom. I hope you will make good use of it. If you > do not, I shall repent in heaven that ever I took half the pains to > preserve it." John Quincy Adams > > http://appleseedinfo.org > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > There is a sendmail milter that does this iirc (but I am a postfix user, so I don't recall specifics) From dave.list at pixelhammer.com Mon Oct 5 21:37:58 2009 From: dave.list at pixelhammer.com (DAve) Date: Mon Oct 5 21:38:30 2009 Subject: My salesmen are driving me to drink In-Reply-To: References: <4ACA547A.4000700@pixelhammer.com> Message-ID: <4ACA5926.5010604@pixelhammer.com> David Nalley wrote: > On Mon, Oct 5, 2009 at 4:18 PM, DAve wrote: >> So I get a quote today that says we *already* sold "Email Redundancy" to a >> client. >> >> The PHBs, uh salesmen, want me to configure our MailScanner boxes to send >> one copy of a message to the client's exchange server and another to our pop >> toasters. >> >> I already set up MailArchiva and have no idea why they did not quote that as >> a solution. I explained that they would need a separate delivery domain to >> copy the message to and I would have to keep a rules file with every user in >> it to accomplish this. They do not understand. >> >> Other than using MailArchiva and copying per domain, is there anything other >> than >> >> usera@domain.com copy usera@extra-domain.com >> >> That I can do with MailScanner to accomplish this? >> >> Thanks (reaching for a bottle) >> >> DAve >> -- >> "Posterity, you will know how much it cost the present generation to >> preserve your freedom. I hope you will make good use of it.
If you >> do not, I shall repent in heaven that ever I took half the pains to >> preserve it." John Quincy Adams >> >> http://appleseedinfo.org >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > There is a sendmail milter that does this iirc (but I am a postfix > user, so I don't recall specifics) can't do the milter, I need to run the messages through MailScanner first. DAve -- "Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Quincy Adams http://appleseedinfo.org From glenn.steen at gmail.com Tue Oct 6 00:16:37 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 6 00:16:52 2009 Subject: My salesmen are driving me to drink In-Reply-To: <4ACA5926.5010604@pixelhammer.com> References: <4ACA547A.4000700@pixelhammer.com> <4ACA5926.5010604@pixelhammer.com> Message-ID: <223f97700910051616k32079832u302605bb449fd235@mail.gmail.com> 2009/10/5 DAve : > David Nalley wrote: >> >> On Mon, Oct 5, 2009 at 4:18 PM, DAve wrote: >>> >>> So I get a quote today that says we *already* sold "Email Redundancy" to >>> a >>> client. >>> >>> The PHBs, uh salesmen, want me to configure our MailScanner boxes to >>> send >>> one copy of a message to the client's exchange server and another to our >>> pop >>> toasters. >>> >>> I already set up MailArchiva and have no idea why they did not quote that >>> as >>> a solution. I explained that they would need a separate delivery domain >>> to >>> copy the message to and I would have to keep a rules file with every user >>> in >>> it to accomplish this. They do not understand.
>>> >>> Other than using MailArchiva and copying per domain, is there anything >>> other >>> than >>> >>> usera@domain.com copy usera@extra-domain.com >>> >>> That I can do with MailScanner to accomplish this? >>> >>> Thanks (reaching for a bottle) >>> >>> DAve (snip) >> >> There is a sendmail milter that does this iirc (but I am a postfix >> user, so I don't recall specifics) > > can't do the milter, I need to run the messages through MailScanner first. > > DAve > Route them through a second line (depending on volume (for that client/those clients)) that basically just does the milter thing?! Should be some transport magic (whatever the sendmail equivalent is called:-):-). Should be workable, since you'd do that on a per domain basis, likely. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Oct 6 00:32:21 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 6 00:32:31 2009 Subject: problem with some mail In-Reply-To: <4AC0B897.2050407@argroup.it> References: <4AC0B897.2050407@argroup.it> Message-ID: <223f97700910051632r4f8541abvf11f88a8c7282e53@mail.gmail.com> 2009/9/28 lorenzo santi : > hi, > > i have a system with postfix + mailscanner > Versions? OS? Method of install? Without relevant details, we can't really help you. > i found that some mail in the log ends with: > > mail postfix/qmgr[31256]: 4F4591D6431: from=, > size=227819, nrcpt=1 (queue active) > > > this mail is NOT delivered and seems disappeared. i can't "locate" the > message in no queue or other directory. and in mailwatch looks like are > normal delivered mail. > "locate" as in the command locate? That wouldn't know anything about what files are really on your filesystem until an updatedb run has been completed... usually run from cron once/day or once/week... Not the best tool;-). Where would it be delivered normally? Have you made sure it isn't dropped there? or just ... "misplaced"...?
> any suggestion? > thanks > Lorenzo > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Oct 6 01:10:07 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Oct 6 01:10:17 2009 Subject: Need help from Exim users In-Reply-To: <20091002144101.GA13108@doctor.nl2k.ab.ca> References: <20091002144101.GA13108@doctor.nl2k.ab.ca> Message-ID: <223f97700910051710y45988f82q432dc0a04a8ac873@mail.gmail.com> 2009/10/2 The Doctor : > Well Postfix is not doing the anti-spam I was > hoping it would do and the 'jailing' is not working. > ? Postfix could do hoops, but only if configured correctly... same goes for _any_ MTA. So what would you gain by a switch? MTAs are complex beasts, even without UCE measures, and adding MailScanner (wonderful as it is) does add more complexity. Bottom line is that you'll need read a lot to get the best from any MTA you choose to use. Did you? Will you? A plain vanilla PF install, with a plain vanilla MailScanner install, will likely not get the best out of the system. Neither will a plain vanilla Exim install. Then again, if you find Exim simpler to grasp, why... more power to you;-). > I elect to go to Exim. > > What do I need to get get RBLS, virtual E-mail and stuff working > before adding MailScanner? > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From lists at elasticmind.net Tue Oct 6 01:56:52 2009 From: lists at elasticmind.net (Mog) Date: Tue Oct 6 01:57:17 2009 Subject: Need help from Exim users In-Reply-To: <223f97700910051710y45988f82q432dc0a04a8ac873@mail.gmail.com> References: <20091002144101.GA13108@doctor.nl2k.ab.ca> <223f97700910051710y45988f82q432dc0a04a8ac873@mail.gmail.com> Message-ID: <4ACA95D4.40606@elasticmind.net> Personally I think all MTAs are so similar in that they all try to do the same job, but they just achieve it in different ways. 
This means that if one MTA can do something, there's a very good chance the other will be able to as well. It's just a question of reading and finding out how really. Like Glenn said, MTAs are not trivial, and do take some time to figure out and get working how you want. Postfix is a very good MTA, and IMHO switching from it to something else on a whim is likely not the most effective solution. If it were me, I'd stick with postfix because it's pretty cool, and just research more or ask some kind people for some help in setting it up to suit your needs. Kind regards, mog Glenn Steen wrote: > 2009/10/2 The Doctor : > >> Well Postfix is not doing the anti-spam I was >> hoping it would do and the 'jailing' is not working. >> >> > ? > Postfix could do hoops, but only if configured correctly... same goes > for _any_ MTA. So what would you gain by a switch? MTAs are complex > beasts, even without UCE measures, and adding MailScanner (wonderful > as it is) does add more complexity. Bottom line is that you'll need > read a lot to get the best from any MTA you choose to use. Did you? > Will you? > A plain vanilla PF install, with a plain vanilla MailScanner install, > will likely not get the best out of the system. Neither will a plain > vanilla Exim install. > > Then again, if you find Exim simpler to grasp, why... more power to you;-). > > >> I elect to go to Exim. >> >> What do I need to get get RBLS, virtual E-mail and stuff working >> before adding MailScanner? 
>> >> > > Cheers > From donald.dawson at bakerbotts.com Tue Oct 6 20:19:07 2009 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Tue Oct 6 20:19:24 2009 Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net> References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net> Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E27@BBEXVS04.bakerbotts.net> How is clamscan called by the new 4.78 version? It does not appear to be using the /usr/lib/MailScanner/clamav-wrapper script. I am not yet using clamd. Donald Dawson Security Administrator Baker Botts L.L.P. One Shell Plaza 910 Louisiana Houston, TX 77002 W: 713-229-2183 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of donald.dawson@bakerbotts.com Sent: Friday, October 02, 2009 11:44 AM To: mailscanner@lists.mailscanner.info Subject: RE: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Friday, October 02, 2009 2:35 AM To: MailScanner discussion Subject: Re: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain As you are clearly trying to use a new feature ("Spam-Virus"es) that I just introduced, I think you will find all your problems are solved using the new "Spam-Virus" feature in 4.78. On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote: > > We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17 > version). We installed clam via the MS tar ball. Clam is our only AV > and is called by MS via /usr/lib/MailScanner/clamav-wrapper. 
> > We have been getting FPs on some newsletters due to Phishing > Heuristics in clam. We also found that MS does not appear to use a > clamd.conf or freshclam.conf file. To get around the FP Phishing > Heuristics problem, we modified the clamav-wrapper to turn off > heuristic url scans (line 152 added in clamav-wrapper script): > > ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no" > > I would rather not edit the delivered MS script. Is there a clam > config file used by MS? > > Where would I put the '--phishing-scan-urls=no' option? > > Lastly, is it preferable to install clamav, clamav-db and clamd RPMs > versus letting MS load clamscan for every email? > > ...from the tarball clam/SA install.sh script: > > echo 'There are 2 recommended ways of installing ClamAV, depending on' > echo 'various factors.' > echo 'If you want to use MailScanners support for Clamd (virus-scanning' > echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)' > echo 'and install the RPMs for clamav, clamav-db and clamd from' > echo ' _http://packages.sw.be/clamav/_' > echo 'Then re-run this script and tell me that clamscan is installed in' > echo '/usr/bin. This will set up your virus.scanners.conf file for you.' > echo > echo 'Otherwise you probably want me to install ClamAV now. So answer y.' > > Jules - thank you for a great product! > > Donald Dawson > Security Administrator > Baker Botts L.L.P. > One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > Jules -------------- Jules, would you also recommend installing the clamd rpm versus letting MS run clamscan? Thanks, Donald -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From MailScanner at ecs.soton.ac.uk Tue Oct 6 21:05:26 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Tue Oct 6 21:05:44 2009 Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363E27@BBEXVS04.bakerbotts.net> References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net> <8FB531F78038DC4497B80CBAE8E927E202363E27@BBEXVS04.bakerbotts.net> <4ACBA306.3070801@ecs.soton.ac.uk> Message-ID: Just the same way it always has, I haven't changed that at all. If your Virus Scanners = clamav then it will use the clamav-wrapper script. If your Virus Scanners = clamavmodule then it will use the library. If your Virus Scanners = clamd then it will talk straight to clamd. Run "MailScanner --lint" to see what "Virus Scanners = auto" might do. On 06/10/2009 20:19, donald.dawson@bakerbotts.com wrote: > How is clamscan called by the new 4.78 version? It does not appear to > be using the /usr/lib/MailScanner/clamav-wrapper script. I am not yet > using clamd. > > > Donald Dawson > Security Administrator > Baker Botts L.L.P. 
> One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > donald.dawson@bakerbotts.com > Sent: Friday, October 02, 2009 11:44 AM > To: mailscanner@lists.mailscanner.info > Subject: RE: ClamAVModule::INFECTED:: > Phishing.Heuristics.Email.SpoofedDomain > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules > Field > Sent: Friday, October 02, 2009 2:35 AM > To: MailScanner discussion > Subject: Re: ClamAVModule::INFECTED:: > Phishing.Heuristics.Email.SpoofedDomain > > As you are clearly trying to use a new feature ("Spam-Virus"es) that I > just introduced, I think you will find all your problems are solved > using the new "Spam-Virus" feature in 4.78. > > On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote: > >> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17 >> version). We installed clam via the MS tar ball. Clam is our only AV >> > >> and is called by MS via /usr/lib/MailScanner/clamav-wrapper. >> >> We have been getting FPs on some newsletters due to Phishing >> Heuristics in clam. We also found that MS does not appear to use a >> clamd.conf or freshclam.conf file. To get around the FP Phishing >> Heuristics problem, we modified the clamav-wrapper to turn off >> heuristic url scans (line 152 added in clamav-wrapper script): >> >> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no" >> >> I would rather not edit the delivered MS script. Is there a clam >> config file used by MS? >> >> Where would I put the '--phishing-scan-urls=no' option? >> >> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs >> versus letting MS load clamscan for every email? 
>> >> ...from the tarball clam/SA install.sh script: >> >> echo 'There are 2 recommended ways of installing ClamAV, depending on' >> echo 'various factors.' >> echo 'If you want to use MailScanners support for Clamd >> > (virus-scanning' > >> echo 'daemon) then I recommend you cancel this script now (press >> > Ctrl-C)' > >> echo 'and install the RPMs for clamav, clamav-db and clamd from' >> echo ' _http://packages.sw.be/clamav/_' >> echo 'Then re-run this script and tell me that clamscan is installed >> > in' > >> echo '/usr/bin. This will set up your virus.scanners.conf file for >> > you.' > >> echo >> echo 'Otherwise you probably want me to install ClamAV now. So answer >> > y.' > >> Jules - thank you for a great product! >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. >> One Shell Plaza >> 910 Louisiana >> Houston, TX 77002 >> W: 713-229-2183 >> >> > Jules > > -------------- > > Jules, would you also recommend installing the clamd rpm versus letting > MS run clamscan? > > Thanks, > Donald > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From donald.dawson at bakerbotts.com Tue Oct 6 21:20:14 2009 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Tue Oct 6 21:20:26 2009 Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net><8FB531F78038DC4497B80CBAE8E927E202363E27@BBEXVS04.bakerbotts.net><4ACBA306.3070801@ecs.soton.ac.uk> Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E2A@BBEXVS04.bakerbotts.net> lint shows: MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: clamavmodule from MailScanner.conf: Virus Scanners = auto from virus.scanners.conf: clamav /usr/lib/MailScanner/clamav-wrapper /usr/local clamd /bin/false /usr/local clamavmodule /bin/false /tmp should I explicitly say 'clamav' instead of 'auto'? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Tuesday, October 06, 2009 3:05 PM To: MailScanner discussion Subject: Re: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain Just the same way it always has, I haven't changed that at all. If your Virus Scanners = clamav then it will use the clamav-wrapper script. If your Virus Scanners = clamavmodule then it will use the library. If your Virus Scanners = clamd then it will talk straight to clamd. Run "MailScanner --lint" to see what "Virus Scanners = auto" might do. On 06/10/2009 20:19, donald.dawson@bakerbotts.com wrote: > How is clamscan called by the new 4.78 version? It does not appear to > be using the /usr/lib/MailScanner/clamav-wrapper script. I am not yet > using clamd. > > > Donald Dawson > Security Administrator > Baker Botts L.L.P. 
> One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > donald.dawson@bakerbotts.com > Sent: Friday, October 02, 2009 11:44 AM > To: mailscanner@lists.mailscanner.info > Subject: RE: ClamAVModule::INFECTED:: > Phishing.Heuristics.Email.SpoofedDomain > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules > Field > Sent: Friday, October 02, 2009 2:35 AM > To: MailScanner discussion > Subject: Re: ClamAVModule::INFECTED:: > Phishing.Heuristics.Email.SpoofedDomain > > As you are clearly trying to use a new feature ("Spam-Virus"es) that I > just introduced, I think you will find all your problems are solved > using the new "Spam-Virus" feature in 4.78. > > On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote: > >> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17 >> version). We installed clam via the MS tar ball. Clam is our only AV >> > >> and is called by MS via /usr/lib/MailScanner/clamav-wrapper. >> >> We have been getting FPs on some newsletters due to Phishing >> Heuristics in clam. We also found that MS does not appear to use a >> clamd.conf or freshclam.conf file. To get around the FP Phishing >> Heuristics problem, we modified the clamav-wrapper to turn off >> heuristic url scans (line 152 added in clamav-wrapper script): >> >> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no" >> >> I would rather not edit the delivered MS script. Is there a clam >> config file used by MS? >> >> Where would I put the '--phishing-scan-urls=no' option? >> >> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs >> versus letting MS load clamscan for every email? 
>> >> ...from the tarball clam/SA install.sh script: >> >> echo 'There are 2 recommended ways of installing ClamAV, depending on' >> echo 'various factors.' >> echo 'If you want to use MailScanners support for Clamd >> > (virus-scanning' > >> echo 'daemon) then I recommend you cancel this script now (press >> > Ctrl-C)' > >> echo 'and install the RPMs for clamav, clamav-db and clamd from' >> echo ' _http://packages.sw.be/clamav/_' >> echo 'Then re-run this script and tell me that clamscan is installed >> > in' > >> echo '/usr/bin. This will set up your virus.scanners.conf file for >> > you.' > >> echo >> echo 'Otherwise you probably want me to install ClamAV now. So answer >> > y.' > >> Jules - thank you for a great product! >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. >> One Shell Plaza >> 910 Louisiana >> Houston, TX 77002 >> W: 713-229-2183 >> >> > Jules > > -------------- > > Jules, would you also recommend installing the clamd rpm versus letting > MS run clamscan? > > Thanks, > Donald > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
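Added example (not part of the thread and not MailScanner code): a shell check for the situation in the message above, where "Virus Scanners = auto" resolved to clamavmodule rather than the clamav-wrapper script that carried the local option. It reads "MailScanner --lint" output on stdin; the function names are hypothetical, the two sample lint lines are the ones posted above, and it assumes lint prints the same 'says "Virus Scanners = ..."' line when the setting is explicit.

```shell
#!/bin/sh
# Added example, not MailScanner code. Function names are hypothetical.
# Live use (assumption: lint output goes to stdout/stderr as text):
#   MailScanner --lint 2>&1 | check_scanner clamav

# How each ClamAV scanner name is driven, as described earlier in this thread.
scan_method() {
    case "$1" in
        clamav)       echo "clamav-wrapper script" ;;
        clamavmodule) echo "library" ;;
        clamd)        echo "clamd daemon" ;;
        *)            echo "not covered in this thread" ;;
    esac
}

# The two relevant lint lines as posted in the thread.
sample_lint() {
    cat <<'EOF'
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamavmodule
EOF
}

# Print the scanner names actually in effect, one per line, from lint text
# on stdin. An explicit setting wins; "auto" falls back to what lint found.
effective_scanners() {
    lint=$(cat)
    configured=$(printf '%s\n' "$lint" |
        sed -n 's/^.*says "Virus Scanners = \([^"]*\)".*$/\1/p' | head -n 1)
    found=$(printf '%s\n' "$lint" |
        sed -n 's/^.*Found these virus scanners installed: *//p' | head -n 1)
    if [ -z "$configured" ]; then
        return 2    # the setting line is missing from the lint text
    fi
    if [ "$configured" = "auto" ]; then
        names=$found
    else
        names=$configured
    fi
    # "Virus Scanners" is a space-separated list; emit one name per line.
    for n in $names; do
        printf '%s\n' "$n"
    done
}

# check_scanner WANTED: lint text on stdin.
# Returns 0 if WANTED is in effect, 1 if something else is, 2 if unparseable.
check_scanner() {
    wanted=$1
    active=$(effective_scanners) || {
        echo "no 'Virus Scanners' line found in lint output" >&2
        return 2
    }
    for n in $active; do
        if [ "$n" = "$wanted" ]; then
            echo "ok: $wanted in use ($(scan_method "$wanted"))"
            return 0
        fi
    done
    for n in $active; do
        echo "in use: $n ($(scan_method "$n"))"
    done
    echo "not in use: $wanted ($(scan_method "$wanted"))"
    return 1
}

# Demo on the sample: reports clamavmodule in use and clamav not in use.
sample_lint | check_scanner clamav || echo "exit status: $?"
```

A non-zero exit for the expected scanner means options added to that scanner's path (here the wrapper script) are not taking effect.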
From MailScanner at ecs.soton.ac.uk Tue Oct 6 21:33:28 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Tue Oct 6 21:33:55 2009
Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363E2A@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net><8FB531F78038DC4497B80CBAE8E927E202363E27@BBEXVS04.bakerbotts.net><4ACBA306.3070801@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363E2A@BBEXVS04.bakerbotts.net> <4ACBA998.6040004@ecs.soton.ac.uk>
Message-ID:

On 06/10/2009 21:20, donald.dawson@bakerbotts.com wrote:
> lint shows:
>
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamavmodule
>
> from MailScanner.conf:
>
> Virus Scanners = auto
>
> from virus.scanners.conf:
>
> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> clamd /bin/false /usr/local
> clamavmodule /bin/false /tmp
>
> should I explicitly say 'clamav' instead of 'auto'?
>
Yes, if that is what you want. It would be worth your while switching over to clamd at some point. But it does take a few minutes to do, so allocate time to the change properly. (Oh my! That's my ITIL voice talking :-)

Jules.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field
> Sent: Tuesday, October 06, 2009 3:05 PM
> To: MailScanner discussion
> Subject: Re: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
>
> Just the same way it always has, I haven't changed that at all.
>
> If your Virus Scanners = clamav then it will use the clamav-wrapper script.
> If your Virus Scanners = clamavmodule then it will use the library.
> If your Virus Scanners = clamd then it will talk straight to clamd.
>
> Run "MailScanner --lint" to see what "Virus Scanners = auto" might do.
>
> On 06/10/2009 20:19, donald.dawson@bakerbotts.com wrote:
>> How is clamscan called by the new 4.78 version? It does not appear to
>> be using the /usr/lib/MailScanner/clamav-wrapper script. I am not yet
>> using clamd.
>>
>> Donald Dawson
>> Security Administrator
>> Baker Botts L.L.P.
>> One Shell Plaza
>> 910 Louisiana
>> Houston, TX 77002
>> W: 713-229-2183
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>> donald.dawson@bakerbotts.com
>> Sent: Friday, October 02, 2009 11:44 AM
>> To: mailscanner@lists.mailscanner.info
>> Subject: RE: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field
>> Sent: Friday, October 02, 2009 2:35 AM
>> To: MailScanner discussion
>> Subject: Re: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
>>
>> As you are clearly trying to use a new feature ("Spam-Virus"es) that I
>> just introduced, I think you will find all your problems are solved
>> using the new "Spam-Virus" feature in 4.78.
>>
>> On 01/10/2009 23:26, donald.dawson@bakerbotts.com wrote:
>>> We are running MS 4.75.11 (soon to upgrade to interesting new 4.78.17
>>> version). We installed clam via the MS tar ball. Clam is our only AV
>>> and is called by MS via /usr/lib/MailScanner/clamav-wrapper.
>>>
>>> We have been getting FPs on some newsletters due to Phishing
>>> Heuristics in clam. We also found that MS does not appear to use a
>>> clamd.conf or freshclam.conf file. To get around the FP Phishing
>>> Heuristics problem, we modified the clamav-wrapper to turn off
>>> heuristic url scans (line 152 added in clamav-wrapper script):
>>>
>>> ExtraScanOptions="$ExtraScanOptions --phishing-scan-urls=no"
>>>
>>> I would rather not edit the delivered MS script. Is there a clam
>>> config file used by MS?
>>>
>>> Where would I put the '--phishing-scan-urls=no' option?
>>>
>>> Lastly, is it preferable to install clamav, clamav-db and clamd RPMs
>>> versus letting MS load clamscan for every email?
>>>
>>> ...from the tarball clam/SA install.sh script:
>>>
>>> echo 'There are 2 recommended ways of installing ClamAV, depending on'
>>> echo 'various factors.'
>>> echo 'If you want to use MailScanners support for Clamd (virus-scanning'
>>> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
>>> echo 'and install the RPMs for clamav, clamav-db and clamd from'
>>> echo ' _http://packages.sw.be/clamav/_'
>>> echo 'Then re-run this script and tell me that clamscan is installed in'
>>> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
>>> echo
>>> echo 'Otherwise you probably want me to install ClamAV now. So answer y.'
>>>
>>> Jules - thank you for a great product!
>>>
>>> Donald Dawson
>>> Security Administrator
>>> Baker Botts L.L.P.
>>> One Shell Plaza
>>> 910 Louisiana
>>> Houston, TX 77002
>>> W: 713-229-2183
>>>
>> Jules
>>
>> --------------
>>
>> Jules, would you also recommend installing the clamd rpm versus letting
>> MS run clamscan?
>>
>> Thanks,
>> Donald
>>
> Jules
>
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From donald.dawson at bakerbotts.com Tue Oct 6 21:36:28 2009
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Tue Oct 6 21:36:59 2009
Subject: ClamAVModule::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E202363DBA@BBEXVS04.bakerbotts.net><4AC5AD32.6010609@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363DD3@BBEXVS04.bakerbotts.net><8FB531F78038DC4497B80CBAE8E927E202363E27@BBEXVS04.bakerbotts.net><4ACBA306.3070801@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363E2A@BBEXVS04.bakerbotts.net><4ACBA998.6040004@ecs.soton.ac.uk>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E2B@BBEXVS04.bakerbotts.net>

Thank you Jules - changing 'Virus Scanners = auto' to 'clamav' works. I'll plan to install clamd soon.

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
From donald.dawson at bakerbotts.com Tue Oct 6 23:02:49 2009
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Tue Oct 6 23:03:34 2009
Subject: MailScanner 4.78 install Perl module deletion issue
Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E3C@BBEXVS04.bakerbotts.net>

I upgraded MS from version 4.75.11 to 4.78.17-1 on 4 separate servers. Each time I ran the install (install.sh), I got errors - example: 'Can't locate Getopt/Long.pm'.

I had to restore the files in /usr/lib/perl5/5.8.8. When I re-ran the install.sh script, the install, it only removed perl-TimeDate, and continued on without error.

Just wanted to let you know, in case someone else has the same problem.

I made a backup of the perl files before the install:

cd /usr/lib/perl5/5.8.8
tar cvf files.tar *

Here's the top of the first install.log showing the problem of missing Perl modules:

-------------------------------------------------------------------------------------------------------------------------------------
...
If this fails due to dependency checks, and you wish to ignore
these problems, you can run
./install.sh nodeps

Setting Perl5 search path

I think your system will build architecture-dependent modules for i386

Deleting all the old versions of the Perl modules I built,
I will re-install them in a minute.

Removing perl-ExtUtils-MakeMaker
Removing perl-Math-BigInt
Removing perl-Math-BigRat
Removing perl-bignum
Removing perl-MIME-Base64
Removing perl-TimeDate
Removing perl-Test-Harness
Removing perl-IO
Removing perl-MailTools
Removing perl-MIME-tools
Removing perl-Getopt-Long
Removing perl-Filesys-Df
Removing perl-Net-CIDR
Removing perl-Sys-Hostname-Long
Removing perl-Sys-Syslog
Removing perl-Net-DNS
Removing perl-OLE-Storage_Lite
Perl modules I built have been removed...

Rebuilding all the Perl RPMs for your version of Perl

Oh good, module File-Spec version 0.82 is already installed.

Attempting to build and install perl-ExtUtils-MakeMaker-6.50-2
Installing perl-ExtUtils-MakeMaker-6.50-2.src.rpm
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.21090
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd /usr/src/redhat/BUILD
+ rm -rf ExtUtils-MakeMaker-6.50
+ /bin/gzip -dc /usr/src/redhat/SOURCES/ExtUtils-MakeMaker-6.50.tar.gz
+ tar -xf -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd ExtUtils-MakeMaker-6.50
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chown -Rhf root .
++ /usr/bin/id -u
+ '[' 0 = 0 ']'
+ /bin/chgrp -Rhf root .
+ /bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.21090
+ umask 022
+ cd /usr/src/redhat/BUILD
+ cd ExtUtils-MakeMaker-6.50
+ CFLAGS='-O2 -g -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'
+ perl Makefile.PL INSTALLDIRS=vendor
Checking if your kit is complete...
Looks good
Writing Makefile for ExtUtils::MakeMaker
+ mkdir -p blib/lib/ExtUtils
+ cp inc/ExtUtils/Command.pm inc/ExtUtils/Install.pm inc/ExtUtils/Installed.pm inc/ExtUtils/MANIFEST.SKIP inc/ExtUtils/Manifest.pm inc/ExtUtils/Packlist.pm blib/lib/ExtUtils/
+ make
Skip blib/lib/ExtUtils/Manifest.pm (unchanged)
cp lib/ExtUtils/MM_VOS.pm blib/lib/ExtUtils/MM_VOS.pm
cp lib/ExtUtils/Mksymlists.pm blib/lib/ExtUtils/Mksymlists.pm
cp lib/ExtUtils/MM.pm blib/lib/ExtUtils/MM.pm
cp lib/ExtUtils/MM_UWIN.pm blib/lib/ExtUtils/MM_UWIN.pm
cp lib/ExtUtils/testlib.pm blib/lib/ExtUtils/testlib.pm
cp lib/ExtUtils/MM_DOS.pm blib/lib/ExtUtils/MM_DOS.pm
cp lib/ExtUtils/MakeMaker/vmsish.pm blib/lib/ExtUtils/MakeMaker/vmsish.pm
cp lib/ExtUtils/MM_Cygwin.pm blib/lib/ExtUtils/MM_Cygwin.pm
cp lib/ExtUtils/MM_Win95.pm blib/lib/ExtUtils/MM_Win95.pm
cp lib/ExtUtils/Liblist.pm blib/lib/ExtUtils/Liblist.pm
cp lib/ExtUtils/MM_Darwin.pm blib/lib/ExtUtils/MM_Darwin.pm
cp lib/ExtUtils/MM_AIX.pm blib/lib/ExtUtils/MM_AIX.pm
cp lib/ExtUtils/Liblist/Kid.pm blib/lib/ExtUtils/Liblist/Kid.pm
cp lib/ExtUtils/Mkbootstrap.pm blib/lib/ExtUtils/Mkbootstrap.pm
cp lib/ExtUtils/MakeMaker/FAQ.pod blib/lib/ExtUtils/MakeMaker/FAQ.pod
Skip blib/lib/ExtUtils/MANIFEST.SKIP (unchanged)
cp lib/ExtUtils/MakeMaker/bytes.pm blib/lib/ExtUtils/MakeMaker/bytes.pm
cp lib/ExtUtils/MM_NW5.pm blib/lib/ExtUtils/MM_NW5.pm
cp lib/ExtUtils/MM_OS2.pm blib/lib/ExtUtils/MM_OS2.pm
cp lib/ExtUtils/MakeMaker.pm blib/lib/ExtUtils/MakeMaker.pm
cp lib/ExtUtils/MM_Unix.pm blib/lib/ExtUtils/MM_Unix.pm
Skip blib/lib/ExtUtils/Installed.pm (unchanged)
cp lib/ExtUtils/MM_Win32.pm blib/lib/ExtUtils/MM_Win32.pm
cp lib/ExtUtils/MY.pm blib/lib/ExtUtils/MY.pm
Skip blib/lib/ExtUtils/Packlist.pm (unchanged)
cp lib/ExtUtils/MM_MacOS.pm blib/lib/ExtUtils/MM_MacOS.pm
cp lib/ExtUtils/MM_VMS.pm blib/lib/ExtUtils/MM_VMS.pm
cp lib/ExtUtils/MM_BeOS.pm blib/lib/ExtUtils/MM_BeOS.pm
cp lib/ExtUtils/MakeMaker/Tutorial.pod blib/lib/ExtUtils/MakeMaker/Tutorial.pod
cp lib/ExtUtils/MM_QNX.pm blib/lib/ExtUtils/MM_QNX.pm
cp lib/ExtUtils/Command/MM.pm blib/lib/ExtUtils/Command/MM.pm
Skip blib/lib/ExtUtils/Install.pm (unchanged)
cp lib/ExtUtils/MakeMaker/Config.pm blib/lib/ExtUtils/MakeMaker/Config.pm
cp lib/ExtUtils/MM_Any.pm blib/lib/ExtUtils/MM_Any.pm
cp bin/instmodsh blib/script/instmodsh
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" "-MExtUtils::MY" -e "MY->fixin(shift)" blib/script/instmodsh
Can't locate Getopt/Long.pm in @INC (@INC contains: blib/arch blib/lib /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at blib/lib/ExtUtils/Command/MM.pm line 96.
make: *** [manifypods] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.21090 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.21090 (%build)
...
-------------------------------------------------------------------------------------------------------------------------------------

successful install:
-------------------------------------------------------------------------------------------------------------------------------------
...
Deleting all the old versions of the Perl modules I built,
I will re-install them in a minute.

Removing perl-TimeDate
Perl modules I built have been removed...

Rebuilding all the Perl RPMs for your version of Perl

Oh good, module File-Spec version 0.82 is already installed.
...

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183
From MailScanner at ecs.soton.ac.uk Tue Oct 6 23:49:00 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Tue Oct 6 23:49:23 2009
Subject: MailScanner 4.78 install Perl module deletion issue
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363E3C@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E202363E3C@BBEXVS04.bakerbotts.net> <4ACBC95C.4040005@ecs.soton.ac.uk>
Message-ID:

There is a "--inturn" option to the install.sh script that will stop it deleting all the old RPMs at the start, but wait until it is just about to install the new one before it deletes the old one, which may make the installation more robust.

Exactly what version of Linux were you installing it on? '--inturn' is the default for recent Fedoras, but that's about it.

You should be able to run "./install.sh --help" to get the usage.

Jules.

From donald.dawson at bakerbotts.com Wed Oct 7 15:08:53 2009
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Wed Oct 7 15:09:16 2009
Subject: MailScanner 4.78 install Perl module deletion issue
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E202363E3C@BBEXVS04.bakerbotts.net><4ACBC95C.4040005@ecs.soton.ac.uk>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E4E@BBEXVS04.bakerbotts.net>

Thanks for the option.
We are running Fedora Core 8 - kernel: 2.6.25.10-47.fc8 Donald Dawson Security Administrator Baker Botts L.L.P. One Shell Plaza 910 Louisiana Houston, TX 77002 W: 713-229-2183 -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Tuesday, October 06, 2009 5:49 PM To: MailScanner discussion Subject: Re: MailScanner 4.78 install Perl module deletion issue There is a "--inturn" option to the install.sh script that will stop it deleting all the old RPMs at the start, but wait until it is just about to install the new one before it deletes the old one, which may make the installation more robust. Exactly what version of Linux were you installing it on? '--inturn' is the default for recent Fedoras, but that's about it. You should be able to run "./install.sh --help" to get the usage. Jules. On 06/10/2009 23:02, donald.dawson@bakerbotts.com wrote: > > I upgraded MS from version 4.75.11 to 4.78.17-1 on 4 separate > servers. Each time I ran the install (install.sh), I got errors - > example: 'Can't locate Getopt/Long.pm'. > > I had to restore the files in /usr/lib/perl5/5.8.8. When I re-ran the > install.sh script, the install, it only removed perl-TimeDate, and > continued on without error. > > Just wanted to let you know, in case someone else has the same problem. > > I made a backup of the perl files before the install: > > cd /usr/lib/perl5/5.8.8 > tar cvf files.tar * > > Here's the top of the first install.log showing the problem of missing > Perl modules: > > ------------------------------------------------------------------------ ------------------------------------------------------------- > > ... 
> If this fails due to dependency checks, and you wish to ignore > these problems, you can run > ./install.sh nodeps > > Setting Perl5 search path > > I think your system will build architecture-dependent modules for i386 > > Deleting all the old versions of the Perl modules I built, > I will re-install them in a minute. > > Removing perl-ExtUtils-MakeMaker > Removing perl-Math-BigInt > Removing perl-Math-BigRat > Removing perl-bignum > Removing perl-MIME-Base64 > Removing perl-TimeDate > Removing perl-Test-Harness > Removing perl-IO > Removing perl-MailTools > Removing perl-MIME-tools > Removing perl-Getopt-Long > Removing perl-Filesys-Df > Removing perl-Net-CIDR > Removing perl-Sys-Hostname-Long > Removing perl-Sys-Syslog > Removing perl-Net-DNS > Removing perl-OLE-Storage_Lite > Perl modules I built have been removed... > > Rebuilding all the Perl RPMs for your version of Perl > > Oh good, module File-Spec version 0.82 is already installed. > > Attempting to build and install perl-ExtUtils-MakeMaker-6.50-2 > Installing perl-ExtUtils-MakeMaker-6.50-2.src.rpm > Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.21090 > + umask 022 > + cd /usr/src/redhat/BUILD > + cd /usr/src/redhat/BUILD > + rm -rf ExtUtils-MakeMaker-6.50 > + /bin/gzip -dc /usr/src/redhat/SOURCES/ExtUtils-MakeMaker-6.50.tar.gz > + tar -xf - > + STATUS=0 > + '[' 0 -ne 0 ']' > + cd ExtUtils-MakeMaker-6.50 > ++ /usr/bin/id -u > + '[' 0 = 0 ']' > + /bin/chown -Rhf root . > ++ /usr/bin/id -u > + '[' 0 = 0 ']' > + /bin/chgrp -Rhf root . > + /bin/chmod -Rf a+rX,u+w,g-w,o-w . > + exit 0 > Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.21090 > + umask 022 > + cd /usr/src/redhat/BUILD > + cd ExtUtils-MakeMaker-6.50 > + CFLAGS='-O2 -g -m32 -march=i386 -mtune=generic > -fasynchronous-unwind-tables' > + perl Makefile.PL INSTALLDIRS=vendor > Checking if your kit is complete... 
> Looks good > Writing Makefile for ExtUtils::MakeMaker > + mkdir -p blib/lib/ExtUtils > + cp inc/ExtUtils/Command.pm inc/ExtUtils/Install.pm > inc/ExtUtils/Installed.pm inc/ExtUtils/MANIFEST.SKIP > inc/ExtUtils/Manifest.pm inc/ExtUtils/Packlist.pm b > > lib/lib/ExtUtils/ > + make > Skip blib/lib/ExtUtils/Manifest.pm (unchanged) > cp lib/ExtUtils/MM_VOS.pm blib/lib/ExtUtils/MM_VOS.pm > cp lib/ExtUtils/Mksymlists.pm blib/lib/ExtUtils/Mksymlists.pm > cp lib/ExtUtils/MM.pm blib/lib/ExtUtils/MM.pm > cp lib/ExtUtils/MM_UWIN.pm blib/lib/ExtUtils/MM_UWIN.pm > cp lib/ExtUtils/testlib.pm blib/lib/ExtUtils/testlib.pm > cp lib/ExtUtils/MM_DOS.pm blib/lib/ExtUtils/MM_DOS.pm > cp lib/ExtUtils/MakeMaker/vmsish.pm blib/lib/ExtUtils/MakeMaker/vmsish.pm > cp lib/ExtUtils/MM_Cygwin.pm blib/lib/ExtUtils/MM_Cygwin.pm > cp lib/ExtUtils/MM_Win95.pm blib/lib/ExtUtils/MM_Win95.pm > cp lib/ExtUtils/Liblist.pm blib/lib/ExtUtils/Liblist.pm > cp lib/ExtUtils/MM_Darwin.pm blib/lib/ExtUtils/MM_Darwin.pm > cp lib/ExtUtils/MM_AIX.pm blib/lib/ExtUtils/MM_AIX.pm > cp lib/ExtUtils/Liblist/Kid.pm blib/lib/ExtUtils/Liblist/Kid.pm > cp lib/ExtUtils/Mkbootstrap.pm blib/lib/ExtUtils/Mkbootstrap.pm > cp lib/ExtUtils/MakeMaker/FAQ.pod blib/lib/ExtUtils/MakeMaker/FAQ.pod > Skip blib/lib/ExtUtils/MANIFEST.SKIP (unchanged) > cp lib/ExtUtils/MakeMaker/bytes.pm blib/lib/ExtUtils/MakeMaker/bytes.pm > cp lib/ExtUtils/MM_NW5.pm blib/lib/ExtUtils/MM_NW5.pm > cp lib/ExtUtils/MM_OS2.pm blib/lib/ExtUtils/MM_OS2.pm > cp lib/ExtUtils/MakeMaker.pm blib/lib/ExtUtils/MakeMaker.pm > cp lib/ExtUtils/MM_Unix.pm blib/lib/ExtUtils/MM_Unix.pm > Skip blib/lib/ExtUtils/Installed.pm (unchanged) > cp lib/ExtUtils/MM_Win32.pm blib/lib/ExtUtils/MM_Win32.pm > cp lib/ExtUtils/MY.pm blib/lib/ExtUtils/MY.pm > Skip blib/lib/ExtUtils/Packlist.pm (unchanged) > cp lib/ExtUtils/MM_MacOS.pm blib/lib/ExtUtils/MM_MacOS.pm > cp lib/ExtUtils/MM_VMS.pm blib/lib/ExtUtils/MM_VMS.pm > cp lib/ExtUtils/MM_BeOS.pm blib/lib/ExtUtils/MM_BeOS.pm > cp 
lib/ExtUtils/MakeMaker/Tutorial.pod > blib/lib/ExtUtils/MakeMaker/Tutorial.pod > cp lib/ExtUtils/MM_QNX.pm blib/lib/ExtUtils/MM_QNX.pm > cp lib/ExtUtils/Command/MM.pm blib/lib/ExtUtils/Command/MM.pm > Skip blib/lib/ExtUtils/Install.pm (unchanged) > cp lib/ExtUtils/MakeMaker/Config.pm blib/lib/ExtUtils/MakeMaker/Config.pm > cp lib/ExtUtils/MM_Any.pm blib/lib/ExtUtils/MM_Any.pm > cp bin/instmodsh blib/script/instmodsh > /usr/bin/perl "-Iblib/arch" "-Iblib/lib" "-MExtUtils::MY" -e > "MY->fixin(shift)" blib/script/instmodsh > Can't locate Getopt/Long.pm in @INC (@INC contains: blib/arch blib/lib > /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.8 > > /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 > /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.8/i386-l > > inux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 > /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 > /usr/lib/perl5/vendor_perl/5.8.5 /usr/li > > b/perl5/vendor_perl > /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5. > > 8.6/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/per > > l5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 > /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi > /usr/lib/perl5/vendor_per > > l/5.8.7/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/pe > > rl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 > /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 > /usr/lib/perl5/vendor_perl /usr/lib/ > > perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at > blib/lib/ExtUtils/Command/MM.pm line 96. 
> make: *** [manifypods] Error 2 > error: Bad exit status from /var/tmp/rpm-tmp.21090 (%build) > > RPM build errors: > Bad exit status from /var/tmp/rpm-tmp.21090 (%build) > ... > > ------------------------------------------------------------------------ ------------------------------------------------------------- > > successful install: > ------------------------------------------------------------------------ ------------------------------------------------------------- > > ... > Deleting all the old versions of the Perl modules I built, > I will re-install them in a minute. > > Removing perl-TimeDate > Perl modules I built have been removed... > > Rebuilding all the Perl RPMs for your version of Perl > > Oh good, module File-Spec version 0.82 is already installed. > ... > > Donald Dawson > Security Administrator > Baker Botts L.L.P. > One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > Jules
From donald.dawson at bakerbotts.com Wed Oct 7 15:47:02 2009 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Wed Oct 7 15:47:31 2009 Subject: MailScanner install.sh script - reminders Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> I have a suggestion to /usr/sbin/update_spamassassin - consider commenting out line 32 (rm -f $LOGFILE) to allow viewing of the /tmp/update_spamassassin.MMDD file. It's useful to review the file for errors. For the install.sh script, please consider adding code to let the user know of all rpmnew files. We have a custom /etc/sysconfig/MailScanner file where we list the spam channels we get updates from: 29,30c29 < #SAUPDATEARGS="" < SAUPDATEARGS="-D --gpgkeyfile /etc/mail/spamassassin/sare-sa-update-gpgkeys.txt --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt" There were a lot of changes in /etc/sysconfig/MailScanner - WORKDIR, INQDIR, QUARDIR, RUNAS... Could there be a custom file for the SAUPDATEARGS variable so we didn't have to modify the delivered /etc/sysconfig/MailScanner file? Thanks, Donald Donald Dawson Security Administrator Baker Botts L.L.P. One Shell Plaza 910 Louisiana Houston, TX 77002 W: 713-229-2183 From Denis.Beauchemin at USherbrooke.ca Wed Oct 7 16:00:34 2009 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Oct 7 16:00:58 2009 Subject: Bind problem on RHEL 5 (probably on CentOS 5 also) Message-ID: <4ACCAD12.1060809@USherbrooke.ca> Hello all, I just noticed all my MS boxes running caching nameservers were getting *a lot* of bind errors!
Here are the numbers on one server: zgrep -c 'network unreachable resolving' messages-200909* messages-2009100* messages-20090901.gz:0 messages-20090902.gz:0 messages-20090903.gz:0 messages-20090904.gz:0 messages-20090905.gz:0 messages-20090906.gz:0 messages-20090907.gz:0 messages-20090908.gz:0 messages-20090909.gz:0 messages-20090910.gz:0 messages-20090911.gz:0 messages-20090912.gz:0 messages-20090913.gz:0 messages-20090914.gz:0 messages-20090915.gz:0 messages-20090916.gz:0 messages-20090917.gz:0 messages-20090918.gz:0 messages-20090919.gz:13482 messages-20090920.gz:13417 messages-20090921.gz:13784 messages-20090922.gz:21186 messages-20090923.gz:25369 messages-20090924.gz:24194 messages-20090925.gz:23056 messages-20090926.gz:20464 messages-20090927.gz:14473 messages-20090928.gz:13384 messages-20090929.gz:22540 messages-20090930.gz:23388 messages-20091001.gz:24669 messages-20091002.gz:22321 messages-20091003.gz:23447 messages-20091004.gz:14949 messages-20091005.gz:15378 messages-20091006.gz:22239 As you can see, that was worrisome! I found out that the problems started with the installation of bind-9.3.6-4.P1.el5. I tried to figure out what happened in that release but couldn't see anything (I should say I don't know much about bind). I went to RHN and downloaded the previous versions: bind-9.3.4-10.P1.el5_3.3.i386.rpm bind-chroot-9.3.4-10.P1.el5_3.3.i386.rpm bind-libs-9.3.4-10.P1.el5_3.3.i386.rpm bind-utils-9.3.4-10.P1.el5_3.3.i386.rpm caching-nameserver-9.3.4-10.P1.el5_3.3.i386.rpm After force-installing them the error messages disappeared! Just wanted to let you know. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045
From mike at mlrw.com Wed Oct 7 16:50:48 2009 From: mike at mlrw.com (Mike Wallace) Date: Wed Oct 7 16:51:02 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> References: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> Message-ID: I agree it would be nice to check the update logs. As for adding sare rules to update_spamassassin, according to http://www.rulesemporium.com/ "SARE rules aren't being updated". A better alternative is OpenProtect's SpamAssassin sa-update channel at http://saupdates.openprotect.com . I would also suggest using Sought rules, you can find more info at http://wiki.apache.org/spamassassin/SoughtRules . Another good idea is joining the spamassassin mailing list. I have picked up a lot of good tips there. Mike On Oct 7, 2009, at 10:47 AM, wrote: > I have a suggestion to /usr/sbin/update_spamassassin - consider > commenting out line 32 (rm -f $LOGFILE) to allow viewing of the /tmp/ > update_spamassassin.MMDD file. It's useful to review the file for > errors. > > For the install.sh script, please consider adding code to let the > user know of all rpmnew files. We have a custom /etc/sysconfig/ > MailScanner file where we list the spam channels we get updates from: > > 29,30c29 > < #SAUPDATEARGS="" > < SAUPDATEARGS="-D --gpgkeyfile /etc/mail/spamassassin/sare-sa- > update-gpgkeys.txt --channelfile /etc/mail/spamassassin/sare-sa- > update-channels.txt" > > There were a lot of changes in /etc/sysconfig/MailScanner - WORKDIR, > INQDIR, QUARDIR, RUNAS... > > Could there be a custom file for the SAUPDATEARGS variable so we > didn't have to modify the delivered /etc/sysconfig/MailScanner file?
> > Thanks, > Donald > > Donald Dawson > Security Administrator > Baker Botts L.L.P. > One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 From MailScanner at ecs.soton.ac.uk Wed Oct 7 16:59:11 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Oct 7 16:59:36 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> References: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> <4ACCBACF.3040608@ecs.soton.ac.uk> Message-ID: On 07/10/2009 15:47, donald.dawson@bakerbotts.com wrote: > > I have a suggestion to //usr/sbin/update_spamassassin/ - consider > commenting out line 32 (rm -f $LOGFILE) to allow viewing of the > /tmp/update_spamassassin.MMDD file. It's useful to review the file > for errors. > The problem is that will leave a lot of log files behind, which will gradually fill your filesystem. > > For the/ install.sh/ script, please consider adding code to let the > user know of all rpmnew files. > That's not easy in RHEL as the rpm system doesn't keep track of them. In good old IRIX days all you had to do was "versions old" and "versions new" and it would tell you all of them across the whole filesystem immediately. RHEL doesn't track them so there's no quick way of doing this, sorry.
> > We have a custom/ /etc/sysconfig/MailScanner/ file where we list the > spam channels we get updates from: > > 29,30c29 > < #SAUPDATEARGS="" > < SAUPDATEARGS="-D --gpgkeyfile > /etc/mail/spamassassin/sare-sa-update-gpgkeys.txt --channelfile > /etc/mail/spamassassin/sare-sa-update-channels.txt" > > There were a lot of changes in /etc/sysconfig/MailScanner - WORKDIR, > INQDIR, QUARDIR, RUNAS... > > Could there be a custom file for the SAUPDATEARGS variable so we > didn't have to modify the delivered /etc/sysconfig/MailScanner file? > I'll take a look, that should be possible by making /etc/sysconfig/update_spamassassin file with just the SAUPDATEARGS stuff in it. > > Thanks, > Donald > > Donald Dawson > Security Administrator > Baker Botts L.L.P. > One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > Jules
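One way to meet both requests in the exchange above (keep the sa-update log for review without filling the filesystem, and read SAUPDATEARGS from the separate /etc/sysconfig/update_spamassassin file), as an added example that is not MailScanner's own update_spamassassin script. LOGDIR, SA_UPDATE, SA_COMPILE, KEPT_LOG and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a wrapper around sa-update/sa-compile, not MailScanner's script.
# Assumed names: LOGDIR, SA_UPDATE, SA_COMPILE, KEPT_LOG, load_override, update_rules.

OVERRIDE=/etc/sysconfig/update_spamassassin     # override file proposed in the thread
LOGDIR=${LOGDIR:-/var/log/update_spamassassin}  # assumed root-only directory
SA_UPDATE=${SA_UPDATE:-sa-update}
SA_COMPILE=${SA_COMPILE:-sa-compile}
SAUPDATEARGS=${SAUPDATEARGS:-}
KEPT_LOG=

# Source the override file if it exists. It is executed as shell code with the
# caller's privileges (root under cron), so accept only a regular file that is
# not a symlink, is owned by the caller, and is not group- or world-writable.
load_override() {
    f=$1
    [ -e "$f" ] || [ -L "$f" ] || return 0      # absent: keep the defaults
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    case $(ls -ld -- "$f") in
        ?????w*|????????w*) return 1 ;;         # group or other write bit set
    esac
    . "$f"
}

# Run sa-update, then sa-compile only when new rules arrived. The log gets an
# unpredictable name from mktemp and is deleted unless a step failed, so only
# the logs worth reading accumulate.
update_rules() {
    log=$(mktemp "$1/update_spamassassin.XXXXXX") || return 3
    rc=0
    # SAUPDATEARGS is left unquoted on purpose: it carries several arguments.
    $SA_UPDATE $SAUPDATEARGS >"$log" 2>&1 || rc=$?
    case $rc in
        0)  # updates were installed: compile them
            if $SA_COMPILE >>"$log" 2>&1; then rm -f "$log"; return 0; fi ;;
        1)  # sa-update exits 1 when there are no fresh updates: not a failure
            rm -f "$log"; return 0 ;;
    esac
    KEPT_LOG=$log
    echo "update_spamassassin failed, log kept at $log" >&2
    return 1
}

if [ "${1:-}" = "--run" ]; then
    load_override "$OVERRIDE" || { echo "refusing to source $OVERRIDE" >&2; exit 1; }
    update_rules "$LOGDIR"
fi
```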
From shuttlebox at gmail.com Wed Oct 7 17:09:40 2009 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Oct 7 17:10:09 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: References: <4ACCBACF.3040608@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> Message-ID: <625385e30910070909r42ebfesa881597b6975e372@mail.gmail.com> On Wed, Oct 7, 2009 at 5:59 PM, Jules Field wrote: > > On 07/10/2009 15:47, donald.dawson@bakerbotts.com wrote: >> >> I have a suggestion to //usr/sbin/update_spamassassin/ - consider >> commenting out line 32 (rm -f $LOGFILE) to allow viewing of the >> /tmp/update_spamassassin.MMDD file. It's useful to review the file for >> errors. >> > The problem is that will leave a lot of log files behind, which will > gradually fill your filesystem. Can't you just switch to another naming of the logfile, from "%m%d" to just "%d"? Weekday perhaps? Would only leave seven files around. -- /peter From MailScanner at ecs.soton.ac.uk Wed Oct 7 17:20:15 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Oct 7 17:20:38 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: <625385e30910070909r42ebfesa881597b6975e372@mail.gmail.com> References: <4ACCBACF.3040608@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> <625385e30910070909r42ebfesa881597b6975e372@mail.gmail.com> <4ACCBFBF.8090400@ecs.soton.ac.uk> Message-ID: On 07/10/2009 17:09, shuttlebox wrote: > On Wed, Oct 7, 2009 at 5:59 PM, Jules Field wrote: > >> On 07/10/2009 15:47, donald.dawson@bakerbotts.com wrote: >> >>> I have a suggestion to //usr/sbin/update_spamassassin/ - consider >>> commenting out line 32 (rm -f $LOGFILE) to allow viewing of the >>> /tmp/update_spamassassin.MMDD file. It's useful to review the file for >>> errors. >>> >>> >> The problem is that will leave a lot of log files behind, which will >> gradually fill your filesystem.
>> > Can't you just switch to another naming of the logfile, from "%m%d" to > just "%d"? Weekday perhaps? Would only leave seven files around. > Instead, I am now checking the exit status of both sa-update and sa-compile. If they both succeed, it will delete the logfile. If either of them fails, then it will keep the logfile. Should work okay. I have also moved the settings relevant to update_spamassassin into /etc/sysconfig/update_spamassassin, out of /etc/sysconfig/MailScanner. So changes to one don't mean you need to change the other every time you upgrade. These changes will be in the next beta release. Jules From donald.dawson at bakerbotts.com Wed Oct 7 17:54:37 2009 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Wed Oct 7 17:54:56 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: References: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net><4ACCBACF.3040608@ecs.soton.ac.uk> Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E53@BBEXVS04.bakerbotts.net> maybe add a comment at the end to suggest running 'cd /; find . -name "*.rpmnew"' to list any new MS files.
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Wednesday, October 07, 2009 10:59 AM To: MailScanner discussion Subject: Re: MailScanner install.sh script - reminders On 07/10/2009 15:47, donald.dawson@bakerbotts.com wrote: > > I have a suggestion to //usr/sbin/update_spamassassin/ - consider > commenting out line 32 (rm -f $LOGFILE) to allow viewing of the > /tmp/update_spamassassin.MMDD file. It's useful to review the file > for errors. > The problem is that will leave a lot of log files behind, which will gradually fill your filesystem. > > For the/ install.sh/ script, please consider adding code to let the > user know of all rpmnew files. > That's not easy in RHEL as the rpm system doesn't keep track of them. In good old IRIX days all you had to do was "versions old" and "versions new" and it would tell you all of them across the whole filesystem immediately. RHEL doesn't track them so there's no quick way of doing this, sorry. > > We have a custom/ /etc/sysconfig/MailScanner/ file where we list the > spam channels we get updates from: > > 29,30c29 > < #SAUPDATEARGS="" > < SAUPDATEARGS="-D --gpgkeyfile > /etc/mail/spamassassin/sare-sa-update-gpgkeys.txt --channelfile > /etc/mail/spamassassin/sare-sa-update-channels.txt" > > There were a lot of changes in /etc/sysconfig/MailScanner - WORKDIR, > INQDIR, QUARDIR, RUNAS... > > Could there be a custom file for the SAUPDATEARGS variable so we > didn't have to modify the delivered /etc/sysconfig/MailScanner file? > I'll take a look, that should be possible by making /etc/sysconfig/update_spamassassin file with just the SAUPDATEARGS stuff in it. > > Thanks, > Donald > > Donald Dawson > Security Administrator > Baker Botts L.L.P. 
> One Shell Plaza > 910 Louisiana > Houston, TX 77002 > W: 713-229-2183 > Jules From donald.dawson at bakerbotts.com Wed Oct 7 17:57:04 2009 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Wed Oct 7 17:57:32 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: References: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net> Message-ID: <8FB531F78038DC4497B80CBAE8E927E202363E54@BBEXVS04.bakerbotts.net> Thanks Mike - the content of my /etc/mail/spamassassin/sare-sa-update-channels.txt file is: updates.spamassassin.org sought.rules.yerp.org saupdates.openprotect.com ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Wallace Sent: Wednesday, October 07, 2009 10:51 AM To: MailScanner discussion Subject: Re: MailScanner install.sh script - reminders I agree it would be nice to check the update logs. As for adding sare rules to update_spamassassin, according to http://www.rulesemporium.com/ "SARE rules aren't being updated". A better alternative is OpenProtect's SpamAssassin sa-update channel at http://saupdates.openprotect.com.
I would also suggest using Sought rules, you can find more info at http://wiki.apache.org/spamassassin/SoughtRules. Another good idea is joining the spamassassin mailing list. I have picked up a lot of good tips there. Mike On Oct 7, 2009, at 10:47 AM, wrote: I have a suggestion to /usr/sbin/update_spamassassin - consider commenting out line 32 (rm -f $LOGFILE) to allow viewing of the /tmp/update_spamassassin.MMDD file. It's useful to review the file for errors. For the install.sh script, please consider adding code to let the user know of all rpmnew files. We have a custom /etc/sysconfig/MailScanner file where we list the spam channels we get updates from: 29,30c29 < #SAUPDATEARGS="" < SAUPDATEARGS="-D --gpgkeyfile /etc/mail/spamassassin/sare-sa-update-gpgkeys.txt --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt" There were a lot of changes in /etc/sysconfig/MailScanner - WORKDIR, INQDIR, QUARDIR, RUNAS... Could there be a custom file for the SAUPDATEARGS variable so we didn't have to modify the delivered /etc/sysconfig/MailScanner file? Thanks, Donald Donald Dawson Security Administrator Baker Botts L.L.P. One Shell Plaza 910 Louisiana Houston, TX 77002 W: 713-229-2183
From logs at comp-wiz.com Wed Oct 7 23:37:13 2009 From: logs at comp-wiz.com (Logs) Date: Wed Oct 7 23:38:04 2009 Subject: Problem Messages Message-ID: <017801ca479e$c11a1f80$434e5e80$@com> I keep getting the following message, even after I've deleted n92HBTxJ023010. Anyone have any ideas on how I get rid of it? Currently being processed: Number of messages: 1 Tries Message Next Try At ===== ======= =========== 2 n92HBTxJ023010 Fri Oct 2 13:23:23 2009 Thanks From MailScanner at ecs.soton.ac.uk Wed Oct 7 23:58:07 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 7 23:58:30 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E202363E53@BBEXVS04.bakerbotts.net> References: <8FB531F78038DC4497B80CBAE8E927E202363E4F@BBEXVS04.bakerbotts.net><4ACCBACF.3040608@ecs.soton.ac.uk> <8FB531F78038DC4497B80CBAE8E927E202363E53@BBEXVS04.bakerbotts.net> <4ACD1CFF.4030905@ecs.soton.ac.uk> Message-ID: But that command could take an hour to run. A slightly better version might be find /usr/lib/MailScanner /etc -x -type f -name '*.rpmnew' -print but that will still list rpmnew files that are nothing to do with MailScanner, which will just confuse a lot of users. I can't find a decent solution to this problem. Inexperienced users won't understand the consequences of getting any output from this command, nor be able to separate the MailScanner-related rpmnew files from the non-MailScanner ones. The experienced users can type this command themselves anyway. If it is just to be a suggestion at the end of the upgrade process, it is being added to an awful lot of information they get at this point already.
How would you succinctly describe to the users the output they might get from this command, and what they might do with the results? You've probably got at most 2 80-column lines to describe it all in. So I'm afraid I'm still not convinced this is a good idea. Jules. On 07/10/2009 17:54, donald.dawson@bakerbotts.com wrote: > maybe add a comment at the end to suggest running 'cd /; find . -name > "*.rpmnew"' to list any new MS files. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules > Field > Sent: Wednesday, October 07, 2009 10:59 AM > To: MailScanner discussion > Subject: Re: MailScanner install.sh script - reminders > > > > On 07/10/2009 15:47, donald.dawson@bakerbotts.com wrote: > >> I have a suggestion to //usr/sbin/update_spamassassin/ - consider >> commenting out line 32 (rm -f $LOGFILE) to allow viewing of the >> /tmp/update_spamassassin.MMDD file. It's useful to review the file >> for errors. >> >> > The problem is that will leave a lot of log files behind, which will > gradually fill your filesystem. > >> For the/ install.sh/ script, please consider adding code to let the >> user know of all rpmnew files. >> >> > That's not easy in RHEL as the rpm system doesn't keep track of them. In > > good old IRIX days all you had to do was "versions old" and "versions > new" and it would tell you all of them across the whole filesystem > immediately. RHEL doesn't track them so there's no quick way of doing > this, sorry. > >> We have a custom/ /etc/sysconfig/MailScanner/ file where we list the >> > >> spam channels we get updates from: >> >> 29,30c29 >> < #SAUPDATEARGS="" >> < SAUPDATEARGS="-D --gpgkeyfile >> /etc/mail/spamassassin/sare-sa-update-gpgkeys.txt --channelfile >> /etc/mail/spamassassin/sare-sa-update-channels.txt" >> >> There were a lot of changes in /etc/sysconfig/MailScanner - WORKDIR, >> INQDIR, QUARDIR, RUNAS... 
>> >> Could there be a custom file for the SAUPDATEARGS variable so we >> didn't have to modify the delivered /etc/sysconfig/MailScanner file? >> >> > I'll take a look, that should be possible by making > /etc/sysconfig/update_spamassassin file with just the SAUPDATEARGS stuff > > in it. > >> Thanks, >> Donald >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. >> One Shell Plaza >> 910 Louisiana >> Houston, TX 77002 >> W: 713-229-2183 >> >> > Jules > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Follow me at twitter.com/JulesFM MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc From MailScanner at ecs.soton.ac.uk Wed Oct 7 23:59:19 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 7 23:59:42 2009 Subject: Problem Messages In-Reply-To: <017801ca479e$c11a1f80$434e5e80$@com> References: <017801ca479e$c11a1f80$434e5e80$@com> <4ACD1D47.2030603@ecs.soton.ac.uk> Message-ID: Delete /var/spool/MailScanner/incoming/Processed.db (or some other very similar name), then restart MailScanner. On 07/10/2009 23:37, Logs wrote: > I keep getting the following message, even after I've deleted n92HBTxJ023010. > Anyone have any ideas on how I get rid of it? > > Currently being processed: > > Number of messages: 1 > Tries Message Next Try At > ===== ======= =========== > 2 n92HBTxJ023010 Fri Oct 2 13:23:23 2009 > > Thanks > > > > Jules
From mark at msapiro.net Thu Oct 8 15:12:16 2009 From: mark at msapiro.net (Mark Sapiro) Date: Thu Oct 8 15:12:26 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: References: <8FB531F78038DC4497B80CBAE8E927E202363E53@BBEXVS04.bakerbotts.net> <4ACD1CFF.4030905@ecs.soton.ac.uk> Message-ID: <20091008141216.GA3136@msapiro> On Wed, Oct 07, 2009 at 11:58:07PM +0100, Julian Field wrote: > But that command could take an hour to run. A slightly better version > might be > find /usr/lib/MailScanner /etc -x -type f -name '*.rpmnew' -print > but that will still list rpmnew files that are nothing to do with > MailScanner, which will just confuse a lot of users. > > I can't find a decent solution to this problem. Inexperienced users > won't understand the consequences of getting any output from this > command, nor be able to separate the MailScanner-related rpmnew files > from the non-MailScanner ones. The experienced users can type this > command themselves anyway. I don't understand. When I run the install.sh script on CentOS 5, I see near the end, output like ##warning: /etc/MailScanner/MailScanner.conf created as /etc/MailScanner/MailScanner.conf.rpmnew ######warning: /etc/MailScanner/phishing.bad.sites.conf created as /etc/MailScanner/phishing.bad.sites.conf.rpmnew ########################################## As far as I know, there is one such 'warning' for every .rpmnew file that's created. The problem I had was some files such as /usr/sbin/update_spamassassin would be just overwritten instead of creating a .rpmnew. I work around this by having /usr/sbin/update_spamassassin.mas with my changes and putting MSSAUPDATE=/usr/sbin/update_spamassassin.mas in /etc/sysconfig/MailScanner.
I deal with the .rpmnew files for files in which I have local changes with a manual process like mv MailScanner.conf.rpmnew MailScanner.conf.4.78.17 diff -u MailScanner.conf.4.78.16 MailScanner.conf.4.78.17 | patch MailScanner.conf The process of backup and compare is a bit different in detail for /usr/sbin/update_spamassassin because it doesn't get a .rpmnew, but it is essentially the same. It is not as important anyway because update_spamassassin rarely changes and even if it does, the old one probably still works. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Thu Oct 8 15:27:28 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Oct 8 15:27:46 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: <20091008141216.GA3136@msapiro> References: <8FB531F78038DC4497B80CBAE8E927E202363E53@BBEXVS04.bakerbotts.net> <4ACD1CFF.4030905@ecs.soton.ac.uk> <20091008141216.GA3136@msapiro> <4ACDF6D0.60403@ecs.soton.ac.uk> Message-ID: On 08/10/2009 15:12, Mark Sapiro wrote: > On Wed, Oct 07, 2009 at 11:58:07PM +0100, Julian Field wrote: > >> But that command could take an hour to run. A slightly better version >> might be >> find /usr/lib/MailScanner /etc -x -type f -name '*.rpmnew' -print >> but that will still list rpmnew files that are nothing to do with >> MailScanner, which will just confuse a lot of users. >> >> I can't find a decent solution to this problem. Inexperienced users >> won't understand the consequences of getting any output from this >> command, nor be able to separate the MailScanner-related rpmnew files >> from the non-MailScanner ones. The experienced users can type this >> command themselves anyway. >> > > I don't understand.
When I run the install.sh script on CentOS 5, > I see near the end, output like > > ##warning: /etc/MailScanner/MailScanner.conf created as /etc/MailScanner/MailScanner.conf.rpmnew > ######warning: /etc/MailScanner/phishing.bad.sites.conf created as /etc/MailScanner/phishing.bad.sites.conf.rpmnew > ########################################## > > As far as I know, there is one such 'warning' for every .rpmnew file > that's created. > But it's only in log output. It's not put anywhere that is actually any use for finding them automatically and easily. I ain't going to start parsing log output from the rpm commands. > The problem I had was some files such as /usr/sbin/update_spamassassin > would be just overwritten instead of creating a .rpmnew. I work around > this by having /usr/sbin/update_spamassassin.mas with my changes and > putting MSSAUPDATE=/usr/sbin/update_spamassassin.mas in > /etc/sysconfig/MailScanner. > But update_spamassassin is a script, which you aren't supposed to edit. So it does get overwritten, by design. > I deal with the .rpmnew files for files in which I have local changes > with a manual process like > > mv MailScanner.conf.rpmnew MailScanner.conf.4.78.17 > diff -u MailScanner.conf.4.78.16 MailScanner.conf.4.78.17 | patch MailScanner.conf > Why not just use upgrade_MailScanner_conf like you're supposed to? > The process of backup and compare is a bit different in detail for > /usr/sbin/update_spamassassin because it doesn't get a .rpmnew, but > it is essentially the same. It is not as important anyway because > update_spamassassin rarely changes and even if it does, the old one > probably still works. > > Jules
From mark at msapiro.net Thu Oct 8 16:19:25 2009 From: mark at msapiro.net (Mark Sapiro) Date: Thu Oct 8 16:19:54 2009 Subject: MailScanner install.sh script - reminders In-Reply-To: Message-ID: Julian Field wrote: > >On 08/10/2009 15:12, Mark Sapiro wrote: >> >> I don't understand. When I run the install.sh script on CentOS 5, >> I see near the end, output like >> >> ##warning: /etc/MailScanner/MailScanner.conf created as /etc/MailScanner/MailScanner.conf.rpmnew >> ######warning: /etc/MailScanner/phishing.bad.sites.conf created as /etc/MailScanner/phishing.bad.sites.conf.rpmnew >> ########################################## >> >> As far as I know, there is one such 'warning' for every .rpmnew file >> that's created. >> >But it's only in log output. It's not put anywhere that is actually any >use for finding them automatically and easily. I ain't going to start >parsing log output from the rpm commands. Please note I'm not suggesting that anything be changed. I just don't understand why anyone finds the current log output inadequate. It's displayed on my terminal, and I can always "grep rpmnew install.log" to see those specific entries. >> The problem I had was some files such as /usr/sbin/update_spamassassin >> would be just overwritten instead of creating a .rpmnew. I work around >> this by having /usr/sbin/update_spamassassin.mas with my changes and >> putting MSSAUPDATE=/usr/sbin/update_spamassassin.mas in >> /etc/sysconfig/MailScanner. >> >But update_spamassassin is a script, which you aren't supposed to edit. >So it does get overwritten, by design. I'm not complaining. I understand that when I do things I'm not supposed to do, that the consequences are my responsibility.
>> I deal with the .rpmnew files for files in which I have local changes >> with a manual process like >> >> mv MailScanner.conf.rpmnew MailScanner.conf.4.78.17 >> diff -u MailScanner.conf.4.78.16 MailScanner.conf.4.78.17 | patch MailScanner.conf >> >Why not just use upgrade_MailScanner_conf like you're supposed to? Because of NOTE ==== To keep your old comments in your original file, add "--keep-comments" to the command line. Note that this will mean you don't get to find out any extra new values you might be able to use in existing "improved" configuration options. and because I don't find it any easier or more convenient than my way. (Note that I actually do an initial diff without the patch to see the changes.) Of course, now that most of my changes and all my comments are in an included file, I may rethink this. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From campbell at cnpapers.com Thu Oct 8 19:25:52 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 8 19:26:10 2009 Subject: updating Clamd Message-ID: <4ACE2EB0.9040905@cnpapers.com> Anyone know of any gotcha's if I update clamd running MS 4-72-5? I'd kinda like to update that before updating MS. I use rpmforge for clam. 
Steve Campbell From richard at fastnet.co.uk Fri Oct 9 10:30:10 2009 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri Oct 9 10:29:41 2009 Subject: Examples of SpamAssassin Rule Actions In-Reply-To: References: <373427.16968.qm@web33301.mail.mud.yahoo.com><4ABB2C6D.3040309@ecs.soton.ac.uk> Message-ID: >-----Original Message----- >From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field >Sent: 24 September 2009 09:23 >To: MailScanner discussion >Subject: Re: Examples of SpamAssassin Rule Actions > > > >On 24/09/2009 09:08, Michael Mansour wrote: >> Hi, >> >> I have a requirement to consider spam which scores under the high scoring spam threshold for an individual, to be consider that message high scoring spam. >> >> I have looked at the "SpamAssassin Rule Actions" setting and there's examples of: >> >> " >> # You can also trigger actions on the spam score of the message. You can >> # compare the spam score with a number and cause this to trigger an action. >> # For example, instead of a SA_RULENAME you can specify >> # SpamScore>number or SpamScore>=number or SpamScore==number or >> # SpamScore> # where "number" is the threshold value you are comparing it against. >> # So you could have a rule/action pair that looks like >> # SpamScore>25=>delete >> # This would cause all messages with a total spam score of more than 25 to be >> # deleted. You can use this to implement multiple levels of spam actions in >> # addition to the normal spam actions and the high-scoring spam actions. >> # >> # Combining this with a ruleset makes it even more powerful, as different >> # recipients and/or senders can have different sets of rules applied to them. >> " >> >> But no example of how to actually say: >> >> "if SpamScore>9=>quarantine for To address of blah@blah.com" >> >> Is there more details I can find anywhere on the wiki or anywhere else on how I can setup the above? 
>> >You first need a ruleset to apply the action to just blah@blah.com. So set >SpamAssassin Rule Actions = %rules-dir%/spam.rule.actions.rules > >Then in /etc/MailScanner/rules/spam.rule.actions.rules put this > >To: blah@blah.com SpamScore>9=>store,not-deliver >FromOrTo: default deliver > >That should do the trick. Do you understand it? > >Jules > >-- >Julian Field MEng CITP CEng >www.MailScanner.info >Buy the MailScanner book at www.MailScanner.info/store > >Need help customising MailScanner? >Contact me! >Need help fixing or optimising your systems? >Contact me! >Need help getting you started solving new requirements from your boss? >Contact me! > >PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! Hi, I was wondering if someone could give me some help on setting up a ruleset for this - # Some virus scanners now use their signatures to detect spam as well as # viruses. These "viruses" are called "spam-viruses". When they are found # the following header will be added to your message before it is passed to # SpamAssassin, listing all the "spam-viruses" that were found as a comma- # separated list. # This can also be the filename of a ruleset. 
For example, I would like to create individual scores for all the different rules in a database (this is one of them) - Sanesecurity.Doc #Fake phishing documents Sanesecurity.Fake #Fake emails from companies/spear phishing Sanesecurity.Phishing.Auction #Phishing emails from Ebay Sanesecurity.Phishing.Azon #Phishing emails from Amazon Sanesecurity.Phishing.Bank #Phishing emails from Banks Sanesecurity.Phishing.Card #Phishing Postcards Sanesecurity.Phishing.Cur #Simple phishing heuristics based on headers/urls and content Sanesecurity.Phishing.Dca #Html based doubleclick revenue link Sanesecurity.Phishing.Fake #Fake emails from companies/spear phishing Sanesecurity.Phishing.GiftCard #Phishing Postcards Sanesecurity.Phishing.Hex #Simple Heuristics based hex urls Sanesecurity.Phishing.Ivt #Html based invalid tags Sanesecurity.Phishing.Jsc #Html based Sanesecurity.Phishing.Nam #Html based common fake html editor Sanesecurity.Phishing.Onf #Html based Sanesecurity.Phishing.Pay #Phishing emails from PayPal Sanesecurity.Phishing.Rdi #Phishing redirects Sanesecurity.Phishing.Rock #Phishing emails generated with the rockfish toolkit Sanesecurity.Phishing.RockGen #Phishing emails generated with the rockfish toolkit Sanesecurity.Phishing.Shop #Phishing emails for shops Sanesecurity.Phishing.Slw #Html based Sanesecurity.Phishing.Url #Url based phishing detection Sanesecurity.Phishing.Wrd #Fake phishing documents Sanesecurity.PhishingTestSig #Sanesecurity Test Signature TestSig_Type3_Bdy #Sanesecurity Test Signature TestSig_Type4_Bdy #Sanesecurity Test Signature TestSig_Type4_Hdr #Sanesecurity Test Signature ... Instead of just 1 score for the entire thing. I've tried a few different ways but I'm not really sure how to do it. If anyone could give me some pointers that would be great. 
Thanks very much, Rich From MailScanner at ecs.soton.ac.uk Fri Oct 9 11:20:19 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Oct 9 11:20:42 2009 Subject: Examples of SpamAssassin Rule Actions In-Reply-To: References: <373427.16968.qm@web33301.mail.mud.yahoo.com><4ABB2C6D.3040309@ecs.soton.ac.uk> <4ACF0E63.3090608@ecs.soton.ac.uk> Message-ID: On 09/10/2009 10:30, Richard Mealing wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: 24 September 2009 09:23 >> To: MailScanner discussion >> Subject: Re: Examples of SpamAssassin Rule Actions >> >> >> >> On 24/09/2009 09:08, Michael Mansour wrote: >> >>> Hi, >>> >>> I have a requirement to consider spam which scores under the high scoring spam threshold for an individual, to be consider that message high scoring spam. >>> >>> I have looked at the "SpamAssassin Rule Actions" setting and there's examples of: >>> >>> " >>> # You can also trigger actions on the spam score of the message. You can >>> # compare the spam score with a number and cause this to trigger an action. >>> # For example, instead of a SA_RULENAME you can specify >>> # SpamScore>number or SpamScore>=number or SpamScore==number or >>> # SpamScore>> # where "number" is the threshold value you are comparing it against. >>> # So you could have a rule/action pair that looks like >>> # SpamScore>25=>delete >>> # This would cause all messages with a total spam score of more than 25 to be >>> # deleted. You can use this to implement multiple levels of spam actions in >>> # addition to the normal spam actions and the high-scoring spam actions. >>> # >>> # Combining this with a ruleset makes it even more powerful, as different >>> # recipients and/or senders can have different sets of rules applied to them. 
>>> " >>> >>> But no example of how to actually say: >>> >>> "if SpamScore>9=>quarantine for To address of blah@blah.com" >>> >>> Is there more details I can find anywhere on the wiki or anywhere else on how I can setup the above? >>> >>> >> You first need a ruleset to apply the action to just blah@blah.com. So set >> SpamAssassin Rule Actions = %rules-dir%/spam.rule.actions.rules >> >> Then in /etc/MailScanner/rules/spam.rule.actions.rules put this >> >> To: blah@blah.com SpamScore>9=>store,not-deliver >> FromOrTo: default deliver >> >> That should do the trick. Do you understand it? >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> Follow me at twitter.com/JulesFM and twitter.com/MailScanner >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Hi, > > I was wondering if someone could give me some help on setting up a ruleset for this - > > # Some virus scanners now use their signatures to detect spam as well as > # viruses. These "viruses" are called "spam-viruses". When they are found > # the following header will be added to your message before it is passed to > # SpamAssassin, listing all the "spam-viruses" that were found as a comma- > # separated list. > # This can also be the filename of a ruleset. 
> > For example, I would like to create individual scores for all the different rules in a database (this is one of them) - > Sanesecurity.Doc #Fake phishing documents > Sanesecurity.Fake #Fake emails from companies/spear phishing > Sanesecurity.Phishing.Auction #Phishing emails from Ebay > Sanesecurity.Phishing.Azon #Phishing emails from Amazon > Sanesecurity.Phishing.Bank #Phishing emails from Banks > Sanesecurity.Phishing.Card #Phishing Postcards > Sanesecurity.Phishing.Cur #Simple phishing heuristics based on headers/urls and content > Sanesecurity.Phishing.Dca #Html based doubleclick revenue link > Sanesecurity.Phishing.Fake #Fake emails from companies/spear phishing > Sanesecurity.Phishing.GiftCard #Phishing Postcards > Sanesecurity.Phishing.Hex #Simple Heuristics based hex urls > Sanesecurity.Phishing.Ivt #Html based invalid tags > Sanesecurity.Phishing.Jsc #Html based > Sanesecurity.Phishing.Nam #Html based common fake html editor > Sanesecurity.Phishing.Onf #Html based > Sanesecurity.Phishing.Pay #Phishing emails from PayPal > Sanesecurity.Phishing.Rdi #Phishing redirects > Sanesecurity.Phishing.Rock #Phishing emails generated with the rockfish toolkit > Sanesecurity.Phishing.RockGen #Phishing emails generated with the rockfish toolkit > Sanesecurity.Phishing.Shop #Phishing emails for shops > Sanesecurity.Phishing.Slw #Html based > Sanesecurity.Phishing.Url #Url based phishing detection > Sanesecurity.Phishing.Wrd #Fake phishing documents > Sanesecurity.PhishingTestSig #Sanesecurity Test Signature > TestSig_Type3_Bdy #Sanesecurity Test Signature > TestSig_Type4_Bdy #Sanesecurity Test Signature > TestSig_Type4_Hdr #Sanesecurity Test Signature > > > ... Instead of just 1 score for the entire thing. I've tried a few different ways but I'm not really sure how to do it. If anyone could give me some pointers that would be great. > The key is that they need to be *SpamAssassin* rules, not MailScanner ones. 
In your /etc/MailScanner/spam.assassin.prefs.conf, put something like this:

header SPAMVIRUS1 X-MailScanner-SpamVirus-Report =~ /SaneSecurity.Doc/i
header SPAMVIRUS2 X-MailScanner-SpamVirus-Report =~ /SaneSecurity.Fake/i
header SPAMVIRUS3 X-MailScanner-SpamVirus-Report =~ /SaneSecurity.Phishing.Hex/i
score SPAMVIRUS1 2.0
score SPAMVIRUS2 2.1
score SPAMVIRUS3 2.5

and so on. Then restart MailScanner.

Jules

From ilikeuce at bornefeld-ettmann.de Fri Oct 9 12:18:51 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Fri Oct 9 12:19:38 2009
Subject: configuration directories as ruleset
Message-ID: <20091009111911.B9CA02C34502@rbe1.de>

hi,

is it possible to configure config dirs as a ruleset (e.g. %report-dir% to send reports in different languages to users) ?

Thanks
Ralph

From MailScanner at ecs.soton.ac.uk Fri Oct 9 12:27:57 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Oct 9 12:28:18 2009
Subject: configuration directories as ruleset
In-Reply-To: <20091009111911.B9CA02C34502@rbe1.de>
References: <20091009111911.B9CA02C34502@rbe1.de> <4ACF1E3D.2050703@ecs.soton.ac.uk>
Message-ID:

On 09/10/2009 12:18, Ralph Bornefeld-Ettmann wrote:
> hi,
>
> is it possible to configure config dirs as a ruleset (e.g.
> %report-dir% to send reports in different languages to users) ?
Not directly, no. But the individual report locations *can* be defined as a ruleset.
So you just need to use a small collection of rulesets instead of one.

Jules

From ilikeuce at bornefeld-ettmann.de Fri Oct 9 12:49:47 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Fri Oct 9 12:50:35 2009
Subject: configuration directories as ruleset
In-Reply-To:
References: <20091009111911.B9CA02C34502@rbe1.de> <4ACF1E3D.2050703@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>
>
> On 09/10/2009 12:18, Ralph Bornefeld-Ettmann wrote:
>> hi,
>>
>> is it possible to configure config dirs as a ruleset (e.g.
>> %report-dir% to send reports in different languages to users) ?
> Not directly, no. But the individual report locations *can* be defined
> as a ruleset. So you just need to use a small collection of rulesets
> instead of one.
>
> Jules
>
thanks, I didn't think about this.

Ralph

From davidj at synaq.com Fri Oct 9 16:18:45 2009
From: davidj at synaq.com (David Jacobson)
Date: Fri Oct 9 16:19:21 2009
Subject: Rulesets within rulesets
Message-ID: <390589898.2471255101522988.JavaMail.davidj@chronic>

Hi,

We're trying to clean out our non.spam.action.rules - it's getting rather large..

So, I was hoping we could have non.spam.action.rules say:

To: *@domain.com %rules-dir%/domain.com.rules

But MailScanner keeps erroring out on this.

So, is it possible to have rulesets within a non.spam.action.rules file?
Thank you,
David

From MailScanner at ecs.soton.ac.uk Fri Oct 9 16:32:15 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Oct 9 16:32:34 2009
Subject: Rulesets within rulesets
In-Reply-To: <390589898.2471255101522988.JavaMail.davidj@chronic>
References: <390589898.2471255101522988.JavaMail.davidj@chronic> <4ACF577F.3050803@ecs.soton.ac.uk>
Message-ID:

On 09/10/2009 16:18, David Jacobson wrote:
> Hi,
>
> We're trying to clean out our non.spam.action.rules - it's getting rather large..
>
> So, I was hoping we could have non.spam.action.rules say:
>
> To: *@domain.com %rules-dir%/domain.com.rules
>
> But MailScanner keeps erroring out on this.
>
> So, is it possible to have rulesets within a non.spam.action.rules file?
>
No. What are you actually trying to do?

Jules

From rlopezcnm at gmail.com Fri Oct 9 18:54:43 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Oct 9 18:54:53 2009
Subject: Dangerous content detection with "file" command
In-Reply-To:
References:
Message-ID:

On Tue, Sep 29, 2009 at 11:05 AM, wrote:
> I have a word document that was mistakenly flagged as "executable".
> Adding some debugging into the "SweepOther.pm" code revealed that the
> document contained a Title property of "The Quest of the Self".
The > linux "file" command used to identify file types returns this property > (along with author and others) in its output as follows: > > > Support.doc: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, > Code page > : 1252, Title: The Quest of the Self, Author: johndoe, Template: Normal, > Last Sa > ved By: JOHN DOE, Revision Number: 2, Name of Creating Application: > Microsoft > Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Sep 17 > 09:57:00 20 > 09, Last Saved Time/Date: Thu Sep 17 09:57:00 2009, Number of Pages: 1, > Number o > f Words: 2597, Number of Characters: 14289, Security: 0 > > MailScanner does a simple regex compare of the output from the "file" > command and sees the string "ELF" in it (in the word Self), and flags > the file as executable. This will happen with any Word document that > contains any matching strings in the title, subject, author, category, > comments, or any other property fields. > > A simple change in the regex used in the CheckFileContentTypes to only > capture the "file" command's output up to the first "," does the trick, > and I've checked some other files in quarantine to see if it would be a > problem. So far, I don't see a problem. > > The diffs for SweepOther.pm are as follows: > > 410c410 > < ? ? ? ? $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*(.*)$/; > --- >> ? ? ? ? $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*),/; > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > I am surprised at verbose output of your file command. Try as I may I can not get that kind of output. What file command are you running?
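Review bot: the replacement pattern on the ">" side of 410c410 ends in a mandatory "," after ([^,]*), so a "file" result with no comma in it (plain "ASCII text", for example) no longer matches at all and that attachment gets no $FileTypes{$1}{$2} entry, where the old (.*)$ always captured something. Dropping the trailing comma, so the tail reads \s*([^,]*) and nothing after it, still stops the capture at the first comma and keeps comma-free output matching. It is also worth checking the filetype rules for any pattern that relied on text after the first comma, since that text is no longer compared.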
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From maxsec at gmail.com Fri Oct 9 20:46:00 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Oct 9 20:46:11 2009
Subject: Rulesets within rulesets
In-Reply-To: <390589898.2471255101522988.JavaMail.davidj@chronic>
References: <390589898.2471255101522988.JavaMail.davidj@chronic>
Message-ID: <72cf361e0910091246k52335fa2ye59b864f83946416@mail.gmail.com>

Depends on what you want, some can

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading

--
Martin Hepworth
Oxford, UK

2009/10/9 David Jacobson
>
> Hi,
>
> We're trying to clean out our non.spam.action.rules - it's getting rather
> large..
>
> So, I was hoping we could have non.spam.action.rules say:
>
> To: *@domain.com %rules-dir%/domain.com.rules
>
> But MailScanner keeps erroring out on this.
>
> So, is it possible to have rulesets within a non.spam.action.rules file?
>
> Thank you,
> David
>

From paul.hutchings at mira.co.uk Sat Oct 10 10:17:47 2009
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Sat Oct 10 10:17:59 2009
Subject: Allow Multiple HTML Signatures - HTML Code help?
Message-ID:

Just upgraded to the latest MailScanner and noticed there is now an option to stop duplicate signatures being added to HTML formatted emails.
Our HTML signature code is below, embarrassingly I don't "do" HTML so don't know what I need to alter in order to make this option valid - and it's an option that I *really* have been wanting for a while so I'm keen to make it work. Cheers, Paul ----- START SIG -----

MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

----- END SIG -----

From MailScanner at ecs.soton.ac.uk Mon Oct 12 09:34:32 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Oct 12 09:34:51 2009
Subject: ScamNailer ANNOUNCE: New web site
References: <4AD2EA18.20400@ecs.soton.ac.uk>
Message-ID:

My anti-spear-phishing script has grown up a bit and earned itself a new name and a website.

So say hello to "ScamNailer" !

The name is the brainchild of a mate of mine at work, Andy Newton, and is the closest thing he could come up with that was a) suitable, and b) an anagram of MailScanner (which it very nearly is :-)

You can see the new website (you might recognise it from its big brother) at www.scamnailer.info

I have got to do a bit more work on the code, this is just to announce the name and the website.

Let me know what you think!

Jules
From norbert.schmidt at interactivedata.com Mon Oct 12 10:01:33 2009 From: norbert.schmidt at interactivedata.com (Norbert Schmidt) Date: Mon Oct 12 10:01:43 2009 Subject: Norbert Schmidt is out of the office Message-ID: I will be out of the office starting 08.10.2009 and will not return until 27.10.2009. I'll answer to your mail, when I get back. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091012/ef4e8a89/attachment.html From support-lists at petdoctors.co.uk Mon Oct 12 10:41:22 2009 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Mon Oct 12 10:51:42 2009 Subject: ScamNailer ANNOUNCE: New web site In-Reply-To: References: <4AD2EA18.20400@ecs.soton.ac.uk> Message-ID: -----Original Message----- From: mailscanner-announce-bounces@lists.mailscanner.info [mailto:mailscanner-announce-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, October 12, 2009 9:35 AM To: MailScanner discussion; MailScanner-Announce mailing list list Cc: Newton A.M. Subject: ScamNailer ANNOUNCE: New web site My anti-spear-phishing script has grown up a bit and earned itself a new name and a website. So say hello to "ScamNailer" ! >> Sounds vicious! From jtp at jtpage.net Mon Oct 12 11:57:34 2009 From: jtp at jtpage.net (Jeffry Page) Date: Mon Oct 12 11:57:50 2009 Subject: updating Clamd In-Reply-To: <4ACE2EB0.9040905@cnpapers.com> References: <4ACE2EB0.9040905@cnpapers.com> Message-ID: <00c401ca4b2a$ce40bfe0$6ac23fa0$@net> I am running clamd-0.95.2-4.el5.rf with the newest 4.78.17 MailScanner. 
Did a grep on my logs, seems to be working

Oct 12 02:26:55 web MailScanner[28476]: Virus Scanning: Found 1 viruses

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell
Sent: Thursday, October 08, 2009 1:26 PM
To: mailscanner@lists.mailscanner.info
Subject: updating Clamd

Anyone know of any gotcha's if I update clamd running MS 4-72-5? I'd kinda like to update that before updating MS. I use rpmforge for clam.

Steve Campbell

From simonmjones at gmail.com Mon Oct 12 14:44:58 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Mon Oct 12 14:45:07 2009
Subject: yum upgrade broke my mailscanner - FIXED
Message-ID: <70572c510910120644k799aaddal440ca864b85d95e8@mail.gmail.com>

Hi all,

just a quickie, I ran yum upgrade on my centos 5 box and after a reboot noticed mailscanner wasn't starting which seemed to have something to do with a perl module. running cpan > force install Scalar::Util fixed the problem for me.
Simon From Hostmaster at computerservicecentre.com Mon Oct 12 14:53:10 2009 From: Hostmaster at computerservicecentre.com (Hostmaster) Date: Mon Oct 12 14:53:22 2009 Subject: yum upgrade broke my mailscanner - FIXED In-Reply-To: <70572c510910120644k799aaddal440ca864b85d95e8@mail.gmail.com> References: <70572c510910120644k799aaddal440ca864b85d95e8@mail.gmail.com> Message-ID: <3D9C92F3075F5144B46AA2C590F48E2ABCBAFB@commssrv01.computerservicecentre.com> >Hi all, >just a quickie, I ran yum upgrade on my centos 5 box and after a >reboot noticed mailscanner wasn't starting which seemed to have >something to do with a perl module. running cpan > force install >Scalar::Util fixed the problem for me. >Simon CPAN in an RPM environment? Good luck with that... Richard -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect. This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. 
From simonmjones at gmail.com Mon Oct 12 15:04:09 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Mon Oct 12 15:04:20 2009
Subject: yum upgrade broke my mailscanner - FIXED
In-Reply-To: <3D9C92F3075F5144B46AA2C590F48E2ABCBAFB@commssrv01.computerservicecentre.com>
References: <70572c510910120644k799aaddal440ca864b85d95e8@mail.gmail.com> <3D9C92F3075F5144B46AA2C590F48E2ABCBAFB@commssrv01.computerservicecentre.com>
Message-ID: <70572c510910120704p251ac658j7a19d98afbcd235c@mail.gmail.com>

2009/10/12 Hostmaster :
>>Hi all,
>
>>just a quickie, I ran yum upgrade on my centos 5 box and after a
>>reboot noticed mailscanner wasn't starting which seemed to have
>>something to do with a perl module. running cpan > force install
>>Scalar::Util fixed the problem for me.
>
>>Simon
>
> CPAN in an RPM environment? Good luck with that...
>
> Richard
>
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > It fixed the problem, how would you have fixed it, I look forward to enlightenment :) From Hostmaster at computerservicecentre.com Mon Oct 12 15:38:33 2009 From: Hostmaster at computerservicecentre.com (Hostmaster) Date: Mon Oct 12 15:39:01 2009 Subject: yum upgrade broke my mailscanner - FIXED In-Reply-To: <70572c510910120704p251ac658j7a19d98afbcd235c@mail.gmail.com> References: <70572c510910120644k799aaddal440ca864b85d95e8@mail.gmail.com><3D9C92F3075F5144B46AA2C590F48E2ABCBAFB@commssrv01.computerservicecentre.com> <70572c510910120704p251ac658j7a19d98afbcd235c@mail.gmail.com> Message-ID: <3D9C92F3075F5144B46AA2C590F48E2ABCBAFC@commssrv01.computerservicecentre.com> >It fixed the problem, how would you have fixed it, I look forward to >enlightenment :) Well, taking a look at one of my CentOS 5.3 boxes running MS, /usr/lib/perl5/5.8.8/Scalar/Util.pm is provided by "perl-5.8.8-18.el5_3.1" - the core Perl package on a CentOS machine. Without knowing which repo's other than the core CentOS repo you are running, I would have started off with checking to see if my last "yum update" had modified Scalar/Util.pm, however regardless of which (any) third-party repo's you are using, you should always be using yum-priorities (http://wiki.centos.org/PackageManagement/Yum/Priorities) to protect the base. Depending on what I found out on what had modified Scalar::Util, my next stages from there would have been to either unpack a re-downloaded perl-5.8.8-18.el5_3.1 RPM with rpm2cpio and try returning Scalar::Util back to its package version, or force a re-install of the RPM back over the top. There has been plenty of discussion both on the CentOS forums and IIRC here regarding CPAN on RPM boxes. 
I come from a background of using Slackware before I came to RHEL, and I learnt the hard way by installing the tarball install of MailScanner eons ago (probably around version 4.42) on a CentOS 4 box. CPAN was used to get the perl modules sorted for that install, and over time the problems around using CPAN in an RPM environment just compounded themselves, especially with MailScanner updates and system updates. I hit problems with Compress::Zlib and MailTools as many people have, before deciding enough was enough and going back to RPM's. The process of migrating back from a system cluttered with CPAN built perl modules to RPM's was very, very messy, with copious use of "locate perl |xargs rpm -qf" to work out what was currently on the filesystem and not part of a package, identifying the correct packages and installing them. I then used a side-by-side installation of MailScanner tarball with MailScanner RPM (the tar installation residing in /opt) so I could iron out all of the problems before switching fully to the RPM installation of MailScanner.

I wouldn't wish anyone to have to go through the migration that I did - it used up days of my time which could have much more profitably been spent elsewhere.

Please, for your own sanity, avoid CPAN on RPM systems. A quick google for "centos cpan" shows that I am not the only one who has been "educated" in the ways of RPM based systems ;-)

Richard
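The ownership check Richard describes (which package provides Scalar/Util.pm, whether it was modified, and the "locate perl |xargs rpm -qf" sweep for files outside any package) can be sketched as below. This is an added example, not part of any poster's message or of MailScanner; `RPM_BIN`, the function names, the `fake_rpm` stub and its sample paths and verify line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Perl module files by RPM ownership and integrity.
# RPM_BIN is this example's own knob so a stub can stand in for rpm(8).
RPM_BIN=${RPM_BIN:-rpm}

# classify_file PATH prints exactly one line:
#   UNOWNED <path>             no package claims it (e.g. installed by CPAN)
#   MODIFIED <package> <path>  packaged, but differs from what the RPM shipped
#   OK <package> <path>        packaged and unchanged
# Paths containing whitespace are not handled.
classify_file() {
    f=$1
    # rpm -qf exits non-zero when no package owns the file.
    if ! owner=$($RPM_BIN -qf "$f" 2>/dev/null); then
        printf 'UNOWNED %s\n' "$f"
        return 0
    fi
    # A file shared between packages yields several lines; join them.
    owner=$(printf '%s\n' "$owner" | paste -sd, -)
    # rpm -Vf verifies the owning package and lists only files that fail;
    # the path is the last field of each reported line.
    if $RPM_BIN -Vf "$f" 2>/dev/null |
        awk -v f="$f" '$NF == f { hit = 1 } END { exit !hit }'; then
        printf 'MODIFIED %s %s\n' "$owner" "$f"
    else
        printf 'OK %s %s\n' "$owner" "$f"
    fi
}

# audit_files: read paths on stdin, print every file that is not OK,
# and return 1 if at least one such file was seen.
audit_files() {
    bad=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        line=$(classify_file "$path" </dev/null)
        case $line in
            OK\ *) ;;
            *) printf '%s\n' "$line"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed stand-in for rpm: two files owned by the core perl package
# (one of them altered), anything else unowned. Sample data, not real output.
fake_rpm() {
    case "$1 $2" in
        "-qf /usr/lib/perl5/5.8.8/Scalar/Util.pm"|"-qf /usr/lib/perl5/5.8.8/strict.pm")
            echo "perl-5.8.8-18.el5_3.1" ;;
        "-qf "*)
            echo "file $2 is not owned by any package"; return 1 ;;
        "-Vf /usr/lib/perl5/5.8.8/Scalar/Util.pm"|"-Vf /usr/lib/perl5/5.8.8/strict.pm")
            echo "S.5....T.    /usr/lib/perl5/5.8.8/Scalar/Util.pm"; return 1 ;;
    esac
}

# Offline demonstration against the stub (paths are constructed samples).
demo_audit() {
    (
        RPM_BIN=fake_rpm
        printf '%s\n' \
            /usr/lib/perl5/5.8.8/Scalar/Util.pm \
            /usr/lib/perl5/5.8.8/strict.pm \
            /usr/lib/perl5/site_perl/5.8.8/Compress/Zlib.pm | audit_files
    )
}

# With directory arguments, audit real module trees using the real rpm.
if [ "$#" -gt 0 ]; then
    find "$@" -type f -name '*.pm' | audit_files
fi
```

On an RPM-based host, running the script with a directory such as /usr/lib/perl5 lists only the modules that no package owns or that no longer match their package.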

From admin at lorodoes.com Mon Oct 12 15:46:42 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Mon Oct 12 15:46:59 2009
Subject: yum upgrade broke my mailscanner - FIXED
Message-ID: <20091012144643.21705D6802D@plutopapers.com>

My question is why run yum on a live box that is running fine? Always test first before you yum on a live box.

Garrod Alwood
IT Consultant

-----Original Message-----
From: Hostmaster
Sent: Monday, October 12, 2009 10:38 AM
To: MailScanner discussion
Subject: RE: yum upgrade broke my mailscanner - FIXED

>It fixed the problem, how would you have fixed it, I look forward to
>enlightenment :)

Well, taking a look at one of my CentOS 5.3 boxes running MS, /usr/lib/perl5/5.8.8/Scalar/Util.pm is provided by "perl-5.8.8-18.el5_3.1" - the core Perl package on a CentOS machine.

Without knowing which repo's other than the core CentOS repo you are running, I would have started off with checking to see if my last "yum update" had modified Scalar/Util.pm, however regardless of which (any) third-party repo's you are using, you should always be using yum-priorities (http://wiki.centos.org/PackageManagement/Yum/Priorities) to protect the base.

Depending on what I found out on what had modified Scalar::Util, my next stages from there would have been to either unpack a re-downloaded perl-5.8.8-18.el5_3.1 RPM with rpm2cpio and try returning Scalar::Util back to its package version, or force a re-install of the RPM back over the top.

There has been plenty of discussion both on the CentOS forums and IIRC here regarding CPAN on RPM boxes.

I come from a background of using Slackware before I came to RHEL, and I learnt the hard way by installing the tarball install of MailScanner eons ago (probably around version 4.42) on a CentOS 4 box. CPAN was used to get the perl modules sorted for that install, and over time the problems around using CPAN in an RPM environment just compounded themselves, especially with MailScanner updates and system updates. I hit problems with Compress::Zlib and MailTools as many people have, before deciding enough was enough and going back to RPM's. The process of migrating back from a system cluttered with CPAN built perl modules to RPM's was very, very messy, with copious use of "locate perl |xargs rpm -qf" to work out what was currently on the filesystem and not part of a package, identifying the correct packages and installing them. I then used a side-by-side installation of MailScanner tarball with MailS

[The entire original message is not included]

From rlopezcnm at gmail.com Mon Oct 12 18:29:46 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon Oct 12 18:29:58 2009
Subject: ScamNailer ANNOUNCE: New web site
In-Reply-To:
References: <4AD2EA18.20400@ecs.soton.ac.uk>
Message-ID:

On Mon, Oct 12, 2009 at 3:41 AM, Nigel Kendrick wrote:
>
>
> -----Original Message-----
> From: mailscanner-announce-bounces@lists.mailscanner.info
> [mailto:mailscanner-announce-bounces@lists.mailscanner.info] On Behalf Of
> Julian Field
> Sent: Monday, October 12, 2009 9:35 AM
> To: MailScanner discussion; MailScanner-Announce mailing list list
> Cc: Newton A.M.
> Subject: ScamNailer ANNOUNCE: New web site
>
> My anti-spear-phishing script has grown up a bit and earned itself a new
> name and a website.
>
> So say hello to "ScamNailer" !
>
>
> >>> Sounds vicious!
>

Is the Stable version there Stable enough to be using now?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From campbell at cnpapers.com Mon Oct 12 20:34:03 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Oct 12 20:34:19 2009
Subject: Got a real nightmare on my hands installing the newest
Message-ID: <4AD384AB.3010705@cnpapers.com>

I just tried updating MS on a Centos 3 box. Seems like a lot of the perl modules need perl-5.8.1, while the latest perl for Centos 3 is only 5.8.0-94, so a lot of stuff failed, along with MS.

I started installing what was needed with rpmbuild, but got into the dependency circle, so I tried going back a to MS 4.72. Now a lot of the modules were deleted by the new stuff and I'm not sure that they weren't just ignored in the 4.72 install.

Anyone got a suggestion for me who has done the Centos 3 install?

Thanks

steve campbell

From steve at fsl.com Mon Oct 12 20:43:30 2009
From: steve at fsl.com (Stephen Swaney)
Date: Mon Oct 12 20:43:40 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To: <4AD384AB.3010705@cnpapers.com>
References: <4AD384AB.3010705@cnpapers.com>
Message-ID:

On Oct 12, 2009, at 3:34 PM, Steve Campbell wrote:

> I just tried updating MS on a Centos 3 box. Seems like a lot of the
> perl modules need perl-5.8.1, while the latest perl for Centos 3 is
> only 5.8.0-94, so a lot of stuff failed, along with MS.
>
> I started installing what was needed with rpmbuild, but got into the
> dependency circle, so I tried going back a to MS 4.72.
> Now a lot of
> the modules were deleted by the new stuff and I'm not sure that they
> weren't just ignored in the 4.72 install.
>
> Anyone got a suggestion for me who has done the Centos 3 install?
>
> Thanks
>
> steve campbell

Steve,

I have to ask why are you are installing on OS that's no longer supported?

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From mikael at syska.dk Mon Oct 12 20:53:03 2009
From: mikael at syska.dk (Mikael Syska)
Date: Mon Oct 12 20:53:16 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To:
References: <4AD384AB.3010705@cnpapers.com>
Message-ID: <6beca9db0910121253m48e6644ckd35ddebfc6d3ac9d@mail.gmail.com>

Hi

On Mon, Oct 12, 2009 at 9:43 PM, Stephen Swaney wrote:
>
> On Oct 12, 2009, at 3:34 PM, Steve Campbell wrote:
>
>> I just tried updating MS on a Centos 3 box. Seems like a lot of the perl
>> modules need perl-5.8.1, while the latest perl for Centos 3 is only
>> 5.8.0-94, so a lot of stuff failed, along with MS.
>>
>> I started installing what was needed with rpmbuild, but got into the
>> dependency circle, so I tried going back a to MS 4.72. Now a lot of the
>> modules were deleted by the new stuff and I'm not sure that they weren't
>> just ignored in the 4.72 install.
>>
>> Anyone got a suggestion for me who has done the Centos 3 install?
>>
>> Thanks
>>
>> steve campbell
>
> Steve,
>
> I have to ask why are you are installing on OS that's no longer supported?

I think he is updating the MS installation on an old Centos 3 box ... so not a new installation.

>
> Best regards,
>
> Steve
>
> --
> Steve Swaney
> steve@fsl.com
> 202 595-7760 ext: 601
> www.fsl.com
> The most accurate and cost effective anti-spam solutions available
>

Kind regards
Mikael Syska

From campbell at cnpapers.com Mon Oct 12 20:53:13 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Oct 12 20:53:25 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To:
References: <4AD384AB.3010705@cnpapers.com>
Message-ID: <4AD38929.5070303@cnpapers.com>

Stephen Swaney wrote:
>
> On Oct 12, 2009, at 3:34 PM, Steve Campbell wrote:
>
>> I just tried updating MS on a Centos 3 box. Seems like a lot of the
>> perl modules need perl-5.8.1, while the latest perl for Centos 3 is
>> only 5.8.0-94, so a lot of stuff failed, along with MS.
>>
>> I started installing what was needed with rpmbuild, but got into the
>> dependency circle, so I tried going back a to MS 4.72. Now a lot of
>> the modules were deleted by the new stuff and I'm not sure that they
>> weren't just ignored in the 4.72 install.
>>
>> Anyone got a suggestion for me who has done the Centos 3 install?
>>
>> Thanks
>>
>> steve campbell
>
> Steve,
>
> I have to ask why are you are installing on OS that's no longer
> supported?
>
> Best regards,
>
> Steve
>

Not supported by whom? Centos 3 is still a viable OS. If our company had the resources to install on new equipment and I had spares, I'd do it. But we don't, so I can't upgrade hardware and OS as easily as I'd like to.

Now, does anyone have a real suggestion?

steve

From hvdkooij at vanderkooij.org Tue Oct 13 00:27:55 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Oct 13 00:28:06 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To:
References: <4AD384AB.3010705@cnpapers.com>
Message-ID: <4AD3BB7B.4080603@vanderkooij.org>

On 10/12/2009 09:43 PM, Stephen Swaney wrote:
>
> On Oct 12, 2009, at 3:34 PM, Steve Campbell wrote:
>
>> Anyone got a suggestion for me who has done the Centos 3 install?
>
> I have to ask why are you are installing on OS that's no longer supported?

How long will CentOS-3 updates be supported?
We intend to support CentOS-3 updates until Oct 31, 2010.
See also: http://www.centos.org/modules/smartfaq/faq.php?faqid=43

But the fact that Centos 3 is supported for about a year does not mean MailScanner has to support it as well. So if you really like to run MailScanner I suppose you probably would be wise and consider Centos 5.x as a replacement.

Hugo.

From campbell at cnpapers.com Tue Oct 13 02:34:03 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Oct 13 02:34:13 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To: <4AD3BB7B.4080603@vanderkooij.org>
References: <4AD384AB.3010705@cnpapers.com> <4AD3BB7B.4080603@vanderkooij.org>
Message-ID: <1255397643.4ad3d90b57c47@perdition.cnpapers.net>

Quoting Hugo van der Kooij :

> On 10/12/2009 09:43 PM, Stephen Swaney wrote:
> >
> > On Oct 12, 2009, at 3:34 PM, Steve Campbell wrote:
> >
> >> Anyone got a suggestion for me who has done the Centos 3 install?
> >
> > I have to ask why are you are installing on OS that's no longer supported?
>
> How long will CentOS-3 updates be supported?
> We intend to support CentOS-3 updates until Oct 31, 2010.
> See also: http://www.centos.org/modules/smartfaq/faq.php?faqid=43
>
> But the fact that Centos 3 is supported for about a year does not mean
> MailScanner has to support it as well. So if you really like to run
> MailScanner I suppose you probably would be wise and consider Centos
> 5.x as a replacement.
>
> Hugo.
>

Hugo,

Please don't misunderstand my frustrations. I am not blaming MailScanner or Julian in any way for this messup of mine. I was only responding to Steve's comment about Centos 3 being sort of a dead OS. My original post was asking for suggestions as to how others might have gotten beyond the Perl problems I created.

My situation started with trying to upgrade 4.72 to the latest version. Upon its failure, I tried using "install.sh nodeps", which made things worse. I see no way back now other than a bare metal restore.

To tell you the truth, I really don't see how I got 4.72 to work since a lot of it is dependant on Perl 5.8.1, but I've got it installed on two other Centos 3 machines as well. I'm not a Perl expert, that's pretty obvious.

I'm really glad Julian takes MS to higher levels. I don't understand the options I have for upgrading when using install.sh, but up until this time, MS has always come up faithfully after running upgrade for the conf files.

Once I get restored, I'll start to try and find a way to upgrade Centos. For now, I just have sendmail running, so I've bought a little time.

Thanks for the input, though. Hope this explains my position. I think MS is great, and I surely don't mean to be degrading. Sorry.

steve

From simonmjones at gmail.com Tue Oct 13 11:16:43 2009
From: simonmjones at gmail.com (Simon Jones)
Date: Tue Oct 13 11:16:52 2009
Subject: yum upgrade broke my mailscanner - FIXED
In-Reply-To: <20091012144643.21705D6802D@plutopapers.com>
References: <20091012144643.21705D6802D@plutopapers.com>
Message-ID: <70572c510910130316m5545f118g8d1e131cbbf75c63@mail.gmail.com>

2009/10/12 Garrod Alwood :
> My question is why run yum on a live box that is running fine? Always test first before you yum on a live box.
>
> Garrod Alwood
> IT Consultant
>
> -----Original Message-----
> From: Hostmaster
> Sent: Monday, October 12, 2009 10:38 AM
> To: MailScanner discussion
> Subject: RE: yum upgrade broke my mailscanner - FIXED
>
>
>
>>It fixed the problem, how would you have fixed it, I look forward to
>>enlightenment :)
>
> Well, taking a look at one of my CentOS 5.3 boxes running MS,
> /usr/lib/perl5/5.8.8/Scalar/Util.pm is provided by "perl-5.8.8-18.el5_3.1" - the
> core Perl package on a CentOS machine.
>
> Without knowing which repo's other than the core CentOS repo you are running, I
> would have started off with checking to see if my last "yum update" had modified
> Scalar/Util.pm, however regardless of which (any) third-party repo's you are
> using, you should always be using yum-priorities
> (http://wiki.centos.org/PackageManagement/Yum/Priorities) to protect the base.
>
> Depending on what I found out on what had modified Scalar::Util, my next stages
> from there would have been to either unpack a re-downloaded
> perl-5.8.8-18.el5_3.1 RPM with rpm2cpio and try returning Scalar::Util back to
> its package version, or force a re-install of the RPM back over the top.
>
> There has been plenty of discussion both on the CentOS forums and IIRC here
> regarding CPAN on RPM boxes.
>
> I come from a background of using Slackware before I came to RHEL, and I learnt
> the hard way by installing the tarball install of MailScanner eons ago (probably
> around version 4.42) on a CentOS 4 box. CPAN was used to get the perl modules
> sorted for that install, and over time the problems around using CPAN in an RPM
> environment just compounded themselves, especially with MailScanner updates and
> system updates. I hit problems with Compress::Zlib and MailTools as many people
> have, before deciding enough was enough and going back to RPM's. The process of
> migrating back from a system cluttered with CPAN built perl modules to RPM's was
> very, very messy, with copious use of "locate perl |xargs rpm -qf" to work out
> what was currently on the filesystem and not part of a package, identifying the
> correct packages and installing them. I then used a side-by-side installation of
> MailScanner tarball with MailS
>
>
> [The entire original message is not included]

It wasn't actually a production server, I was switching it from physical hardware to a VPS on our Xen platform - got it all working and tested it then ran the updates (excluding kernel updates) and that's when I got the error on restarting mailscanner. Just thought it might have been a useful post to someone having a similar problem.

From gandalv.greyheim at gmail.com Tue Oct 13 13:59:38 2009
From: gandalv.greyheim at gmail.com (Jørn Skjerven)
Date: Tue Oct 13 13:59:48 2009
Subject: Permissions Issue ?
In-Reply-To: <223f97700908030449u2ec5c9dbrc66687c9e56a7aca@mail.gmail.com>
References: <14600540.01249298635595.JavaMail.root@office.splatnix.net> <223f97700908030449u2ec5c9dbrc66687c9e56a7aca@mail.gmail.com>
Message-ID:

I'm currently seeing the same error here, same directories setup and rights.

I have no .razor file in /var/spool/MailScanner/incoming/, and permissions set as follows

Incoming Work User = postfix
Incoming Work Group = clamav
Incoming Work Permissions = 0660

Also I have not set up any specific config for razor, is this described in detail how to integrate with mailscanner somewhere ?

Any suggestions ?

From gandalv.greyheim at gmail.com Tue Oct 13 14:24:49 2009
From: gandalv.greyheim at gmail.com (Jørn Skjerven)
Date: Tue Oct 13 14:24:59 2009
Subject: Permissions Issue ?
In-Reply-To:
References: <14600540.01249298635595.JavaMail.root@office.splatnix.net> <223f97700908030449u2ec5c9dbrc66687c9e56a7aca@mail.gmail.com>
Message-ID:

2009/10/13 Jørn Skjerven
> I'm currently seeing the same error here, same directories setup and
> rights.
>
> I have no .razor file in /var/spool/MailScanner/incoming/, and permissions
> set as follows
>
> Incoming Work User = postfix
> Incoming Work Group = clamav
> Incoming Work Permissions = 0660
>
> Also i have not set up any specific config for razor, is this described in
> detail how to integrate with mailscanner somewhere ?
>
> Any suggestions ?
>

Ah, never mind, I figured it out. I had to move the .razor directory to /var/spool/postfix to make it work as I ran razor-admin -register as root, but now it logs only to one file.

--
_________________
Jørn Skjerven
WebDeal System Administrator

From dyioulos at firstbhph.com Tue Oct 13 15:12:00 2009
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Tue Oct 13 15:12:47 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To: <4AD38929.5070303@cnpapers.com>
References: <4AD384AB.3010705@cnpapers.com> <4AD38929.5070303@cnpapers.com>
Message-ID: <200910131012.01421.dyioulos@firstbhph.com>

On Monday 12 October 2009 3:53:13 pm Steve Campbell wrote:
> Stephen Swaney wrote:
> > On Oct 12, 2009, at 3:34 PM, Steve Campbell wrote:
> >> I just tried updating MS on a Centos 3 box.
> >> Seems like a lot of the perl modules need
> >> perl-5.8.1, while the latest perl for Centos
> >> 3 is only 5.8.0-94, so a lot of stuff
> >> failed, along with MS.
> >>
> >> I started installing what was needed with
> >> rpmbuild, but got into the dependency
> >> circle, so I tried going back a to MS 4.72.
> >> Now a lot of the modules were deleted by the
> >> new stuff and I'm not sure that they weren't
> >> just ignored in the 4.72 install.
> >>
> >> Anyone got a suggestion for me who has done
> >> the Centos 3 install?
> >>
> >> Thanks
> >>
> >> steve campbell
> >
> > Steve,
> >
> > I have to ask why are you are installing on
> > OS that's no longer supported?
> >
> > Best regards,
> >
> > Steve
>
> Not supported by whom? Centos 3 is still a
> viable OS. If our company had the resources to
> install on new equipment and I had spares, I'd
> do it. But we don't, so I can't upgrade
> hardware and OS as easily as I'd like to.
>
> Now, does anyone have a real suggestion?
>
> steve

I, too, am still using CentOS 3 as my mail server platform, and I, too, ran into the problems you describe. I'm running the same perl version as you, as well. IIRC, I updated all of the perl modules that MS uses (from Dag repository), then installed MS from the RPM itself. It worked/is still working great.

HTH.

Dimitri

From campbell at cnpapers.com Tue Oct 13 15:40:17 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Oct 13 15:40:33 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To: <200910131012.01421.dyioulos@firstbhph.com>
References: <4AD384AB.3010705@cnpapers.com> <4AD38929.5070303@cnpapers.com> <200910131012.01421.dyioulos@firstbhph.com>
Message-ID: <4AD49151.2030109@cnpapers.com>

Dimitri Yioulos wrote:
> On Monday 12 October 2009 3:53:13 pm Steve
> Campbell wrote:
>
>>>> I just tried updating MS on a Centos 3 box.
>>>> Seems like a lot of the perl modules need
>>>> perl-5.8.1, while the latest perl for Centos
>>>> 3 is only 5.8.0-94, so a lot of stuff
>>>> failed, along with MS.
>>>>
>>>> I started installing what was needed with
>>>> rpmbuild, but got into the dependency
>>>> circle, so I tried going back a to MS 4.72.
>>>> Now a lot of the modules were deleted by the
>>>> new stuff and I'm not sure that they weren't
>>>> just ignored in the 4.72 install.
>>>>
>>>> Anyone got a suggestion for me who has done
>>>> the Centos 3 install?
>>>>
>>>> Thanks
>>>>
>>>> steve campbell
>>>>
>>>>
>>>>
>>>>
> I, too, am still using CentOS 3 as my mail server
> platform, and I, too, ran into the problems you
> describe.
> I'm running the same perl version as
> you, as well. IIRC, I updated all of the perl
> modules that MS uses (from Dag repository), then
> installed MS from the RPM itself. It worked/is
> still working great.
>
> HTH.
>
> Dimitri
>
>

Dimitri,

How did you get around the Perl 5.8.1 dependency of some of the modules? Doesn't it still complain and fail even with the non-Dag stuff? I have the rpmforge repo on this system. Is Dag and rpmforge still the same? Think I'll try your way another day.

I got my system back by running an older version upgrade, then moving back to the version I started with. Seems that older versions didn't remove things, and if the new perl module failed, it could still work OK, but the newer install tends to remove things first. If that hadn't worked, I was going to do a restore of the entire server from last week. I'm still a little worried I might not have something that's not just right.

Thanks for the info.

steve

From MailScanner at ecs.soton.ac.uk Tue Oct 13 15:48:00 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Oct 13 15:48:34 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To: <4AD49151.2030109@cnpapers.com>
References: <4AD384AB.3010705@cnpapers.com> <4AD38929.5070303@cnpapers.com> <200910131012.01421.dyioulos@firstbhph.com> <4AD49151.2030109@cnpapers.com> <4AD49320.6080308@ecs.soton.ac.uk>
Message-ID:

On 13/10/2009 15:40, Steve Campbell wrote:
>
>
> Dimitri Yioulos wrote:
>> On Monday 12 October 2009 3:53:13 pm Steve Campbell wrote:
>>>>> I just tried updating MS on a Centos 3 box.
>>>>> Seems like a lot of the perl modules need
>>>>> perl-5.8.1, while the latest perl for Centos
>>>>> 3 is only 5.8.0-94, so a lot of stuff
>>>>> failed, along with MS.
>>>>>
>>>>> I started installing what was needed with
>>>>> rpmbuild, but got into the dependency
>>>>> circle, so I tried going back a to MS 4.72.
>>>>> Now a lot of the modules were deleted by the
>>>>> new stuff and I'm not sure that they weren't
>>>>> just ignored in the 4.72 install.
>>>>>
>>>>> Anyone got a suggestion for me who has done
>>>>> the Centos 3 install?
>>>>>
>>>>> Thanks
>>>>>
>>>>> steve campbell
>>>>>
>>>>>
>>>>>
>> I, too, am still using CentOS 3 as my mail server platform, and I,
>> too, ran into the problems you describe. I'm running the same perl
>> version as you, as well. IIRC, I updated all of the perl modules
>> that MS uses (from Dag repository), then installed MS from the RPM
>> itself. It worked/is still working great.
>>
>> HTH.
>>
>> Dimitri
>>
> Dimitri,
>
> How did you get around the Perl 5.8.1 dependency of some of the
> modules? Doesn't it still complain and fail even with the non-Dag
> stuff? I have the rpmforge repo on this system. Is Dag and rpmforge
> still the same? Think I'll try your way another day.
>
> I got my system back by running an older version upgrade, then moving
> back to the version I started with. Seems that older versions didn't
> remove things, and if the new perl module failed, it could still work
> OK, but the newer install tends to remove things first. If that hadn't
> worked, I was going to do a restore of the entire server from last
> week. I'm still a little worried I might not have something that's not
> just right.
>

You can do "./install.sh --inturn" which will remove and then reinstall each module in turn.
You can do "./install.sh --help" to get all the command-line options.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From dyioulos at firstbhph.com Tue Oct 13 16:05:54 2009
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Tue Oct 13 16:06:47 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To:
References: <4AD384AB.3010705@cnpapers.com> <4AD49320.6080308@ecs.soton.ac.uk>
Message-ID: <200910131105.55325.dyioulos@firstbhph.com>

On Tuesday 13 October 2009 10:48:00 am Julian Field wrote:
> On 13/10/2009 15:40, Steve Campbell wrote:
> > Dimitri Yioulos wrote:
> >> On Monday 12 October 2009 3:53:13 pm Steve Campbell wrote:
> >>>>> I just tried updating MS on a Centos 3
> >>>>> box. Seems like a lot of the perl modules
> >>>>> need perl-5.8.1, while the latest perl
> >>>>> for Centos 3 is only 5.8.0-94, so a lot
> >>>>> of stuff failed, along with MS.
> >>>>>
> >>>>> I started installing what was needed with
> >>>>> rpmbuild, but got into the dependency
> >>>>> circle, so I tried going back a to MS
> >>>>> 4.72. Now a lot of the modules were
> >>>>> deleted by the new stuff and I'm not sure
> >>>>> that they weren't just ignored in the
> >>>>> 4.72 install.
> >>>>>
> >>>>> Anyone got a suggestion for me who has
> >>>>> done the Centos 3 install?
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> steve campbell
> >>
> >> I, too, am still using CentOS 3 as my mail
> >> server platform, and I, too, ran into the
> >> problems you describe. I'm running the same
> >> perl version as you, as well. IIRC, I
> >> updated all of the perl modules that MS uses
> >> (from Dag repository), then installed MS
> >> from the RPM itself. It worked/is still
> >> working great.
> >>
> >> HTH.
> >>
> >> Dimitri
> >
> > Dimitri,
> >
> > How did you get around the Perl 5.8.1
> > dependency of some of the modules?
> > Doesn't it
> > still complain and fail even with the non-Dag
> > stuff? I have the rpmforge repo on this
> > system. Is Dag and rpmforge still the same?
> > Think I'll try your way another day.
> >
> > I got my system back by running an older
> > version upgrade, then moving back to the
> > version I started with. Seems that older
> > versions didn't remove things, and if the new
> > perl module failed, it could still work OK,
> > but the newer install tends to remove things
> > first. If that hadn't worked, I was going to
> > do a restore of the entire server from last
> > week. I'm still a little worried I might not
> > have something that's not just right.
>
> You can do "./install.sh --inturn" which will
> remove and then reinstall each module in turn.
> You can do "./install.sh --help" to get all the
> command-line options.
>
> Jules
>

Jules,

Was "./install.sh --inturn" available in version 4.76? That was the version in which I encountered problems, and my work-around did work in lieu of a better solution at the time, and a need to get MS fixed QUICK.

Dimitri

From campbell at cnpapers.com Tue Oct 13 16:14:24 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Oct 13 16:14:36 2009
Subject: Got a real nightmare on my hands installing the newest
In-Reply-To:
References: <4AD384AB.3010705@cnpapers.com> <4AD38929.5070303@cnpapers.com> <200910131012.01421.dyioulos@firstbhph.com> <4AD49151.2030109@cnpapers.com> <4AD49320.6080308@ecs.soton.ac.uk>
Message-ID: <4AD49950.8080306@cnpapers.com>

Julian Field wrote:
>
>
> On 13/10/2009 15:40, Steve Campbell wrote:
>>
>>
>> Dimitri Yioulos wrote:
>>> On Monday 12 October 2009 3:53:13 pm Steve Campbell wrote:
>>>>>> I just tried updating MS on a Centos 3 box.
>>>>>> Seems like a lot of the perl modules need >>>>>> perl-5.8.1, while the latest perl for Centos >>>>>> 3 is only 5.8.0-94, so a lot of stuff >>>>>> failed, along with MS. >>>>>> >>>>>> I started installing what was needed with >>>>>> rpmbuild, but got into the dependency >>>>>> circle, so I tried going back a to MS 4.72. >>>>>> Now a lot of the modules were deleted by the >>>>>> new stuff and I'm not sure that they weren't >>>>>> just ignored in the 4.72 install. >>>>>> >>>>>> Anyone got a suggestion for me who has done >>>>>> the Centos 3 install? >>>>>> >>>>>> Thanks >>>>>> >>>>>> steve campbell >>>>>> >>>>>> >>>>>> >>> I, too, am still using CentOS 3 as my mail server platform, and I, >>> too, ran into the problems you describe. I'm running the same perl >>> version as you, as well. IIRC, I updated all of the perl modules >>> that MS uses (from Dag repository), then installed MS from the RPM >>> itself. It worked/is still working great. >>> >>> HTH. >>> >>> Dimitri >>> >> Dimitri, >> >> How did you get around the Perl 5.8.1 dependency of some of the >> modules? Doesn't it still complain and fail even with the non-Dag >> stuff? I have the rpmforge repo on this system. Is Dag and rpmforge >> still the same? Think I'll try your way another day. >> >> I got my system back by running an older version upgrade, then moving >> back to the version I started with. Seems that older versions didn't >> remove things, and if the new perl module failed, it could still work >> OK, but the newer install tends to remove things first. If that >> hadn't worked, I was going to do a restore of the entire server from >> last week. I'm still a little worried I might not have something >> that's not just right. >> > You can do "./install.sh --inturn" which will remove and then > reinstall each module in turn. You can do "./install.sh --help" to get > all the command-line options. > > Jules Thanks Julian, I'm not sure which option is right for me after reviewing what is available. 
They all seem to be applicable either in whole or in part. steve From cfisk at qwicnet.com Tue Oct 13 16:32:13 2009 From: cfisk at qwicnet.com (Christopher Fisk) Date: Tue Oct 13 16:32:35 2009 Subject: My solution for getting the spam.whitelist.rules and spam.blacklist.rules into a database Message-ID: Hi! A few days (weeks?) ago I emailed asking how to store the spam.whitelist.rules and spam.blacklist.rules in a MySQL database and it was suggested I write a script to yank the data and format the files. I have done so and would like to share it. If interested you can download the tarball from: http://www.qwicnet.com/mailscanner/mailscannerdb.tar I am by no means an accomplished perl programmer, this was done on my spare time and "works for me". I've put it up under the same license as MailScanner (GPL) in case it is useful enough to be added. Hope it is useful to someone! Chris -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brent.addis at spit.gen.nz Tue Oct 13 22:05:51 2009 From: brent.addis at spit.gen.nz (Brent Addis) Date: Tue Oct 13 22:06:09 2009 Subject: My solution for getting the spam.whitelist.rules and spam.blacklist.rules into a database In-Reply-To: References: Message-ID: <1255467951.6667.3.camel@baddis-laptop> Forgive me if i'm wrong, but doesn't mailwatch do this? -----Original Message----- From: Christopher Fisk Reply-to: MailScanner discussion To: mailscanner@lists.mailscanner.info Subject: My solution for getting the spam.whitelist.rules and spam.blacklist.rules into a database Date: Tue, 13 Oct 2009 11:32:13 -0400 Hi! A few days (weeks?) ago I emailed asking how to store the spam.whitelist.rules and spam.blacklist.rules in a MySQL database and it was suggested I write a script to yank the data and format the files. I have done so and would like to share it. 
If interested you can download the tarball from: http://www.qwicnet.com/mailscanner/mailscannerdb.tar I am by no means an accomplished perl programmer, this was done on my spare time and "works for me". I've put it up under the same license as MailScanner (GPL) in case it is useful enough to be added. Hope it is useful to someone! Chris -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091014/0d56e685/attachment.html From ismail at ismailozatay.net Tue Oct 13 22:33:06 2009 From: ismail at ismailozatay.net (Ismail OZATAY) Date: Tue Oct 13 22:33:15 2009 Subject: about notify messages Message-ID: <4AD4F212.2050305@ismailozatay.net> Hi Julian , I have just started to use "Notify Senders Of Blocked Size Attachments" option. It is working properly but when our system sends a notification mail to sender, e-mails were blocked by remote mta. Because the MailScanner does not include any address in "from" section while sending . Could you fix our problem, please ? Best regards. Ismail OZATAY From philip at zeiglers.net Tue Oct 13 22:35:09 2009 From: philip at zeiglers.net (Philip Zeigler) Date: Tue Oct 13 22:37:54 2009 Subject: Slightly OT: Postcard Virus/SPAM Message-ID: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> I just noticed that one of my mail servers has been compromised somehow and has begun sending out spam/virus as if it was coming from postcard.org. The emails seem to be originating from my web server with the apache@mydomain.com address. I have stopped the sendmail out process so that these don't get sent. This also prevents more of these emails from being generated. If I flush the mail queue and restart the outbound sendmail process then more of these emails get generated. Until I get this cleaned up, I'm leaving it off. 
My problem is that I can't figure out how they are actually getting generated so that I can put a stop to it. There is no trace in my access_log files of anyone posting through a form, etc. Has anyone else dealt with this and know how to clean up this mess. Philip -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091013/1401118d/attachment.html From alex at rtpty.com Tue Oct 13 22:43:29 2009 From: alex at rtpty.com (Alex Neuman) Date: Tue Oct 13 22:43:43 2009 Subject: Slightly OT: Postcard Virus/SPAM In-Reply-To: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> References: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> Message-ID: Sure, but there's so much you need to test... First of all, how many logged in users do you have? Did you run "last" to see if anyone's logged in? Does it still run if you "init 1" then start networking and the MTA/MailScanner? On Oct 13, 2009, at 4:35 PM, Philip Zeigler wrote: > I just noticed that one of my mail servers has been compromised > somehow and has begun sending out spam/virus as if it was coming > from postcard.org. The emails seem to be originating from my web > server with the apache@mydomain.com address. > > I have stopped the sendmail out process so that these don't get > sent. This also prevents more of these emails from being > generated. If I flush the mail queue and restart the outbound > sendmail process then more of these emails get generated. Until I > get this cleaned up, I'm leaving it off. > > My problem is that I can't figure out how they are actually getting > generated so that I can put a stop to it. There is no trace in my > access_log files of anyone posting through a form, etc. > > Has anyone else dealt with this and know how to clean up this mess.
> > Philip > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From philip at zeiglers.net Tue Oct 13 23:00:06 2009 From: philip at zeiglers.net (Philip Zeigler) Date: Tue Oct 13 23:03:03 2009 Subject: Slightly OT: Postcard Virus/SPAM In-Reply-To: References: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> Message-ID: <3ED71793F9A94BC687A8A76B0F80F4DA@9MHQV61> There are no users logged in. Server is a web server and mail server. There are accounts set up for users for the email but they are accessed only through imap/dovecot. None of the users have shell access (set to /bin/nologin or /bin/false). I am remote from the machine right now so I will not be able to test the "init 1" until the tomorrow morning. Philip -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: Tuesday, October 13, 2009 5:43 PM To: MailScanner discussion Subject: Re: Slightly OT: Postcard Virus/SPAM Sure, but there's so much you need to test... First of all, how many logged in users do you have? Did you run "last" to see if anyone's logged in? Does it still run if you "init 1" then start networking and the MTA/MailScanner? On Oct 13, 2009, at 4:35 PM, Philip Zeigler wrote: > I just noticed that one of my mail servers has been compromised > somehow and has begun sending out spam/virus as if it was coming > from postcard.org. The emails seem to be originating from my web > server with the apache@mydomain.com address. > > I have stopped the sendmail out process so that these don't get > sent. This also prevents more of these emails from being > generated. 
If I flush the mail queue and restart the outbound > sendmail process then more of these emails get generated. Until I > get this cleaned up, I'm leaving it off. > > My problem is that I can't figure out how they are actually getting > generated so that I can put a stop to it. There is no trace in my > access_log files of anyone posting through a form, etc. > > Has anyone else dealt with this and know how to clean up this mess. > > Philip > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From admin at lorodoes.com Tue Oct 13 23:18:02 2009 From: admin at lorodoes.com (Garrod Alwood) Date: Tue Oct 13 23:18:18 2009 Subject: Slightly OT: Postcard Virus/SPAM In-Reply-To: <3ED71793F9A94BC687A8A76B0F80F4DA@9MHQV61> References: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> <3ED71793F9A94BC687A8A76B0F80F4DA@9MHQV61> Message-ID: <32d8b81ca626d16165f75fa4200dcb0d.squirrel@www.lorodoes.com> Possibly one of your users has a compromised machine then if they are accessing the mailserver through Outlook or Thunderbird or any other email client program. > There are no users logged in. Server is a web server and mail server. 
> There are accounts set up for users for the email but they are accessed > only > through imap/dovecot. None of the users have shell access (set to > /bin/nologin or /bin/false). > > I am remote from the machine right now so I will not be able to test the > "init 1" until the tomorrow morning. > > Philip > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex > Neuman > Sent: Tuesday, October 13, 2009 5:43 PM > To: MailScanner discussion > Subject: Re: Slightly OT: Postcard Virus/SPAM > > Sure, but there's so much you need to test... > > First of all, how many logged in users do you have? Did you run "last" > to see if anyone's logged in? Does it still run if you "init 1" then > start networking and the MTA/MailScanner? > > On Oct 13, 2009, at 4:35 PM, Philip Zeigler wrote: > >> I just noticed that one of my mail servers has been compromised >> somehow and has begun sending out spam/virus as if it was coming >> from postcard.org. The emails seem to be originating from my web >> server with the apache@mydomain.com address. >> >> I have stopped the sendmail out process so that these don't get >> sent. This also prevents more of these emails from being >> generated. If I flush the mail queue and restart the outbound >> sendmail process then more of these emails get generated. Until I >> get this cleaned up, I'm leaving it off. >> >> My problem is that I can't figure out how they are actually getting >> generated so that I can put a stop to it. There is no trace in my >> access_log files of anyone posting through a form, etc. >> >> Has anyone else dealt with this and know how to clean up this mess. >> >> Philip >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. 
-- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From admin at lorodoes.com Tue Oct 13 23:19:39 2009 From: admin at lorodoes.com (Garrod Alwood) Date: Tue Oct 13 23:19:57 2009 Subject: My solution for getting the spam.whitelist.rules and spam.blacklist.rules into a database In-Reply-To: <1255467951.6667.3.camel@baddis-laptop> References: <1255467951.6667.3.camel@baddis-laptop> Message-ID: <6cffd3fd89dccba96eb9a9b141a329c4.squirrel@www.lorodoes.com> Hey check out MailWatch a webgui for Mailscanner. It has the whitelist and blacklist in SQL format. Just thought I would throw that out there. > Forgive me if i'm wrong, but doesn't mailwatch do this? > > > -----Original Message----- > From: Christopher Fisk > Reply-to: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: My solution for getting the spam.whitelist.rules and > spam.blacklist.rules into a database > Date: Tue, 13 Oct 2009 11:32:13 -0400 > > > Hi! > > A few days (weeks?) 
ago I emailed asking how to store the > spam.whitelist.rules and spam.blacklist.rules in a MySQL database and it > was suggested I write a script to yank the data and format the files. > > I have done so and would like to share it. If interested you can download > the tarball from: > > http://www.qwicnet.com/mailscanner/mailscannerdb.tar > > > I am by no means an accomplished perl programmer, this was done on my > spare time and "works for me". I've put it up under the same license as > MailScanner (GPL) in case it is useful enough to be added. > > > > Hope it is useful to someone! > > > > Chris > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From philip at zeiglers.net Wed Oct 14 00:56:37 2009 From: philip at zeiglers.net (Philip Zeigler) Date: Wed Oct 14 00:57:11 2009 Subject: Slightly OT: Postcard Virus/SPAM --RESOLVED In-Reply-To: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> References: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> Message-ID: <1116033598-1255478217-cardhu_decombobulator_blackberry.rim.net-1883089087-@bda494.bisx.prod.on.blackberry> I have solved the problem. As I mentioned before, there is no way a user can log in with shell access and everything was being sent as the user apache so it had to be web related. It turns out the server had a package installed called horde which is apparently a framework for creating web applications. Also appears the default configuration is very insecure and allowed a hacker to create an application to send out these postcard spam/virus. Removing horde and a reboot fixed the issue.
Philip -----Original Message----- From: "Philip Zeigler" Date: Tue, 13 Oct 2009 17:35:09 To: Subject: Slightly OT: Postcard Virus/SPAM -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
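Added example (not part of the original thread and not MailScanner code): Philip looked for form posts in access_log while the mail was being handed to sendmail locally as apache. The sketch below lines up sendmail's local-submission log entries with every web request, whatever its method, seen in the seconds before each one. The log lines, host names, addresses and paths are constructed, and both logs are assumed to use the same local time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Sendmail logs a message handed
# over by a local process as "from=<user>, ... relay=<user>@localhost".
MAILLOG = """\
Oct 13 17:20:01 mx1 sendmail[4101]: n9DLK1aa004101: from=apache, size=2113, class=0, nrcpts=1, msgid=<a1@mx1.example.test>, relay=apache@localhost
Oct 13 17:20:03 mx1 sendmail[4105]: n9DLK3ab004105: from=apache, size=2110, class=0, nrcpts=1, msgid=<a2@mx1.example.test>, relay=apache@localhost
Oct 13 17:20:40 mx1 sendmail[4120]: n9DLKeac004120: from=<alice@example.test>, size=900, class=0, nrcpts=1, msgid=<b1@example.test>, proto=ESMTP, daemon=MTA, relay=client.example.test [192.0.2.10]
Oct 13 17:21:02 mx1 sendmail[4131]: n9DLL2ad004131: from=apache, size=2120, class=0, nrcpts=1, msgid=<a3@mx1.example.test>, relay=apache@localhost
""".splitlines()

# Constructed Apache access_log lines (common log format), placeholder paths.
ACCESSLOG = """\
198.51.100.7 - - [13/Oct/2009:17:20:00 -0400] "GET /app/handler.php?x=1 HTTP/1.1" 200 512
198.51.100.7 - - [13/Oct/2009:17:20:02 -0400] "GET /app/handler.php?x=2 HTTP/1.1" 200 512
203.0.113.9 - - [13/Oct/2009:17:20:30 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [13/Oct/2009:17:21:01 -0400] "GET /app/handler.php?x=3 HTTP/1.1" 200 512
203.0.113.9 - - [13/Oct/2009:17:21:02 -0400] "GET /favicon.ico HTTP/1.1" 404 209
""".splitlines()

MAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): "
    r"from=<?([^,>]+)>?,.*\brelay=(\S+)")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def local_submissions(maillog, user="apache", year=2009):
    """Return [(time, queue_id)] for mail submitted locally by `user`.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    found = []
    for line in maillog:
        m = MAIL_RE.match(line)
        if not m:
            continue
        stamp, qid, sender, relay = m.groups()
        # Mail relayed in over SMTP has a remote relay; skip it.
        if sender.split("@")[0] == user and relay == f"{user}@localhost":
            stamp = " ".join(stamp.split())  # "Oct  3" -> "Oct 3"
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            found.append((when, qid))
    return found


def parse_requests(access_log):
    """Return [(time, client, method, path)] with the query string removed."""
    out = []
    for line in access_log:
        m = HTTP_RE.match(line)
        if m:
            client, stamp, method, target = m.groups()
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            out.append((when.replace(tzinfo=None), client, method,
                        target.split("?")[0]))
    return out


def correlate(maillog, access_log, user="apache", year=2009, window=2):
    """Count, per (method, path), the requests made at most `window` seconds
    before a local mail submission by the web server user."""
    requests = parse_requests(access_log)
    suspects = Counter()
    for sent_at, _qid in local_submissions(maillog, user, year):
        for when, _client, method, path in requests:
            if timedelta(0) <= sent_at - when <= timedelta(seconds=window):
                suspects[(method, path)] += 1
    return suspects


if __name__ == "__main__":
    for (method, path), hits in correlate(MAILLOG, ACCESSLOG).most_common():
        print(f"{hits:3d} submission(s) preceded by {method} {path}")
```

Paths that precede many submissions are the scripts to inspect first; widening the window pulls in more unrelated traffic.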
From nick at inticon.net.au Wed Oct 14 01:09:06 2009 From: nick at inticon.net.au (Nick Brown) Date: Wed Oct 14 01:09:26 2009 Subject: Slightly OT: Postcard Virus/SPAM --RESOLVED In-Reply-To: <1116033598-1255478217-cardhu_decombobulator_blackberry.rim.net-1883089087-@bda494.bisx.prod.on.blackberry> References: <0F07A388C437458DB8A2D7B18324B211@9MHQV61> <1116033598-1255478217-cardhu_decombobulator_blackberry.rim.net-1883089087-@bda494.bisx.prod.on.blackberry> Message-ID: Yes, I'd be inclined to recommend Squirrel Mail as opposed to Horde as a web app framework. *chuckles* On 14/10/2009, at 10:56 AM, Philip Zeigler wrote: > I have solved the problem. As I mentioned before, there is no way a > user can log in with shell access and everything was being sent as > the user apache so it had to be web related. > > It turns out the server had a package installed called horde which is > apparently a framework for creating web applications. Also appears > the default configuration is very insecure and allowed a hacker > to create an application to send out these postcard spam/virus. > Removing horde and a reboot fixed the issue. > > Philip > -----Original Message----- > From: "Philip Zeigler" > Date: Tue, 13 Oct 2009 17:35:09 > To: > Subject: Slightly OT: Postcard Virus/SPAM > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
From MailScanner at ecs.soton.ac.uk Wed Oct 14 09:14:28 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Oct 14 09:14:48 2009 Subject: about notify messages In-Reply-To: <4AD4F212.2050305@ismailozatay.net> References: <4AD4F212.2050305@ismailozatay.net> <4AD58864.6060304@ecs.soton.ac.uk> Message-ID: All the sender reports are customisable, and are all in /etc/MailScanner/reports/en/sender*. And they all contain a "From:" line, I just checked. On 13/10/2009 22:33, Ismail OZATAY wrote: > Hi Julian , > > I have just started to use "Notify Senders Of Blocked Size > Attachments" option. It is working properly but when our system sends > a notification mail to sender, e-mails were blocked by remote mta. > Because the MailScanner does not include any address in "from" section > while sending . Could you fix our problem, please ? > > Best regards. > > Ismail OZATAY Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From cfisk at qwicnet.com Wed Oct 14 13:46:42 2009 From: cfisk at qwicnet.com (Christopher Fisk) Date: Wed Oct 14 13:47:05 2009 Subject: My solution for getting the spam.whitelist.rules and spam.blacklist.rules into a database In-Reply-To: <1255467951.6667.3.camel@baddis-laptop> Message-ID: > Forgive me if i'm wrong, but doesn't mailwatch do this? Quite possibly! Could have used that information previously though! =) You have given me a product to take a look at though. 
Christopher Fisk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jaearick at colby.edu Wed Oct 14 13:58:00 2009 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Oct 14 13:58:12 2009 Subject: ScamNailer ANNOUNCE: New web site In-Reply-To: References: <4AD2EA18.20400@ecs.soton.ac.uk> Message-ID: Jules, I am staring at the script and the deployment page on the website, and I'm a bit confused about the mailscanner restart/reload in the script. The script has: my $mailscanner_restart = '/sbin/service MailScanner reload'; Since I'm on Solaris, I'm looking at my own home-cooked init script, and a "reload" means "send HUP signal to the process group leader or oldest MailScanner process". But the deployment webpage says that the script needs to do a restart (ie send ordinary kill signal to process leader, wait for all processes to die, start fresh). I had to modify my init script to get a "restart" option. So... The comments in the script itself seem misleading. HUP or restart? Jeff Earickson Colby College From rlopezcnm at gmail.com Wed Oct 14 14:12:53 2009 From: rlopezcnm at gmail.com (Robert Lopez) Date: Wed Oct 14 14:13:04 2009 Subject: ScamNailer "add addresses of your own" questions Message-ID: The email below slipped past ScamNailer ( actually past predecessor). If I understand the directions, the from address can be added to /etc/MailScanner/anti-phishing.addresses. Can the url link address be added to the /etc/MailScanner/anti-phishing.addresses file? From: Web Administrator [mailto:admin@see-below.org] Sent: Saturday, October 10, 2009 12:39 AM Subject: Important: Email Account Verification Update!! ! Your mailbox quota has been exceeded the storage limit which is 20GB as set by your administrator, You are currently running on 20.9GB. You may not be able to send or receive new mails until you re-validate your mailbox. 
To re-activate your account please click the link below http://ww.see-below.info/ Thanks and we are sorry for the inconveniences Local Host ******* Where see-below in the From address was helpdesk and in the URL was originally accountsadmin. I did not want the real address and link in this email. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From chris at scorpion.nl Wed Oct 14 14:15:47 2009 From: chris at scorpion.nl (Christiaan den Besten) Date: Wed Oct 14 14:15:55 2009 Subject: Processing Database Corruption Message-ID: <4AD5CF03.4040008@scorpion.nl> Hi ! We seem to be hitting a 'bug' (or bad programming on my side) when using the Processing database. Machines scanning ? 600k msg/day get a corrupted .db once every few days. We suspect this started when we introduced a monitoring-check to see if the number of messages in the database is not exceeding our limit. To check this we use :

---
use DBI;

sub db_dump_count {
    my ($sth, $row);
    my $count = 0;

    # Open a separate handle on the MailScanner Processing database.
    my $dbh = DBI->connect(
        "dbi:SQLite:dbname=/opt/exim/spool/MailScanner/incoming/Processing.db",
        "", "", { PrintError => 0, RaiseError => 0 })
        or die "Could not find Processing.db";

    $sth = $dbh->prepare("SELECT COUNT(*) AS Count FROM processing")
        or return 0;
    $sth->execute();
    if ($row = $sth->fetchrow_hashref()) {
        $count = $$row{"Count"};
    }
    # Release the statement handle before returning the count.
    $sth->finish();
    return $count;
}
---

Is it possible that opening the same database twice is not possible using SQLite ? Version MailScanner : 4.77.10 Version SQLite3 : - 1.601 DBI, - 1.14 DBD::SQLite, - 3.4.2-2 sqlite3 I was thinking of writing a patch to do the same, but use memcache instead to resolve this ....
Yours, Christiaan den Besten From goetz.reinicke at filmakademie.de Wed Oct 14 15:37:08 2009 From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT-Koordinator) Date: Wed Oct 14 15:37:23 2009 Subject: Avira Antivir Update (V2 -> V3) and Mailscanner Message-ID: <4AD5E214.1000806@filmakademie.de> Hi, recently I installed the update of the CLI scanner from avira. The scanner is named "avscan" (Version 3.x) now and not "antivir" (Version 2.x) anymore. Are there any updates to the virus.scanners.conf regarding this update? I've tried to add and create some config files by myself, but this did not work. I created an "antivir-V3-wrapper" file, set antivir-V3 /usr/lib/MailScanner/antivir-V3-wrapper /usr/lib/AntiVir in /etc/MailScanner/virus.scanners.conf and changed the main mailscanner config file changing antivir to antivir-V3. Mailscanner then reported there is no antivir-V3. I then renamed antivir-V3 to antivir in the configs. No error, but also no virus scanning. Any hints or suggestions? Regards, Götz -- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and for Senior Citizens in the State Ministry Managing Director: Prof. Thomas Schadt From Kevin_Miller at ci.juneau.ak.us Wed Oct 14 17:08:54 2009 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Oct 14 17:09:08 2009 Subject: My solution for getting the spam.whitelist.rules and spam.blacklist.rules into a database In-Reply-To: References: <1255467951.6667.3.camel@baddis-laptop> Message-ID: <4A09477D575C2C4B86497161427DD94C126BA5C4F9@city-exchange07> Christopher Fisk wrote: >> Forgive me if i'm wrong, but doesn't mailwatch do this? > > Quite possibly! Could have used that information previously though!
> =) > > You have given me a product to take a look at though. One thing to note, it's an either/or situation with rules in MailScanner or MailWatch. If you use them in MailScanner, you don't get them in MailWatch and vice versa. I don't use the MailWatch rules option because the MailScanner rules are more flexible. At least for what I do. But the MailWatch route may be just the thing for your needs. Sorry to not have more details, but it's been ages since I looked at them one way or the other and I just don't remember the particulars... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From mark at msapiro.net Wed Oct 14 17:37:21 2009 From: mark at msapiro.net (Mark Sapiro) Date: Wed Oct 14 17:37:42 2009 Subject: ScamNailer 2.07 question Message-ID: I see the ScamNailer-2.07 script doesn't retrieve the https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses list. Does this mean the http://www.mailscanner.tv/emails/ list includes the addresses which are in that list or is there some other reason? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From darvin.denmian at gmail.com Wed Oct 14 19:46:08 2009 From: darvin.denmian at gmail.com (Darvin Denmian) Date: Wed Oct 14 19:46:18 2009 Subject: MailScanner Rules Message-ID: Hello, Firts of all : I'm new in MailScanner, so I liked to know: - Is there a way to create rules, to block certain types of attachments, per user and per domain? - Can this rules can be stored in Mysql ? Thanks !! 
From nkelly at citrusnetworks.net Wed Oct 14 20:18:48 2009
From: nkelly at citrusnetworks.net (Noel Kelly)
Date: Wed Oct 14 20:19:01 2009
Subject: sendmail/mailscanner on Ubuntu (fix)
Message-ID: <4AD62418.7030601@citrusnetworks.net>

Hi Julian

Having just had to reinstall mailscanner/sendmail on an Ubuntu server from the repositories and come across the popular 'how do you get the inbound/outbound sendmail instances to start?' queries I thought I should document the fix for it.

Clearly I found it before because the answer was buried in the configs from the previous server installed a few years ago. Prior to finding it though I came across a lot of head-scratching threads on the forum and the notes from Mohammed on the Ubuntu page on mailscanner.info only mention postfix.

The answer is to edit 'DAEMON_PARMS' in /etc/mail/sendmail.conf:

DAEMON_PARMS="-bd -OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in";

Also you have to create the /var/spool/mqueue.in directory and change the permissions.

Now you can start /etc/init.d/sendmail and /etc/init.d/mailscanner.

The fact that the Hardy package is an ageing 4.58.9 is another matter:

"MailScanner E-Mail Virus Scanner version 4.58.9 starting... "

I use sendmail because of some of the milters and scripts like Vispan.

Cheers
Noel

From admin at lorodoes.com Wed Oct 14 21:08:03 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Wed Oct 14 21:08:19 2009
Subject: ScamNailer 2.07 question
In-Reply-To:
References:
Message-ID: <0b05d7d07d32ac32a4e495343339b097.squirrel@www.lorodoes.com>

As the post said these are different and better than the ones that are on sourceforge.

> I see the ScamNailer-2.07 script doesn't retrieve the
> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses
> list.
>
> Does this mean the http://www.mailscanner.tv/emails/ list includes the
> addresses which are in that list or is there some other reason?
>
> --
> Mark Sapiro                         The highway is for gamblers,
> San Francisco Bay Area, California  better use your sense - B. Dylan
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From rlopezcnm at gmail.com Wed Oct 14 22:05:37 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed Oct 14 22:05:46 2009
Subject: .mat - Matlab v Microsoft Access Shortcut
Message-ID:

Is there a way to allow the block of .mat files except if they are Matlab files?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From glenn.steen at gmail.com Wed Oct 14 22:20:40 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Oct 14 22:20:50 2009
Subject: .mat - Matlab v Microsoft Access Shortcut
In-Reply-To:
References:
Message-ID: <223f97700910141420v2927bb5x96af9933817c2650@mail.gmail.com>

2009/10/14 Robert Lopez :
> Is there a way to allow the block of .mat files except if they are Matlab files?
>
Yes, simply change the rule in filenames.rules.conf ... make it allow, or comment it out.
The downside is that you'll allow the access shortcut thing.

My users have a tendency to want this too, from time to time, but... it usually turns out it isn't for strictly business related stuff:-). So far, I haven't budged:-).
Since the MatLab files are text (source code), they could just rename them, to circumvent the problem.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ilikeuce at bornefeld-ettmann.de Thu Oct 15 02:00:39 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Thu Oct 15 02:01:29 2009
Subject: MailScanner Rules
In-Reply-To:
References:
Message-ID:

Darvin Denmian wrote:
> Hello,
>
> First of all: I'm new to MailScanner, so I'd like to know:
>
> - Is there a way to create rules, to block certain types of
> attachments, per user and per domain?
> - Can these rules be stored in MySQL?
>
> Thanks !!

To respond with my old professor's words: "in principle - yes" ;-)

1. How to block certain types of files per user/per domain:

Create a file /etc/MailScanner/rules/filename.rules :

To: john.doe@example.com /etc/MailScanner/rules/filename.rules.jd.conf
To: example.com /etc/MailScanner/rules/filename.rules.ex.conf
FromOrTo: default /etc/MailScanner/rules/filename.rules.conf

/etc/MailScanner/filename.rules.conf can be the default ruleset shipped with MailScanner.

Then edit /etc/MailScanner/MailScanner.conf and change to:

Filename Rules = %rules-dir%/filename.rules

You can implement the same for filetypes. Do not forget to restart MailScanner after changes.

2. Store rules in MySQL

As mentioned before, you CAN in principle store rules in MySQL. But you need

- either a job that extracts rules files from the database so MailScanner can read them (an hourly cronjob is possibly enough)
- or a new feature that enables MailScanner to read from databases

On the latter option, I have read in an earlier post here something like "if you can not do this yourself Julian possibly will be happy to do it for you - if you pay him", so don't hesitate ... he does not bite or scratch or eat you up ;-)

From alex at rtpty.com Thu Oct 15 04:11:12 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 04:11:25 2009
Subject: 50% OT, 50% Feature (Bug?) Request ;-)
Message-ID:

Some of my users are getting tons of .PPS files lately. I'd like to know if there's a solution outside of MailScanner (I'm thinking "mimedefang" or something like that) that could - in a simple fashion - rename .PPS files to .PPT or something like that.

I don't know if it would be a useful feature for other purposes, so I thought I'd ask the list if they'd see it as a good thing if this sort of thing would be "built into" MailScanner.

Cheers,
Alex

From glenn.steen at gmail.com Thu Oct 15 09:15:34 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 09:15:44 2009
Subject: Avira Antivir Update (V2 -> V3) and Mailscanner
In-Reply-To: <4AD5E214.1000806@filmakademie.de>
References: <4AD5E214.1000806@filmakademie.de>
Message-ID: <223f97700910150115j583e39a3ye4c36618866a90a5@mail.gmail.com>

2009/10/14 Götz Reinicke - IT-Koordinator :
> Hi,
>
> recently I installed the update of the CLI scanner from avira.
>
> The scanner is named "avscan" (Version 3.x) now and not "antivir"
> (Version 2.x) anymore.
>
> Are there any updates to the virus.scanners.conf regarding this update?
>
> I've tried to add and create some config files by myself, but this did
> not work.
>
> I created a "antivir-V3-wrapper" file, set
>
> antivir-V3 /usr/lib/MailScanner/antivir-V3-wrapper /usr/lib/AntiVir
>
> in /etc/MailScanner/virus.scanners.conf and changed the main mailscanner
> config file changing antivir to antivir-V3.
>
> Mailscanner then reported there is no antivir-V3. I then renamed
> antivir-V3 to antivir in the configs. No error, but also no virus scanning.
>
>
> Any hints or suggestions?
>
>
> Regards,
>
>        Götz

You'd need to do some perl hacking (SweepViruses.pm etc ... IIRC) to introduce a new virus scanner (which is what you tried to do with the antivir-V3 thing). If I understood you correctly, you then tried supplanting the antivir command in the antivir configuration with the avscan command?
For that to work as expected, you'd need to make sure it has all the same parameters as the original (V2), and that it produces (if nowhere else, in the wrapper script) the same output ... so that what's in MS can interpret it correctly.
Probably easiest is to provide Jules with a copy of the new scanner (fully functional!) and ... sit back and wait:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Thu Oct 15 10:42:30 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Oct 15 10:42:52 2009
Subject: ScamNailer 2.07 question
In-Reply-To:
References: <4AD6EE86.2030009@ecs.soton.ac.uk>
Message-ID:

On 14/10/2009 17:37, Mark Sapiro wrote:
> I see the ScamNailer-2.07 script doesn't retrieve the
> https://aper.svn.sourceforge.net/svnroot/aper/phishing_reply_addresses
> list.
>
> Does this mean the http://www.mailscanner.tv/emails/ list includes the
> addresses which are in that list
Correct.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Thu Oct 15 10:43:26 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Oct 15 10:43:47 2009
Subject: ScamNailer ANNOUNCE: New web site
In-Reply-To:
References: <4AD2EA18.20400@ecs.soton.ac.uk> <4AD6EEBE.3000807@ecs.soton.ac.uk>
Message-ID:

On 14/10/2009 13:58, Jeff A. Earickson wrote:
> Jules,
>
> I am staring at the script and the deployment page on the website,
> and I'm a bit confused about the mailscanner restart/reload in the
> script.
>
> The script has:
>
> my $mailscanner_restart = '/sbin/service MailScanner reload';
>
> Since I'm on Solaris, I'm looking at my own home-cooked init script,
> and a "reload" means "send HUP signal to the process group leader or
> oldest MailScanner process".
>
> But the deployment webpage says that the script needs to do a restart
> (ie send ordinary kill signal to process leader, wait for all processes
> to die, start fresh). I had to modify my init script to get a "restart"
> option.
>
> So... The comments in the script itself seem misleading. HUP or
> restart?
HUP. I need to fix the docs on the web page. Thanks for alerting me to that.
>
> Jeff Earickson
> Colby College

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Thu Oct 15 10:48:09 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Oct 15 10:48:42 2009
Subject: MailScanner Rules
In-Reply-To:
References: <4AD6EFD9.2010404@ecs.soton.ac.uk>
Message-ID:

On 14/10/2009 19:46, Darvin Denmian wrote:
> Hello,
>
> First of all: I'm new to MailScanner, so I'd like to know:
>
> - Is there a way to create rules, to block certain types of
> attachments, per user and per domain?
>
See the "filename.rules.conf" and "filetype.rules.conf" files and their "archive.*" counterparts.
You can create a ruleset which uses different files like "filename.rules.conf"/"filetype.rules.conf" for different users and domains. This is one of the most commonly-asked questions, so I strongly suspect you will find the answer in the Wiki.
> - Can these rules be stored in MySQL?
>
Take a look at MailWatch.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From logs at comp-wiz.com Thu Oct 15 14:39:52 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 14:40:23 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
Message-ID: <00d101ca4d9c$fa4a7120$eedf5360$@com>

I have no idea what to do as I have never come across this before. I am using a CentOS 5.3 server and when I enable the "Use SpamAssassin" option my server slows to a near halt. Somehow with the 2 enabled together something is going wrong and I don't even know where to begin troubleshooting this without turning SpamAssassin off. Can anyone point me in the right direction? I don't even know if this is a MailScanner or SpamAssassin issue.

Thanks,
Vernon

--
This message has been scanned for viruses and dangerous content by comp-wiz.com, and is believed to be clean.

From rlopezcnm at gmail.com Thu Oct 15 14:51:23 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Thu Oct 15 14:51:35 2009
Subject: .mat - Matlab v Microsoft Access Shortcut
In-Reply-To: <223f97700910141420v2927bb5x96af9933817c2650@mail.gmail.com>
References: <223f97700910141420v2927bb5x96af9933817c2650@mail.gmail.com>
Message-ID:

On Wed, Oct 14, 2009 at 3:20 PM, Glenn Steen wrote:
> 2009/10/14 Robert Lopez :
>> Is there a way to allow the block of .mat files except if they are Matlab files?
>>
> Yes, simply change the rule in filenames.rules.conf ... make it allow,
> or comment it out.
> The downside is that you'll allow the access shortcut thing.
>
> My users have a tendency to want this too, from time to time, but...
> it usually turns out it isn't for strictly business related stuff:-).
> So far, I haven't budged:-).
> Since the MatLab files are text (source code), they could just rename
> them, to circumvent the problem.
>
> Cheers
> --
> -- Glenn

There are math, science, and engineering classes that use Matlab. So in this case, they have a strong case.

I knew I could allow .mat. I have requested a sample .mat file and I am hoping I can modify the Linux (Ubuntu) file command to tell the difference between the uses. But assuming I can get that to happen, I have not yet found how to make that useful to MailScanner.

I did suggest the renaming, but it has become a political issue escalated to administration.
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From prandal at herefordshire.gov.uk Thu Oct 15 14:55:10 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Oct 15 14:55:28 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <00d101ca4d9c$fa4a7120$eedf5360$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>

Start by telling us which version of spamassassin you have installed, and where you installed it from.

Also, if you haven't already, run sa-update to ensure you have the current SA rules.

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From darvin.denmian at gmail.com Thu Oct 15 15:00:30 2009
From: darvin.denmian at gmail.com (Darvin Denmian)
Date: Thu Oct 15 15:00:42 2009
Subject: MailScanner Rules
In-Reply-To:
References: <4AD6EFD9.2010404@ecs.soton.ac.uk>
Message-ID:

Thanks for all replies !!!

From logs at comp-wiz.com Thu Oct 15 15:03:13 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 15:03:45 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
Message-ID: <011801ca4da0$3dcfb8d0$b96f2a70$@com>

I have version 3.2.5-1.el5 installed and I installed it via YUM. However I also uninstalled and downloaded the ClamAV, SA version off the MailScanner website but it didn't install SA for some reason. And so I downloaded and installed via YUM again, only to have the same problem re-occur.

Vern

From roland.de.lepper at cvis.nl Thu Oct 15 15:04:52 2009
From: roland.de.lepper at cvis.nl (Roland de Lepper)
Date: Thu Oct 15 15:05:01 2009
Subject: spamc, spamd and spamassassin
Message-ID: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>

Hi there,

I'm evaluating MailScanner, the commercial edition from FSL. They provide a nice set of installation packages which can be downloaded via yum groupinstall. I installed the software from their server, including spamassassin.
I did some tests from the website declude.com. This site provides simple tests to test your spamassassin and virus scanner. The badheader, spamheader and routing tests fail. This means, it will go through MailScanner and the email is delivered to the recipient. This is not good, because I tested it with another domain, which has MailScanner in front of it, and those mails were blocked. I cannot see how the other MailScanner is configured.

So I did some tests with spamassassin. The default packages from FSL contain only spamc. The parameter "Use Spamassassin" in MailScanner is set to YES.

[root@eumailscan tmp]# spamc < ClamAV.update.log
--------------------------------------
ClamAV update process started at Thu Oct 15 15:07:02 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-9900.cdiff [100%]
daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder: sven)
Database updated (629882 signatures) from db.nl.clamav.net (IP: 194.109.6.97)
Clamd successfully notified about the update.
[root@eumailscan tmp]#

[root@eumailscan tmp]# spamassassin < ClamAV.update.log
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on eumailscan.cvislabs.eu
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.4 required=5.0 tests=MISSING_DATE,MISSING_HB_SEP,
 MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,
 NO_RELAYS autolearn=no version=3.2.5
X-Spam-Report:
 * 0.0 MISSING_MID Missing Message-Id: header
 * 0.0 MISSING_DATE Missing Date: header
 * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
 * 2.5 MISSING_HB_SEP Missing blank line between message header and body
 * 1.6 MISSING_HEADERS Missing To: header
 * 1.3 MISSING_SUBJECT Missing Subject: header
 * -0.0 NO_RECEIVED Informational: message has no Received headers
 * 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
 * headers
--------------------------------------
Subject: [SPAM]
X-Spam-Prev-Subject: (nonexistent)

ClamAV update process started at Thu Oct 15 15:07:02 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-9900.cdiff [100%]
daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder: sven)
Database updated (629882 signatures) from db.nl.clamav.net (IP: 194.109.6.97)
Clamd successfully notified about the update.
[root@eumailscan tmp]#

You see the difference? It is checking the headers!

MailScanner is blocking spam though, but not from the test from declude.com.

No spamc or spamassassin daemon is running on my system. So how does MailScanner call SpamAssassin? Does it call spamc instead of SpamAssassin?

Hope somebody can clarify my problem.
Regards, Roland From rabellino at di.unito.it Thu Oct 15 15:11:59 2009 From: rabellino at di.unito.it (Sergio Rabellino) Date: Thu Oct 15 15:12:24 2009 Subject: MailScanner and SpamAssassin together causes Exterme CPU usage In-Reply-To: <011801ca4da0$3dcfb8d0$b96f2a70$@com> References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> Message-ID: <4AD72DAF.4020305@di.unito.it> Please, check that the dns is correctly set-up and fully functional. What are the hw specs of the server ? Logs ha scritto: > > I have version 3.2.5-1.el5 installed in I installed it VIA YUM. > However I also uninstalled and downloaded the ClamAV, SA version off > the MailScanner website but it didn't install SA for some reason. And > so I downloaded and installed VIA YUM again, only to have the same > problem re-occur. > > > > Vern > > > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Randal, Phil > *Sent:* Thursday, October 15, 2009 9:55 AM > *To:* MailScanner discussion > *Subject:* RE: MailScanner and SpamAssassin together causes Exterme > CPU usage > > > > Start by telling us which version of spamassassin you have installed, > and where you installed it from. > > > > Also, if you haven't already, run sa-update to ensure you have the > current SA rules. > > > > Phil > > -- > Phil Randal | Networks Engineer > NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's > Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > Any opinion expressed in this e-mail or any attached files are those > of the individual and not necessarily those of Herefordshire Council. > > This e-mail and any attached files are confidential and intended > solely for the use of the addressee. 
This communication may contain > material protected by law from being passed on. If you are not the > intended recipient and have received this e-mail in error, you are > advised that any use, dissemination, forwarding, printing or copying > of this e-mail is strictly prohibited. If you have received this > e-mail in error please contact the sender immediately and destroy all > copies of it. > > > > > > ------------------------------------------------------------------------ > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Logs > *Sent:* 15 October 2009 14:40 > *To:* 'MailScanner discussion' > *Subject:* MailScanner and SpamAssassin together causes Exterme CPU usage > > I have no idea what to do as I have never come across this before. I > am using a CentOS 5.3 server and when I enable the "Use SpamAssassin" > option my server slows to a near halt. Somehow with the 2 enabled > together something is going wrong and I don't even know where to begin > trouble shooting this without turning SpamAssassin off. Can anyone > point me in the right direction? I don't even know if this a > MailSacnner or SpamAssassin issue. > > > > Thanks, > > Vernon > > > > > -- > This message has been scanned for viruses and > dangerous content by *comp-wiz.com* , and is > believed to be clean. > > > > Any opinion expressed in this e-mail or any attached files are those > of the individual and not necessarily those of Herefordshire Council. > You should be aware that Herefordshire Council monitors its email service. > This e-mail and any attached files are confidential and intended > solely for the use of the addressee. This communication may contain > material protected by law from being passed on. If you are not the > intended recipient and have received this e-mail in error, you are > advised that any use, dissemination, forwarding, printing or copying > of this e-mail is strictly prohibited. 
If you have received this
> e-mail in error please contact the sender immediately and destroy all
> copies of it.
> --
> This message has been scanned for viruses and
> dangerous content by *comp-wiz.com* , and is
> believed to be clean.
>

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701
Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

-------------- next part --------------
Skipped content of type multipart/related

From logs at comp-wiz.com Thu Oct 15 15:18:27 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 15:19:01 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <4AD72DAF.4020305@di.unito.it>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
 <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it>
Message-ID: <014901ca4da2$5dca9a40$195fcec0$@com>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/85e5772d/attachment.jpe

From alex at rtpty.com Thu Oct 15 15:22:41 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 15:22:51 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <4AD72DAF.4020305@di.unito.it>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
 <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it>
Message-ID: <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/cf7c9476/attachment-0001.jpe

From logs at comp-wiz.com Thu Oct 15 15:23:34 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 15:24:05 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <4AD72DAF.4020305@di.unito.it>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
 <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it>
Message-ID: <016501ca4da3$14b5b0a0$3e2111e0$@com>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/70e00df5/attachment.jpe

From prandal at herefordshire.gov.uk Thu Oct 15 15:28:20 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Oct 15 15:29:26 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <011801ca4da0$3dcfb8d0$b96f2a70$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com><7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA07FE0FD1@HC-MBX02.herefordshire.gov.uk>

Can you run

sa-update -D

and compare the last few lines of output with this:

[27658] dbg: channel: metadata version = 795855
[27658] dbg: dns: 5.2.3.updates.spamassassin.org => 795855, parsed as 795855
[27658] dbg: channel: current version is 795855, new version is 795855, skipping channel

Can you also tell us which MailScanner version is installed?

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.
________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Logs
Sent: 15 October 2009 15:03
To: 'MailScanner discussion'
Subject: RE: MailScanner and SpamAssassin together causes Exterme CPU usage

I have version 3.2.5-1.el5 installed; I installed it VIA YUM. However, I also uninstalled and downloaded the ClamAV, SA version off the MailScanner website but it didn't install SA for some reason. And so I downloaded and installed VIA YUM again, only to have the same problem re-occur.

Vern

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Thursday, October 15, 2009 9:55 AM
To: MailScanner discussion
Subject: RE: MailScanner and SpamAssassin together causes Exterme CPU usage

Start by telling us which version of spamassassin you have installed, and where you installed it from.

Also, if you haven't already, run sa-update to ensure you have the current SA rules.

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk
________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Logs
Sent: 15 October 2009 14:40
To: 'MailScanner discussion'
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage

I have no idea what to do as I have never come across this before. I am using a CentOS 5.3 server and when I enable the "Use SpamAssassin" option my server slows to a near halt. Somehow with the 2 enabled together something is going wrong and I don't even know where to begin troubleshooting this without turning SpamAssassin off.

Can anyone point me in the right direction? I don't even know if this is a MailScanner or SpamAssassin issue.

Thanks,
Vernon

--
This message has been scanned for viruses and dangerous content by comp-wiz.com , and is believed to be clean.

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

You should be aware that Herefordshire Council monitors its email service.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/970cbdaf/attachment.html

From glenn.steen at gmail.com Thu Oct 15 15:51:02 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 15:51:12 2009
Subject: .mat - Matlab v Microsoft Access Shortcut
In-Reply-To:
References: <223f97700910141420v2927bb5x96af9933817c2650@mail.gmail.com>
Message-ID: <223f97700910150751i1b694c6du1edd58ffb4386658@mail.gmail.com>

2009/10/15 Robert Lopez :
> On Wed, Oct 14, 2009 at 3:20 PM, Glenn Steen wrote:
>> 2009/10/14 Robert Lopez :
>>> Is there a way to allow the block of .mat files except if they are Matlab files?
>>>
>> Yes, simply change the rule in filenames.rules.conf ... make it allow,
>> or comment it out.
>> The downside is that you'll allow the access shortcut thing.
>>
>> My users have a tendency to want this too, from time to time, but...
>> it usually turns out it isn't for strictly business related stuff:-).
>> So far, I haven't budged:-).
>> Since the MatLab files are text (source code), they could just rename
>> them, to circumvent the problem.
>>
>> Cheers
>
>
> There are math, science, and engineering classes that use Matlab.
> So in this case, they have a strong case. :-/
> I knew I could allow .mat

... which is all you can do. Nothing more, nothing less.
You *could* try to do something like allow a specific pattern (say
*_OK_.mat), demand that they be put in an archive (and then don't
check that) or similar, but it is all ... bandaids...:(

> I have requested a sample .mat file and I am hoping I can modify the
> linux (Ubuntu) file command to tell the difference between the uses.

The file command has nothing to do with this, since it isn't the file
*type*, but rather the file *name*, that is the problem. Hence the
"override" pattern thing. If there is a directionality to this (only
from the inside to the outside, for example) you could do some
filename rules overloading to "solve it". Or bite the bullet and allow
.mat ... whichever is most manageable and least risky.

> But assuming I can get that to happen, I have not yet found how to
> make that useful to MailScanner.

*If* this was a file type problem, which it isn't, it'd make
sense/work well immediately;-). Alas, this is not the case, so don't
spend too much time on that:-).

> I did suggest the renaming, but it has become a political issue
> escalated to administration.
>

That *might* be a good thing:-). If you lack, as so very many of us
do, a proper policy ("grounded" upstairs, so to speak), this might
actually get you one...;-D
The filename.rules.conf file is pretty well documented on the source
of the blockage (.mat, for example, originates from Microsoft's own
recommendations)... In case you need to defend it:-).
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From alex at rtpty.com Thu Oct 15 15:54:55 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 15:55:10 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <016501ca4da3$14b5b0a0$3e2111e0$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
 <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it>
 <016501ca4da3$14b5b0a0$3e2111e0$@com>
Message-ID: <6E002D04-48D9-42D2-962A-C766FD9BDDF5@rtpty.com>

Is it caching?

On Oct 15, 2009, at 9:23 AM, Logs wrote:

> DNS is correctly setup and functioning.
>

From logs at comp-wiz.com Thu Oct 15 16:00:16 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 16:00:51 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
 <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it>
 <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
Message-ID: <01bd01ca4da8$36c49da0$a44dd8e0$@com>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/b873a515/attachment.jpe

From logs at comp-wiz.com Thu Oct 15 16:03:16 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 16:03:45 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <6E002D04-48D9-42D2-962A-C766FD9BDDF5@rtpty.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
 <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
 <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it>
 <016501ca4da3$14b5b0a0$3e2111e0$@com>
 <6E002D04-48D9-42D2-962A-C766FD9BDDF5@rtpty.com>
Message-ID: <01cc01ca4da8$a08ead70$e1ac0850$@com>

Not sure what you mean by that, but it is a DNS server and is actually working.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Thursday, October 15, 2009 10:55 AM
To: MailScanner discussion
Subject: Re: MailScanner and SpamAssassin together causes Exterme CPU usage

Is it caching?

On Oct 15, 2009, at 9:23 AM, Logs wrote:

> DNS is correctly setup and functioning.
>

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by comp-wiz.com, and is believed to be clean.

From glenn.steen at gmail.com Thu Oct 15 16:05:31 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 16:05:41 2009
Subject: spamc, spamd and spamassassin
In-Reply-To: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
References: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
Message-ID: <223f97700910150805n74ab968dw8f5b772b5c1ebc50@mail.gmail.com>

2009/10/15 Roland de Lepper :
> Hi there,
>
> I'm evaluating MailScanner, the commercial edition from FSL.
> They provide a nice set of installation packages which can be downloaded
> via yum groupinstall.
>
> I installed the software from their server, including spamassassin.
> I did some tests from the website declude.com. This site provides simple
> tests to test your spamassassin and virus scanner.
>
> The badheader, spamheader and routing test fail. This means, it will go
> through Mailscanner and the email is delivered to the recipient.
>
> This is not good, because I tested it with another domain, which has
> Mailscanner in front of it, and those mails were blocked. I cannot see
> how the other MailScanner is configured.
>
> So I did some tests with spamassassin. The default packages from FSL
> contains only spamc. The parameter "Use Spamassassin" in MailScanner is
> set to YES.
>
> [root@eumailscan tmp]# spamc < ClamAV.update.log
> --------------------------------------
> ClamAV update process started at Thu Oct 15 15:07:02 2009
> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder:
> sven)
> Downloading daily-9900.cdiff [100%]
> daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder: sven)
> Database updated (629882 signatures) from db.nl.clamav.net (IP: 194.109.6.97)
> Clamd successfully notified about the update.
> [root@eumailscan tmp]#
>
> [root@eumailscan tmp]# spamassassin < ClamAV.update.log
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>        eumailscan.cvislabs.eu
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.4 required=5.0 tests=MISSING_DATE,MISSING_HB_SEP,
>        MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,
>        NO_RELAYS autolearn=no version=3.2.5
> X-Spam-Report:
>        *  0.0 MISSING_MID Missing Message-Id: header
>        *  0.0 MISSING_DATE Missing Date: header
>        * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
>        *  2.5 MISSING_HB_SEP Missing blank line between message header and body
>        *  1.6 MISSING_HEADERS Missing To: header
>        *  1.3 MISSING_SUBJECT Missing Subject: header
>        * -0.0 NO_RECEIVED Informational: message has no Received headers
>        *  0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
>        *      headers
> --------------------------------------
> Subject: [SPAM]
> X-Spam-Prev-Subject: (nonexistent)
> ClamAV update process started at Thu Oct 15 15:07:02 2009
> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder:
> sven)
> Downloading daily-9900.cdiff [100%]
> daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder: sven)
> Database updated (629882 signatures) from db.nl.clamav.net (IP: 194.109.6.97)
> Clamd successfully notified about the update.
> [root@eumailscan tmp]#
>
> You see the difference? It is checking the headers!
>
> MailScanner is blocking spam though, but not from the test from declude.com.
> No spamc or spamassassin daemon is running on my system.
> So how does MailScanner call SpamAssassin? Does it call spamc instead of
> Spamassassin?
>
> Hope somebody can clarify my problem.

MailScanner doesn't use spamc. If by "FSL MailScanner" you mean
DefenderMX, I can't say for sure, but if it is the yum repo (which it
seems you are referring to)... then no, it doesn't use spamc/spamd. It
capitalizes on the fact that SA is perl, and instantiates an internal
copy (call the perl interface directly, one could say).
So the output MS produces will differ from that of the spamassassin
command, but not the result... if the same setup is used (you might be
running postfix, in which case you need to take care regarding
permissions... and how you call the respective commands) that is.

What does "MailScanner --lint" tell you?
What does a complete debug run tell you (MailScanner --debug --debug-sa)?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From roland.de.lepper at cvis.nl Thu Oct 15 16:31:50 2009
From: roland.de.lepper at cvis.nl (Roland de Lepper)
Date: Thu Oct 15 16:31:59 2009
Subject: spamc, spamd and spamassassin
In-Reply-To: <223f97700910150805n74ab968dw8f5b772b5c1ebc50@mail.gmail.com>
References: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
 <223f97700910150805n74ab968dw8f5b772b5c1ebc50@mail.gmail.com>
Message-ID:

Hi,

It's a lot of output, but here it comes:

Mailscanner --lint says:

[root@eumailscan log]# MailScanner --lint
Trying to setlogsock(unix)
Read 856 hostnames from the phishing whitelist
Read 7498 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 0 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 0 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.77.10) is correct.

MailScanner setting GID to (89)
MailScanner setting UID to (89)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 3 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================

If any of your virus scanners (clamd) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
[root@eumailscan log]#

Mailscanner --debug --debug-sa:
/var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf 17:28:36 [21892] dbg: config: using "/var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_dkim.cf 17:28:36 [21892] dbg: config: fixed relative path: /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_spf.cf 17:28:36 [21892] dbg: config: using "/var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_spf.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_spf.cf 17:28:36 [21892] dbg: config: fixed relative path: /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_subject.cf 17:28:36 [21892] dbg: config: using "/var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_subject.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/60_whitelist_subject.cf 17:28:36 [21892] dbg: config: fixed relative path: /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_active.cf 17:28:36 [21892] dbg: config: using "/var/lib/spamassassin/3.002005/updates_spamassassin_org/72_active.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_active.cf 17:28:36 [21892] dbg: config: fixed relative path: /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_removed.cf 17:28:36 [21892] dbg: config: using "/var/lib/spamassassin/3.002005/updates_spamassassin_org/72_removed.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_removed.cf 17:28:36 [21892] dbg: config: fixed relative path: /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_scores.cf 17:28:36 [21892] dbg: config: using 
"/var/lib/spamassassin/3.002005/updates_spamassassin_org/72_scores.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_scores.cf 17:28:36 [21892] dbg: config: fixed relative path: /var/lib/spamassassin/3.002005/updates_spamassassin_org/80_additional.cf 17:28:36 [21892] dbg: config: using "/var/lib/spamassassin/3.002005/updates_spamassassin_org/80_additional.cf" for included file 17:28:36 [21892] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/80_additional.cf 17:28:36 [21892] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E 17:28:36 [21892] dbg: rules: PREVENT_NONDELIVERY merged duplicates: SARE_HEAD_HDR_PREVNDR 17:28:36 [21892] dbg: rules: __SARE_HEAD_HDR_IDKEY merged duplicates: SARE_HEAD_HDR_XIDKEY 17:28:36 [21892] dbg: rules: __JM_REACTOR_DATE merged duplicates: __RATWARE_0_TZ_DATE 17:28:36 [21892] dbg: rules: __SARE_BODY_BLANKS_5_100 merged duplicates: __SARE_BODY_BLNK_5_100 17:28:36 [21892] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 17:28:36 [21892] dbg: rules: __HTML_IMG_ONLY merged duplicates: __IMG_ONLY 17:28:36 [21892] dbg: rules: FU_UKGEOCITIES merged duplicates: __SARE_SPEC_XX2GEOCIT 17:28:36 [21892] dbg: rules: FB_FAKE_NUMBERS merged duplicates: SARE_OBFU_NUMBERS 17:28:36 [21892] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA 17:28:36 [21892] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE 17:28:36 [21892] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 17:28:36 [21892] dbg: rules: SARE_SUB_2UNDERSCORES merged duplicates: SARE_SUB_6_FIG_INC SARE_SUB_ACCENT_CHAR SARE_SUB_ACCT_UPD SARE_SUB_ACTION_OB SARE_SUB_ADV_DB SARE_SUB_ADV_SEARCH SARE_SUB_AGING SARE_SUB_ALL_LEAD SARE_SUB_AM_MED_DICT SARE_SUB_ASSIST SARE_SUB_AS_LOW_AS SARE_SUB_BETTER_DEAL 
SARE_SUB_BETTER_OB2 SARE_SUB_BIGGER SARE_SUB_BIGGER_OB SARE_SUB_BOOST SARE_SUB_BOOST_OB SARE_SUB_BREAKTHRU SARE_SUB_BREAKTHRU_OB SARE_SUB_BULK_EMAIL SARE_SUB_BUY_CHEAP SARE_SUB_BUY_OB SARE_SUB_BUY_OB1 SARE_SUB_CALL_NOW SARE_SUB_CARD_BILLED SARE_SUB_CARTRIDGE_OB SARE_SUB_CAR_INSURANCE SARE_SUB_CASINO_OB SARE_SUB_CHANGE_LIFE SARE_SUB_CHARGE_OB SARE_SUB_CHEAP_OB SARE_SUB_COMM_MAILERS SARE_SUB_CONFIDENTIAL SARE_SUB_CONFID_OB SARE_SUB_CONSULTATION SARE_SUB_CONSULTN_OB SARE_SUB_CURRENT_NEWS SARE_SUB_DBL_MEDICTN SARE_SUB_DBL_PHARM SARE_SUB_DEBT SARE_SUB_DEBTS_COURT SARE_SUB_DOLLARS SARE_SUB_DOWNLOAD_OB SARE_SUB_EBAY_OB SARE_SUB_EXCL_OB SARE_SUB_EXPIRED SARE_SUB_FORECLOSURE SARE_SUB_FOREVER SARE_SUB_FOR_WOMEN SARE_SUB_FREE_SAMPLE SARE_SUB_GAPPY_3 SARE_SUB_GAPPY_4 SARE_SUB_GAPPY_5 SARE_SUB_GAPPY_6 SARE_SUB_GAPPY_7 SARE_SUB_GAPPY_8 SARE_SUB_GROW_BUSINESS SARE_SUB_HARD_OB SARE_SUB_HOMEOWNER_OB SARE_SUB_INCHES SARE_SUB_INC_ONLINE SARE_SUB_INEXPEN SARE_SUB_INKJET SARE_SUB_INKJET_OB SARE_SUB_INVESTMENTS SARE_SUB_INVESTORS SARE_SUB_JOB SARE_SUB_LEAD_PUNCT SARE_SUB_LINES_CREDIT SARE_SUB_LONG_SUBJ_140 SARE_SUB_LONG_SUBJ_170 SARE_SUB_LOSE_OB SARE_SUB_LOTS_PUNC_21 SARE_SUB_LOTS_PUNC_26 SARE_SUB_MED_USE SARE_SUB_MENS_HEALTH SARE_SUB_MINUTES SARE_SUB_MISC_1 SARE_SUB_MORTGAGE SARE_SUB_MORTGAGE_OB SARE_SUB_MOVE_OB SARE_SUB_MSGSUB SARE_SUB_NEXT_DOOR SARE_SUB_NOW_TIME SARE_SUB_OBFU_V SARE_SUB_ODDWORD_G SARE_SUB_ODDWORD_I SARE_SUB_ODDWORD_P SARE_SUB_ODDWORD_Q SARE_SUB_ODDWORD_U SARE_SUB_ONLINE_OB SARE_SUB_ORIG_SOFT_OB SARE_SUB_PAREN_NUM2 SARE_SUB_PASSION_OB SARE_SUB_PENIS_OB SARE_SUB_PERFECTLY SARE_SUB_PHOTOS_OB SARE_SUB_PHYSICIAN SARE_SUB_PHYSICIAN_OB SARE_SUB_PLEASE_OB SARE_SUB_PORN_WORD10 SARE_SUB_PRINTER_OB SARE_SUB_PROVEN_OB SARE_SUB_RAND_LETTRS5 SARE_SUB_RAND_UC SARE_SUB_REAL_OB SARE_SUB_SEXY SARE_SUB_SION_OB SARE_SUB_STRETCH_MARK SARE_SUB_STRONG SARE_SUB_STRONG_OB SARE_SUB_TAXES SARE_SUB_TION_OB SARE_SUB_TONER SARE_SUB_TONER_OB SARE_SUB_VIDEO_OB SARE_SUB_VIRUSQ SARE_SUB_WEBMASTER2 
SARE_SUB_WINNER SARE_SUB_YOUNGER SARE_SUB_YOUNGER_OB 17:28:36 [21892] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 17:28:36 [21892] dbg: rules: __SARE_HEAD_FALSE merged duplicates: __SARE_SUB_FALSE 17:28:36 [21892] dbg: rules: SARE_SUBJ_SLUT merged duplicates: __FPS_SLUT 17:28:36 [21892] dbg: rules: __FVGT_RAPE merged duplicates: __WORD_RAPED 17:28:36 [21892] dbg: rules: SARE_USERAG_BAT merged duplicates: __SARE_HEAD_MAIL_BAT2 17:28:36 [21892] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B 17:28:36 [21892] dbg: rules: __FH_RCV_53 merged duplicates: __RCVD_53 17:28:36 [21892] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E 17:28:36 [21892] dbg: rules: SARE_OBFU_AFFORD merged duplicates: SARE_OBFU_AMP SARE_OBFU_BETTER_SUB SARE_OBFU_CARTRDGE_SUB SARE_OBFU_CIALIS SARE_OBFU_OBLIGATION SARE_OBFU_SEX_SPL SARE_OBFU_TBL_05 SARE_URI_AFF_DIG SARE_URI_CAMPAIGNID SARE_URI_CASINO SARE_URI_DIET SARE_URI_DIG_LET_PIC SARE_URI_DOM_ENDU SARE_URI_H0 SARE_URI_HARRYDAV SARE_URI_HOUSE SARE_URI_IPPORT3333 SARE_URI_MIXED_CASE SARE_URI_MRTG SARE_URI_OC SARE_URI_OPTOUT SARE_URI_P8 SARE_URI_PORTD4 SARE_URI_REFID2 SARE_URI_REFID3 SARE_URI_SHARE_DIG SARE_URI_SIXCAPS SARE_URI_SQUARE SARE_URI_SUCCEZZ 17:28:36 [21892] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 17:28:36 [21892] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 17:28:36 [21892] dbg: rules: SARE_SPOOF_COM2OTH merged duplicates: SPOOF_COM2COM 17:28:36 [21892] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA 17:28:36 [21892] dbg: rules: __FH_FRM_53 merged duplicates: __FROM_53 17:28:36 [21892] dbg: rules: SARE_HEAD_HDR_XRMDTXT merged duplicates: __SARE_HEAD_HDR_RMDB 17:28:36 [21892] dbg: rules: FH_HELO_GMAILSMTP merged duplicates: SARE_HELO_GMAILSMTP 17:28:36 [21892] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI 17:28:36 [21892] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 
KAM_STOCKTIP6 17:28:36 [21892] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 17:28:36 [21892] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 17:28:36 [21892] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A 17:28:36 [21892] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E 17:28:36 [21892] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 17:28:36 [21892] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI __SARE_URI_ANY 17:28:36 [21892] dbg: rules: SARE_BOUNDARY_02 merged duplicates: SARE_BOUNDARY_ANYDIG SARE_BOUNDARY_D11 SARE_BOUNDARY_D8 SARE_BOUNDARY_MULTB SARE_CONTENT_BITBITNUM SARE_FREE_WEBM_CZSEZNA SARE_FREE_WEBM_USACOPS SARE_FROM_AMERICA SARE_FROM_DEBT SARE_FROM_DVDCOPY SARE_FROM_MULTI_DASH SARE_FROM_NUM_9DIG SARE_FROM_PRINTER SARE_FROM_QUOTE SARE_FROM_SPACE2 SARE_FROM_SPAM_CHAR0 SARE_FROM_SPAM_DOMN0 SARE_FROM_SPAM_NAME2 SARE_FROM_SPAM_WORD0 SARE_FROM_SUPPORT_DIG SARE_FROM_UK2NET2 SARE_FROM_VIRUS1 SARE_FROM_WSJ SARE_HEAD_8BIT_NOSPM SARE_HEAD_8BIT_SPAM SARE_HEAD_BDY_BOUNCES SARE_HEAD_DATE18 SARE_HEAD_DATE_5L SARE_HEAD_DATE_RNDDATE SARE_HEAD_HDR_ALTREC SARE_HEAD_HDR_AUTSUBD SARE_HEAD_HDR_CONVER SARE_HEAD_HDR_JLH SARE_HEAD_HDR_MSGTYPE SARE_HEAD_HDR_NLETRID SARE_HEAD_HDR_PID SARE_HEAD_HDR_RTNPATH SARE_HEAD_HDR_X400RCV SARE_HEAD_HDR_XACWGHT SARE_HEAD_HDR_XAR SARE_HEAD_HDR_XAUTOGN SARE_HEAD_HDR_XBBOUNC SARE_HEAD_HDR_XBNCETR SARE_HEAD_HDR_XCCDIAG SARE_HEAD_HDR_XCNDINF SARE_HEAD_HDR_XCONTAC SARE_HEAD_HDR_XEMGBMS SARE_HEAD_HDR_XENVID SARE_HEAD_HDR_XGMAILA SARE_HEAD_HDR_XIDSRVR SARE_HEAD_HDR_XLEGAL2 SARE_HEAD_HDR_XLEGAL4 SARE_HEAD_HDR_XLISTAD SARE_HEAD_HDR_XMAILTH SARE_HEAD_HDR_XMCAVTP SARE_HEAD_HDR_XMEBDOM SARE_HEAD_HDR_XMLFILT SARE_HEAD_HDR_XNOSPAM SARE_HEAD_HDR_XRIPE SARE_HEAD_HDR_XSAFMMI SARE_HEAD_HDR_XSMTPSV SARE_HEAD_HDR_XUMAIL 
SARE_HEAD_HDR_XUNOLOOK SARE_HEAD_HDR_XWTID SARE_HEAD_HDR_XWTVERS SARE_HEAD_MSMPR_RNDSTR SARE_HEAD_ORIG_RECIP SARE_HEAD_THRD_ALNUM SARE_HEAD_XCANIT1 SARE_HEAD_XCANIT2 SARE_HEAD_XCOM_RFCMIN SARE_HEAD_XM4 SARE_HEAD_XMF_AUTHSNDR SARE_HEAD_XWORD SARE_HELO_MAIL SARE_HELO_MAILUSER SARE_HELO_SERVER SARE_HTML_ALT_WAIT1 SARE_HTML_ALT_WAIT2 SARE_HTML_A_NULL SARE_HTML_BADOPEN SARE_HTML_BAD_FG_CLR SARE_HTML_BR_MANY SARE_HTML_COLOR_B SARE_HTML_COLOR_NWHT3 SARE_HTML_EHTML_OBFU SARE_HTML_FONT_INVIS2 SARE_HTML_FSIZE_1ALL SARE_HTML_GIF_DIM SARE_HTML_H2_CLK SARE_HTML_HEAD_AFFIL SARE_HTML_HTML_AFTER SARE_HTML_HTML_DBL SARE_HTML_INV_TAGA SARE_HTML_JSCRIPT_ENC SARE_HTML_JVS_HREF SARE_HTML_LEAKTHRU1 SARE_HTML_LEAKTHRU2 SARE_HTML_MANY_BR10 SARE_HTML_NO_BODY SARE_HTML_NO_HTML1 SARE_HTML_ONE_LINE2 SARE_HTML_ONE_LINE3 SARE_HTML_POB1200 SARE_HTML_P_JUSTIFY SARE_HTML_TITLE_MNY SARE_HTML_URI_2SLASH SARE_HTML_URI_AXEL SARE_HTML_URI_BADQRY SARE_HTML_URI_BUG SARE_HTML_URI_DEFASP SARE_HTML_URI_FORMPHP SARE_HTML_URI_HIDADD SARE_HTML_URI_HREF SARE_HTML_URI_LOGOGEN SARE_HTML_URI_MANYP2 SARE_HTML_URI_MANYP3 SARE_HTML_URI_NUMPHP3 SARE_HTML_URI_OBFU4 SARE_HTML_URI_OBFU4a SARE_HTML_URI_OC SARE_HTML_URI_OFF SARE_HTML_URI_REFID SARE_HTML_URI_RID SARE_HTML_URI_RM SARE_HTML_USL_B7 SARE_HTML_USL_B9 SARE_HTML_USL_MULT SARE_MSGID_06D6 SARE_MSGID_2KDD SARE_MSGID_DBL_AT SARE_MSGID_EMPTY SARE_MSGID_HEX30 SARE_MSGID_LONG SARE_MSGID_LONG35 SARE_MSGID_LONG40 SARE_MSGID_LONG55 SARE_MSGID_LONG65 SARE_MSGID_LONG75 SARE_MSGID_SPAM_DOMN0 SARE_MSGID_SUSP2 SARE_MULT_RATW_02 SARE_MULT_RATW_03 SARE_MULT_SEXCLUB SARE_MULT_SUBJ SARE_MULT_VIA_FWCATS SARE_PHISH_HTML_01 SARE_RECV_CHAR_CARAT SARE_RECV_FREESERVE SARE_RECV_IP_004078 SARE_RECV_IP_038112147 SARE_RECV_IP_062023 SARE_RECV_IP_063106130 SARE_RECV_IP_064034 SARE_RECV_IP_064069032 SARE_RECV_IP_064080 SARE_RECV_IP_064192082 SARE_RECV_IP_064192191 SARE_RECV_IP_065205157 SARE_RECV_IP_066063 SARE_RECV_IP_066111 SARE_RECV_IP_066114a SARE_RECV_IP_066114b SARE_RECV_IP_066159017 
SARE_RECV_IP_066248154 SARE_RECV_IP_069060122 SARE_RECV_IP_070096177 SARE_RECV_IP_071004246 SARE_RECV_IP_080178 SARE_RECV_IP_081019 SARE_RECV_IP_195229 SARE_RECV_IP_206248152 SARE_RECV_IP_207182 SARE_RECV_IP_208048182 SARE_RECV_IP_209190 SARE_RECV_IP_211049 SARE_RECV_IP_212164 SARE_RECV_IP_216055133 SARE_RECV_IP_222126 SARE_RECV_ISWEST SARE_RECV_LOCALHOST SARE_RECV_RANDOM SARE_RECV_RND_DATE SARE_RECV_RND_NUMBER SARE_RECV_SPAM_DOMN3 SARE_RECV_SPAM_DOMN81 SARE_RECV_SPAM_NAME0 SARE_RECV_SUSP_2 SARE_RECV_SUSP_3 SARE_RECV_TRADVALUES SARE_RECV_VIPLIST SARE_RECV_XACTRIX SARE_REPLY_SPAMWORD0 SARE_REPLY_XACTRIX SARE_TOCC_BCC_MANY SARE_TOCC_COMBO1 SARE_USERAG_Dig SARE_XMAIL_DIRUNIV SARE_XMAIL_GDI SARE_XMAIL_GOMAIL SARE_XMAIL_INTERMED SARE_XMAIL_LEO SARE_XMAIL_PHPBulkEmai SARE_XMAIL_SUSP3 SARE_XMAIL_TOLMAIL SARE_XMAIL_XMAIL 17:28:36 [21892] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND RCVD_IN_DSBL STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING 17:28:36 [21892] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 17:28:36 [21892] dbg: conf: finish parsing 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xae4ff0c) implements 'finish_parsing_end', priority 0 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0xb13f710) implements 'finish_parsing_end', priority 0 17:28:36 [21892] dbg: replacetags: replacing tags 17:28:36 [21892] dbg: replacetags: done replacing tags 17:28:36 [21892] dbg: zoom: loading compiled ruleset from /var/lib/spamassassin/compiled/5.008/3.002005 17:28:36 [21892] dbg: zoom: using compiled ruleset in 
/var/lib/spamassassin/compiled/5.008/3.002005/Mail/SpamAssassin/CompiledRegexps/body_0.pm for Mail::SpamAssassin::CompiledRegexps::body_0 17:28:36 [21892] dbg: zoom: able to use 640/640 'body_0' compiled rules (100%) 17:28:36 [21892] dbg: zoom: using compiled ruleset in /var/lib/spamassassin/compiled/5.008/3.002005/Mail/SpamAssassin/CompiledRegexps/body_500.pm for Mail::SpamAssassin::CompiledRegexps::body_500 17:28:36 [21892] dbg: zoom: able to use 1/1 'body_500' compiled rules (100%) 17:28:36 [21892] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks 17:28:36 [21892] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen 17:28:36 [21892] dbg: bayes: found bayes db version 3 17:28:36 [21892] dbg: bayes: DB journal sync: last sync: 0 17:28:36 [21892] dbg: bayes: not available for scanning, only 13 spam(s) in bayes DB < 200 17:28:36 [21892] dbg: bayes: untie-ing 17:28:36 [21892] dbg: config: score set 1 chosen. 17:28:36 [21892] dbg: message: main message type: text/plain 17:28:36 [21892] dbg: message: ---- MIME PARSER START ---- 17:28:36 [21892] dbg: message: parsing normal part 17:28:36 [21892] dbg: message: ---- MIME PARSER END ---- 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::DNSEval=HASH(0xb02ec98) implements 'check_start', priority 0 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0xb13f710) implements 'check_start', priority 0 17:28:36 [21892] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_toks 17:28:36 [21892] dbg: bayes: tie-ing to DB file R/O /var/spool/MailScanner/spamassassin/bayes_seen 17:28:36 [21892] dbg: bayes: found bayes db version 3 17:28:36 [21892] dbg: bayes: DB journal sync: last sync: 0 17:28:36 [21892] dbg: bayes: not available for scanning, only 13 spam(s) in bayes DB < 200 17:28:36 [21892] dbg: bayes: untie-ing 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::Check=HASH(0xafe2638) implements 'check_main', 
priority 0 17:28:36 [21892] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually 17:28:36 [21892] dbg: metadata: X-Spam-Relays-Trusted: 17:28:36 [21892] dbg: metadata: X-Spam-Relays-Untrusted: 17:28:36 [21892] dbg: metadata: X-Spam-Relays-Internal: 17:28:36 [21892] dbg: metadata: X-Spam-Relays-External: 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xb16448c) implements 'extract_metadata', priority 0 17:28:36 [21892] dbg: metadata: X-Relay-Countries: 17:28:36 [21892] dbg: message: no encoding detected 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xaa70b00) implements 'parsed_metadata', priority 0 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xb16448c) implements 'parsed_metadata', priority 0 17:28:36 [21892] dbg: dns: is_dns_available() last checked 1255620516.0 seconds ago; re-checking 17:28:36 [21892] dbg: dns: no ipv6 17:28:36 [21892] dbg: dns: is Net::DNS::Resolver available? yes 17:28:36 [21892] dbg: dns: Net::DNS version: 0.63 17:28:36 [21892] dbg: dns: name server: 192.168.125.99, LocalAddr: 0.0.0.0 17:28:36 [21892] dbg: dns: resolver socket rx buffer size is 110592 bytes 17:28:36 [21892] dbg: dns: testing resolver nameservers: 192.168.125.99 17:28:36 [21892] dbg: dns: trying (3) msn.com... 17:28:36 [21892] dbg: dns: looking up NS for 'msn.com' 17:28:36 [21892] dbg: dns: NS lookup of msn.com using 192.168.125.99 succeeded => DNS available (set dns_available to override) 17:28:36 [21892] dbg: dns: name server: 192.168.125.99, LocalAddr: 0.0.0.0 17:28:36 [21892] dbg: dns: resolver socket rx buffer size is 110592 bytes 17:28:36 [21892] dbg: dns: NS list: 192.168.125.99 17:28:36 [21892] dbg: dns: name server: 192.168.125.99, LocalAddr: 0.0.0.0 17:28:36 [21892] dbg: dns: resolver socket rx buffer size is 110592 bytes 17:28:36 [21892] dbg: dns: is DNS available? 
1 17:28:36 [21892] dbg: uridnsbl: domains to query: 17:28:36 [21892] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted 17:28:36 [21892] dbg: dns: checking RBL plus.bondedsender.org., set ssc-firsttrusted 17:28:36 [21892] dbg: dns: checking RBL combined.njabl.org., set njabl 17:28:36 [21892] dbg: dns: checking RBL bl.spamcop.net., set spamcop 17:28:36 [21892] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal 17:28:36 [21892] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal 17:28:36 [21892] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs 17:28:36 [21892] dbg: dns: checking RBL zen.spamhaus.org., set zen-lastexternal 17:28:36 [21892] dbg: dns: checking RBL list.dnswl.org., set dnswl-firsttrusted 17:28:36 [21892] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted 17:28:36 [21892] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted 17:28:36 [21892] dbg: dns: checking RBL zen.spamhaus.org., set zen 17:28:36 [21892] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted 17:28:36 [21892] dbg: check: running tests for priority: -1000 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0xb13f710) implements 'check_rules_at_priority', priority 0 17:28:36 [21892] dbg: rules: running one_line_body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled one_line_body tests 17:28:36 [21892] dbg: plugin: Mail::SpamAssassin::Plugin::Rule2XSBody=HASH(0xb13f710) implements 'run_body_fast_scan', priority 0 17:28:36 [21892] dbg: rules: running head tests; score so far=0 17:28:36 [21892] dbg: rules: compiled head tests 17:28:36 [21892] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org 17:28:36 [21892] dbg: eval: all '*To' addrs: 17:28:36 [21892] dbg: rules: running body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled body tests 17:28:36 [21892] dbg: rules: running uri tests; score so far=0 17:28:36 [21892] dbg: rules: compiled uri 
tests 17:28:36 [21892] dbg: rules: running rawbody tests; score so far=0 17:28:36 [21892] dbg: rules: compiled rawbody tests 17:28:36 [21892] dbg: rules: running full tests; score so far=0 17:28:36 [21892] dbg: rules: compiled full tests 17:28:36 [21892] dbg: rules: running meta tests; score so far=0 17:28:36 [21892] dbg: rules: compiled meta tests 17:28:36 [21892] dbg: check: running tests for priority: -950 17:28:36 [21892] dbg: rules: running one_line_body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled one_line_body tests 17:28:36 [21892] dbg: rules: running head tests; score so far=0 17:28:36 [21892] dbg: rules: compiled head tests 17:28:36 [21892] dbg: rules: running body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled body tests 17:28:36 [21892] dbg: rules: running uri tests; score so far=0 17:28:36 [21892] dbg: rules: compiled uri tests 17:28:36 [21892] dbg: rules: running rawbody tests; score so far=0 17:28:36 [21892] dbg: rules: compiled rawbody tests 17:28:36 [21892] dbg: rules: running full tests; score so far=0 17:28:36 [21892] dbg: rules: compiled full tests 17:28:36 [21892] dbg: rules: running meta tests; score so far=0 17:28:36 [21892] dbg: rules: compiled meta tests 17:28:36 [21892] dbg: check: running tests for priority: -900 17:28:36 [21892] dbg: rules: running one_line_body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled one_line_body tests 17:28:36 [21892] dbg: rules: running head tests; score so far=0 17:28:36 [21892] dbg: rules: compiled head tests 17:28:36 [21892] dbg: rules: running body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled body tests 17:28:36 [21892] dbg: rules: running uri tests; score so far=0 17:28:36 [21892] dbg: rules: compiled uri tests 17:28:36 [21892] dbg: rules: running rawbody tests; score so far=0 17:28:36 [21892] dbg: rules: compiled rawbody tests 17:28:36 [21892] dbg: rules: running full tests; score so far=0 17:28:36 [21892] dbg: rules: compiled full tests 17:28:36 
[21892] dbg: rules: running meta tests; score so far=0 17:28:36 [21892] dbg: rules: compiled meta tests 17:28:36 [21892] dbg: check: running tests for priority: -400 17:28:36 [21892] dbg: rules: running one_line_body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled one_line_body tests 17:28:36 [21892] dbg: rules: running head tests; score so far=0 17:28:36 [21892] dbg: rules: compiled head tests 17:28:36 [21892] dbg: rules: running body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled body tests 17:28:36 [21892] dbg: rules: running uri tests; score so far=0 17:28:36 [21892] dbg: rules: compiled uri tests 17:28:36 [21892] dbg: rules: running rawbody tests; score so far=0 17:28:36 [21892] dbg: rules: compiled rawbody tests 17:28:36 [21892] dbg: rules: running full tests; score so far=0 17:28:36 [21892] dbg: rules: compiled full tests 17:28:36 [21892] dbg: rules: running meta tests; score so far=0 17:28:36 [21892] dbg: rules: compiled meta tests 17:28:36 [21892] dbg: check: running tests for priority: 0 17:28:36 [21892] dbg: rules: running one_line_body tests; score so far=0 17:28:36 [21892] dbg: rules: compiled one_line_body tests 17:28:36 [21892] dbg: zoom: run_body_fast_scan for body_0 start 17:28:36 [21892] dbg: zoom: run_body_fast_scan for body_0 done 17:28:36 [21892] dbg: rules: running head tests; score so far=0 17:28:37 [21892] dbg: rules: compiled head tests 17:28:37 [21892] dbg: rules: ran header rule __MISSING_REF ======> got hit: "UNSET" 17:28:37 [21892] dbg: rules: ran header rule __MSOE_MID_WRONG_CASE ======> got hit: " 17:28:37 [21892] dbg: rules: Message-Id: " 17:28:37 [21892] dbg: rules: ran header rule MISSING_DATE ======> got hit: "UNSET" 17:28:37 [21892] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" 17:28:37 [21892] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>" 17:28:37 [21892] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1255620515" 
17:28:37 [21892] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" 17:28:37 [21892] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1255620515.21253@spamassassin_spamd_init> 17:28:37 [21892] dbg: rules: " 17:28:37 [21892] dbg: spf: checking to see if the message has a Received-SPF header that we can use 17:28:37 [21892] dbg: spf: using Mail::SPF for SPF checks 17:28:37 [21892] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check 17:28:37 [21892] dbg: dkim: no wl entries match author ignore@compiling.spamassassin.taint.org, no need to verify sigs 17:28:37 [21892] dbg: spf: already checked for Received-SPF headers, proceeding with DNS based checks 17:28:37 [21892] dbg: spf: no suitable relay for spf use found, skipping SPF check 17:28:37 [21892] dbg: rules: ran eval rule NO_RELAYS ======> got hit (1) 17:28:37 [21892] dbg: dkim: performing public key lookup and signature verification 17:28:37 [21892] dbg: dkim: signature verification result: none 17:28:37 [21892] dbg: dkim: policy: performing lookup 17:28:37 [21892] dbg: dkim: policy result neutral: o=~ 17:28:37 [21892] dbg: spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check 17:28:37 [21892] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit (1) 17:28:37 [21892] dbg: spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check 17:28:37 [21892] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit (1) 17:28:37 [21892] dbg: rules: running body tests; score so far=1.581 17:28:37 [21892] dbg: rules: compiled body tests 17:28:37 [21892] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" 17:28:37 [21892] dbg: rules: running uri tests; score so far=1.581 17:28:37 [21892] dbg: rules: compiled uri tests 17:28:37 [21892] dbg: eval: stock info total: 0 17:28:37 [21892] dbg: rules: running rawbody tests; score so far=1.581 17:28:37 [21892] dbg: rules: compiled rawbody tests 17:28:37 [21892] 
dbg: rules: ran rawbody rule __TVD_BODY ======> got hit: "need"
17:28:37 [21892] dbg: rules: running full tests; score so far=1.581
17:28:37 [21892] dbg: rules: compiled full tests
17:28:37 [21892] dbg: info: entering helper-app run mode
17:28:39 [21892] dbg: info: leaving helper-app run mode
17:28:39 [21892] dbg: razor2: part=0 engine=4 contested=0 confidence=0
17:28:39 [21892] dbg: razor2: results: spam? 0
17:28:39 [21892] dbg: razor2: results: engine 8, highest cf score: 0
17:28:39 [21892] dbg: razor2: results: engine 4, highest cf score: 0
17:28:39 [21892] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
17:28:39 [21892] dbg: pyzor: pyzor is not available: no pyzor executable found
17:28:39 [21892] dbg: pyzor: no pyzor found, disabling Pyzor
17:28:39 [21892] dbg: dcc: dccifd is available: /var/dcc/dccifd
17:28:39 [21892] dbg: info: entering helper-app run mode
17:28:39 [21892] dbg: dcc: dccifd got response: X-DCC-CTc-dcc1-Metrics: eumailscan.cvislabs.eu 1030; Body=many Fuz1=many Fuz2=many
17:28:39 [21892] dbg: info: leaving helper-app run mode
17:28:39 [21892] dbg: dcc: listed: BODY=999999/999999 FUZ1=999999/999999 FUZ2=999999/999999
17:28:39 [21892] dbg: rules: ran eval rule DCC_CHECK ======> got hit (1)
17:28:39 [21892] dbg: rules: running meta tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled meta tests
17:28:39 [21892] dbg: check: running tests for priority: 500
17:28:39 [21892] dbg: dns: harvest_dnsbl_queries
17:28:39 [21892] dbg: rules: running one_line_body tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled one_line_body tests
17:28:39 [21892] dbg: zoom: run_body_fast_scan for body_500 start
17:28:39 [21892] dbg: zoom: run_body_fast_scan for body_500 done
17:28:39 [21892] dbg: rules: running head tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled head tests
17:28:39 [21892] dbg: rules: running body tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled body tests
17:28:39 [21892] dbg: rules: running uri tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled uri tests
17:28:39 [21892] dbg: rules: running rawbody tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled rawbody tests
17:28:39 [21892] dbg: rules: running full tests; score so far=2.951
17:28:39 [21892] dbg: rules: compiled full tests
17:28:39 [21892] dbg: rules: running meta tests; score so far=2.951
17:28:39 [21892] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
17:28:39 [21892] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
17:28:39 [21892] dbg: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'X_AUTH_WARN_FAKED'
17:28:39 [21892] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
17:28:39 [21892] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
17:28:39 [21892] dbg: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
17:28:39 [21892] dbg: rules: compiled meta tests
17:28:39 [21892] dbg: check: running tests for priority: 1000
17:28:39 [21892] dbg: rules: running one_line_body tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled one_line_body tests
17:28:39 [21892] dbg: rules: running head tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled head tests
17:28:39 [21892] dbg: rules: running body tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled body tests
17:28:39 [21892] dbg: rules: running uri tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled uri tests
17:28:39 [21892] dbg: rules: running rawbody tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled rawbody tests
17:28:39 [21892] dbg: rules: running full tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled full tests
17:28:39 [21892] dbg: rules: running meta tests; score so far=4.235
17:28:39 [21892] dbg: rules: compiled meta tests
17:28:39 [21892] dbg: check: is spam? score=4.235 required=5
17:28:39 [21892] dbg: check: tests=DCC_CHECK,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
17:28:39 [21892] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID
17:28:39 Building a message batch to scan...

From jonas at vrt.dk Thu Oct 15 16:34:11 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Thu Oct 15 16:34:24 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <01bd01ca4da8$36c49da0$a44dd8e0$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com>
Message-ID: <005e01ca4dac$f1b82010$d5286030$@dk>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/e7be55f5/attachment.jpe

From alex at rtpty.com Thu Oct 15 16:27:12 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 16:35:49 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <01bd01ca4da8$36c49da0$a44dd8e0$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com>
Message-ID:

Doesn't sound like enough. Clam sigs + SA is kind of heavy.

On Oct 15, 2009, at 10:00 AM, Logs wrote:

> 1GB RAM

From alex at rtpty.com Thu Oct 15 16:27:51 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 16:35:56 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <01cc01ca4da8$a08ead70$e1ac0850$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <016501ca4da3$14b5b0a0$3e2111e0$@com> <6E002D04-48D9-42D2-962A-C766FD9BDDF5@rtpty.com> <01cc01ca4da8$a08ead70$e1ac0850$@com>
Message-ID:

For some definitions of "actually working". Read up on "caching nameservers"; it helps ease the load when using SA, specially because of RBL checking within it.

On Oct 15, 2009, at 10:03 AM, Logs wrote:

> Not sure what you mean by that, but it is a DNS server and is actually
> working.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Alex Neuman
> Sent: Thursday, October 15, 2009 10:55 AM
> To: MailScanner discussion
> Subject: Re: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> Is it caching?
>
> On Oct 15, 2009, at 9:23 AM, Logs wrote:
>
>> DNS is correctly setup and functioning.
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by comp-wiz.com, and is
> believed to be clean.

From glenn.steen at gmail.com Thu Oct 15 16:38:02 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 16:38:13 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <01bd01ca4da8$36c49da0$a44dd8e0$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com>
Message-ID: <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com>

2009/10/15 Logs
>
> Oh right, should have figured that one out? 1GB RAM, 150GB 7200 RPM Hard Drive, Intel Pentium D CPU 3.20GHZ, Bus 800 Mhz, L2 4MB (IMHO, is way more than enough, although I just ordered another 2 GIGs of RAM)
>
> And yes it is CPU tied
>
> Max Children = 5

1 GiB RAM might be a lot too little, especially with SA in the brew (it can be a real memory hog). Take a look at "vmstat 2", that you aren't swapping madly, then try reducing children to 1 and see where that brings you (remember that all IO in *nix tend to become CPU-bound). MailScanner will rewrite the command line to reflect what it is doing, so check top with the complete commandline ("c", IIRC:-).

> DCC, Pyzor, Razor
>
> Blacklists: zen.spamhaus.org, b.barracudacentral.org, bl.spamcop.net
>
> ClamAV
>
clamd, I presume? Else that will be part of your problem too.

> sane-security using a cron job to download scripts
>
> SpamAssassin with KAM downloaded daily by using cron job, sought, JKF-Anti-Phishing Version 2
>
Have you verified that both sa-update and sa-compile runs to completion, without errors?

> re2c, Rule2XSBody SA plugin
>
> FuzzyOCR (which I am not sure is working)

Turn this off. If it doesn't work, it is pointless... and if it does work, it doesn't matter, since you probably lack the resources to accommodate it (RAM, mostly).

When you do the above suggestions, try checking things between all the changes so that you get a grip on what really worked (No frobbing, just tweaking;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Thu Oct 15 16:39:11 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Oct 15 16:39:21 2009
Subject: spamc, spamd and spamassassin
In-Reply-To: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
References: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
Message-ID: <4AD7421F.3050907@fsl.com>

Roland de Lepper wrote:
> Hi there,
>
> I'm evaluating MailScanner, the commercial edition from FSL.
> They provide a nice set of installation packages which can be downloaded
> via yum groupinstall.
>
> I installed the software from their server, including spamassassin.
> I did some test from the website declude.com. This site provide simple
> tests to test your spamassassin and virus scanner.
>
> The badheader, spamheader and routing test fail. This means, it will go
> through Mailscanner and the email is delivered to the recipient.
>
> This not good, because i tested it with another domain, which have
> Mailscanner in front of it, and those mails were blocked. I can not see
> how the other MailScanner is configured.
>
> So I did some tests with spamassassin. The default packages from FSL
> contains only spamc. The parameter "Use Spamassassin" in MailScanner is
> set to YES.
>
> [root@eumailscan tmp]# spamc < ClamAV.update.log
> --------------------------------------
> ClamAV update process started at Thu Oct 15 15:07:02 2009
> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder:
> sven)
> Downloading daily-9900.cdiff [100%]
> daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder: sven)
> Database updated (629882 signatures) from db.nl.clamav.net (IP: 194.109.6.97)
> Clamd successfully notified about the update.
> [root@eumailscan tmp]#
>
> [root@eumailscan tmp]# spamassassin < ClamAV.update.log
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
> eumailscan.cvislabs.eu
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.4 required=5.0 tests=MISSING_DATE,MISSING_HB_SEP,
> MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,
> NO_RELAYS autolearn=no version=3.2.5
> X-Spam-Report:
> * 0.0 MISSING_MID Missing Message-Id: header
> * 0.0 MISSING_DATE Missing Date: header
> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
> * 2.5 MISSING_HB_SEP Missing blank line between message header and body
> * 1.6 MISSING_HEADERS Missing To: header
> * 1.3 MISSING_SUBJECT Missing Subject: header
> * -0.0 NO_RECEIVED Informational: message has no Received headers
> * 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
> * headers
> --------------------------------------
> Subject: [SPAM]
> X-Spam-Prev-Subject: (nonexistent)
> ClamAV update process started at Thu Oct 15 15:07:02 2009
> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder:
> sven)
> Downloading daily-9900.cdiff [100%]
> daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder: sven)
> Database updated (629882 signatures) from db.nl.clamav.net (IP: 194.109.6.97)
> Clamd successfully notified about the update.
> [root@eumailscan tmp]#
>
> You see the difference? It is checking the headers!

No - it's not; the command 'spamassassin' gives totally different output to 'spamc' by default. Both are checking the headers but spamc is simply not reporting the score (you have to run 'spamc --full < message' to get the equivalent output).

> MailScanner is blocking spam though, but not from the test from declude.com.

The declude.com tests will pass through SpamAssassin as they are not particularly 'good' anti-spam tests; they rely on the 'filter' to reject the message based upon one bad attribute (in the case of badheader - this is merely a mis-formatted Date: header!). SpamAssassin tests are designed so that one bad attribute does not cause the message to be tagged as spam or rejected as that would easily cause false-positives.

> No spamc or spamassassin daemon is running on my system.
> So how does MailScanner calls SpamAssassin? Does it call spamc instead of Spamassassin?

MailScanner does not use spamd/spamd at all - it calls SpamAssassin via the Perl API, so all you will see is the MailScanner processes.

>
> Hope somebody can clarify my problem.
>

Sure - you don't have a problem; MailScanner and SpamAssassin are running as they were designed. The declude.com tests are flawed as is their implementation. It's designed to fail with anything but their own filter.

The implementation of the test is so flawed that it trips my own servers pipelining checks (e.g. it sends all the SMTP commands without waiting for a response - which is illegal if using SMTP (e.g. HELO vs EHLO):

220-mta11.safeguardmail.net SMTP Welcome to smtpf #633 (l9EBY0201453145500)
HELO www.declude.com
220 Copyright 2006, 2009 by SnertSoft. All rights reserved.
MAIL FROM:
250 Hello declude.com [216.144.195.82] #256 (l9EBY0201453145500)
RCPT TO:
250 2.1.0 sender accepted #283 (l9EBY0201453145500)
DATA
550-5.3.3 pipelining not allowed #643 (l9EBY0201453145500) White list via http://mta11.safeguardmail.net/barricademx/click.php?h=l9EBY25a6134e025c9b82a9daaf928997922b2&c=click:declude.com,webmaster-vir@declude.com

Sorry, an error occurred!

Regards,
Steve.

From glenn.steen at gmail.com Thu Oct 15 16:39:23 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 16:39:38 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <01cc01ca4da8$a08ead70$e1ac0850$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <016501ca4da3$14b5b0a0$3e2111e0$@com> <6E002D04-48D9-42D2-962A-C766FD9BDDF5@rtpty.com> <01cc01ca4da8$a08ead70$e1ac0850$@com>
Message-ID: <223f97700910150839n1933d3b3p9c8059835a3f6815@mail.gmail.com>

2009/10/15 Logs :
> Not sure what you mean by that, but it is a DNS server and is actually
> working.
>
Yes, but if it doesn't cache the results... it'll have to do the actual lookup each time. If that is the case is rather easily measurable;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Oct 15 16:42:11 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 16:42:21 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <005e01ca4dac$f1b82010$d5286030$@dk>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com> <005e01ca4dac$f1b82010$d5286030$@dk>
Message-ID: <223f97700910150842u33ee7837u5f4ff4ed46798126@mail.gmail.com>

2009/10/15 Jonas A. Larsen
>
> I guess you didn't find it obvious to include but for the below to be of any use we need to know how many mails you are pushing through your server.
>
> If it's 1000 per day the below should be more than enough.
>
> If it's 50000 maybe not so much.
>
> /Jonas
>
Ah, but we DO know that 1 measly GiB RAM is way below the recommended amount for 5 children;-). You often can get away with far less RAM than the recommendation, but ... that depends on how much you try to do etc.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Thu Oct 15 16:46:17 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Oct 15 16:46:36 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <01bd01ca4da8$36c49da0$a44dd8e0$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com><4AD72DAF.4020305@di.unito.it><24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA07FE1021@HC-MBX02.herefordshire.gov.uk>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: image001.jpg
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/aa599a62/attachment.jpe

From eddie at emcuk.com Thu Oct 15 16:49:38 2009
From: eddie at emcuk.com (Eddie Hallahan)
Date: Thu Oct 15 16:50:02 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com> <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com>
Message-ID: <4AD74492.5080201@emcuk.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/f7f22be8/attachment-0001.html

From roland.de.lepper at cvis.nl Thu Oct 15 17:03:14 2009
From: roland.de.lepper at cvis.nl (Roland de Lepper)
Date: Thu Oct 15 17:03:24 2009
Subject: spamc, spamd and spamassassin
In-Reply-To: <4AD7421F.3050907@fsl.com>
References: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl> <4AD7421F.3050907@fsl.com>
Message-ID:

Hi Steve,

Thanks for clarifying my "issue". It makes all sense now.

kind regards,

Roland

> Roland de Lepper wrote:
>> Hi there,
>>
>> I'm evaluating MailScanner, the commercial edition from FSL.
>> They provide a nice set of installation packages which can be downloaded
>> via yum groupinstall.
>>
>> I installed the software from their server, including spamassassin.
>> I did some test from the website declude.com. This site provide simple
>> tests to test your spamassassin and virus scanner.
>>
>> The badheader, spamheader and routing test fail. This means, it will go
>> through Mailscanner and the email is delivered to the recipient.
>>
>> This not good, because i tested it with another domain, which have
>> Mailscanner in front of it, and those mails were blocked. I can not see
>> how the other MailScanner is configured.
>>
>> So I did some tests with spamassassin. The default packages from FSL
>> contains only spamc. The parameter "Use Spamassassin" in MailScanner is
>> set to YES.
>>
>> [root@eumailscan tmp]# spamc < ClamAV.update.log
>> --------------------------------------
>> ClamAV update process started at Thu Oct 15 15:07:02 2009
>> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder:
>> sven)
>> Downloading daily-9900.cdiff [100%]
>> daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder:
>> sven)
>> Database updated (629882 signatures) from db.nl.clamav.net (IP:
>> 194.109.6.97)
>> Clamd successfully notified about the update.
>> [root@eumailscan tmp]#
>>
>> [root@eumailscan tmp]# spamassassin < ClamAV.update.log
>> X-Spam-Flag: YES
>> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>> eumailscan.cvislabs.eu
>> X-Spam-Level: *****
>> X-Spam-Status: Yes, score=5.4 required=5.0
>> tests=MISSING_DATE,MISSING_HB_SEP,
>> MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,NO_HEADERS_MESSAGE,NO_RECEIVED,
>> NO_RELAYS autolearn=no version=3.2.5
>> X-Spam-Report:
>> * 0.0 MISSING_MID Missing Message-Id: header
>> * 0.0 MISSING_DATE Missing Date: header
>> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
>> * 2.5 MISSING_HB_SEP Missing blank line between message header and
>> body
>> * 1.6 MISSING_HEADERS Missing To: header
>> * 1.3 MISSING_SUBJECT Missing Subject: header
>> * -0.0 NO_RECEIVED Informational: message has no Received headers
>> * 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822
>> * headers
>> --------------------------------------
>> Subject: [SPAM]
>> X-Spam-Prev-Subject: (nonexistent)
>> ClamAV update process started at Thu Oct 15 15:07:02 2009
>> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder:
>> sven)
>> Downloading daily-9900.cdiff [100%]
>> daily.cld updated (version: 9900, sigs: 84847, f-level: 43, builder:
>> sven)
>> Database updated (629882 signatures) from db.nl.clamav.net (IP:
>> 194.109.6.97)
>> Clamd successfully notified about the update.
>> [root@eumailscan tmp]#
>>
>> You see the difference? It is checking the headers!
>
> No - it's not; the command 'spamassassin' gives totally different output
> to 'spamc' by default. Both are checking the headers but spamc is
> simply not reporting the score (you have to run 'spamc --full < message'
> to get the equivalent output).
>
>> MailScanner is blocking spam though, but not from the test from
>> declude.com.
>
> The declude.com tests will pass through SpamAssassin as they are not
> particularly 'good' anti-spam tests; they rely on the 'filter' to reject
> the message based upon one bad attribute (in the case of badheader - this
> is merely a mis-formatted Date: header!). SpamAssassin tests are
> designed so that one bad attribute does not cause the message to be
> tagged as spam or rejected as that would easily cause false-positives.
>
>> No spamc or spamassassin daemon is running on my system.
>
>> So how does MailScanner calls SpamAssassin? Does it call spamc instead
> of Spamassassin?
>
> MailScanner does not use spamd/spamd at all - it calls SpamAssassin via
> the Perl API, so all you will see is the MailScanner processes.
>
>>
>> Hope somebody can clarify my problem.
>>
>
> Sure - you don't have a problem; MailScanner and SpamAssassin are
> running as they were designed. The declude.com tests are flawed as is
> their implementation. It's designed to fail with anything but their own
> filter.
>
> The implementation of the test is so flawed that it trips my own servers
> pipelining checks (e.g. it sends all the SMTP commands without waiting
> for a response - which is illegal if using SMTP (e.g. HELO vs EHLO):
>
> 220-mta11.safeguardmail.net SMTP Welcome to smtpf #633
> (l9EBY0201453145500)
> HELO www.declude.com
> 220 Copyright 2006, 2009 by SnertSoft. All rights reserved.
> MAIL FROM:
> 250 Hello declude.com [216.144.195.82] #256 (l9EBY0201453145500)
> RCPT TO:
> 250 2.1.0 sender accepted #283 (l9EBY0201453145500)
> DATA
> 550-5.3.3 pipelining not allowed #643 (l9EBY0201453145500) White list
> via
> http://mta11.safeguardmail.net/barricademx/click.php?h=l9EBY25a6134e025c9b82a9daaf928997922b2&c=click:declude.com,webmaster-vir@declude.com
>
>
> Sorry, an error occurred!
>
>
> Regards,
> Steve.

From GSilver at rampuptech.com Thu Oct 15 17:28:25 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Thu Oct 15 17:28:37 2009
Subject: quarantine directory change
Message-ID: <7D79002C-6327-4001-A201-8A8FFD42A637@rampuptech.com>

whats the best way to move /var/spool/MailScanner/quarantine directory on a running system to some subdirectory in /home/

my original partition setup on my relay was not designed for mailscanner and this "dev" box quickly became a production server because of the awesomeness of mailscanner

I currently have only 6GB avail in /var and over 200GB in /home

I assume this is more of a linux system question (im using ubuntu 8.04 LTS)

..maybe i can use symlinks and then not change any config files?

but of course i am asking because im sure there is a few ways to do it with some being a better choice for the long term (e.g. upgrading mailscanner)

wondering if anyone has done similar

thanks in advance

cheers

-Gavin

From alex at rtpty.com Thu Oct 15 17:28:49 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 17:29:03 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <4AD74492.5080201@emcuk.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com> <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com> <4AD74492.5080201@emcuk.com>
Message-ID: <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com>

By "sorted it out" you mean "swept it under the rug", right? ;-)

On Oct 15, 2009, at 10:49 AM, Eddie Hallahan wrote:

> We had a similar situation and found that kicking the SpamAssassin
> timeout up to 300 sorted it out.
>

From Kevin_Miller at ci.juneau.ak.us Thu Oct 15 17:39:52 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Oct 15 17:40:52 2009
Subject: Blackholes.us DNSBL
Message-ID: <4A09477D575C2C4B86497161427DD94C126BA5C509@city-exchange07>

The SANS diary page for today has to do with the continuing fallout of the demise of the blackholes.us dnsbl. Old news to most probably, but apparently not all:
http://isc.sans.org/diary.html?storyid=7360

Of course, nobody on the MailScanner list would still be using that blacklist but maybe someone has an, er, friend that is. ;-)

Here's to a spam free day...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mailscanner_list at phisch.ca Thu Oct 15 17:48:31 2009
From: mailscanner_list at phisch.ca (Jared Bater)
Date: Thu Oct 15 17:48:45 2009
Subject: ClamAV only scanning message headers
In-Reply-To:
References: <4AC26CC8.9070309@phisch.ca>
Message-ID: <4AD7525F.8010604@phisch.ca>

Thanks. I have reviewed the performance tips for MailScanner, and our system is extremely well optimized. We can easily push 500K messages/day through Mailscanner/Spamassassin, in addition to the several million that we drop at the MTA with DNSBLs.

The problem is that clamdscan does get properly called from /opt/MailScanner/lib/clamav-wrapper (actually, a slightly modified version of it to call clamdscan rather than clamscan). The problem is that only the message headers make it into my 'Incoming Work Dir', which is set to /tmp.

Here's what clamd writes out in its log, which shows that only headers are being scanned:

+++ Started at Thu Oct 15 11:15:29 2009
clamd daemon 0.95.2 (OS: solaris2.8, ARCH: sparc, CPU: sparc)
Log file size limited to 2097152 bytes.
Reading databases from /var/opt/csw/clamav/db
Not loading PUA signatures.
Loaded 1174218 signatures.
LOCAL: Unix socket file /tmp/clamd.socket
LOCAL: Setting connection queue length to 15
Limits: Global size limit set to 104857600 bytes.
Limits: File size limit set to 26214400 bytes.
Limits: Recursion level limit set to 16.
Limits: Files limit set to 10000.
Archive support enabled.
Algorithmic detection enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
HTML support enabled.
Self checking every 600 seconds.
/tmp/13100/8779FCC5E3.7CB46.header: OK
/tmp/13100/87806CC5E4.586C4.header: OK
/tmp/9684/ED86FCC5F6.81C14.header: OK
/tmp/497/90E90CC5FD.57D06.header: OK
/tmp/4328/A46FDCC5D7.7A0E6.header: OK
/tmp/13100/B78E6CC605.48C0A.header: OK
/tmp/3599/7F3A9CC5B8.8843E.header: OK

What would cause only the headers to be extracted? Is there any way to debug MS to figure out what's going wrong with the interaction with Clamdscan? Spamassassin has no troubles at all, by the way.

Any help and/or guidance is greatly appreciated.

Jared

#./MailScanner -v
Running on SunOS sun4v sparc SUNW,SPARC-Enterprise-T5220
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.56.8
Module versions are:
1.00 AnyDBM_File
1.30 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.22 File::Temp
0.92 Filesys::Df
3.60 HTML::Entities
3.61 HTML::Parser
3.57 HTML::TokeParser
1.25 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
3.07 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.07 MIME::QuotedPrint
5.427 MIME::Tools
0.13 Net::CIDR
1.09 POSIX
1.78 Socket
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
1.25 DBD::SQLite
1.607 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.002005 Mail::SpamAssassin
1.999001 Mail::SPF::Query
0.20 Net::CIDR::Lite
1.25 Net::IP
0.65 Net::DNS
0.39 Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.92 Test::Simple
1.95 Text::Balanced
1.38 URI

Scott Silva wrote:
> on 9-29-2009 1:23 PM Jared spake the following:
>> Greetings, MailScanner community,
>>
>> I have been using MailScanner with Postfix and ClamAV for several years
>> now and it has been an extremely effective system for combating spam and
>> malware for my users. I have just refreshed our system to bring the
>> relevant software up to a reasonable rev as well as putting it on much
>> more capable hardware.
>>
>> Everything seems to be working with the exception of my virus scanning.
>> Here's the situation:
>> My 'Incoming Work Dir' is set to /tmp (as it's in RAM rather than on
>> disk for speed). As mail comes in, I can see that a MailScanner child
>> creates a subdirectory of /tmp with its PID, and then calls the ClamAV
>> wrapper to scan that directory. My expectation is that MailScanner
>> decodes all MIME parts and decodes Base64 for the AV engine to troll and
>> will leave them in that temporary directory.
>>
>> The problem is that the only file being written out into those
>> directories is the message header - no other MIME parts (or even a
>> plain-text part, for that matter) ever make it into the directory. As a
>> result, ClamAV is unable to detect infections because it will never see
>> them.
>>
>> I have confirmed that ClamAV is able to detect viruses (by using an
>> EICAR test file) when run from the command line and/or the MailScanner
>> wrapper script, and that Clam is only being 'fed' files like
>> /tmp/PID/MessageID.header
>>
>> Is there something that I'm missing in my install? Do I have a
>> fundamental misunderstanding of how MailScanner interacts with ClamAV
>> via the wrapper? I have tried running MailScanner in debug mode, but
>> there's really no useful information in there.
>>
>> Any guidance would be very much appreciated!
>>
>
> Read http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips
>
> and maybe
> http://wiki.mailscanner.info/doku.php?id=maq:index#i_don_t_get_output_from_clamav_or_other_anti-virus_what_is_wrong
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/98854161/attachment.html

From steve.freegard at fsl.com Thu Oct 15 18:00:08 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Oct 15 18:00:19 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com> <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com> <4AD74492.5080201@emcuk.com> <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com>
Message-ID: <4AD75518.6070203@fsl.com>

> On Oct 15, 2009, at 10:49 AM, Eddie Hallahan wrote:
>
>> We had a similar situation and found that kicking the SpamAssassin
>> timeout up to 300 sorted it out.
>>

Alex Neuman wrote:
> By "sorted it out" you mean "swept it under the rug", right? ;-)

LOL; I might use that as a sig ;-)

Here's a metric I use all the time; with 'Log Speed = yes' take the batch time e.g.

Batch (10 messages) processed in 31.83 seconds

And divide the number of seconds by the number of messages e.g. 31.83/10 = 3.183 to give you the average number of seconds per message.

If the resultant number is >10 then you have a problem somewhere that you need to track down.

Regards,
Steve.
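
The seconds-per-message metric from the message above, applied to a whole log per batch, per MailScanner child and overall. This is an added example, not code from the thread or from MailScanner: only the "Batch (N messages) processed in S seconds" wording and the 10-second limit come from the message, while the syslog prefix, host name, PIDs, the singular "1 message" form and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, not taken from the thread. Only the
# "Batch (N messages) processed in S seconds" wording comes from the message
# above; the syslog prefix, host name and PIDs are assumptions.
SAMPLE_LOG = """\
Oct 15 17:58:01 mx1 MailScanner[4211]: New Batch: Scanning 10 messages, 48213 bytes
Oct 15 17:58:33 mx1 MailScanner[4211]: Batch (10 messages) processed in 31.83 seconds
Oct 15 17:59:02 mx1 MailScanner[4215]: Batch (1 message) processed in 14.20 seconds
Oct 15 18:01:40 mx1 MailScanner[4215]: Batch (3 messages) processed in 95.10 seconds
Oct 15 18:02:05 mx1 MailScanner[4211]: Batch (30 messages) processed in 62.40 seconds
Oct 15 18:02:06 mx1 MailScanner[4211]: Batch (0 messages) processed in 0.02 seconds
"""

# "messages?" also accepts a singular "1 message" form (assumption).
BATCH_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Batch \((?P<count>\d+) messages?\) "
    r"processed in (?P<secs>\d+(?:\.\d+)?) seconds"
)

THRESHOLD = 10.0  # seconds per message; the limit named in the message above


def parse_batches(text):
    """Yield (pid, message_count, seconds) for each batch-timing line."""
    for line in text.splitlines():
        match = BATCH_RE.search(line)
        if match:
            yield int(match["pid"]), int(match["count"]), float(match["secs"])


def analyse(text, threshold=THRESHOLD):
    """Apply the seconds-per-message metric per batch, per child and overall."""
    batches = []
    totals = defaultdict(lambda: [0, 0.0])  # pid -> [messages, seconds]
    for pid, count, secs in parse_batches(text):
        if count == 0:
            continue  # an empty batch has no per-message average
        per_message = secs / count
        batches.append({
            "pid": pid,
            "messages": count,
            "seconds": secs,
            "per_message": round(per_message, 3),
            "slow": per_message > threshold,
        })
        totals[pid][0] += count
        totals[pid][1] += secs

    # Weight by message count: averaging the per-batch averages would let a
    # single one-message batch count as much as a thirty-message one.
    per_child = {pid: secs / msgs for pid, (msgs, secs) in totals.items()}
    all_msgs = sum(msgs for msgs, _ in totals.values())
    all_secs = sum(secs for _, secs in totals.values())
    return {
        "batches": batches,
        "per_child": per_child,
        "slow_children": sorted(p for p, avg in per_child.items() if avg > threshold),
        "overall_per_message": all_secs / all_msgs if all_msgs else 0.0,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for b in report["batches"]:
        flag = "SLOW" if b["slow"] else "ok"
        print(f"pid {b['pid']}: {b['messages']:>3} msgs, {b['per_message']:>7.3f} s/msg  {flag}")
    for pid, avg in sorted(report["per_child"].items()):
        print(f"child {pid}: {avg:.3f} s/msg overall")
    print(f"all children: {report['overall_per_message']:.3f} s/msg")
```

In the constructed sample the figure across all children stays under 10 while one child is well over it, so the per-child and per-batch numbers are the ones to watch.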
From bpirie at rma.edu Thu Oct 15 18:55:30 2009 From: bpirie at rma.edu (Brendan Pirie) Date: Thu Oct 15 18:55:48 2009 Subject: quarantine directory change In-Reply-To: <7D79002C-6327-4001-A201-8A8FFD42A637@rampuptech.com> References: <7D79002C-6327-4001-A201-8A8FFD42A637@rampuptech.com> Message-ID: <4AD76212.40803@rma.edu> Gavin Silver wrote: > whats the best way to move /var/spool/MailScanner/quarantine directory > on a running system to some subdirectory in /home/ > > my original partition setup on my relay was not designed for > mailscanner and this "dev" box quickly became a production server > because of the awesomeness of mailscanner > > I currently have only 6GB avail in /var and over 200GB in /home > > I assume this is more of a linux system question (im using ubuntu 8.04 > LTS) > > ..maybe i can use symlinks and then not change any config files? > This might be an appropriate situation to implement mount's --bind feature instead of using a link. > but of course i am asking because im sure there is a few ways to do it > with some being a better choice for the long term (e.g. 
upgrading > mailscanner) > > wondering if anyone has done similar > > thanks in advance > > cheers > > -Gavin > Brendan From campbell at cnpapers.com Thu Oct 15 19:08:51 2009 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Oct 15 19:09:14 2009 Subject: MailScanner and SpamAssassin together causes Exterme CPU usage In-Reply-To: <4AD75518.6070203@fsl.com> References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com> <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com> <4AD74492.5080201@emcuk.com> <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com> <4AD75518.6070203@fsl.com> Message-ID: <4AD76533.5050504@cnpapers.com> I had a problem that took forever to resolve. I, too, was using KAM for many months, when all of a sudden my machine started to creep and crawl. I started removing different things and monitoring, and replaced them back into the scheme of things when they didn't help. Once I removed KAM, things got better significantly. I didn't replace it and haven't had the problem since. I don't know why it started happening, and I don't know what the daily download might have included that particular day, but I'm attributing it to a combination of KAM and perhaps my version of Perl. I know there are a lot of people still using KAM without problems, so I'm guessing that it's just my particular combination of things here that triggered it. 

Steve Campbell

From glenn.steen at gmail.com Thu Oct 15 20:13:27 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 20:13:43 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <4AD76533.5050504@cnpapers.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
    <011801ca4da0$3dcfb8d0$b96f2a70$@com>
    <4AD72DAF.4020305@di.unito.it>
    <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
    <01bd01ca4da8$36c49da0$a44dd8e0$@com>
    <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com>
    <4AD74492.5080201@emcuk.com>
    <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com>
    <4AD75518.6070203@fsl.com>
    <4AD76533.5050504@cnpapers.com>
Message-ID: <223f97700910151213i3e55ada4h9336604d2741d3ce@mail.gmail.com>

2009/10/15 Steve Campbell :
> I had a problem that took forever to resolve. I, too, was using KAM for many
> months, when all of a sudden my machine started to creep and crawl. I
> started removing different things and monitoring, and replaced them back
> into the scheme of things when they didn't help. Once I removed KAM, things
> got better significantly.
>
> I didn't replace it and haven't had the problem since. I don't know why it
> started happening, and I don't know what the daily download might have
> included that particular day, but I'm attributing it to a combination of KAM
> and perhaps my version of Perl.
>
> I know there are a lot of people still using KAM without problems, so I'm
> guessing that it's just my particular combination of things here that
> triggered it.
>
> Steve Campbell
>
Probably memory-related, in your case too... Removing a significant set
of rules (like KAM) probably put you in the clear again:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Oct 15 20:18:31 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 20:18:44 2009
Subject: spamc, spamd and spamassassin
In-Reply-To:
References: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
    <223f97700910150805n74ab968dw8f5b772b5c1ebc50@mail.gmail.com>
Message-ID: <223f97700910151218u4c28f4c8y83159dc18959aadd@mail.gmail.com>

2009/10/15 Roland de Lepper :
> Hi,
>
>
> It's a lot of output, but here it comes:
>
(snip)
> 17:28:39 [21892] dbg: check: is spam? score=4.235 required=5
> 17:28:39 [21892] dbg: check:
> tests=DCC_CHECK,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
> 17:28:39 [21892] dbg: check:
> subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID
> 17:28:39 Building a message batch to scan...
>
So... what was the problem? Header checked and found "guilty", score
assigned... All looks well to me;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Oct 15 20:10:42 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 20:19:57 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
    <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
    <011801ca4da0$3dcfb8d0$b96f2a70$@com>
    <4AD72DAF.4020305@di.unito.it>
    <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
    <01bd01ca4da8$36c49da0$a44dd8e0$@com>
    <223f97700910150838k3a2c82efoc50e1415819e9817@mail.gmail.com>
    <4AD74492.5080201@emcuk.com>
    <92B83566-4C90-4EB2-81A3-58904D287E30@rtpty.com>
Message-ID: <223f97700910151210s4694b366y97c3ded666b913ca@mail.gmail.com>

2009/10/15 Alex Neuman :
> By "sorted it out" you mean "swept it under the rug", right? ;-)
>
Even though I too find this funny, increasing the SA timeout
dramatically will have some beneficial effects.... But you know that
already;-). Mostly for expiry stuff, but ...:-)

> On Oct 15, 2009, at 10:49 AM, Eddie Hallahan wrote:
>
>> We had a similar situation and found that kicking the SpamAssassin timeout
>> up to 300 sorted it out.
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Oct 15 20:25:12 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 20:25:21 2009
Subject: Blackholes.us DNSBL
In-Reply-To: <4A09477D575C2C4B86497161427DD94C126BA5C509@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C126BA5C509@city-exchange07>
Message-ID: <223f97700910151225i38847fb6w2a9f5af9fec65fdf@mail.gmail.com>

2009/10/15 Kevin Miller :
> The SANS diary page for today has to do with the continuing fallout of the demise of the blackholes.us dnsbl.
>
> Old news to most probably, but apparently not all: http://isc.sans.org/diary.html?storyid=7360
>
> Of course, nobody on the MailScanner list would still be using that blacklist but maybe someone has an, er, friend that is. ;-)
:-)
> Here's to a spam free day...
That'll be the day.... Be careful with smoking anything offered by
complete strangers Kevin.....:-D

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Oct 15 20:48:15 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Oct 15 20:48:28 2009
Subject: ClamAV only scanning message headers
In-Reply-To: <4AD7525F.8010604@phisch.ca>
References: <4AC26CC8.9070309@phisch.ca> <4AD7525F.8010604@phisch.ca>
Message-ID: <223f97700910151248x7fedde37j76d47beee5f1f137@mail.gmail.com>

2009/10/15 Jared Bater :
> Thanks. I have reviewed the performance tips for MailScanner, and our system
> is extremely well optimized. We can easily push 500K messages/day through
> Mailscanner/Spamassassin, in addition to the several million that we drop at
> the MTA with DNSBLs.
>
Cool.

>
> The problem is that clamdscan does get properly called from
clamdscan? Why on earth don't you use the clamd perl interface?
It'd save you the fork overhead and still give the benefit of clamd
(memory footprint, ease of updating etc).

> /opt/MailScanner/lib/clamav-wrapper (actually, a slightly modified version
> of it to call clamdscan rather than clamscan). The problem is that only the
> message headers make it into my 'Incoming Work Dir', which is set to /tmp.
Why? To get some type of tmpfs? Why not make that a subdir, like
/tmp/MSin? Oh well. No matter.

>
> Here's what clamd writes out in its log, which shows that only headers are
> being scanned:
> +++ Started at Thu Oct 15 11:15:29 2009
> clamd daemon 0.95.2 (OS: solaris2.8, ARCH: sparc, CPU: sparc)
> Log file size limited to 2097152 bytes.
> Reading databases from /var/opt/csw/clamav/db
> Not loading PUA signatures.
> Loaded 1174218 signatures.
> LOCAL: Unix socket file /tmp/clamd.socket
> LOCAL: Setting connection queue length to 15
> Limits: Global size limit set to 104857600 bytes.
> Limits: File size limit set to 26214400 bytes.
> Limits: Recursion level limit set to 16.
> Limits: Files limit set to 10000.
> Archive support enabled.
> Algorithmic detection enabled.
> Portable Executable support enabled.
> ELF support enabled.
> Mail files support enabled.
> OLE2 support enabled.
> PDF support enabled.
> HTML support enabled.
> Self checking every 600 seconds.
> /tmp/13100/8779FCC5E3.7CB46.header: OK
> /tmp/13100/87806CC5E4.586C4.header: OK
> /tmp/9684/ED86FCC5F6.81C14.header: OK
> /tmp/497/90E90CC5FD.57D06.header: OK
> /tmp/4328/A46FDCC5D7.7A0E6.header: OK
> /tmp/13100/B78E6CC605.48C0A.header: OK
> /tmp/3599/7F3A9CC5B8.8843E.header: OK
>
>
> What would cause only the headers to be extracted???? Is there any way to
> debug MS to figure out what's going wrong with the interaction with
> Clamdscan?
Yeah sure, just futz away at the code:-). Then run it in debug
(MailScanner --debug)...
Perhaps do it on a testbed, just in case you break something;-)

All message headers are extracted to these files, yes, and they should
be cleaned up, sooner or later. If nothing else, it'd be at child
demise:-). There used to be a bug in some rather old version (a few
years back), IIRC, that made these pile up... Had to do with the entropy
added to the queue filename, or more specifically to the "." separating
the queue file id and the entropy. What version of MS do you run? Not
too old, I hope;). If you use the debian package from them... it'll be
very old, but I don't think even that could be so old as to display that
particular error:-D.

>
> Spamassassin has no troubles at all, by the way.
>
>
> Any help and/or guidance is greatly appreciated.
>
> Jared
>
>
>
>
> #./MailScanner -v
> Running on
> SunOS ? sun4v sparc SUNW,SPARC-Enterprise-T5220
> This is Perl version 5.008008 (5.8.8)
>
> This is MailScanner version 4.56.8
Oh. Dear me, do an upgrade ASAP. This also explains why you're not using
the clamd interface... It simply wasn't present in this old beast. This
particular one is more than three years old. Since Spam/Virus fighting
isn't static in nature (due to the crap morphing continually), one
simply can't use old tools and expect to get the best from them.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From logs at comp-wiz.com Thu Oct 15 21:30:08 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 21:30:40 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <005e01ca4dac$f1b82010$d5286030$@dk>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
    <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
    <011801ca4da0$3dcfb8d0$b96f2a70$@com>
    <4AD72DAF.4020305@di.unito.it>
    <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
    <01bd01ca4da8$36c49da0$a44dd8e0$@com>
    <005e01ca4dac$f1b82010$d5286030$@dk>
Message-ID: <013401ca4dd6$4a0b8710$de229530$@com>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/fda6cc2e/attachment.jpe

From logs at comp-wiz.com Thu Oct 15 21:33:07 2009
From: logs at comp-wiz.com (Logs)
Date: Thu Oct 15 21:33:39 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA07FE1021@HC-MBX02.herefordshire.gov.uk>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
    <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
    <011801ca4da0$3dcfb8d0$b96f2a70$@com><4AD72DAF.4020305@di.unito.it><24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
    <01bd01ca4da8$36c49da0$a44dd8e0$@com>
    <7EF0EE5CB3B263488C8C18823239BEBA07FE1021@HC-MBX02.herefordshire.gov.uk>
Message-ID: <014001ca4dd6$b4b06680$1e113380$@com>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091015/ddb61e92/attachment-0001.jpe

From alex at rtpty.com Thu Oct 15 21:42:50 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 21:43:05 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <014001ca4dd6$b4b06680$1e113380$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
    <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk>
    <011801ca4da0$3dcfb8d0$b96f2a70$@com><4AD72DAF.4020305@di.unito.it><24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com>
    <01bd01ca4da8$36c49da0$a44dd8e0$@com>
    <7EF0EE5CB3B263488C8C18823239BEBA07FE1021@HC-MBX02.herefordshire.gov.uk>
    <014001ca4dd6$b4b06680$1e113380$@com>
Message-ID:

The default depends on your setup. I, for one, have two rbl's at the MTA
and the rest in SA - none in MailScanner. YMWDV.

On Oct 15, 2009, at 3:33 PM, Logs wrote:
> I believe the answer to this is MailScanner, but whatever the
> default is.
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
> Sent: Thursday, October 15, 2009 11:46 AM
> To: MailScanner discussion
> Subject: RE: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> Silly question, I know, but where are you doing the blacklisting?
>
> In the MTA or in MailScanner?
>
> Phil
> --
> Phil Randal | Networks Engineer
> NHS Herefordshire & Herefordshire Council | Deputy Chief
> Executive's Office | I.C.T. Services Division
> Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
> Tel: 01432 260160
> email: prandal@herefordshire.gov.uk
> Any opinion expressed in this e-mail or any attached files are those
> of the individual and not necessarily those of Herefordshire Council.
>
> This e-mail and any attached files are confidential and intended
> solely for the use of the addressee. This communication may contain
> material protected by law from being passed on. If you are not the
> intended recipient and have received this e-mail in error, you are
> advised that any use, dissemination, forwarding, printing or copying
> of this e-mail is strictly prohibited. If you have received this e-
> mail in error please contact the sender immediately and destroy all
> copies of it.
>
>
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Logs
> Sent: 15 October 2009 16:00
> To: 'MailScanner discussion'
> Subject: RE: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> Oh right, should have figured that one out? 1GB RAM, 150GB 7200 RPM
> Hard Drive, Intel Pentium D CPU 3.20GHZ, Bus 800 Mhz, L2 4MB (IMHO,
> is way more than enough, although I just ordered another 2 GIGs of
> RAM)
>
> And yes it is CPU tied
> Max Children = 5
> DCC, Pyzor, Razor
> Blacklists: zen.spamhaus.org, b.barracudacentral.org, bl.spamcop.net
> ClamAV
> sane-security using a cron job to download scripts
> SpamAssassin with KAM downloaded daily by using cron job, sought,
> JKF-Anti-Phishing Version 2
> re2c, Rule2XSBody SA plugin
> FuzzyOCR (which I am not sure is working)
>
> That the info you are requesting?
>
>
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Thursday, October 15, 2009 10:23 AM
> To: MailScanner discussion
> Subject: Re: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> CPU, RAM, and the setting for Max Children = ? as well would be
> crucial.
>
> Oh, and "slows down to a halt" because it's CPU-tied or disk-tied?
> Have you checked CPU utilization? I know it's a long shot, but if
> you had the SA database on a bad sector on a bad disk and the rest
> of the disk were fine, using SA would slow the system down because
> of the retries. This would show up as low CPU utilization and slow
> disk access, for example. Maybe I've been watching too much House,
> M.D. though.
>
> Are you using extra SA rules? DCC? Pyzor? Razor? Perhaps a more
> thorough description of your system would work better.
>
>
> On Thu, Oct 15, 2009 at 9:11 AM, Sergio Rabellino
> wrote:
> Please, check that the dns is correctly set-up and fully functional.
> What are the hw specs of the server ?
>
>
> Logs wrote:
> I have version 3.2.5-1.el5 installed in I installed it VIA YUM.
> However I also uninstalled and downloaded the ClamAV, SA version off
> the MailScanner website but it didn't install SA for some reason.
> And so I downloaded and installed VIA YUM again, only to have the
> same problem re-occur.
>
> Vern
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
> Sent: Thursday, October 15, 2009 9:55 AM
> To: MailScanner discussion
> Subject: RE: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> Start by telling us which version of spamassassin you have
> installed, and where you installed it from.
>
> Also, if you haven't already, run sa-update to ensure you have the
> current SA rules.
>
> Phil
> --
> Phil Randal | Networks Engineer
> NHS Herefordshire & Herefordshire Council | Deputy Chief
> Executive's Office | I.C.T. Services Division
> Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
> Tel: 01432 260160
> email: prandal@herefordshire.gov.uk
>
>
>
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Logs
> Sent: 15 October 2009 14:40
> To: 'MailScanner discussion'
> Subject: MailScanner and SpamAssassin together causes Exterme CPU
> usage
>
> I have no idea what to do as I have never come across this before. I
> am using a CentOS 5.3 server and when I enable the "Use
> SpamAssassin" option my server slows to a near halt. Somehow with
> the 2 enabled together something is going wrong and I don't even
> know where to begin trouble shooting this without turning
> SpamAssassin off. Can anyone point me in the right direction? I
> don't even know if this a MailScanner or SpamAssassin issue.
>
> Thanks,
> Vernon
>
>
> --
> This message has been scanned for viruses and
> dangerous content by comp-wiz.com, and is
> believed to be clean.
>
> Any opinion expressed in this e-mail or any attached files are those
> of the individual and not necessarily those of Herefordshire Council.
> You should be aware that Herefordshire Council monitors its email
> service.
> This e-mail and any attached files are confidential and intended
> solely for the use of the addressee. This communication may contain
> material protected by law from being passed on. If you are not the
> intended recipient and have received this e-mail in error, you are
> advised that any use, dissemination, forwarding, printing or copying
> of this e-mail is strictly prohibited. If you have received this e-
> mail in error please contact the sender immediately and destroy all
> copies of it.
> --
> Ing. Sergio Rabellino
>
> Università degli Studi di Torino
> Dipartimento di Informatica
> ICT Services Director
> Tel +39-0116706701 Fax +39-011751603
> C.so Svizzera , 185 - 10149 - Torino
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> alex@rtpty.com
> Skype: alexneuman

From bernard.lheureux at bbsoft4.org Thu Oct 15 21:51:56 2009
From: bernard.lheureux at bbsoft4.org (Bernard Lheureux)
Date: Thu Oct 15 21:52:35 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <00d101ca4d9c$fa4a7120$eedf5360$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com>
Message-ID: <4AD78B6C.9070705@bbsoft4.org>

Logs wrote:
Use ClamD as antivirus,
Change This to no:
Use SpamAssasin If On Spam List = no
And normally, the load of your server should decrease dramatically
>
> I have no idea what to do as I have never come across this before. I
> am using a CentOS 5.3 server and when I enable the "Use SpamAssassin"
> option my server slows to a near halt. Somehow with the 2 enabled
> together something is going wrong and I don't even know where to begin
> trouble shooting this without turning SpamAssassin off. Can anyone
> point me in the right direction? I don't even know if this a
> MailScanner or SpamAssassin issue.
>
M$-Internet Exploder is the cancer of the Internet, see why here:
http://www.aful.org/ressources/documentations/msie-problemes-securite
--
(°-   Bernard Lheureux, manager of the mailing lists ML, TechML, LinuxML
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:root@bbsoft4.org
v_/_  http://www.bbsoft4.org/ <<<<<< * >>>>>> http://www.portalinux.org/

From alex at rtpty.com Thu Oct 15 22:49:57 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Oct 15 22:50:11 2009
Subject: Way OT: SugarCRM on CentOS 5.3
Message-ID: <4100BD4E-D608-4ABC-AE0B-0AB8C00EC606@rtpty.com>

--- I know this is way OT but I've found that this list is a veritable
fountain of the best minds in the world! so please bear with me...
Thanks in advance!

Hey listers,

I've googled around all day for a good cookbook on how to install
SugarCRM CE on CentOS 5.3, but haven't found anything conclusive.
Everything either involves another distro or assumes things work out of
the box. Requirements are being met in the form of mysql-server and
php-mysql (even using other repos in order to comply with said
requirements), but the installer says "its needs aren't being met".
Forcing the installer by setting variables to "true" only gets to as far
as the screen where you provide the login credentials for the database -
which works from the command line.

Thanks for any help or advice!

From roland.de.lepper at cvis.nl Fri Oct 16 07:22:00 2009
From: roland.de.lepper at cvis.nl (Roland de Lepper)
Date: Fri Oct 16 07:22:09 2009
Subject: spamc, spamd and spamassassin
In-Reply-To: <223f97700910151218u4c28f4c8y83159dc18959aadd@mail.gmail.com>
References: <44088f69020b88f1cd9d7c6090841f98.squirrel@webmail.xs4all.nl>
    <223f97700910150805n74ab968dw8f5b772b5c1ebc50@mail.gmail.com>
    <223f97700910151218u4c28f4c8y83159dc18959aadd@mail.gmail.com>
Message-ID: <5e0a1748b28f9f65d054fb2459ac73e6.squirrel@webmail.xs4all.nl>

Hi Glenn,

I didn't know about the MailScanner --lint and command. I only used the
spamassassin one.
I've ordered the MailScanner book last week and still waiting for it.
Can't hardly wait.

Regards,
Roland

> 2009/10/15 Roland de Lepper :
>> Hi,
>>
>>
>> It's a lot of output, but here it comes:
>>
> (snip)
>> 17:28:39 [21892] dbg: check: is spam? score=4.235 required=5
>> 17:28:39 [21892] dbg: check:
>> tests=DCC_CHECK,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
>> 17:28:39 [21892] dbg: check:
>> subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID
>> 17:28:39 Building a message batch to scan...
>>
> So... what was the problem? Header checked and found "guilty", score
> assigned... All looks well to me;-).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>

From gandalf at shopzeus.com Fri Oct 16 08:46:40 2009
From: gandalf at shopzeus.com (Laszlo Nagy)
Date: Fri Oct 16 08:47:02 2009
Subject: install mailscanner + postfix + freebsd (beginner)
Message-ID: <4AD824E0.4080802@shopzeus.com>

I would like to be accurate and tell exactly what I did on my system. I
tried to follow the guides here:

http://www.mailscanner.info/postfix.html

It tells:

> 1. Install Postfix version 2 and get it all working.
> 2. Stop Postfix using a command
>       postfix stop
> 3. Make sure you have the chroot jail set up in /var/spool/postfix.
>    You should be able to see "etc", "usr" and "lib" directories
>    inside /var/spool/postfix). If you haven't got the chroot jail
>    setup already, then look in the "examples" directory of the
>    Postfix documentation and you will find a script in there to set
>    up it up for your operating system. If you can't find that, then
>    see the "Problems or Errors" section further down this page.
> 4. At this point, things change from the setup for other MTAs as we
>    can make it run with just one copy of Postfix, and let Postfix
>    do the "split MTA" setup for us.
> 5. In the Postfix configuration file /etc/postfix/main.cf add this
>    line:
>       header_checks = regexp:/etc/postfix/header_checks
> 6. In the file /etc/postfix/header_checks add this line:
>       /^Received:/ HOLD
>    The effect of this is to tell Postfix to move all messages to
>    the HOLD queue.
>
I'm done with #1, #2, #3. I'm not sure if I need to do anything for #4,
I guess I do not. For #5: there is no /etc/postfix. No problem, I have
used /usr/local/etc/postfix/header_checks instead. #6: Done.

Next section from the docs:

> In your MailScanner.conf file (probably in /etc/MailScanner or
> /opt/MailScanner/etc), there are 5 settings you need to change. They
> are all really near the top of the file. The settings are
>
>    Run As User = postfix
>    Run As Group = postfix
>    Incoming Queue Dir = /var/spool/postfix/hold
>    Outgoing Queue Dir = /var/spool/postfix/incoming
>    MTA = postfix
>
>
All right, it is in /usr/local/etc/MailScanner/MailScanner.conf. Holy
cow, that thing is 2977 lines long! :-)

config file says:

>Incoming Work Dir = /var/spool/MailScanner/incoming
>Quarantine Dir = /var/spool/MailScanner/quarantine

I do not even have /var/spool/MailScanner. Should I create it by hand?
Will subdirectories be automatically created? Or should I also create
them by hand?

Another question. The default config file says:

> Sendmail = /usr/sbin/sendmail

Shouldn't I change it to /usr/local/sbin/sendmail? (Because I'm using
the postfix port...)

Sorry for being long. Thank you!

   Laszlo

From drew.marshall at trunknetworks.com Fri Oct 16 08:57:37 2009
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Fri Oct 16 08:58:02 2009
Subject: install mailscanner + postfix + freebsd (beginner)
In-Reply-To: <4AD824E0.4080802@shopzeus.com>
References: <4AD824E0.4080802@shopzeus.com>
Message-ID: <295D3B21-FB83-429F-8AA3-47C5B6B505E3@trunknetworks.com>

On 16 Oct 2009, at 08:46, Laszlo Nagy wrote:

> I would like to be accurate and tell exactly what I did on my
> system. I tried to follow the guides here:
>
> http://www.mailscanner.info/postfix.html
>
> It tells:
>
>> 1. Install Postfix version 2 and get it all working.
>> 2. Stop Postfix using a command
>>       postfix stop
>> 3. Make sure you have the chroot jail set up in /var/spool/postfix.
>>    You should be able to see "etc", "usr" and "lib" directories
>>    inside /var/spool/postfix). If you haven't got the chroot jail
>>    setup already, then look in the "examples" directory of the
>>    Postfix documentation and you will find a script in there to set
>>    up it up for your operating system. If you can't find that, then
>>    see the "Problems or Errors" section further down this page.
>> 4. At this point, things change from the setup for other MTAs as we
>>    can make it run with just one copy of Postfix, and let Postfix
>>    do the "split MTA" setup for us.
>> 5. In the Postfix configuration file /etc/postfix/main.cf add this
>>    line:
>>       header_checks = regexp:/etc/postfix/header_checks
>> 6. In the file /etc/postfix/header_checks add this line:
>>       /^Received:/ HOLD
>>    The effect of this is to tell Postfix to move all messages to
>>    the HOLD queue.
>>
> I'm done with #1, #2, #3. I'm not sure if I need to do anything for
> #4, I guess I do not. For #5: there is no /etc/postfix. No problem,
> I have used /usr/local/etc/postfix/header_checks instead. #6: Done.

Sounds fine to me.
>
> Next section from the docs:
>
>> In your MailScanner.conf file (probably in /etc/MailScanner or
>> /opt/MailScanner/etc), there are 5 settings you need to change. They are
>> all really near the top of the file. The settings are
>>
>>    Run As User = postfix
>>    Run As Group = postfix
>>    Incoming Queue Dir = /var/spool/postfix/hold
>>    Outgoing Queue Dir = /var/spool/postfix/incoming
>>    MTA = postfix
>>
>>
> All right, it is in /usr/local/etc/MailScanner/MailScanner.conf.
> Holy cow, that thing is 2977 lines long! :-)
>
> config file says:
>
> >Incoming Work Dir = /var/spool/MailScanner/incoming
> >Quarantine Dir = /var/spool/MailScanner/quarantine
>
> I do not even have /var/spool/MailScanner. Should I create it by hand?

Yes

> Will subdirectories be automatically created? Or should I also
> create them by hand?

Providing the permissions are correct (The directories you create should
be owned by the postfix user) you will need to only make the top level
directories, /var/spool/MailScanner/incoming,
/var/spool/MailScanner/quarantine, /var/spool/MailScanner/spamassassin,
/var/spool/MailScanner/archive (If you are archiving mail)

>
> Another question. The default config file says:
>
> > Sendmail = /usr/sbin/sendmail
>
> Shouldn't I change it to /usr/local/sbin/sendmail? (Because I'm
> using the postfix port...)

Did you install MS from the ports tree? If not then I would. It's been
updated now so /usr/ports/mail/mailscanner is at the latest & greatest
and it corrects paths for FreeBSD as part of the installation.

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content.
Our email policy can be found at www.trunknetworks.com/policy

Trunk Networks Limited is registered in Scotland with registration
number: SC351063
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From gandalf at shopzeus.com Fri Oct 16 09:34:37 2009
From: gandalf at shopzeus.com (Laszlo Nagy)
Date: Fri Oct 16 09:34:48 2009
Subject: install mailscanner + postfix + freebsd (beginner)
In-Reply-To: <295D3B21-FB83-429F-8AA3-47C5B6B505E3@trunknetworks.com>
References: <4AD824E0.4080802@shopzeus.com>
    <295D3B21-FB83-429F-8AA3-47C5B6B505E3@trunknetworks.com>
Message-ID: <4AD8301D.9030605@shopzeus.com>

>> Will subdirectories be automatically created? Or should I also create
>> them by hand?
>
> Providing the permissions are correct (The directories you create
> should be owned by the postfix user) you will need to only make the
> top level directories, /var/spool/MailScanner/incoming,
> /var/spool/MailScanner/quarantine,
> /var/spool/MailScanner/spamassassin, /var/spool/MailScanner/archive
> (If you are archiving mail)

    mkdir -p /var/spool/MailScanner/incoming
    mkdir -p /var/spool/MailScanner/quarantine
    mkdir -p /var/spool/MailScanner/spamassassin
    mkdir -p /var/spool/MailScanner/archive
    chown -R postfix:postfix /var/spool/MailScanner

Done:

>>
>> Another question. The default config file says:
>>
>> > Sendmail = /usr/sbin/sendmail
>>
>> Shouldn't I change it to /usr/local/sbin/sendmail? (Beacuse I'm using
>> the postfix port...)
>
> Did you install MS from the ports tree? If not then I would.

I did.

    # pkg_info | grep MailScanner
    MailScanner-4.78.9  Powerful virus/spam scanning framework for mail gateways

> It's been updated now so /usr/ports/mail/mailscanner is at the latest
> & greatest and it corrects paths for FreeBSD as part of the installation.

I should have known about mailwrapper, that uses mailer.conf to select the right MTA:

# ls -l /usr/sbin/sendmail
lrwxr-xr-x 1 root wheel 21 Nov 17 2008 /usr/sbin/sendmail -> /usr/sbin/mailwrapper

So MailScanner is configured now. But before I go live with this, I still have some bad feelings. For example, clamav and spamassassin were both installed as dependencies. Do I need to configure them, or can I start using mailscanner without further configuration?

Thank you for the quick help!

Laszlo

From support-lists at petdoctors.co.uk Fri Oct 16 09:59:37 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Oct 16 09:59:52 2009
Subject: Way OT: SugarCRM on CentOS 5.3
In-Reply-To: <4100BD4E-D608-4ABC-AE0B-0AB8C00EC606@rtpty.com>
References: <4100BD4E-D608-4ABC-AE0B-0AB8C00EC606@rtpty.com>
Message-ID:

Hmm,

I did a SugarCRM box recently (about 2 months ago) on 5.3 and I really can't think of anything that caused me hassle apart from perhaps php-json (ISTR):

pecl install json
cd /etc/php.d/
echo "extension=json.so" >> json.ini
service httpd restart

I don't recall using any other repos apart from the standard ones + I always tend to add DAG to the mix.

Worth checking you have php-devel and php-mysql installed.

HTH

Nigel

From alex at rtpty.com Fri Oct 16 13:08:39 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Oct 16 13:08:51 2009
Subject: Way OT: SugarCRM on CentOS 5.3
In-Reply-To:
References: <4100BD4E-D608-4ABC-AE0B-0AB8C00EC606@rtpty.com>
Message-ID: <0F7B51CE-86F5-4B01-8E10-7D9CC29C904C@rtpty.com>

Thanks! I'll look into it.

On Oct 16, 2009, at 3:59 AM, Nigel Kendrick wrote:

> Hmm,
>
> I did a SugarCRM box recently (about 2 months ago) on 5.3 and I
> really can't
> think of anything that caused me hassle apart from perhaps php-json
> (ISTR):
>
> pecl install json
>
> cd /etc/php.d/
>
> echo "extension=json.so" >> json.ini
>
> service httpd restart
>
> I don't recall using any other repos apart from the standard ones +
> I always
> tend to add DAG to the mix.
>
> Worth checking you have php-devel and php-mysql installed.
>
> HTH
>
> Nigel

From Denis.Beauchemin at USherbrooke.ca Fri Oct 16 13:19:29 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Oct 16 13:19:50 2009
Subject: MailScanner and SpamAssassin together causes Exterme CPU usage
In-Reply-To: <013401ca4dd6$4a0b8710$de229530$@com>
References: <00d101ca4d9c$fa4a7120$eedf5360$@com> <7EF0EE5CB3B263488C8C18823239BEBA07FE0FA4@HC-MBX02.herefordshire.gov.uk> <011801ca4da0$3dcfb8d0$b96f2a70$@com> <4AD72DAF.4020305@di.unito.it> <24e3d2e40910150722t3a6cf44fr82e17bd5e3db5390@mail.gmail.com> <01bd01ca4da8$36c49da0$a44dd8e0$@com> <005e01ca4dac$f1b82010$d5286030$@dk> <013401ca4dd6$4a0b8710$de229530$@com>
Message-ID: <4AD864D1.1030908@USherbrooke.ca>

Logs wrote:
>
> Maybe 2000 to 3000 a day
>
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> *Jonas A. Larsen
> *Sent:* Thursday, October 15, 2009 11:34 AM
> *To:* 'MailScanner discussion'
> *Subject:* RE: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> I guess you didn't find it obvious to include but for the below to be
> of any use we need to know how many mails you are pushing through your
> server.
>
> If it's 1000 per day the below should be more than enough.
>
> If it's 50000 maybe not so much.
>
> /Jonas
>
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Logs
> *Sent:* 15. oktober 2009 17:00
> *To:* 'MailScanner discussion'
> *Subject:* RE: MailScanner and SpamAssassin together causes Exterme
> CPU usage
>
> Oh right, should have figured that one out? 1GB RAM, 150GB 7200 RPM
> Hard Drive, Intel Pentium D CPU 3.20GHZ, Bus 800 Mhz, L2 4MB (IMHO, is
> way more than enough, although I just ordered another 2 GIGs of RAM)
>
> And yes it is CPU tied
>
> Max Children = 5
>
> DCC, Pyzor, Razor
>
> Blacklists: zen.spamhaus.org, b.barracudacentral.org, bl.spamcop.net
>
> ClamAV
>
> sane-security using a cron job to download scripts
>
> SpamAssassin with KAM downloaded daily by using cron job, sought,
> JKF-Anti-Phishing Version 2
>
> re2c, Rule2XSBody SA plugin
>
> FuzzyOCR (which I am not sure is working)
>

I have a VM running RHEL 5.4 processing 2K-3K messages each day with only 768MB and 1 CPU without any problems. I only run 2 MS children on that server with SA, clamd, McAfee and a caching-nameserver, but no KAM, DCC or pyzor. CPU use never goes over 25%.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From lists at elasticmind.net Fri Oct 16 14:27:34 2009
From: lists at elasticmind.net (Mog)
Date: Fri Oct 16 14:28:10 2009
Subject: install mailscanner + postfix + freebsd (beginner)
In-Reply-To: <4AD8301D.9030605@shopzeus.com>
References: <4AD824E0.4080802@shopzeus.com> <295D3B21-FB83-429F-8AA3-47C5B6B505E3@trunknetworks.com> <4AD8301D.9030605@shopzeus.com>
Message-ID: <4AD874C6.6040908@elasticmind.net>

Laszlo Nagy wrote:
>
> I should have known about mailwrapper, that uses mailer.conf to select
> the right MTA:
>
> # ls -l /usr/sbin/sendmail
> lrwxr-xr-x 1 root wheel 21 Nov 17 2008 /usr/sbin/sendmail ->
> /usr/sbin/mailwrapper
>
> So MailScanner is configured now. But before I go live with this, I
> still have some bad feelings. For example, clamav and spamassassin
> were both installed as dependencies. Do I need to configure them, or
> can I start using mailscanner without further configuration?
>

Like anything, you need to quickly run through their respective configuration files to make sure they are doing what you want. Most defaults should be fine, but double check anyway.

From support-lists at petdoctors.co.uk Fri Oct 16 15:22:57 2009
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Fri Oct 16 15:23:33 2009
Subject: Way OT: SugarCRM on CentOS 5.3
In-Reply-To: <0F7B51CE-86F5-4B01-8E10-7D9CC29C904C@rtpty.com>
References: <4100BD4E-D608-4ABC-AE0B-0AB8C00EC606@rtpty.com> <0F7B51CE-86F5-4B01-8E10-7D9CC29C904C@rtpty.com>
Message-ID: <235612A08C5646A7A92B62BC0B0C0E5D@SUPPORT01V>

Just as another thought, I think I had to manually increase the memory limit in php.ini - it currently stands at:

memory_limit = 128M

NK

From campbell at cnpapers.com Fri Oct 16 15:37:40 2009
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Oct 16 15:37:57 2009
Subject: OT clam files in /var/tmp
Message-ID: <4AD88534.2030308@cnpapers.com>

I updated my clamd the other day, and had my /var partition fill up this morning with directories named /var/tmp/clamav-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (xxx represents what appears to be a random signature). They each have a set of main.* files in them (main.db, main.fp, etc).

I'm not sure why they are hanging around. I've looked at the .conf files for clamd, freshclam, and all the other files I could think of to verify any settings. I've changed the one in clamd.conf (LeaveTemporaryFiles no), but have found no other reference to files to this directory. They are not timestamped to any obvious repetitive task time.

Anyone familiar with this problem?

Thanks

Steve Campbell

From GSilver at rampuptech.com Fri Oct 16 17:07:39 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Fri Oct 16 17:08:02 2009
Subject: quarantine directory change
In-Reply-To: <4AD76212.40803@rma.edu>
References: <7D79002C-6327-4001-A201-8A8FFD42A637@rampuptech.com> <4AD76212.40803@rma.edu>
Message-ID:

Thanks, I'll take a look at the mount --bind option, is there any specific reason you can think of _not_ to use a sym link though?

----------------------------------
Gavin Silver

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brendan Pirie
Sent: Thursday, October 15, 2009 1:56 PM
To: MailScanner discussion
Subject: Re: quarantine directory change

Gavin Silver wrote:
> what's the best way to move /var/spool/MailScanner/quarantine directory
> on a running system to some subdirectory in /home/
>
> my original partition setup on my relay was not designed for
> mailscanner and this "dev" box quickly became a production server
> because of the awesomeness of mailscanner
>
> I currently have only 6GB avail in /var and over 200GB in /home
>
> I assume this is more of a linux system question (I'm using ubuntu 8.04
> LTS)
>
> ..maybe I can use symlinks and then not change any config files?
>

This might be an appropriate situation to implement mount's --bind feature instead of using a link.

> but of course I am asking because I'm sure there are a few ways to do it
> with some being a better choice for the long term (e.g. upgrading
> mailscanner)
>
> wondering if anyone has done similar
>
> thanks in advance
>
> cheers
>
> -Gavin
>

Brendan

From admin at lorodoes.com Fri Oct 16 18:17:23 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Fri Oct 16 18:17:41 2009
Subject: MailScanner Error
Message-ID:

My MailScanner all of a sudden started failing on me today. First I was getting an error inside of PFDstore that it couldn't print something on line 743. So I commented it to see if that fixed it. Well it did, but now I'm getting a Failed to receive from socket, any ideas anyone?

From admin at lorodoes.com Fri Oct 16 18:29:10 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Fri Oct 16 18:29:25 2009
Subject: MailScanner Error
In-Reply-To:
References:
Message-ID:

Oops, I meant PFDiskstore.pm. I fixed it with commenting out line 743. The weird part is that the MailScanner is still running, but no mail is flowing. Also the mail stopped flowing at 12:30 and I hadn't made any changes that day since 1:00PM. So I'm still confused on what happened. If someone can give me a hand it would be greatly appreciated.

> My MailScanner all of a sudden started failing on me today. First I was
> getting an error inside of PFDstore that it couldn't print something on
> line 743. So I commented it to see if that fixed it. Well it did, but now
> I'm getting a Failed to receive from socket, any ideas anyone?

From mikael at syska.dk Fri Oct 16 18:48:01 2009
From: mikael at syska.dk (Mikael Syska)
Date: Fri Oct 16 18:48:14 2009
Subject: MailScanner Error
In-Reply-To:
References:
Message-ID: <6beca9db0910161048n71188a88nfaa11dbb9e3a598e@mail.gmail.com>

Hi,

You don't give much information ... so, it's hard to help.

On Fri, Oct 16, 2009 at 7:29 PM, Garrod Alwood wrote:
> Oops, I meant PFDiskstore.pm. I fixed it with commenting out line 743. The
> weird part is that the MailScanner is still running, but no mail is
> flowing. Also the mail stopped flowing at 12:30 and I hadn't made any
> changes that day since 1:00PM. So I'm still confused on what happened. If
> someone can give me a hand it would be greatly appreciated.

You say no mail is flowing ... that could mean a million things in my world.

So I would start making sure that your MTA is receiving any mails ... and forward from there ...
>
>> My MailScanner all of a sudden started failing on me today. First I was
>> getting an error inside of PFDstore that it couldn't print something on
>> line 743. So I commented it to see if that fixed it. Well it did, but now
>> I'm getting a Failed to receive from socket, any ideas anyone?

Sure it's not just stalling there? Try disabling this module.

mvh

From max at assuredata.com Fri Oct 16 19:41:38 2009
From: max at assuredata.com (Max Kipness)
Date: Fri Oct 16 19:42:06 2009
Subject: DNS query saturating T1
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>

This is the strangest thing I've ever seen and just wondering if anyone has seen this before.

I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using DNS locally for queries to speed up resolution. The last few weeks, our T1 has gone down several times and the provider reported that traffic from inside was causing saturation. They really couldn't, or didn't want to tell us what system or what port. So I narrowed it down to the MailScanner server. When the problem would occur you could see the light blinking or almost solid on the switch port. We simply disconnect and everything was fine. So I started looking at possible overload of spam, or virus/Trojan on the server, etc. Nothing on the logs looked unusual, so we would plug it back and everything would be fine for a few days. Then it would happen again.
So I installed iptraf, and put in logging mode and left it there. Well it happened yesterday again, and after looking over the logs, it appears like the following log entry is the problem:

Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541 to 74.66.226.117:53

There are just millions of these. In VIM you have to hit Ctrl-F for a while just to get to the next second!

Do you think I have buggy DNS? Doesn't seem like this would be some type of malicious software doing this, as what would be the point? Any other guesses?

I guess I could simply turn off the DNS client locally? I'm not positive if this is the only IP it hits, so I don't know that blocking the IP outbound would make a difference.

Thanks for any suggestions you can offer.

Max

From dgottsc at emory.edu Fri Oct 16 19:47:07 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Oct 16 19:47:40 2009
Subject: DNS query saturating T1
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>
Message-ID:

Is your local caching DNS server also being used by clients on the local network, or just the MailScanner server?

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Max Kipness
Sent: Friday, October 16, 2009 2:42 PM
To: MailScanner discussion
Subject: DNS query saturating T1

This is the strangest thing I've ever seen and just wondering if anyone has seen this before.

I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using DNS locally for queries to speed up resolution. The last few weeks, our T1 has gone down several times and the provider reported that traffic from inside was causing saturation. They really couldn't, or didn't want to tell us what system or what port. So I narrowed it down to the MailScanner server.
When the problem would occur you could see the light blinking or almost solid on the switch port. We simply disconnect and everything was fine. So I started looking at possible overload of spam, or virus/Trojan on the server, etc. Nothing on the logs looked unusual, so we would plug it back and everything would be fine for a few days. Then it would happen again. So I installed iptraf, and put in logging mode and left it there. Well it happened yesterday again, and after looking over the logs, it appears like the following log entry is the problem:

Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541 to 74.66.226.117:53

There are just millions of these. In VIM you have to hit Ctrl-F for a while just to get to the next second!

Do you think I have buggy DNS? Doesn't seem like this would be some type of malicious software doing this, as what would be the point? Any other guesses?

I guess I could simply turn off the DNS client locally? I'm not positive if this is the only IP it hits, so I don't know that blocking the IP outbound would make a difference.

Thanks for any suggestions you can offer.

Max
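
The per-second triage Max describes doing by paging through the iptraf log can be scripted. This is an added example, not code posted by anyone in the thread: it assumes the record layout of the single log line quoted above, and the function names, the 500 packets-per-second cut-off and the sample addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# One record in the layout of the iptraf line quoted in the thread.
# Anything that does not match this layout is skipped.
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}); "
    r"(?P<proto>\w+); (?P<iface>\S+); (?P<size>\d+) bytes; "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

T1_BITS_PER_SEC = 1_544_000  # nominal T1 line rate


def parse_line(line):
    """Return a dict for one log record, or None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("size", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def find_floods(lines, pps_threshold=500, link_bps=T1_BITS_PER_SEC):
    """Bucket records per second and per (proto, src, dst, dport) flow and
    return the buckets whose packet count reaches pps_threshold.

    pps_threshold is an assumed cut-off; tune it to the host's normal load.
    The logged byte count is taken as the on-wire size (an assumption).
    """
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
        bucket = buckets[key]
        bucket["packets"] += 1
        bucket["bytes"] += rec["size"]
        bucket["sports"].add(rec["sport"])

    findings = []
    for (ts, proto, src, dst, dport), bucket in buckets.items():
        if bucket["packets"] < pps_threshold:
            continue
        bps = bucket["bytes"] * 8  # the bucket spans exactly one second
        findings.append({
            "second": ts, "proto": proto, "src": src, "dst": dst, "dport": dport,
            "packets": bucket["packets"],
            "bits_per_sec": bps,
            "link_share": round(bps / link_bps, 2),
            # A single source port means every packet left from one socket.
            "distinct_sports": len(bucket["sports"]),
        })
    return sorted(findings, key=lambda f: f["packets"], reverse=True)


def constructed_sample():
    """Constructed log: a few ordinary lookups plus a one-second burst."""
    lines = [
        "Thu Oct 15 12:00:05 2009; UDP; eth0; 61 bytes; from 192.0.2.10:40112 to 198.51.100.1:53",
        "Thu Oct 15 12:00:05 2009; UDP; eth0; 58 bytes; from 192.0.2.10:51877 to 198.51.100.2:53",
        "-- constructed non-record line, ignored by the parser --",
    ]
    lines += [
        "Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.0.2.10:57541 to 203.0.113.53:53"
    ] * 5000
    lines.append(
        "Thu Oct 15 12:00:07 2009; UDP; eth0; 70 bytes; from 192.0.2.10:33410 to 198.51.100.1:53"
    )
    return lines


if __name__ == "__main__":
    for f in find_floods(constructed_sample()):
        print(f"{f['second']}  {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}  "
              f"{f['packets']} pkt/s  {f['bits_per_sec'] / 1e6:.2f} Mbit/s  "
              f"{f['link_share']:.0%} of T1  source ports: {f['distinct_sports']}")
```

With 43-byte packets, roughly 4,500 per second is already enough to fill a T1, so a single flow at the rate described in the thread accounts for the saturation on its own.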

From max at assuredata.com Fri Oct 16 19:55:57 2009
From: max at assuredata.com (Max Kipness)
Date: Fri Oct 16 19:56:22 2009
Subject: DNS query saturating T1
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1D72BC@addc01.assuredata.local>

Just the local server.

Max

>Is your local caching DNS server also being used by clients on the local network, or just the MailScanner server?
>
>David Gottschalk
>Emory University
>UTS Messaging Team

From clacroix at cegep-ste-foy.qc.ca Fri Oct 16 19:59:47 2009
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Fri Oct 16 20:00:01 2009
Subject: DNS query saturating T1
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>
Message-ID: <4AD8C2A3.5030303@cegep-ste-foy.qc.ca>

How many RBLs are you checking? And are you checking them with your MTA and MailScanner?

Is your caching nameserver actually caching?

Max Kipness wrote:
> This is the strangest thing I've ever seen and just wondering if anyone
> has seen this before.
>
> I'm using MailScanner (was the latest 3 months ago) on Fedora 11 using
> DNS locally for queries to speed up resolution. The last few weeks, our
> T1 has gone down several times and the provider reported that traffic
> from inside was causing saturation. They really couldn't, or didn't want
> to tell us what system or what port. So I narrowed it down to the
> MailScanner server. When the problem would occur you could see the light
> blinking or almost solid on the switch port. We simply disconnect and
> everything was fine. So I started looking at possible overload of spam,
> or virus/Trojan on the server, etc. Nothing on the logs looked unusual,
> so we would plug it back and everything would be fine for a few days.
> Then it would happen again. So I installed iptraf, and put in logging
> mode and left it there.
> Well it happened yesterday again, and after
> looking over the logs, it appears like the following log entry is the
> problem:
>
> Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from 192.168.0.211:57541
> to 74.66.226.117:53
>
> There are just millions of these. In VIM you have to hit Ctrl-F for a
> while just to get to the next second!
>
> Do you think I have buggy DNS? Doesn't seem like this would be some type
> of malicious software doing this, as what would be the point? Any other
> guesses?
>
> I guess I could simply turn off the DNS client locally? I'm not positive
> if this is the only IP it hits, so I don't know that blocking the IP
> outbound would make a difference.
>
> Thanks for any suggestions you can offer.
>
> Max
>

From ssilva at sgvwater.com Fri Oct 16 20:19:15 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Oct 16 20:20:04 2009
Subject: Message attempted to kill MailScanner
Message-ID:

I have been getting a lot of bogus Internal Revenue Service messages that trigger "Message attempted to kill MailScanner" report and then stick in processing db. Does anyone have any magic on these? I know I can't be the only one that sees them!

From alex at rtpty.com Fri Oct 16 20:30:13 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Oct 16 20:30:44 2009
Subject: DNS query saturating T1
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1D72BB@addc01.assuredata.local>
Message-ID:

Who's 0.211? You?

On Oct 16, 2009, at 1:41 PM, Max Kipness wrote:

> Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from
> 192.168.0.211:57541

From admin at lorodoes.com Fri Oct 16 20:34:34 2009
From: admin at lorodoes.com (Garrod Alwood)
Date: Fri Oct 16 20:34:51 2009
Subject: MailScanner Error
In-Reply-To: <6beca9db0910161048n71188a88nfaa11dbb9e3a598e@mail.gmail.com>
References: <6beca9db0910161048n71188a88nfaa11dbb9e3a598e@mail.gmail.com>
Message-ID: <1ecb2bb6a1b1fb822a36196a68f7ec45.squirrel@www.lorodoes.com>

Ok, sorry about that maybe if I walk through exactly what is happening. From my logs I saw that at 00:33:57 all mail stopped going out, but mail was flowing in. I didn't find this out until about 10 or 11 o'clock so I had a ton of emails. Now when I set MailScanner to debug mode, I saw there was a problem with PFDiskstore.pm, I have no clue what that does. If anyone does please let me know. It was having a print issue on line 734. So just to see if it fixed it, I commented out line 734 (I know that isn't the correct thing to do, but I was in a hurry.) Now after I commented out line 734 and ran the mailscanner again it seemed to work ok. So I turned off debug but kept it in the foreground. When I ran it in the foreground mail starts processing, but I get an error which states "Failed to receive from socket:" and that is all. I'm sorry I didn't give more information.

Garrod M. Alwood
IT Consultant

> Hi,
>
> You don't give much information ... so, it's hard to help.
>
> On Fri, Oct 16, 2009 at 7:29 PM, Garrod Alwood wrote:
>> Oops, I meant PFDiskstore.pm. I fixed it with commenting out line 743. The
>> weird part is that the MailScanner is still running, but no mail is
>> flowing. Also the mail stopped flowing at 12:30 and I hadn't made any
>> changes that day since 1:00PM. So I'm still confused on what happened. If
>> someone can give me a hand it would be greatly appreciated.
>
> You say no mail is flowing ... that could mean a million things in my
> world.
>
> So I would start making sure that your MTA is receiving any mails ...
> and forward from there ...
>
>>> My MailScanner all of a sudden started failing on me today. First I was
>>> getting an error inside of PFDstore that it couldn't print something on
>>> line 743. So I commented it to see if that fixed it. Well it did, but now
>>> I'm getting a Failed to receive from socket, any ideas anyone?
>
> Sure it's not just stalling there? Try disabling this module.
>
> mvh

From max at assuredata.com Fri Oct 16 20:42:48 2009
From: max at assuredata.com (Max Kipness)
Date: Fri Oct 16 20:43:14 2009
Subject: DNS query saturating T1
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1D72C2@addc01.assuredata.local>

Yes, 192.168.0.211, is our internal address.

I found this on the internet, and not sure if it was the cause, but we definitely had Bind 9 that was not updated to the 'P' version that fixes this exploit. I've since updated right now, so we will see. I hope this is it.

http://www.linux-magazine.com/Online/News/DoS-Attack-Exploit-in-BIND-9

To the others that responded, I'm hitting a few RBLs at the MTA level, and through SpamAssassin.
But I don't think it will matter how many are being hit, you might overload your cpu or memory, but I don't think you could ever saturate a T1 with that traffic. This was thousands or hundreds of thousands of queries per second to some server that had nothing to do with RBLs.

Max

> Who's 0.211? You?

> On Oct 16, 2009, at 1:41 PM, Max Kipness wrote:

> Thu Oct 15 12:00:06 2009; UDP; eth0; 43 bytes; from
> 192.168.0.211:57541

Thanks -

Max Kipness
AssureDATA, Inc.
Office: 214-717-4644
Mobile: 214-417-8412
Email: max@assuredata.com

Please note my new office number above. Please use this number first when attempting to contact me!

From mikael at syska.dk Fri Oct 16 20:46:54 2009
From: mikael at syska.dk (Mikael Syska)
Date: Fri Oct 16 20:47:07 2009
Subject: MailScanner Error
In-Reply-To: <1ecb2bb6a1b1fb822a36196a68f7ec45.squirrel@www.lorodoes.com>
References: <6beca9db0910161048n71188a88nfaa11dbb9e3a598e@mail.gmail.com> <1ecb2bb6a1b1fb822a36196a68f7ec45.squirrel@www.lorodoes.com>
Message-ID: <6beca9db0910161246u1f388bcbjd15778bea69fb4b4@mail.gmail.com>

Hi,

The only thing I can think of that is using a socket would be clamd? If using that ... try and disable the virus scanner.

But it's working when running in debug mode?

mvh

On Fri, Oct 16, 2009 at 9:34 PM, Garrod Alwood wrote:
> Ok, sorry about that maybe if I walk through exactly what is happening.
> From my logs I saw that at 00:33:57 all mail stopped going out, but mail
> was flowing in. I didn't find this out until about 10 or 11 o'clock so I had
> a ton of emails. Now when I set MailScanner to debug mode, I saw there was
> a problem with PFDiskstore.pm, I have no clue what that does. If anyone
> does please let me know. It was having a print issue on line 734. So just
> to see if it fixed it, I commented out line 734 (I know that isn't the
> correct thing to do, but I was in a hurry.) Now after I commented out line
> 734 and ran the mailscanner again it seemed to work ok.
> So I turned off
> debug but kept it in the foreground. When I ran it in the foreground mail
> starts processing, but I get an error which states "Failed to receive from
> socket:" and that is all. I'm sorry I didn't give more information.
>
> Garrod M. Alwood
> IT Consultant
>
>> Hi,
>>
>> You don't give much information ... so, it's hard to help.
>>
>> On Fri, Oct 16, 2009 at 7:29 PM, Garrod Alwood wrote:
>>> Oops, I meant PFDiskstore.pm. I fixed it with commenting out line 743. The
>>> weird part is that the MailScanner is still running, but no mail is
>>> flowing. Also the mail stopped flowing at 12:30 and I hadn't made any
>>> changes that day since 1:00PM. So I'm still confused on what happened. If
>>> someone can give me a hand it would be greatly appreciated.
>>
>> You say no mail is flowing ... that could mean a million things in my
>> world.
>>
>> So I would start making sure that your MTA is receiving any mails ...
>> and forward from there ...
>>
>>>> My MailScanner all of a sudden started failing on me today. First I was
>>>> getting an error inside of PFDstore that it couldn't print something on
>>>> line 743. So I commented it to see if that fixed it. Well it did, but now
>>>> I'm getting a Failed to receive from socket, any ideas anyone?
>>
>> Sure it's not just stalling there? Try disabling this module.
>>
>> mvh

From alex at rtpty.com Fri Oct 16 20:57:24 2009
From: alex at rtpty.com (Alex Neuman)
Date: Fri Oct 16 20:57:41 2009
Subject: DNS query saturating T1
In-Reply-To: <11375BD8FE838A409E10DB32B9BFFE9B1D72C2@addc01.assuredata.local>
References: <11375BD8FE838A409E10DB32B9BFFE9B1D72C2@addc01.assuredata.local>
Message-ID: <0E6DF6E5-F237-46E2-A72A-837F88646899@rtpty.com>

If that's the case, and nobody else uses it, how about having BIND bind (no pun intended) itself to 127.0.0.1? I think it's the "listen-on" thingy in /etc/named.conf...

On Oct 16, 2009, at 2:42 PM, Max Kipness wrote:

> Yes, 192.168.0.211, is our internal address.

From dgottsc at emory.edu Fri Oct 16 21:12:11 2009
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Oct 16 21:13:16 2009
Subject: DNS query saturating T1
In-Reply-To: <0E6DF6E5-F237-46E2-A72A-837F88646899@rtpty.com>
References: <11375BD8FE838A409E10DB32B9BFFE9B1D72C2@addc01.assuredata.local> <0E6DF6E5-F237-46E2-A72A-837F88646899@rtpty.com>
Message-ID:

Good point, I recommend that as well. I have DNS setup the same way on my MailScanner machines.

David Gottschalk
Emory University
UTS Messaging Team

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Friday, October 16, 2009 3:57 PM
To: MailScanner discussion
Subject: Re: DNS query saturating T1

If that's the case, and nobody else uses it, how about having BIND bind (no pun intended) itself to 127.0.0.1? I think it's the "listen-on" thingy in /etc/named.conf...

On Oct 16, 2009, at 2:42 PM, Max Kipness wrote:

> Yes, 192.168.0.211, is our internal address.

From max at assuredata.com Fri Oct 16 21:24:38 2009
From: max at assuredata.com (Max Kipness)
Date: Fri Oct 16 21:24:48 2009
Subject: DNS query saturating T1
Message-ID: <11375BD8FE838A409E10DB32B9BFFE9B1D72C4@addc01.assuredata.local>

> If that's the case, and nobody else uses it, how about having BIND
> bind (no pun intended) itself to 127.0.0.1? I think it's the
> "listen-on" thingy in /etc/named.conf...

Seems like it was already setup that way. Of course I just upgraded Bind based on the exploit, so maybe that is the new default.

Thanks,
Max
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091016/0168ec83/attachment.html

From glenn.steen at gmail.com Sat Oct 17 10:17:33 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Oct 17 10:17:42 2009
Subject: quarantine directory change
In-Reply-To:
References: <7D79002C-6327-4001-A201-8A8FFD42A637@rampuptech.com> <4AD76212.40803@rma.edu>
Message-ID: <223f97700910170217x15b6f6e4oa236fe3b6fd83d5a@mail.gmail.com>

2009/10/16 Gavin Silver :
> Thanks I'll take a look at the mount --bind option, is there any specific reason you can think of _not_ to use a sym link though?
>
>

For the "work dir", that has historically been a bad idea, since some AV scanners (notably McAfee) have had problems when some part of the path has been via symlinks. Other than that... nope, no problem one cannot handle:-). But the mount --bind is as easy as a symlink and removes all possibility of a link-related problem, so I'd recommend doing that;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sat Oct 17 12:24:04 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Oct 17 12:24:22 2009
Subject: Message attempted to kill MailScanner
In-Reply-To:
References:
Message-ID: <4AD9A954.6000108@vanderkooij.org>

On 10/16/2009 09:19 PM, Scott Silva wrote:
> I have been getting a lot of bogus Internal Revenue Service messages that
> trigger "Message attempted to kill MailScanner" report and then stick in
> processing db. Does anyone have any magic on these? I know I can't be the only
> one that sees them!

So tell who else have them? After all you KNOW that. So why not share it with us?

Hugo.

From brent.addis at spit.gen.nz Sun Oct 18 21:39:01 2009
From: brent.addis at spit.gen.nz (Brent Addis)
Date: Sun Oct 18 21:39:17 2009
Subject: Message attempted to kill MailScanner
In-Reply-To: <4AD9A954.6000108@vanderkooij.org>
References: <4AD9A954.6000108@vanderkooij.org>
Message-ID: <1255898341.6035.0.camel@baddis-laptop>

Wow. having a bad day there Hugo? It was a fairly simple question which I am sure did not deserve the tone of that response.

-----Original Message-----
From: Hugo van der Kooij
Reply-to: MailScanner discussion
To: mailscanner@lists.mailscanner.info
Subject: Re: Message attempted to kill MailScanner
Date: Sat, 17 Oct 2009 13:24:04 +0200

On 10/16/2009 09:19 PM, Scott Silva wrote:
> I have been getting a lot of bogus Internal Revenue Service messages that
> trigger "Message attempted to kill MailScanner" report and then stick in
> processing db. Does anyone have any magic on these? I know I can't be the only
> one that sees them!

So tell who else have them? After all you KNOW that. So why not share it with us?

Hugo.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091019/bc193d6c/attachment.html

From steve.freegard at fsl.com Sun Oct 18 22:35:40 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Sun Oct 18 22:35:53 2009
Subject: 419 Spams
Message-ID: <4ADB8A2C.3040607@fsl.com>

Hi all,

I have access to a system that receives a *lot* of 419-type spam e-mails, so using an SA plug-in that I wrote recently (SaveHits: http://www.fsl.com/support/SaveHits.pm); I've captured over 5000 since 15th October. These came in very useful recently for me to increase the accuracy of several bayes databases that were not accurately catching 419s so I've made it available for others that might find this useful as well.

I've obfuscated the e-mail addresses, domains and source IP address within all of the messages so the originating site cannot be identified.

You can download it from www.fsl.com/support/419_spams_1009.tar.gz and import it into your bayes database by running:

tar -zxf 419_spams_1009.tar.gz
sa-learn --spam --dir 419_spams

Obviously - this won't help if the bayes database has been incorrectly trained for a considerable amount of time but worked for me when starting afresh and letting bayes autolearn 200 ham messages from the actual mail stream.

Kind regards,
Steve.

From brent.addis at spit.gen.nz Mon Oct 19 00:19:42 2009
From: brent.addis at spit.gen.nz (Brent Addis)
Date: Mon Oct 19 00:20:00 2009
Subject: 419 Spams
In-Reply-To: <4ADB8A2C.3040607@fsl.com>
References: <4ADB8A2C.3040607@fsl.com>
Message-ID: <1255907982.6035.27.camel@baddis-laptop>

Thanks for that, Downloaded and imported here.

-----Original Message-----
From: Steve Freegard
Reply-to: MailScanner discussion
To: MailScanner discussion
Subject: 419 Spams
Date: Sun, 18 Oct 2009 22:35:40 +0100

Hi all,

I have access to a system that receives a *lot* of 419-type spam e-mails, so using an SA plug-in that I wrote recently (SaveHits: http://www.fsl.com/support/SaveHits.pm); I've captured over 5000 since 15th October. These came in very useful recently for me to increase the accuracy of several bayes databases that were not accurately catching 419s so I've made it available for others that might find this useful as well.

I've obfuscated the e-mail addresses, domains and source IP address within all of the messages so the originating site cannot be identified.

You can download it from www.fsl.com/support/419_spams_1009.tar.gz and import it into your bayes database by running:

tar -zxf 419_spams_1009.tar.gz
sa-learn --spam --dir 419_spams

Obviously - this won't help if the bayes database has been incorrectly trained for a considerable amount of time but worked for me when starting afresh and letting bayes autolearn 200 ham messages from the actual mail stream.

Kind regards,
Steve.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091019/6345adf5/attachment.html

From hvdkooij at vanderkooij.org Mon Oct 19 07:17:54 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Oct 19 07:18:04 2009
Subject: Message attempted to kill MailScanner
In-Reply-To: <1255898341.6035.0.camel@baddis-laptop>
References: <4AD9A954.6000108@vanderkooij.org> <1255898341.6035.0.camel@baddis-laptop>
Message-ID: <4ADC0492.6050902@vanderkooij.org>

On 10/18/09 22:39, Brent Addis wrote:
> Wow. having a bad day there Hugo? It was a fairly simple question which
> I am sure did not deserve the tone of that response.

Well. Let's take the information at hand. There is little to no information to go on here. No version details, indication what bit of the complex system it is left in, resource usage, .....

But I have worked with quite a few number of customers and oddly enough some spam you might expect everywhere is most definitely not everywhere. Some sorts of spam are killed almost completely by RBL actions of the MTA by 1 customer and detected by another as spam while a third customer does not even get them at all.

So I think it is safe to assume that no 2 domains MUST receive identical types of spam and providing some samples will enable people to troubleshoot and test the samples.

Hugo

From Amelein at dantumadiel.eu Mon Oct 19 13:25:01 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Mon Oct 19 13:25:16 2009
Subject: Betr.: Re: Message attempted to kill MailScanner
In-Reply-To: <4ADC0492.6050902@vanderkooij.org>
References: <4AD9A954.6000108@vanderkooij.org> <1255898341.6035.0.camel@baddis-laptop> <4ADC0492.6050902@vanderkooij.org>
Message-ID: <4ADC76BD0200008E000113E9@10.1.0.206>

I am having the same thing on a low volume (home server) scanner.
I tracked it down to the 'child dying of old age' event which triggers MS to spawn a new process, because of the low volume all of the children usually restart in short order of each other because the incoming mail gets handed off to the next child which also dies of old age when it's triggered. This happens because my grey listing setup can keep MS idle for hours on end before something actually gets delivered.

On my high volume server this problem hardly ever arises, only with the very occasional spam mail which is probably designed to actually kill the server.

-
Arjan

>>> On 19-10-2009 at 8:17, Hugo van der Kooij wrote:
On 10/18/09 22:39, Brent Addis wrote:
> Wow. having a bad day there Hugo? It was a fairly simple question which
> I am sure did not deserve the tone of that response.

Well. Let's take the information at hand. There is little to no information to go on here. No version details, indication what bit of the complex system it is left in, resource usage, .....

But I have worked with quite a few number of customers and oddly enough some spam you might expect everywhere is most definitely not everywhere. Some sorts of spam are killed almost completely by RBL actions of the MTA by 1 customer and detected by another as spam while a third customer does not even get them at all.

So I think it is safe to assume that no 2 domains MUST receive identical types of spam and providing some samples will enable people to troubleshoot and test the samples.

Hugo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091019/d60a30c4/attachment.html

From Amelein at dantumadiel.eu Mon Oct 19 13:39:44 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Mon Oct 19 13:39:58 2009
Subject: MailScanner: No programs allowed on MS word XP/2003
Message-ID: <4ADC7A300200008E000113FA@10.1.0.206>

I am getting the occasional blocked Word document which MS marks as being an executable.
When I do file -i on it, it tells me: blah.doc: application/msword; charset=binary
In the maillog it tells me Filetype Checks: No executables

It does not do it on every .doc file but I can't seem to figure out what is causing it to mark the occasional .doc as executable.

The setup is a Fedora 11 machine with MS 4.78.17
The filetype.rules.conf contains the following:
deny    executable      No executables          No programs allowed
deny    ELF             No executables          No programs allowed

Any ideas where to look for this?

-
Arjan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091019/58251ef2/attachment.html

From housey at sme-ecom.co.uk Mon Oct 19 15:21:17 2009
From: housey at sme-ecom.co.uk (Paul)
Date: Mon Oct 19 15:21:35 2009
Subject: Increase in spam
Message-ID: <4ADC75DD.2080008@sme-ecom.co.uk>

Hi

Just wondered if anyone else was experiencing a large increase in spam?

Seems to be the "Notice of Underreported Income" spam, it's being caught but just did some stats over the last couple of weeks, normally I get under 1000 of these per day, last weds/thurs I got about 30000 per day, then back to around 1000 for fri, sat and sunday, but today so far I've had over 10000

I look after quite a few domains and it's not targeted at one in particular.

Just wondered if anyone else seeing similar?

Paul

From steveb_clamav at sanesecurity.com Mon Oct 19 15:27:18 2009
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Mon Oct 19 15:27:37 2009
Subject: Increase in spam
In-Reply-To: <4ADC75DD.2080008@sme-ecom.co.uk>
References: <4ADC75DD.2080008@sme-ecom.co.uk>
Message-ID: <37299.93.97.28.110.1255962438.squirrel@saturn.dataflame.net>

> Hi
>
> Just wondered if anyone else was experiencing a large increase in spam?
> Seems to be the "Notice of Underreported Income" spam
> Just wondered if anyone else seeing similar?

Hi,

The income spam/virus call it what you want... aka Fake 12690, has seen a sharp increase, according to this stats page:

http://comms.oucs.ox.ac.uk/images/stats/relay/virus-day.png

Cheers,

Steve
Sanesecurity

From neilsotheby at hotmail.com Mon Oct 19 21:09:46 2009
From: neilsotheby at hotmail.com (Neil)
Date: Mon Oct 19 21:10:12 2009
Subject: Increase in spam
In-Reply-To: <37299.93.97.28.110.1255962438.squirrel@saturn.dataflame.net>
References: <4ADC75DD.2080008@sme-ecom.co.uk> <37299.93.97.28.110.1255962438.squirrel@saturn.dataflame.net>
Message-ID:

Yes I've noticed this late last week but they were all on the rbl's. This week they're not (yet). They all have the same subject though so nice and easy to block. Last week they were hitting backup mx records a lot too.

Neil

On 19 Oct 2009, at 15:27, "Steve Basford" wrote:

>> Hi
>>
>> Just wondered if anyone else was experiencing a large increase in
>> spam?
>> Seems to be the "Notice of Underreported Income" spam
>> Just wondered if anyone else seeing similar?
>
> Hi,
>
> The income spam/virus call it what you want...
> aka Fake 12690, has
> seen a sharp increase, according to this stats page:
>
> http://comms.oucs.ox.ac.uk/images/stats/relay/virus-day.png
>
> Cheers,
>
> Steve
> Sanesecurity
>

From neilsotheby at hotmail.com Mon Oct 19 21:09:54 2009
From: neilsotheby at hotmail.com (Neil)
Date: Mon Oct 19 21:10:16 2009
Subject: (no subject)
Message-ID:

Neil

From ssilva at sgvwater.com Tue Oct 20 05:04:34 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Oct 20 05:05:02 2009
Subject: Message attempted to kill MailScanner
In-Reply-To: <4AD9A954.6000108@vanderkooij.org>
References: <4AD9A954.6000108@vanderkooij.org>
Message-ID:

on 10-17-2009 4:24 AM Hugo van der Kooij spake the following:
> On 10/16/2009 09:19 PM, Scott Silva wrote:
>> I have been getting a lot of bogus Internal Revenue Service messages that
>> trigger "Message attempted to kill MailScanner" report and then stick in
>> processing db. Does anyone have any magic on these? I know I can't be
>> the only
>> one that sees them!
>
> So tell who else have them? After all you KNOW that. So why not share it
> with us?
>
> Hugo.

Damn Hugo! I NEVER ask for help and sometimes give it. But I'll fix it myself if I have to! I had a PC lockup and couldn't get an example up, and then all hell broke loose.

Peace out friend. No wonder some people complain.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091019/053851fa/signature.bin

From Rainer.Blaes at astrium.eads.net Tue Oct 20 10:14:28 2009
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue Oct 20 10:15:48 2009
Subject: Disclaimer and "mail" command
Message-ID: <4ADD7F74.7080208@astrium.eads.net>

Hi all,

I am using SLES 10SP2, Postfix as my MTA and MailScanner 4.78.17-1. I added a disclaimer to all my mails using *"Inline HTML Signature, Inline TXT Signature and Sign Clean Messages"* options in MailScanner. When we are using the "mail" *command* ie %mail a.b@domain.com our disclaimer will not be attached. Since we are using programs which generate automatically mails by using the command above it would be nice to have a disclaimer.
Do u have any suggestions.

*_MailScanner.conf_*
Sign Clean Messages = /etc/MailScanner/rules/signing.rules
Inline HTML Signature = /etc/MailScanner/reports/en/inline.sig.html
Inline Text Signature = /etc/MailScanner/reports/en/inline.sig.txt

*_signing.rules_*

From: *@mydomain.com yes
FromOrTo: default no

This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Astrium disclaims any and all liability if this email transmission was virus corrupted, altered or falsified.
---------------------------------------------------------
Astrium GmbH
Chairman of the Supervisory Board: Thomas Mueller - Management: Evert Dudok (Chairman), Dr. Reinhold Lutz, Guenter Stamerjohanns, Josef Stukenborg
Registered office: Muenchen - Court of registration: Amtsgericht Muenchen, HRB Nr. 107 647

Further information about EADS Astrium @ http://www.astrium.eads.net/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091020/95d46324/attachment.html

From ilikeuce at bornefeld-ettmann.de Tue Oct 20 10:40:49 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Tue Oct 20 10:41:30 2009
Subject: Disclaimer and "mail" command
In-Reply-To: <4ADD7F74.7080208@astrium.eads.net>
References: <4ADD7F74.7080208@astrium.eads.net>
Message-ID:

Rainer Blaes wrote:
> Hi all,
>
> I am using SLES 10SP2, Postfix as my MTA and MailScanner 4.78.17-1. I
> added a disclaimer to all my mails using *"Inline HTML Signature,
> Inline TXT Signature and Sign Clean Messages" *options in MailScanner .
> When we are using the "mail" *command *ie %mail a.b@domain.com our
> disclaimer will not be attached. Since we are using programs which
> generate automatically mails by using the command above it would be nice
> to have a disclaimer.
> Do u have any suggestions.
>
> *_MailScanner.conf_*
> Sign Clean Messages = /etc/MailScanner/rules/signing.rules
> Inline HTML Signature = /etc/MailScanner/reports/en/inline.sig.html
> Inline Text Signature = /etc/MailScanner/reports/en/inline.sig.txt
>
> _*signing.rules
>
> *_From: *@mydomain.com yes
> FromOrTo: default no
>

Hi,

does your server use a mailaddress like server@mydomain.com or server@mail.mydomain.com? In the latter case a mail would not contain a disclaimer.

Cheers
Ralph

From c.granisso at dnshosting.it Tue Oct 20 10:52:33 2009
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Tue Oct 20 10:52:35 2009
Subject: user spam score
Message-ID: <200910200952.n9K9qR8n019881@safir.blacknight.ie>

Hello, I have another problem about user scores spam: I've created some users (without mailwatch but directly with queries into MySQL) and I want to setup spam level for each user.

MailScanner always takes default value in mailscanner.conf and not "personal" value stored in DB.

I've googled for this problem and seems that other few people had this problem but I haven't found the solution.

Have you got ideas?

Thanks a lot,

Carlo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20091020/f25dca05/attachment.html

From Rainer.Blaes at astrium.eads.net Tue Oct 20 10:57:36 2009
From: Rainer.Blaes at astrium.eads.net (Rainer Blaes)
Date: Tue Oct 20 10:59:00 2009
Subject: Disclaimer and "mail" command
In-Reply-To:
References: <4ADD7F74.7080208@astrium.eads.net>
Message-ID: <4ADD8990.8000506@astrium.eads.net>

Ralph Bornefeld-Ettmann wrote:
>
> Rainer Blaes wrote:
>> Hi all,
>>
>> I am using SLES 10SP2, Postfix as my MTA and MailScanner 4.78.17-1. I
>> added a disclaimer to all my mails using *"Inline HTML Signature,
>> Inline TXT Signature and Sign Clean Messages" *options in MailScanner .
>> When we are using the "mail" *command *ie %mail a.b@domain.com our
>> disclaimer will not be attached. Since we are using programs which
>> generate automatically mails by using the command above it would be
>> nice to have a disclaimer.
>> Do u have any suggestions.
>>
>> *_MailScanner.conf_*
>> Sign Clean Messages = /etc/MailScanner/rules/signing.rules
>> Inline HTML Signature = /etc/MailScanner/reports/en/inline.sig.html
>> Inline Text Signature = /etc/MailScanner/reports/en/inline.sig.txt
>>
>> _*signing.rules
>>
>> *_From: *@mydomain.com yes
>> FromOrTo: default no
>>
>
> Hi,
>
> does your server use a mailaddress like server@mydomain.com or
> server@mail.mydomain.com? in the latter case a mail would not contain
> a disclaimer.

THX, Ralph! Good hint I will check it. I think the FROM: line looks like this: user@mail-s.mydomain.com before it will be masqueraded.

So long, Rainer

>
> Cheers
> Ralph
>

From mailadmin at midland-ics.ie Tue Oct 20 11:15:03 2009
From: mailadmin at midland-ics.ie (MailAdmin)
Date: Tue Oct 20 11:16:04 2009
Subject: Help with Disarming
In-Reply-To: <4AD9A954.6000108@vanderkooij.org>
References: <4AD9A954.6000108@vanderkooij.org>
Message-ID: <7AF154895A006D46BA4FFB035ABC09936FAE@aragorn.midland-ics.local>

I have electronic flight tickets from expedia coming through MailScanner and looking like something from a programmer's journal, loads of code of some form.

What option stops this from being disarmed? And is it possible to use a rules set and manage this by from Domain, ie. From: support.expedia.co.uk And To: clientdomain

Thanks

This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.

From ilikeuce at bornefeld-ettmann.de Tue Oct 20 12:18:52 2009
From: ilikeuce at bornefeld-ettmann.de (Ralph Bornefeld-Ettmann)
Date: Tue Oct 20 12:19:33 2009
Subject: Help with Disarming
In-Reply-To: <7AF154895A006D46BA4FFB035ABC09936FAE@aragorn.midland-ics.local>
References: <4AD9A954.6000108@vanderkooij.org> <7AF154895A006D46BA4FFB035ABC09936FAE@aragorn.midland-ics.local>
Message-ID:

MailAdmin wrote:
> I have electronic flight tickets from expedia coming through MailScanner and looking like something from a programmer's journal, loads of code of some form.
>
> What option stops this from being disarmed? And is it possible to use a rules set and manage this by from Domain, ie.
> From: support.expedia.co.uk And To: clientdomain
>
> Thanks
>
>

Hi,

there are some options in MailScanner that can disarm. you can define a ruleset :

/etc/MailScanner/rules/dangerous_html.rules:
From: *support.expedia.co.uk no
FromOrTo default yes

/etc/MailScanner/MailScanner.conf:
Convert Dangerous HTML To Text = %rules-dir%/dangerous_html.rules

This could also apply to
- Convert HTML To Text
- Allow Form Tags (here you have to switch yes and no!!)

or you switch off all content scanning by using this rule for Dangerous Content Scanning

this would also prevent MailScanner from disarming iFrames (what would not be the best idea although it would only be for expedia, but From: can be forged!).

cheers
Ralph

From lists at elasticmind.net Tue Oct 20 12:50:44 2009
From: lists at elasticmind.net (Mog)
Date: Tue Oct 20 12:50:56 2009
Subject: Perl problems on FreeBSD (again)
Message-ID: <4ADDA414.3000506@elasticmind.net>

Hi all,

I upgraded MailScanner last night along with a number of other ports, which unfortunately included a micro update to Perl. On FreeBSD it went from perl-5.10.0 to perl-5.10.1, and judging by the error messages in the maillog, it seems that the old taint mode problem has resurfaced:

Could not use Custom Function code /usr/local/lib/MailScanner/MailScanner/CustomFunctions/SpamWhitelist.pm, it could not be "require"d.
Make sure the last line is "1;" and the module is correct with perl -wc (Error: Insecure dependency in require while running with -T switch at /usr/local/lib/MailScanner/MailScanner/Config.pm line 754.

I'm seeing this same error message being shown for these files as well: MyExample.pm, DavidHooton.pm, LastSpam.pm, GenericSpamScanner.pm, CustomAction.pm, Ruleset-from-Function.pm and ZMRouterDirHash.pm.

From what I understand, FreeBSD runs perl programs with the -T option (taint mode), which is basically some additional security check. If I'm reading this right, the additional security check (for some reason) seems to have a problem with 'eval { require $fullfile; };', the code used to require the CustomFunction modules MailScanner uses:

    $fullfile = "$dir/$filename";
    next unless -f $fullfile and -s $fullfile;
    eval { require $fullfile; };
    if ($@) {
      MailScanner::Log::WarnLog("Could not use Custom Function code %s, " .
                                "it could not be \"require\"d. Make sure " .
                                "the last line is \"1;\" and the module " .
                                "is correct with perl -wc (Error: %s)",
                                $fullfile, $@);
    }

Does this make sense to anyone? Naturally I've reported this problem to the FreeBSD people as well to see if they can help work out what is going on.

Regards,
mog

From rlopezcnm at gmail.com Tue Oct 20 14:46:43 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue Oct 20 14:46:52 2009
Subject: Message attempted to kill MailScanner
In-Reply-To:
References:
Message-ID:

On Fri, Oct 16, 2009 at 1:19 PM, Scott Silva wrote:
> I have been getting a lot of bogus Internal Revenue Service messages that
> trigger "Message attempted to kill MailScanner" report and then stick in
> processing db. Does anyone have any magic on these? I know I can't be the only
> one that sees them!
>
>

For what it is worth: I have never seen a "Message attempted to kill MailScanner" and I have not seen any IRS spam. It may be possible they are trapped by something that does log.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From christo at it4africa.co.za Tue Oct 20 14:58:48 2009
From: christo at it4africa.co.za (Christo Bezuidenhout)
Date: Tue Oct 20 15:05:30 2009
Subject: MailScanner: killedmailscanner
Message-ID: <8A7CA7FAD210714FB5FB35ED2E25941B62A944@it4aproj.agi.co.za>

Good day all,

I just started noticing a strange thing on my mailserver.

Out of the blue I get messages being blocked under other infection in MailScanner. What I can see in Mailwatch is that the header of the messages are repeated about 9 times on the message with no errors and on the last header it is blocked. In Mailwatch report it shows as MailScanner: killedmailscanner

I have checked and the original mail files only have one mail header. Upon closer inspection I can see 9 records written to the mailwatch database with exactly the same data. Only on the last record the other infected is 1 and the report has MailScanner: killedmailscanner

This happens with mail that is actually whitelisted.

I'm running FC2 with MS 4.77.10
SpamAssassin version 3.2.5 running on Perl version 5.8.1
ClamAV 0.95.2/9913/Tue Oct 20 05:42:36 2009

_______________________________________________________________________
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relating to the official business of AGI is proprietary to the company. It is confidential, legally privileged and protected by law.
AGI does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of AGI. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. AGI cannot assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
_______________________________________________________________________

From rlopezcnm at gmail.com Tue Oct 20 16:13:48 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue Oct 20 16:13:56 2009
Subject: documentation edit request
Message-ID:

On my system I have a file named /usr/share/doc/mailscanner/examples/rules/README

The file starts out stating: "This directory is where you should put ruleset files, with filenames ending in ".rules" wherever possible as it makes life easier for me."

It would be more clear if "This directory" is replaced with something specific identifying the specified directory. In my case I have /etc/MailScanner/rules which I believe is "This directory".

In the section that begins with "2. The pattern describes ..." it leaves me not knowing if I could do a rule with an absolute IP address.

Example for a single client IP address 192.168.21.52:

From: 192.168.21.52 and To: network@etp.us.blackberry.net yes

(The above being a conceived rule for /etc/MailScanner/rules/spam.whitelist.rules to allow EPT.DAT files to not be blocked when they are being sent from the address of our exchange server.)
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From chris at techquility.net Tue Oct 20 18:09:13 2009
From: chris at techquility.net (Chris Barber)
Date: Tue Oct 20 18:09:35 2009
Subject: SPAMVIRUS Feature Question
In-Reply-To:
References:
Message-ID: <43F62CA225017044BC84CFAF92B4333B06FDA7@sbsserver.Techquility.net>

Hi All,

Running the latest MailScanner version. Is it possible to have MailScanner put the name of the signature that hit the spamvirus feature in the MailWatch detail pane?

I see it show the SA score with the term "MS_FOUND_SPAMVIRUS", but it does not show what signature was hit. Previously the virus scanner would show this in the virus section. But now that MailScanner is heading these off, I don't have a way of knowing which signature was hit.

Thanks,
Chris

From rlopezcnm at gmail.com Tue Oct 20 18:41:45 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Tue Oct 20 18:41:55 2009
Subject: MailScanner: No programs allowed on MS word XP/2003
In-Reply-To: <4ADC7A300200008E000113FA@10.1.0.206>
References: <4ADC7A300200008E000113FA@10.1.0.206>
Message-ID:

On Mon, Oct 19, 2009 at 6:39 AM, wrote:
> I am getting the occasional blocked Word document which MS marks as being an
> executable.
> When I do file -i on it, it tells me: blah.doc: application/msword;
> charset=binary
> In the maillog it tells me Filetype Checks: No executables
>
> It does not do it on every .doc file but I can't seem to figure out what
> is causing it to mark the occasional .doc as executable.
>
> The setup is a Fedora 11 machine with MS 4.78.17
> the filetype.rules.conf contains the following:
> deny    executable      No executables          No programs allowed
> deny    ELF             No executables          No programs allowed
>
> Any ideas where to look for this ?
>
> -
> Arjan
>

I have found some persons rename executables as .doc trying to sneak them through the email gateways. I have verified this by running the unix file command on the quarantined files. I spoke to some of the senders, including instructors, and apparently this renaming used to "work" at this college pre MailScanner.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From glenn.steen at gmail.com Tue Oct 20 21:34:19 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Oct 20 21:34:32 2009
Subject: user spam score
In-Reply-To: <200910200952.n9K9qR8n019881@safir.blacknight.ie>
References: <200910200952.n9K9qR8n019881@safir.blacknight.ie>
Message-ID: <223f97700910201334g347902a4qed57c7901429bd72@mail.gmail.com>

2009/10/20 Carlo Granisso :
> Hello, I have another problem about user scores spam: I've created some
> users (without mailwatch but directly with queries into MySQL) and I want to
> setup spam level for each user.
>
> MailScanner always take default value in mailscanner.conf and not "personal"
> value stored in DB.
>
> I've googled for this problem and seems that other few people had this
> problem but I haven't found the solution.
>
> Have you got ideas?
>
>
> Thanks a lot,
>
>
> Carlo

IIRC it works OK, as long as one remembers that "multi-recipient" emails will only get the specific values for the _first_ recipient. If that one hasn't got a specific value, the defaults will be used (either per domain, or for the user "admin" (global value)).

If you enable this type of thing, you need to make sure to have set your MTA up to split incoming mail so that a multi-recipient mail will become one mail/recipient.
Also turn on the SA cache, if not already done, to alleviate any performance hit this "splitting" will incur.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jonas at vrt.dk Tue Oct 20 21:45:37 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Tue Oct 20 21:45:50 2009
Subject: SPAMVIRUS Feature Question
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B06FDA7@sbsserver.Techquility.net>
References: <43F62CA225017044BC84CFAF92B4333B06FDA7@sbsserver.Techquility.net>
Message-ID: <000a01ca51c6$47c5a4b0$d750ee10$@dk>

I can only second the wish for a way to have the sigs that hit turn up in our stats/mailwatch something that lets us monitor the effectiveness of it.

However since I was an early adopter of the new feature I'm not sure how it would work.

You could do it today by writing a ton of sa rules (1 for each signature) but that would be a mess.

An ugly hack fix would be to parse the log files (where message id and sig name is parseable), and then make a script that inserted the sig name into the corresponding row in the mailwatch db. But as I said, that would be really ugly :)

I'd love to hear other people's take on this, not to mention Julian's :)

Best regards

Jonas A. Larsen

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Chris Barber
> Sent: 20. oktober 2009 19:09
> To: MailScanner discussion
> Subject: SPAMVIRUS Feature Question
>
> Hi All,
>
> Running the latest MailScanner version. Is it possible to have
> MailScanner put the name of the signature that hit the spamvirus
> feature
> in the MailWatch detail pane?
>
> I see it show the SA score with the term "MS_FOUND_SPAMVIRUS", but it
> does not show what signature was hit. Previously the virus scanner
> would
> show this in the virus section.
> But now that MailScanner is heading
> these off, I don't have a way of knowing which signature was hit.
>
> Thanks,
> Chris

From seven at seven.dorksville.net Wed Oct 21 05:22:04 2009
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Wed Oct 21 05:22:26 2009
Subject: OT: How do you release quarantined items from mailwatch
Message-ID: <42701.125.168.254.15.1256098924.squirrel@seven.dorksville.net>

I know this isn't the mailwatch mailing list but I thought I'd ask here as lots of people would use it.

The website (http://mailwatch.sourceforge.net/doku.php) mentions (*Quarantine management allows you to release, delete or run sa-learn across any quarantined messages.) that mailwatch can release quarantined items but for the life of me I can't work it out.

Please help

Cheers,

Anthony

From hvdkooij at vanderkooij.org Wed Oct 21 06:06:19 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Oct 21 06:06:28 2009
Subject: OT: How do you release quarantined items from mailwatch
In-Reply-To: <42701.125.168.254.15.1256098924.squirrel@seven.dorksville.net>
References: <42701.125.168.254.15.1256098924.squirrel@seven.dorksville.net>
Message-ID: <4ADE96CB.7090808@vanderkooij.org>

On 10/21/09 06:22, Anthony Giggins wrote:
> I know this isn't the mailwatch mailing list but I thought I ask here as
> lots of people would use it.
>
> The website (http://mailwatch.sourceforge.net/doku.php) mentions
> (*Quarantine management allows you to release, delete or run sa-learn
> across any quarantined messages.) that mailwatch can release quarantined
> items but for the life of me I cant work it out.

I strongly suggest you go to the mailwatch mailing list archives first.
This question has been asked and answered plenty of times there.

Hugo.

From hvdkooij at vanderkooij.org Wed Oct 21 06:11:18 2009
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Oct 21 06:11:28 2009
Subject: SPAMVIRUS Feature Question
In-Reply-To: <000a01ca51c6$47c5a4b0$d750ee10$@dk>
References: <43F62CA225017044BC84CFAF92B4333B06FDA7@sbsserver.Techquility.net> <000a01ca51c6$47c5a4b0$d750ee10$@dk>
Message-ID: <4ADE97F6.4070001@vanderkooij.org>

On 10/20/09 22:45, Jonas A. Larsen wrote:
> I can only second the wish for a way to have the sigs that hit turn up in
> our stats/mailwatch something that lets us monitor the effectiveness of it.
>
> However since I was an early adopter of the new feature im not sure how it
> would work.
>
> You could do it today by writing a ton of sa rules (1 for each signature)
> but that would be a mess.
>
> An ugly hack fix would be to parse the log files (where message id and sig
> name is parseable, and then make a script that inserted the sig name intro
> the corresponding row in the mailwatch db. But as I said, that would be
> really ugly :)
>
> I'd love to hear other people's take on this, not to mention Julians :)

You mean something like this?
--------------------- MailScanner Begin ------------------------

MailScanner Status:
    779 messages Scanned by MailScanner
    9.8 Total MB
    206 Spam messages detected by MailScanner
    193 Spam messages with action(s) store
    13 Spam messages with action(s) store,deliver,header
    6 hits from MailScanner SpamAssassin cache
    10 Viruses found by MailScanner
    4 Banned attachments found by MailScanner
    13 Content Problems found by MailScanner
    584 Messages delivered by MailScanner
    779 Messages logged to MailWatch database
    6 SpamAssassin timeout(s)

Virus Sender Report: (Total Seen = 5)
     : 3 Time(s)
    81.252.202.129 : 2 Time(s)

Spam Whitelisted Host Report: (Total Seen = 452)
    127.0.0.1 (forum-bounces@sixxs.net): 5 Time(s)
    194.109.142.194 (clamav-virusdb-bounces@lists.clamav.net): 26 Time(s)
    209.132.177.33 (fedora-package-announce-bounces@redhat.com): 199 Time(s)
    213.136.17.26 (linux-bounce@lists.nllgg.nl): 10 Time(s)
    216.200.241.73 (owner-fw-1-mailinglist@amadeus.us.checkpoint.com): 47 Time(s)
    216.34.181.88 (simple-evcorr-users-bounces@lists.sourceforge.net): 2 Time(s)
    72.26.200.202 (centos-announce-bounces@centos.org): 8 Time(s)
    83.98.192.7 (mailscanner-bounces@lists.mailscanner.info): 126 Time(s)
    85.13.226.40 (users-bounces@lists.rpmforge.net): 19 Time(s)
    85.17.220.216 (pdns-users-bounces@mailman.powerdns.com): 10 Time(s)

RBL Report: (Total Seen = 120)
    spamhaus-ZEN : 105 Time(s)
    spamhaus-ZEN, RBL-JP : 3 Time(s)
    spamhaus-ZEN, RBL-KR : 12 Time(s)

Content Report: (Total Seen = 13)
    iframe, script, form, form input tags: 1 Time(s)
    phishing tags: 5 Time(s)
    web bug tags: 5 Time(s)
    web bug, form, form input tags: 1 Time(s)
    web bug, phishing tags: 1 Time(s)

Banned Filename Report: (Total Seen = 2)
    windows/dos executable (document.htm -space- .exe) : 1 Time(s)
    windows/dos executable (document.pdf -space- .exe) : 1 Time(s)

Banned Filetype Report: (Total Seen = 2)
    no executables (document.htm -space- .exe) : 1 Time(s)
    no executables (document.pdf -space- .exe) : 1 Time(s)

Phishing Report: (Total Seen
= 11)

HTML
tag report: (Total Seen = 4)
    invitations@twitter.com : 1 Time(s)
    postmaster@vanderkooij.org : 2 Time(s)
    unive@emessaging.nl : 1 Time(s)

HTML