From admin at homemachine.net Tue Sep 1 03:24:55 2009
From: admin at homemachine.net (Tom)
Date: Tue Sep 1 03:25:06 2009
Subject: install fails
Message-ID: <4A9C85F7.10308@homemachine.net>

Running Centos 4 and mailscanner 4.52.2-1 (Does the same with
MailScanner-4.77.10-1)

After upgrading the OS to 4.8 I get this

[root@tom MailScanner-4.77.10-1]# MailScanner -v
Errno architecture (i386-linux-thread-multi-2.6.9-67.0.15.elvm) does not match executable architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) at /usr/lib/perl5/site_perl/5.8.5/Errno.pm line 11.
Compilation failed in require at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
Compilation failed in require at (eval 10) line 5.
 at /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749.
Compilation failed in require at /usr/sbin/MailScanner line 67.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.

Looks to me like wrong kernel, is that right?

From serejk at febras.net Tue Sep 1 03:50:34 2009
From: serejk at febras.net (Королёв Сергей)
Date: Tue Sep 1 03:49:42 2009
Subject: install fails
In-Reply-To: <4A9C85F7.10308@homemachine.net>
References: <4A9C85F7.10308@homemachine.net>
Message-ID: <10462a92562f09bfd54ac1d337885376@localhost>

Which version of perl do you use?

On Tue, 01 Sep 2009 14:24:55 +1200, Tom wrote:
> Running Centos 4 and mailscanner 4.52.2-1 (Does the same with
> MailScanner-4.77.10-1)
>
> After upgrading the OS to 4.8 I get this
>
> [root@tom MailScanner-4.77.10-1]# MailScanner -v
> Errno architecture (i386-linux-thread-multi-2.6.9-67.0.15.elvm) does not
> match executable
> architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) at
> /usr/lib/perl5/site_perl/5.8.5/Errno.pm line 11.
> Compilation failed in require at
> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
> BEGIN failed--compilation aborted at
> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
> Compilation failed in require at (eval 10) line 5.
> at /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749
> BEGIN failed--compilation aborted at
> /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749.
> Compilation failed in require at /usr/sbin/MailScanner line 67.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.
>
> Looks to me like wrong kernel, is that right?

From serejk at febras.net Tue Sep 1 04:04:48 2009
From: serejk at febras.net (Королёв Сергей)
Date: Tue Sep 1 04:03:56 2009
Subject: install fails
In-Reply-To: <10462a92562f09bfd54ac1d337885376@localhost>
References: <4A9C85F7.10308@homemachine.net> <10462a92562f09bfd54ac1d337885376@localhost>
Message-ID:

Sorry for stupid question :)
I use perl 5.10 and all is OK.

On Tue, 01 Sep 2009 13:50:34 +1100, Королёв Сергей wrote:
> Which version of perl do you use?
>
> On Tue, 01 Sep 2009 14:24:55 +1200, Tom wrote:
>> Running Centos 4 and mailscanner 4.52.2-1 (Does the same with
>> MailScanner-4.77.10-1)
>>
>> After upgrading the OS to 4.8 I get this
>>
>> [root@tom MailScanner-4.77.10-1]# MailScanner -v
>> Errno architecture (i386-linux-thread-multi-2.6.9-67.0.15.elvm) does not
>> match executable
>> architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) at
>> /usr/lib/perl5/site_perl/5.8.5/Errno.pm line 11.
>> Compilation failed in require at
>> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
>> BEGIN failed--compilation aborted at
>> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
>> Compilation failed in require at (eval 10) line 5.
>> at /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749
>> BEGIN failed--compilation aborted at
>> /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749.
>> Compilation failed in require at /usr/sbin/MailScanner line 67.
>> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.
>>
>> Looks to me like wrong kernel, is that right?

From admin at homemachine.net Tue Sep 1 04:52:55 2009
From: admin at homemachine.net (Tom)
Date: Tue Sep 1 04:53:05 2009
Subject: install fails
In-Reply-To:
References: <4A9C85F7.10308@homemachine.net> <10462a92562f09bfd54ac1d337885376@localhost>
Message-ID: <4A9C9A97.3010906@homemachine.net>

Not so stupid question, built for wrong kernel, how odd.

root@tom MailScanner-4.77.10-1]# perl -V
Summary of my perl5 (revision 5 version 8 subversion 5) configuration:
  Platform:
    osname=linux, osvers=2.6.18-53.1.14.el5pae, archname=i386-linux-thread-multi

Sorry this obviously isn't anything to do mailscanner. )

tom

Королёв Сергей wrote:
> Sorry for stupid question :)
> I use perl 5.10 and all is OK.
>
> On Tue, 01 Sep 2009 13:50:34 +1100, Королёв Сергей
> wrote:
>> Which version of perl do you use?
>>
>> On Tue, 01 Sep 2009 14:24:55 +1200, Tom wrote:
>>> Running Centos 4 and mailscanner 4.52.2-1 (Does the same with
>>> MailScanner-4.77.10-1)
>>>
>>> After upgrading the OS to 4.8 I get this
>>>
>>> [root@tom MailScanner-4.77.10-1]# MailScanner -v
>>> Errno architecture (i386-linux-thread-multi-2.6.9-67.0.15.elvm) does not
>>> match executable
>>> architecture (i386-linux-thread-multi-2.6.18-53.1.14.el5pae) at
>>> /usr/lib/perl5/site_perl/5.8.5/Errno.pm line 11.
>>> Compilation failed in require at
>>> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
>>> BEGIN failed--compilation aborted at
>>> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/IO/Socket.pm line 17.
>>> Compilation failed in require at (eval 10) line 5.
>>> at /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749
>>> BEGIN failed--compilation aborted at
>>> /usr/lib/MailScanner/MailScanner/CustomConfig.pm line 749.
>>> Compilation failed in require at /usr/sbin/MailScanner line 67.
>>> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 67.
>>>
>>> Looks to me like wrong kernel, is that right?
>

From edward.prendergast at netring.co.uk Tue Sep 1 10:04:04 2009
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Tue Sep 1 10:03:27 2009
Subject: Perl module RPM package dependency problem
In-Reply-To: <9CBDCEA4-2FBF-462F-ADBF-B84BE319A072@mlrw.com>
References: <4A97A6EC.2000307@netring.co.uk> <9CBDCEA4-2FBF-462F-ADBF-B84BE319A072@mlrw.com>
Message-ID: <4A9CE384.8090709@netring.co.uk>

Hi,

That seems like a bit of a rigmarole - as the rpmforge perl packages
seem to be reasonable up to date what's the possibility of just removing
the MailScanner perl modules and allowing rpmforge to take over? Or will
this be reversed as soon as the next MailScanner update is performed?

-Edward

Mike Wallace wrote:
> Edward,
>
> Yes, it is a rpmforge issue with the packages installed by MailScanner.
>
> What I do is disable rpmforge for yum updates and then manually enable
> rpmforge to update specific packages like clamav and clamd.
>
> Mike
>
> On Aug 28, 2009, at 5:44 AM, Edward Prendergast wrote:
>
>> Hi,
>>
>> I'm not sure if this is a MailScanner package installer problem, a
>> CentOS problem or a rpmforge issue.
>>
>> I'm running into problems upgrading CentOS 5.3 and I think it might
>> be down to a conflict between the MailScanner provided RPM packages
>> and those coming from the distribution.
>>
>> The error transcript from yum is as follows:
>>
>> Transaction Check Error:
>> file /usr/share/man/man3/Test::Builder.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Test::Builder::Module.3pm.gz conflicts
>> between attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch
>> and perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Test::Builder::Tester.3pm.gz conflicts
>> between attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch
>> and perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz
>> conflicts between attempted installs of
>> perl-Test-Simple-0.92-1.el5.rf.noarch and perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Test::More.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Test::Simple.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Test::Tutorial.3pm.gz conflicts between
>> attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/bigint.3pm.gz conflicts between attempted
>> installs of perl-bignum-0.23-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/bignum.3pm.gz conflicts between attempted
>> installs of perl-bignum-0.23-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/bigrat.3pm.gz conflicts between attempted
>> installs of perl-bignum-0.23-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>> file /usr/share/man/man3/Math::BigRat.3pm.gz conflicts between
>> attempted installs of perl-Math-BigRat-0.22-1.el5.rf.noarch and
>> perl-5.8.8-18.el5_3.1.i386
>>
>> I'm running MailScanner-4.77.10-1.
>>
>> Thanks,
>> Edward
>>
>> ************
>> The information in this email is confidential and may be legally
>> privileged.
>> It is intended solely for the addressee. Access to this email by
>> anyone else
>> is unauthorised. If you are not the intended recipient, any action
>> taken or
>> omitted to be taken in reliance on it, any form of reproduction,
>> dissemination, copying, disclosure, modification, distribution and/or
>> publication of this E-mail message is strictly prohibited and may be
>> unlawful. If you have received this E-mail message in error, please
>> notify
>> us immediately. Please also destroy and delete the message from your
>> computer.
>> ************
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>> This message has been scanned for viruses and dangerous content by
>> MailScanner, and is believed to be clean.
>>
>

--
Edward Prendergast
01239 814545
http://www.netring.co.uk/

From richard.siddall at elirion.net Tue Sep 1 12:24:58 2009
From: richard.siddall at elirion.net (Richard Siddall)
Date: Tue Sep 1 12:25:22 2009
Subject: Perl module RPM package dependency problem
In-Reply-To: <4A9CE384.8090709@netring.co.uk>
References: <4A97A6EC.2000307@netring.co.uk> <9CBDCEA4-2FBF-462F-ADBF-B84BE319A072@mlrw.com> <4A9CE384.8090709@netring.co.uk>
Message-ID: <4A9D048A.70709@elirion.net>

Edward Prendergast wrote:
> Hi,
>
> That seems like a bit of a rigmarole - as the rpmforge perl packages
> seem to be reasonable up to date what's the possibility of just removing
> the MailScanner perl modules and allowing rpmforge to take over? Or will
> this be reversed as soon as the next MailScanner update is performed?
>
> -Edward
[snip]
>>> file /usr/share/man/man3/Test::Simple.3pm.gz conflicts between
>>> attempted installs of perl-Test-Simple-0.92-1.el5.rf.noarch and
>>> perl-5.8.8-18.el5_3.1.i386

It's not a conflict between the RPMForge module and a MailScanner Perl
module, it's a conflict between RPMForge and the core Perl RPM for your
distro. And the conflicts are between the man pages for the Perl modules.

It can be fixed by RPMForge updating their Perl RPMs so they don't
include man pages, which they can do by adding one more switch to the
"%{__perl} Makefile.PL" line in the .spec file. Something like
"INSTALLDIRS=site INSTALLMAN1DIR=none INSTALLMAN3DIR=none"

This only applies to Perl modules that are bundled in the distro's core
Perl RPM.

I hope this helps.

Regards,

Richard Siddall

From m.anderlini at database.it Tue Sep 1 13:10:19 2009
From: m.anderlini at database.it (Marcello Anderlini)
Date: Tue Sep 1 13:11:37 2009
Subject: Problem upgrading centos 4.7 to 4.8
Message-ID: <2FA349F95CF3644FAFC92070E642EB6AEE56B5@beta.dbdomain.database.it>

I tried to upgrade a centos 4.7 to 4.8 and I get this error message:

==============
Transaction Check Error:
  file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/Sys/Syslog.pm from install of perl-5.8.5-49.el4 conflicts with file from package perl-Sys-Syslog-0.18-1
  file /usr/lib64/perl5/5.8.5/x86_64-linux-thread-multi/auto/Sys/Syslog/Syslog.so from install of perl-5.8.5-49.el4 conflicts with file from package perl-Sys-Syslog-0.18-1
==============

Centos is x86_64 and I'm using a mailscanner-4.58.9-1. I know is very
old but is running well for me since now.
I've tried to upgrade a centos 4.7 x86 with the same version of
mailscanner and the problem does not occur.

Is there a way to upgrade centos without upgrading mailscanner or I have
to update it?

Thanks a lot.
Best regards.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

--
Message checked by the Database Informatica antivirus service

From raubvogel at gmail.com Tue Sep 1 14:17:57 2009
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Tue Sep 1 14:18:14 2009
Subject: Fun with my own spamassassin filter: slow reacting?
Message-ID: <4A9D1F05.4040606@gmail.com>

Trying to write a filter that would look for a header beginning
with a specific text and give me a score based on that. So, after
reading http://wiki.apache.org/spamassassin/WritingRules I edit
spam.assassin.prefs.conf and add the following:

header LOCAL_TEST Test-Header =~ /Strange Pork/
score LOCAL_TEST -1.000

then reload MailScanner and send a test email with that header. I check
the header and it seems to have found the header and graded it as it
should:

not spam, SpamAssassin (cached, score=1.694, required 4.7,
BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
LOCAL_TEST -1.00)

So, just for the fun of it, I decrease the score to -3, reload
MailScanner, and send the test email. I am still getting -1 as the score
for LOCAL_TEST. I try restarting it and get the same results.

Today, I try it again, not having touched the mail server since that
last attempt. Now it properly reports the new score for LOCAL_TEST:

not spam, SpamAssassin (not cached, score=-0.306, required 4.7,
BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
LOCAL_TEST -3.00)

Is it me who missed some step here or it is just slow to update itself?

From prandal at herefordshire.gov.uk Tue Sep 1 14:30:54 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Sep 1 14:31:13 2009
Subject: Fun with my own spamassassin filter: slow reacting?
In-Reply-To: <4A9D1F05.4040606@gmail.com>
References: <4A9D1F05.4040606@gmail.com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA078F0B29@HC-MBX02.herefordshire.gov.uk>

The old score was being cached in MailScanner's spamassassin results
cache.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mauricio Tavares
Sent: 01 September 2009 14:18
To: MailScanner discussion
Subject: Fun with my own spamassassin filter: slow reacting?

Trying to write a filter that would look for a header beginning
with a specific text and give me a score based on that. So, after
reading http://wiki.apache.org/spamassassin/WritingRules I edit
spam.assassin.prefs.conf and add the following:

header LOCAL_TEST Test-Header =~ /Strange Pork/
score LOCAL_TEST -1.000

then reload MailScanner and send a test email with that header. I check
the header and it seems to have found the header and graded it as it
should:

not spam, SpamAssassin (cached, score=1.694, required 4.7,
BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
LOCAL_TEST -1.00)

So, just for the fun of it, I decrease the score to -3, reload
MailScanner, and send the test email. I am still getting -1 as the score
for LOCAL_TEST. I try restarting it and get the same results.

Today, I try it again, not having touched the mail server since that
last attempt. Now it properly reports the new score for LOCAL_TEST:

not spam, SpamAssassin (not cached, score=-0.306, required 4.7,
BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
LOCAL_TEST -3.00)

Is it me who missed some step here or it is just slow to update itself?

From raubvogel at gmail.com Tue Sep 1 15:09:24 2009
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Tue Sep 1 15:09:38 2009
Subject: Fun with my own spamassassin filter: slow reacting?
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA078F0B29@HC-MBX02.herefordshire.gov.uk>
References: <4A9D1F05.4040606@gmail.com> <7EF0EE5CB3B263488C8C18823239BEBA078F0B29@HC-MBX02.herefordshire.gov.uk>
Message-ID: <4A9D2B14.8050907@gmail.com>

Randal, Phil wrote:
> The old score was being cached in MailScanner's spamassassin results
> cache.
>
Aha. Is there a way to flush it, so it is forced to read the new
values in?

> Cheers,
>
> Phil
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Mauricio Tavares
> Sent: 01 September 2009 14:18
> To: MailScanner discussion
> Subject: Fun with my own spamassassin filter: slow reacting?
>
>
> Trying to write a filter that would look for a header beginning
> with a specific text and give me a score based on that. So, after
> reading http://wiki.apache.org/spamassassin/WritingRules I edit
> spam.assassin.prefs.conf and add the following:
>
> header LOCAL_TEST Test-Header =~ /Strange Pork/
> score LOCAL_TEST -1.000
>
> then reload MailScanner and send a test email with that header. I check
> the header and it seems to have found the header and graded it as it
> should:
>
> not spam, SpamAssassin (cached, score=1.694, required 4.7,
> BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
> LOCAL_TEST -1.00)
>
> So, just for the fun of it, I decrease the score to -3, reload
> MailScanner, and send the test email. I am still getting -1 as the score
> for LOCAL_TEST. I try restarting it and get the same results.
>
> Today, I try it again, not having touched the mail server since that
> last attempt. Now it properly reports the new score for LOCAL_TEST:
>
> not spam, SpamAssassin (not cached, score=-0.306, required 4.7,
> BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
> LOCAL_TEST -3.00)
>
> Is it me who missed some step here or it is just slow to update itself?

From prandal at herefordshire.gov.uk Tue Sep 1 15:38:06 2009
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Sep 1 15:38:25 2009
Subject: Fun with my own spamassassin filter: slow reacting?
In-Reply-To: <4A9D2B14.8050907@gmail.com>
References: <4A9D1F05.4040606@gmail.com><7EF0EE5CB3B263488C8C18823239BEBA078F0B29@HC-MBX02.herefordshire.gov.uk> <4A9D2B14.8050907@gmail.com>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA078F0B78@HC-MBX02.herefordshire.gov.uk>

Mauricio Tavares wrote:
> Randal, Phil wrote:
>> The old score was being cached in MailScanner's spamassassin results
>> cache.
>>
> Aha. Is there a way to flush it, so it is forced to read the new
> values in?
>

On RHEL / CentOS, I do

  service MailScanner stopms
  cd /etc/MailScanner/incoming
  ls -l
  (to make sure I'm in the right directory before executing the next command)
  rm -rf *
  service MailScanner restart

Adapt as necessary for your installation.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From Denis.Beauchemin at USherbrooke.ca Tue Sep 1 16:03:02 2009
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Sep 1 16:03:33 2009
Subject: Fun with my own spamassassin filter: slow reacting?
In-Reply-To: <4A9D2B14.8050907@gmail.com>
References: <4A9D1F05.4040606@gmail.com> <7EF0EE5CB3B263488C8C18823239BEBA078F0B29@HC-MBX02.herefordshire.gov.uk> <4A9D2B14.8050907@gmail.com>
Message-ID: <4A9D37A6.3050502@USherbrooke.ca>

Mauricio Tavares wrote:
> Randal, Phil wrote:
>> The old score was being cached in MailScanner's spamassassin results
>> cache.
>>
> Aha. Is there a way to flush it, so it is forced to read the new
> values in?
>
>> Cheers,
>>
>> Phil
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>> Mauricio Tavares
>> Sent: 01 September 2009 14:18
>> To: MailScanner discussion
>> Subject: Fun with my own spamassassin filter: slow reacting?
>>
>>
>> Trying to write a filter that would look for a header beginning
>> with a specific text and give me a score based on that. So, after
>> reading http://wiki.apache.org/spamassassin/WritingRules I edit
>> spam.assassin.prefs.conf and add the following:
>>
>> header LOCAL_TEST Test-Header =~ /Strange Pork/
>> score LOCAL_TEST -1.000
>>
>> then reload MailScanner and send a test email with that header. I check
>> the header and it seems to have found the header and graded it as it
>> should:
>>
>> not spam, SpamAssassin (cached, score=1.694, required 4.7,
>> BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
>> LOCAL_TEST -1.00)
>>
>> So, just for the fun of it, I decrease the score to -3, reload
>> MailScanner, and send the test email. I am still getting -1 as the score
>> for LOCAL_TEST. I try restarting it and get the same results.
>>
>> Today, I try it again, not having touched the mail server since that
>> last attempt. Now it properly reports the new score for LOCAL_TEST:
>>
>> not spam, SpamAssassin (not cached, score=-0.306, required 4.7,
>> BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
>> LOCAL_TEST -3.00)
>>
>> Is it me who missed some step here or it is just slow to update itself?
>

Mauricio,

Look at MailScanner.conf for this line and delete that file and then
restart MS (I'm not sure if a reload would be enough):

SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db

Denis

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From maxsec at gmail.com Tue Sep 1 15:34:08 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 1 16:03:38 2009
Subject: Fun with my own spamassassin filter: slow reacting?
In-Reply-To: <4A9D2B14.8050907@gmail.com>
References: <4A9D1F05.4040606@gmail.com> <7EF0EE5CB3B263488C8C18823239BEBA078F0B29@HC-MBX02.herefordshire.gov.uk> <4A9D2B14.8050907@gmail.com>
Message-ID: <72cf361e0909010734h50186659jd2e1fd8a25b69d00@mail.gmail.com>

You can always just stop mailscanner, delete the cache and restart
mailscanner, it is just a cache after all.

--
Martin Hepworth
Oxford, UK

2009/9/1 Mauricio Tavares

> Randal, Phil wrote:
>
>> The old score was being cached in MailScanner's spamassassin results
>> cache.
>>
>> Aha. Is there a way to flush it, so it is forced to read the new
> values in?
>
>
> Cheers,
>>
>> Phil
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>> Mauricio Tavares
>> Sent: 01 September 2009 14:18
>> To: MailScanner discussion
>> Subject: Fun with my own spamassassin filter: slow reacting?
>>
>>
>> Trying to write a filter that would look for a header beginning
>> with a specific text and give me a score based on that. So, after
>> reading http://wiki.apache.org/spamassassin/WritingRules I edit
>> spam.assassin.prefs.conf and add the following:
>>
>> header LOCAL_TEST Test-Header =~ /Strange Pork/
>> score LOCAL_TEST -1.000
>>
>> then reload MailScanner and send a test email with that header. I check
>> the header and it seems to have found the header and graded it as it
>> should:
>>
>> not spam, SpamAssassin (cached, score=1.694, required 4.7,
>> BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
>> LOCAL_TEST -1.00)
>>
>> So, just for the fun of it, I decrease the score to -3, reload
>> MailScanner, and send the test email. I am still getting -1 as the score
>> for LOCAL_TEST. I try restarting it and get the same results.
>>
>> Today, I try it again, not having touched the mail server since that
>> last attempt. Now it properly reports the new score for LOCAL_TEST:
>>
>> not spam, SpamAssassin (not cached, score=-0.306, required 4.7,
>> BASE64_LENGTH_79_INF 1.50, BAYES_05 -1.11, FH_HELO_ENDS_DOT 2.31,
>> LOCAL_TEST -3.00)
>>
>> Is it me who missed some step here or it is just slow to update itself?
>>
>

From E.Bloodaxe at gold.ac.uk Tue Sep 1 16:12:47 2009
From: E.Bloodaxe at gold.ac.uk (Erik Bloodaxe)
Date: Tue Sep 1 16:31:32 2009
Subject: e
Message-ID: <4A9D39EF.2080401@gold.ac.uk>

erfegf

From shprahi at gmail.com Tue Sep 1 16:44:58 2009
From: shprahi at gmail.com (shprahi shprahi)
Date: Tue Sep 1 16:45:07 2009
Subject: MailScanner --lint error
In-Reply-To: <64909.196.212.34.106.1251363943.squirrel@196.212.34.107>
References: <64909.196.212.34.106.1251363943.squirrel@196.212.34.107>
Message-ID:

I think it should be postfix.apache permission on /var/spool/mailscanner

On Thu, Aug 27, 2009 at 2:35 PM, wrote:

> i am using postfix+clamav+mailscanner, the system runs fine but when i run
> MailScanner --lint i get the following errors, maybe someone can explain
> to me but i did change the directory owner with postfix.postfix
> /var/spool/MailScanner but for some reason after restarting the
> mailscanner service it changes back. Thank you.
>
> http://pastebin.com/m1b280c12
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From jaearick at colby.edu Tue Sep 1 19:58:40 2009
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Sep 1 19:59:01 2009
Subject: MS 4.78.15 vs 4.78.9: TNEF fix, yippee!
Message-ID:

Julian,

I got in the complaint of a MailScanner failure below for version 4.78.9:

-----Original Message-----
From: MailScanner [mailto:postmaster@colby.edu]
Sent: Tuesday, September 01, 2009 12:48 PM
To: jtortor@colby.edu
Subject: Warning: E-mail error detected

Our virus detector failed to completely analyse a message you sent:-
To: info@americanawardsinc.com
Subject: did you get it?
Date: Tue Sep 1 12:47:59 2009

Any parts of the message that could not be analysed will not have been
delivered.

If you are using Microsoft Outlook, we strongly recommend you change your
outgoing message format from "Rich Text" to "HTML" or "Plain Text".
1) Click on the "Tools" menu and choose "Options..."
2) Go to the "Mail Format" tab
3) For message format, select "HTML" or "Plain text"
4) Click OK

The virus detector said this about the message:
Report: Report: MailScanner: killedmailscanner

--
MailScanner
Email Virus Scanner
Colby College Information Technology Services
www.colby.edu/administration_cs/its

For all your IT requirements visit: http://www.transtec.co.uk

Looking in the system logs for this I found:

Sep 1 12:28:44 jasper MailScanner[3865]: [ID 702911 mail.info] Expanding TNEF archive at /var/spool/MailScanner/incoming/3865/n81GShWn007050/winmail.dat
Sep 1 12:28:44 jasper MailScanner[3865]: [ID 702911 mail.info] Message n81GShWn007050 added TNEF contents timage003.jpg
Sep 1 12:28:44 jasper MailScanner[3865]: [ID 702911 mail.info] Message n81GShWn007050 has had TNEF winmail.dat removed
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Making attempt 2 at processing message n81GShWn007050
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Expanding TNEF archive at /var/spool/MailScanner/incoming/15474/n81GShWn007050/winmail.dat
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Message n81GShWn007050 added TNEF contents timage003.jpg
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Message n81GShWn007050 has had TNEF winmail.dat removed
Sep 1 12:38:39 jasper MailScanner[26970]: [ID 702911 mail.info] Making attempt 3 at processing message n81GShWn007050
Sep 1 12:38:39 jasper MailScanner[26970]: [ID 702911 mail.info] Expanding TNEF archive at /var/spool/MailScanner/incoming/26970/n81GShWn007050/winmail.dat
Sep 1 12:38:39 jasper MailScanner[26970]: [ID 702911 mail.info] Message n81GShWn007050 added TNEF contents timage003.jpg
Sep 1 12:38:39 jasper MailScanner[26970]: [ID 702911 mail.info] Message n81GShWn007050 has had TNEF winmail.dat removed
(etc)
Sep 1 12:47:59 jasper MailScanner[11155]: [ID 702911 mail.warning] Warning: skipping message n81GShWn007050 as it has been attempted too many times
Sep 1 12:47:59 jasper MailScanner[11155]: [ID 702911 mail.warning] Quarantined message n81GShWn007050 as it caused MailScanner to crash several times
Sep 1 12:47:59 jasper MailScanner[11155]: [ID 702911 mail.notice] Saved entire message to /var/spool/MailScanner/quarantine/20090901/n81GShWn007050

So I upgraded to 4.78.15 (remembering the blurbs about TNEF issues
recently), and things worked when this person resent their message.

My TNEF settings:

Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /opt/MailScanner/bin/tnef --maxsize=100000000
TNEF Timeout = 120

My setup: Solaris 10. So, thank you, your TNEF work on 4.78 has
helped a lonely Sun user.

Jeff Earickson
Colby College

From Kevin_Miller at ci.juneau.ak.us Tue Sep 1 22:28:10 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Sep 1 22:28:33 2009
Subject: Spamassassin rules
Message-ID: <4A09477D575C2C4B86497161427DD94C10EE646048@city-exchange07>

If I change a home grown spamassassin rule, do I need to restart MailScanner or are the sa rules read for each batch?

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From steve.freegard at fsl.com Tue Sep 1 22:44:13 2009
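The retry pattern in the log excerpt of the TNEF report above (the same message picked up by a new child every few minutes, then quarantined for crashing the scanner) can be picked out of syslog automatically. The following Python is an added example, not part of any post in this thread and not MailScanner code; the function names are hypothetical, and the three log lines for message n81GUxAb007777 are constructed.

```python
import re

# Syslog prefix. The "[ID n facility.level]" tag is Solaris syslog and optional.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+"
    r"(?:\[ID \d+ [\w.]+\]\s+)?(?P<msg>.*)$"
)

# Message texts as they appear in the log excerpt quoted in the post.
EVENTS = [
    ("retry", re.compile(r"Making attempt (?P<n>\d+) at processing message (?P<id>\S+)")),
    ("tnef_expand", re.compile(r"Expanding TNEF archive at \S+/(?P<id>[^/\s]+)/winmail\.dat")),
    ("tnef_added", re.compile(r"Message (?P<id>\S+) added TNEF contents")),
    ("tnef_removed", re.compile(r"Message (?P<id>\S+) has had TNEF \S+ removed")),
    ("gave_up", re.compile(r"skipping message (?P<id>\S+) as it has been attempted too many times")),
    ("crash_quarantine", re.compile(r"Quarantined message (?P<id>\S+) as it caused MailScanner to crash")),
    ("saved", re.compile(r"Saved entire message to (?P<path>\S*/(?P<id>[^/\s]+))$")),
]
WORK_EVENTS = {"retry", "tnef_expand", "tnef_added", "tnef_removed"}

# Lines for n81GShWn007050 are copied from the post; n81GUxAb007777 is constructed.
SAMPLE_LOG = """\
Sep 1 12:28:44 jasper MailScanner[3865]: [ID 702911 mail.info] Expanding TNEF archive at /var/spool/MailScanner/incoming/3865/n81GShWn007050/winmail.dat
Sep 1 12:28:44 jasper MailScanner[3865]: [ID 702911 mail.info] Message n81GShWn007050 added TNEF contents timage003.jpg
Sep 1 12:28:44 jasper MailScanner[3865]: [ID 702911 mail.info] Message n81GShWn007050 has had TNEF winmail.dat removed
Sep 1 12:30:01 jasper MailScanner[4001]: [ID 702911 mail.info] Expanding TNEF archive at /var/spool/MailScanner/incoming/4001/n81GUxAb007777/winmail.dat
Sep 1 12:30:01 jasper MailScanner[4001]: [ID 702911 mail.info] Message n81GUxAb007777 added TNEF contents notes.doc
Sep 1 12:30:01 jasper MailScanner[4001]: [ID 702911 mail.info] Message n81GUxAb007777 has had TNEF winmail.dat removed
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Making attempt 2 at processing message n81GShWn007050
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Expanding TNEF archive at /var/spool/MailScanner/incoming/15474/n81GShWn007050/winmail.dat
Sep 1 12:33:05 jasper MailScanner[15474]: [ID 702911 mail.info] Message n81GShWn007050 has had TNEF winmail.dat removed
Sep 1 12:38:39 jasper MailScanner[26970]: [ID 702911 mail.info] Making attempt 3 at processing message n81GShWn007050
Sep 1 12:38:39 jasper MailScanner[26970]: [ID 702911 mail.info] Message n81GShWn007050 has had TNEF winmail.dat removed
Sep 1 12:47:59 jasper MailScanner[11155]: [ID 702911 mail.warning] Warning: skipping message n81GShWn007050 as it has been attempted too many times
Sep 1 12:47:59 jasper MailScanner[11155]: [ID 702911 mail.warning] Quarantined message n81GShWn007050 as it caused MailScanner to crash several times
Sep 1 12:47:59 jasper MailScanner[11155]: [ID 702911 mail.notice] Saved entire message to /var/spool/MailScanner/quarantine/20090901/n81GShWn007050
"""


def analyse(lines):
    """Group MailScanner events by message id and rebuild each message's retry history."""
    records = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a MailScanner syslog line
        for kind, pattern in EVENTS:
            ev = pattern.search(m["msg"])
            if not ev:
                continue
            rec = records.setdefault(ev["id"], {
                "attempts": 1, "last_event_by_pid": {},
                "crash_quarantined": False, "quarantine_path": None,
            })
            # Each attempt runs in a different child, so the PID identifies the attempt.
            rec["last_event_by_pid"][m["pid"]] = kind
            if kind == "retry":
                rec["attempts"] = max(rec["attempts"], int(ev["n"]))
            elif kind == "crash_quarantine":
                rec["crash_quarantined"] = True
            elif kind == "saved":
                rec["quarantine_path"] = ev["path"]
            break
    return records


def crash_loops(records, min_attempts=2):
    """Return messages that were retried or quarantined for crashing the scanner."""
    flagged = []
    for msg_id in sorted(records):
        rec = records[msg_id]
        if rec["attempts"] < min_attempts and not rec["crash_quarantined"]:
            continue
        # Last step each worker child logged for this message before going silent;
        # the child that only reports the give-up/quarantine is left out.
        last_steps = {k for k in rec["last_event_by_pid"].values() if k in WORK_EVENTS}
        flagged.append({
            "id": msg_id,
            "attempts": rec["attempts"],
            "crash_quarantined": rec["crash_quarantined"],
            "quarantine_path": rec["quarantine_path"],
            "last_logged_step": sorted(last_steps),
        })
    return flagged


if __name__ == "__main__":
    for entry in crash_loops(analyse(SAMPLE_LOG.splitlines())):
        print(entry)
```

A message whose every attempt goes silent after the same logged step, as here after the TNEF removal, points at the processing stage that follows that step.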
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 1 22:44:24 2009
Subject: Spamassassin rules
In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE646048@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C10EE646048@city-exchange07>
Message-ID: <4A9D95AD.6020304@fsl.com>

Kevin Miller wrote:
> If I change a home grown spamassassin rule, do I need to restart MailScanner or are the sa rules read for each batch?

You need to reload MailScanner if you make changes to SA.

e.g.
service MailScanner reload
or
kill -HUP

Cheers,
Steve.

From ecasarero at gmail.com Tue Sep 1 22:46:35 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue Sep 1 22:46:45 2009
Subject: Spamassassin rules
In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE646048@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C10EE646048@city-exchange07>
Message-ID: <7d9b3cf20909011446yacbe48fw4ee1ffd45a1d21ae@mail.gmail.com>

2009/9/1 Kevin Miller

> If I change a home grown spamassassin rule, do I need to restart
> MailScanner or are the sa rules read for each batch?
>

No, MailScanner automatically restarts every child every 7200 secs (see
mailscanner.conf); in this restart it takes new rules from spamassassin. If
you have re2c, after a sa-compile you can send a restart to mailscanner.

>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Tue Sep 1 22:46:51 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Sep 1 22:47:03 2009 Subject: Selectively bypassing Bayes Message-ID: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07> I'm fighting a lot of joe-job blowback from Russia (still), and have been posting to the spamassassin list for some help. I enabled/configured the VBounce ruleset but it was suggested to me that I use that as a trigger to quarantine the messages but to not feed them to Bayes, since it could skew the results of legitimate NDRs. It was suggested that I use procmail to pre-sort the messages. My MailScanner boxes are just gateways, forwarding to an internal Exchange server and doesn't have any local mailboxes so I don't think procmail is the right tool. (If I'm wrong let me know.) I have a custom rule that examines the headers for .ru and ANY_BOUNCE_MESSAGE which comes from the VBounce ruleset. How to I tell MailScanner and/or spamassassin not to feed those messages to Bayes but still block them? Or can I even do that? Thanks much... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From steve.freegard at fsl.com Wed Sep 2 00:22:51 2009 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Sep 2 00:23:15 2009
Subject: Selectively bypassing Bayes
In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07>
Message-ID: <4A9DACCB.7050207@fsl.com>

Kevin Miller wrote:
> I'm fighting a lot of joe-job blowback from Russia (still), and have been posting to the spamassassin list for some help. I enabled/configured the VBounce ruleset but it was suggested to me that I use that as a trigger to quarantine the messages but to not feed them to Bayes, since it could skew the results of legitimate NDRs. It was suggested that I use procmail to pre-sort the messages. My MailScanner boxes are just gateways, forwarding to an internal Exchange server and doesn't have any local mailboxes so I don't think procmail is the right tool. (If I'm wrong let me know.)
>
> I have a custom rule that examines the headers for .ru and ANY_BOUNCE_MESSAGE which comes from the VBounce ruleset. How to I tell MailScanner and/or spamassassin not to feed those messages to Bayes but still block them? Or can I even do that?
>

Add:

tflags CUSTOM_RULE_NAME noautolearn

after your rule definition; it will not prevent auto-learning but it
will not include the score of your custom rule when calculating the
auto-learn thresholds.

See man Mail::SpamAssassin::Conf

From Kevin_Miller at ci.juneau.ak.us Wed Sep 2 00:31:22 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Sep 2 00:31:37 2009
Subject: Selectively bypassing Bayes
In-Reply-To: <4A9DACCB.7050207@fsl.com>
References: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07> <4A9DACCB.7050207@fsl.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C10EE64604C@city-exchange07>

Steve Freegard wrote:
>
> Add:
>
> tflags CUSTOM_RULE_NAME noautolearn
>
> after your rule definition; it will not prevent auto-learning but it
> will not include the score of your custom rule when calculating the
> auto-learn thresholds.
>
> See man Mail::SpamAssassin::Conf

Thanks Steve - much appreciated...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From maxsec at gmail.com Wed Sep 2 11:00:41 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Sep 2 11:00:50 2009 Subject: Selectively bypassing Bayes In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07> References: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07> Message-ID: <72cf361e0909020300n577a95f7k5fdef5a926be9e15@mail.gmail.com> Kevin if you mailScanner gateways also scan outgoing you can use the watermark feature of MailScanner to help remove this blow-back too. -- Martin Hepworth Oxford, UK 2009/9/1 Kevin Miller > I'm fighting a lot of joe-job blowback from Russia (still), and have been > posting to the spamassassin list for some help. I enabled/configured the > VBounce ruleset but it was suggested to me that I use that as a trigger to > quarantine the messages but to not feed them to Bayes, since it could skew > the results of legitimate NDRs. It was suggested that I use procmail to > pre-sort the messages. My MailScanner boxes are just gateways, forwarding > to an internal Exchange server and doesn't have any local mailboxes so I > don't think procmail is the right tool. (If I'm wrong let me know.) > > I have a custom rule that examines the headers for .ru and > ANY_BOUNCE_MESSAGE which comes from the VBounce ruleset. How to I tell > MailScanner and/or spamassassin not to feed those messages to Bayes but > still block them? Or can I even do that? > > Thanks much... > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090902/2125a1d3/attachment.html From Kevin_Miller at ci.juneau.ak.us Wed Sep 2 17:12:15 2009 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Sep 2 17:12:39 2009 Subject: Selectively bypassing Bayes In-Reply-To: <72cf361e0909020300n577a95f7k5fdef5a926be9e15@mail.gmail.com> References: <4A09477D575C2C4B86497161427DD94C10EE64604A@city-exchange07> <72cf361e0909020300n577a95f7k5fdef5a926be9e15@mail.gmail.com> Message-ID: <4A09477D575C2C4B86497161427DD94C10EE64604E@city-exchange07> At this point they don't, but I'll be building a new MailScanner box soon, as the distro it's on is now out of support. When I do I'm going to see about getting all my internal boxes pointed to it so I can watermark. It's a great feature that I probably should have jumped on long ago! The current box that I'll be replacing doesn't quite have the horsepower to send all my outbound mail through. Best... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: Wednesday, September 02, 2009 2:01 AM To: MailScanner discussion Subject: Re: Selectively bypassing Bayes Kevin if you mailScanner gateways also scan outgoing you can use the watermark feature of MailScanner to help remove this blow-back too. -- Martin Hepworth Oxford, UK 2009/9/1 Kevin Miller > I'm fighting a lot of joe-job blowback from Russia (still), and have been posting to the spamassassin list for some help. I enabled/configured the VBounce ruleset but it was suggested to me that I use that as a trigger to quarantine the messages but to not feed them to Bayes, since it could skew the results of legitimate NDRs. It was suggested that I use procmail to pre-sort the messages. My MailScanner boxes are just gateways, forwarding to an internal Exchange server and doesn't have any local mailboxes so I don't think procmail is the right tool. (If I'm wrong let me know.) I have a custom rule that examines the headers for .ru and ANY_BOUNCE_MESSAGE which comes from the VBounce ruleset. How to I tell MailScanner and/or spamassassin not to feed those messages to Bayes but still block them? Or can I even do that? Thanks much... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090902/f9dab5bd/attachment.html From joakim at cefalk.com Wed Sep 2 17:52:57 2009 
From: joakim at cefalk.com (Joakim Cefalk)
Date: Wed Sep 2 17:53:12 2009
Subject: Filling up logfile
Message-ID: <4A9EA2E9.5000309@cefalk.com>

My server crashed yesterday, when i have installed mailscanner on my new
machine i got a lot rows in my logfile. The text below are showing every
2-3 seconds in my logfile is this normal?

Sep 2 17:57:49 linux MailScanner[4739]: MailScanner E-Mail Virus Scanner version 4.77.10 starting...
Sep 2 17:57:49 linux MailScanner[4739]: Read 854 hostnames from the phishing whitelist
Sep 2 17:57:49 linux MailScanner[4739]: Read 10457 hostnames from the phishing blacklists
Sep 2 17:57:49 linux MailScanner[4739]: Using SpamAssassin results cache
Sep 2 17:57:49 linux MailScanner[4739]: Connected to SpamAssassin cache database
Sep 2 17:57:52 linux MailScanner[4739]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!

Joakim

From maxsec at gmail.com Wed Sep 2 20:04:45 2009
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Sep 2 20:04:54 2009 Subject: Filling up logfile In-Reply-To: <4A9EA2E9.5000309@cefalk.com> References: <4A9EA2E9.5000309@cefalk.com> Message-ID: <72cf361e0909021204j39b93232s5616244df20e52b1@mail.gmail.com> sounds like you've got problems with the mailscanner.conf file. what does "MailScanner --lint" show? 2009/9/2 Joakim Cefalk > > My server crashed yesterday, when i have installed mailscanner on my new > machine i got a lot rows in my logfile. The text below are showing every 2-3 > seconds in my logfile is this normal? > > Sep 2 17:57:49 linux MailScanner[4739]: MailScanner E-Mail Virus Scanner version 4.77.10 starting... > Sep 2 17:57:49 linux MailScanner[4739]: Read 854 hostnames from the phishing whitelist > Sep 2 17:57:49 linux MailScanner[4739]: Read 10457 hostnames from the phishing blacklists > Sep 2 17:57:49 linux MailScanner[4739]: Using SpamAssassin results cache > Sep 2 17:57:49 linux MailScanner[4739]: Connected to SpamAssassin cache database > Sep 2 17:57:52 linux MailScanner[4739]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! > > > > Joakim > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090902/64d941b7/attachment.html From Kevin_Miller at ci.juneau.ak.us Wed Sep 2 20:04:47 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Sep 2 20:05:02 2009
Subject: Uninstalling clamav
Message-ID: <4A09477D575C2C4B86497161427DD94C10EE646053@city-exchange07>

I originally installed clamav using Julian's combo package, but SUSE seems to be keeping up w/the clamav updates so am thinking of using the RPM version instead to take advantage of online updates. Currently I have clamav version .94 installed. I'd like to remove it before installing the rpm, to avoid conflicts. There doesn't seem to be an uninstall option in the setup script. What's the best way to uninstall the old version?

Thanks much...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From ssilva at sgvwater.com Wed Sep 2 20:35:12 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 2 20:35:43 2009
Subject: Uninstalling clamav
In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE646053@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C10EE646053@city-exchange07>
Message-ID:

on 9-2-2009 12:04 PM Kevin Miller spake the following:
> I originally installed clamav using Julian's combo package, but SUSE seems to be keeping up w/the clamav updates so am thinking of using the RPM version instead to take advantage of online updates. Currently I have clamav version .94 installed. I'd like to remove it before installing the rpm, to avoid conflicts. There doesn't seem to be an uninstall option in the setup script. What's the best way to uninstall the old version?
>
You could just remove the executables, the config files, and the libraries
manually. Maybe even the definitions.
Look at this for some ideas;
http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

From ssilva at sgvwater.com Wed Sep 2 20:49:50 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Sep 2 20:50:22 2009
Subject: Latest beta
Message-ID:

Do most of you consider the new beta pretty stable? Julian probably won't
release it as stable until the first of next month since the first of this
month is already gone by.

From jaearick at colby.edu Wed Sep 2 21:00:29 2009
From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Sep 2 21:01:23 2009 Subject: Latest beta In-Reply-To: References: Message-ID: Yes. My last jump from 78.9 to 78.15 fixed both the "TNEF replace" issues that a lot of people had (including me), and my earlier report of "MailScanner: waiting for children to die: ... Process did not exit cleanly, returned 2 with signal 0" issue. They were probably related. 78.15 has been smooth. Julian is probably wrapped up with beginning-of-semester stuff. Jeff Earickson Colby College On Wed, 2 Sep 2009, Scott Silva wrote: > Date: Wed, 02 Sep 2009 12:49:50 -0700 > From: Scott Silva > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: Latest beta > > Do most of you consider the new beta pretty stable? Julian probably won't > release it as stable until the first of next month since the first of this > month is already gone by. > > From joakim at cefalk.com Thu Sep 3 06:37:00 2009 
From: joakim at cefalk.com (Joakim Cefalk)
Date: Thu Sep 3 06:37:12 2009
Subject: Filling up logfile (Solved)
In-Reply-To: <72cf361e0909021204j39b93232s5616244df20e52b1@mail.gmail.com>
References: <4A9EA2E9.5000309@cefalk.com> <72cf361e0909021204j39b93232s5616244df20e52b1@mail.gmail.com>
Message-ID: <4A9F55FC.6010900@cefalk.com>

MailScanner --lint gives me this output.

Trying to setlogsock(unix)
Can't call method "close" on an undefined value at /opt/MailScanner/bin/mailscanner_create_locks line 47.
Error: Attempt to create locks in /var/spool/MailScanner/incoming/Locks failed!
Read 854 hostnames from the phishing whitelist
Read 10457 hostnames from the phishing blacklists
Checking version numbers...
Version number in MailScanner.conf (4.77.10) is correct.

Unrar is not installed, it should be in /usr/bin/unrar.
This is required for RAR archives to be read to check
filenames and filetypes. Virus scanning is not affected.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-linux-MailScanner-From

Cannot create temporary Work Dir /var/spool/MailScanner/incoming/26432. Are the permissions and ownership of /var/spool/MailScanner/incoming correct? at /opt/MailScanner/lib/MailScanner/WorkArea.pm line 151

My solution was to add "envelope_sender_header X-linux-MailScanner-From" to my spamassassin.prefs.conf

Thanks for the help.

Martin Hepworth wrote:
> sounds like you've got problems with the mailscanner.conf file.
>
> what does "MailScanner --lint" show?
>
> 2009/9/2 Joakim Cefalk
>
>
> My server crashed yesterday, when i have installed mailscanner on
> my new machine i got a lot rows in my logfile. The text below are
> showing every 2-3 seconds in my logfile is this normal?
>
> Sep 2 17:57:49 linux MailScanner[4739]: MailScanner E-Mail Virus Scanner version 4.77.10 starting...
> Sep 2 17:57:49 linux MailScanner[4739]: Read 854 hostnames from the phishing whitelist > Sep 2 17:57:49 linux MailScanner[4739]: Read 10457 hostnames from the phishing blacklists > Sep 2 17:57:49 linux MailScanner[4739]: Using SpamAssassin results cache > Sep 2 17:57:49 linux MailScanner[4739]: Connected to SpamAssassin cache database > Sep 2 17:57:52 linux MailScanner[4739]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! > > > > > Joakim > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > -- > Martin Hepworth > Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090903/0fcd7cf6/attachment.html From MailScanner at ecs.soton.ac.uk Thu Sep 3 09:08:36 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 3 09:08:55 2009 Subject: Latest beta In-Reply-To: References: <4A9F7984.2040501@ecs.soton.ac.uk> Message-ID: I'm not *yet* wrapped up with beginning-of-semester stuff, but will be soon! :-) I didn't want to do a stable release the day after I put out a bug-fix beta, as there could still have been other problems. If people would like me to do a stable release in a couple of weeks, then I could do that for you. Otherwise I'll just wait till the start of next month. Your thoughts? Cheers, Jules. On 02/09/2009 21:00, Jeff A. Earickson wrote: > Yes. My last jump from 78.9 to 78.15 fixed both the "TNEF replace" > issues that a lot of people had (including me), and my earlier report > of "MailScanner: waiting for children to die: ... Process did not > exit cleanly, returned 2 with signal 0" issue. They were probably > related. 78.15 has been smooth. > > Julian is probably wrapped up with beginning-of-semester stuff. > > Jeff Earickson > Colby College > > On Wed, 2 Sep 2009, Scott Silva wrote: > >> Date: Wed, 02 Sep 2009 12:49:50 -0700 
>> From: Scott Silva >> Reply-To: MailScanner discussion >> To: mailscanner@lists.mailscanner.info >> Subject: Latest beta >> >> Do most of you consider the new beta pretty stable? Julian probably >> won't >> release it as stable until the first of next month since the first of >> this >> month is already gone by. >> >> Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Thu Sep 3 09:37:10 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 3 09:37:19 2009 Subject: Latest beta In-Reply-To: References: <4A9F7984.2040501@ecs.soton.ac.uk> Message-ID: <223f97700909030137o732b1c52w80fee19dfc549cc1@mail.gmail.com> 2009/9/3 Julian Field : > I'm not *yet* wrapped up with beginning-of-semester stuff, but will be soon! > :-) > > I didn't want to do a stable release the day after I put out a bug-fix beta, > as there could still have been other problems. If people would like me to do > a stable release in a couple of weeks, then I could do that for you. > > Otherwise I'll just wait till the start of next month. > > Your thoughts? > > Cheers, > Jules. ... There's not that much difference between the two...;-). Personally, I'd love a new stable very soon, since I'll have a slot for upgrade'n'all next week:D. But if the choice is between two or four weeks, it just don't matter much:). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Sep 3 19:13:14 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 3 19:13:56 2009 Subject: Latest beta In-Reply-To: <223f97700909030137o732b1c52w80fee19dfc549cc1@mail.gmail.com> References: <4A9F7984.2040501@ecs.soton.ac.uk> <223f97700909030137o732b1c52w80fee19dfc549cc1@mail.gmail.com> Message-ID: on 9-3-2009 1:37 AM Glenn Steen spake the following: > 2009/9/3 Julian Field : >> I'm not *yet* wrapped up with beginning-of-semester stuff, but will be soon! >> :-) >> >> I didn't want to do a stable release the day after I put out a bug-fix beta, >> as there could still have been other problems. If people would like me to do >> a stable release in a couple of weeks, then I could do that for you. >> >> Otherwise I'll just wait till the start of next month. >> >> Your thoughts? >> >> Cheers, >> Jules. > > ... There's not that much difference between the two...;-). > Personally, I'd love a new stable very soon, since I'll have a slot > for upgrade'n'all next week:D. But if the choice is between two or > four weeks, it just don't matter much:). > > Cheers I was just going to wait a week or so to see if there are any bugs reported. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090903/58d76965/signature.bin From rlopezcnm at gmail.com Thu Sep 3 19:18:41 2009 
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Thu Sep 3 19:18:50 2009
Subject: BAD FILENAME DETECTED: something.[common-extension].pdf
Message-ID:

In watching all the BAD FILENAME DETECTED emails MailScanner sends to
Postmaster ( Doing a wonderful job! ) I have noticed a lot of files
that have that last ".pdf" after ".doc", ".docx", ".xls", etc.

What is bothering me there are so many coming from US government agencies.

Is there any chance some applications used by government agencies
actually produce files named like these?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From Kevin_Miller at ci.juneau.ak.us Thu Sep 3 19:36:29 2009
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 3 19:36:40 2009
Subject: BAD FILENAME DETECTED: something.[common-extension].pdf
In-Reply-To:
References:
Message-ID: <4A09477D575C2C4B86497161427DD94C10EE646067@city-exchange07>

Most likely user error. Well, not error exactly, but user generated. There are any number of tools out there such as pdf995 or pdfCreator that will allow you to "print" a document to a pdf file. (Openoffice will export to a .pdf w/o a "printer" driver.) Makes it easy to share something in a universal format.

What happens is users name their document "MyImportStuff.doc" then print/export to pdf via some mechanism which takes the original document name and appends .pdf to the end. Presto, it becomes MyImportStuff.doc.pdf, MailScanner steps on it, and Linux users the world over have a good chuckle at the foolishness of Microsoft for hiding file extensions by default, thus making social engineering exploits that much easier for the bad guys...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Robert Lopez Sent: Thursday, September 03, 2009 10:19 AM To: MailScanner discussion Subject: BAD FILENAME DETECTED: something.[common-extension].pdf In watching all the BAD FILENAME DETECTED emails MailScanner sends to Postmaster ( Doing a wonderful job! ) I have noticed a lot of files that have that last ".pdf" after ".doc", ".docx", ".xls", etc. What is bothering me there are so many coming from US government agencies. Is there any chance some applications used by government agencies actually produce files named like these? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rlopezcnm at gmail.com Thu Sep 3 19:45:25 2009 
From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu Sep 3 19:45:34 2009 Subject: BAD FILENAME DETECTED: something.[common-extension].pdf In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE646067@city-exchange07> References: <4A09477D575C2C4B86497161427DD94C10EE646067@city-exchange07> Message-ID: On Thu, Sep 3, 2009 at 12:36 PM, Kevin Miller wrote: > Most likely user error. Well, not error exactly, but user generated. There are any number of tools out there such as pdf995 or pdfCreator that will allow you to "print" a document to a pdf file. (Openoffice will export to a .pdf w/o a "printer" driver.) Makes it easy to share something in a universal format. > > What happens is users name their document "MyImportStuff.doc" then print/export to pdf via some mechanism which takes the original document name and appends .pdf to the end. Presto, it becomes MyImportStuff.doc.pdf, MailScanner steps on it, and Linux users the world over have a good chuckle at the foolishness of Microsoft for hiding file extensions by default, thus making social engineering exploits that much easier for the bad guys... > > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Robert Lopez > Sent: Thursday, September 03, 2009 10:19 AM > To: MailScanner discussion > Subject: BAD FILENAME DETECTED: something.[common-extension].pdf > > In watching all the BAD FILENAME DETECTED emails MailScanner sends to Postmaster ( Doing a wonderful job! ) I have noticed a lot of files that have that last ".pdf" after ".doc", ".docx", ".xls", etc. > > What is bothering me there are so many coming from US government agencies. > > Is there any chance some applications used by government agencies actually produce files named like these? > > -- > Robert Lopez > Unix Systems Administrator > Central New Mexico Community College (CNM) > 525 Buena Vista SE > Albuquerque, New Mexico 87106 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Thanks Kevin. So I should be concerned I will sooner or later get complaints as this may be interfering in business. At first thoughts I do not want to change the file name rule but I may have to white list those government agencies. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From Kevin_Miller at ci.juneau.ak.us Thu Sep 3 20:07:18 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Sep 3 20:07:28 2009 Subject: BAD FILENAME DETECTED: something.[common-extension].pdf In-Reply-To: References: <4A09477D575C2C4B86497161427DD94C10EE646067@city-exchange07> Message-ID: <4A09477D575C2C4B86497161427DD94C10EE646069@city-exchange07> Robert Lopez wrote: > > Thanks Kevin. So I should be concerned I will sooner or later get > complaints as this may be interfering in business. > > At first thoughts I do not want to change the file name rule but I > may have to white list those government agencies. So far I've just explained to the sender why it's a good idea for them to change their filenames. Guess I could add an exception to filename.rules.conf but there are .pdf exploits so I kind of hesitate to. If you get enough flak for pushing the problem back on the source, you could create a ruleset for the particular .gov (sub)domains and add that into fileame.rules. Best... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From lists at designmedia.com Thu Sep 3 23:15:23 2009 From: lists at designmedia.com (Henry Kwan) Date: Thu Sep 3 23:15:57 2009 Subject: Password-protected Archvies aren't saved? Message-ID: Hi, I was testing my MailScanner config (delivers to Exchange 2007 on the backend) and noticed that whenever I send a password protected archive, MailScanner detects it and sends me a "The following e-mails were found to have: Other Bad Content Detected : Password-protected Archive Detected" message with the headers but then doesn't quarantine the file or make it available for recovery. Is there a way to recover the archive once MailScanner detects it or is is gone forever? Thanks. From maxsec at gmail.com Fri Sep 4 08:29:03 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Sep 4 08:29:12 2009 Subject: Password-protected Archvies aren't saved? In-Reply-To: References: Message-ID: <72cf361e0909040029w1c87dfcan3630bb0547586210@mail.gmail.com> 2009/9/3 Henry Kwan > Hi, > > I was testing my MailScanner config (delivers to Exchange 2007 on the > backend) > and noticed that whenever I send a password protected archive, MailScanner > detects it and sends me a "The following e-mails were found to have: Other > Bad > Content Detected : Password-protected Archive Detected" message with the > headers > but then doesn't quarantine the file or make it available for recovery. > > Is there a way to recover the archive once MailScanner detects it or is is > gone > forever? > > Thanks. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Henry check your "Quarantine Silent Viruses" and "Maximum Archive Depth" settings in MailScanner.conf. I'd also check if you archive all email then the email will be in there too. -- Martin Hepworth Oxford, UK From glenn.steen at gmail.com Fri Sep 4 08:52:58 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 4 08:53:09 2009 Subject: BAD FILENAME DETECTED: something.[common-extension].pdf In-Reply-To: <4A09477D575C2C4B86497161427DD94C10EE646069@city-exchange07> References: <4A09477D575C2C4B86497161427DD94C10EE646067@city-exchange07> <4A09477D575C2C4B86497161427DD94C10EE646069@city-exchange07> Message-ID: <223f97700909040052h22473acap90cd376d2e32a9c4@mail.gmail.com> 2009/9/3 Kevin Miller : > Robert Lopez wrote: >> >> Thanks Kevin. So I should be concerned I will sooner or later get >> complaints as this may be interfering in business. >> >> At first thoughts I do not want to change the file name rule but I >> may have to white list those government agencies. > > So far I've just explained to the sender why it's a good idea for them to change their filenames. > > Guess I could add an exception to filename.rules.conf but there are .pdf exploits so I kind of hesitate to. If you get enough flak for pushing the problem back on the source, you could create a ruleset for the particular .gov (sub)domains and add that into fileame.rules. > > Best... > > ...Kevin You can actually put something like: # Allow .doc.pdf ... Bloody MorganStanley allow \.[a-z0-9]{3,4}\.pdf$ - - just above the double extension test in filename.rules.conf (adjust the comment to suit your irritant;-):-) ... There's also a standard example in there, from Jules, on how to do this (the .doc and .doc thing). Be careful to separate columns with characters, and be sure to run "MailScanner --lint" after doing your edits ... and you should be fine. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Sep 4 09:08:23 2009 
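Added example, not part of the thread and not MailScanner's own code: a first-match evaluation of the rule ordering described in the message above, showing which names the allow line exempts and which still reach the double extension test. The deny regex is a constructed stand-in for that test, and the tab-separated four-column layout, case-insensitive matching and accept-when-nothing-matches default are assumptions of this sketch.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "lineno action regex log_text")

# The allow line from the message above, columns joined with tabs (assumed separator).
ALLOW_PDF = "\t".join(["allow", r"\.[a-z0-9]{3,4}\.pdf$", "-", "-"])
# Constructed stand-in for the double extension test (not copied from a shipped file).
DENY_DOUBLE = "\t".join(["deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
                         "Found possible filename hiding",
                         "Attempt to hide real filename extension"])

# Constructed rule files: allow above the deny, allow below it, deny alone,
# and the allow line typed with spaces instead of tabs.
RULES_ALLOW_FIRST = "\n".join(["# Allow print-to-PDF names such as .doc.pdf",
                               ALLOW_PDF,
                               "# Double extension test (stand-in)",
                               DENY_DOUBLE])
RULES_ALLOW_LAST = "\n".join([DENY_DOUBLE, ALLOW_PDF])
RULES_DENY_ONLY = DENY_DOUBLE
RULES_SPACES = "allow \\.[a-z0-9]{3,4}\\.pdf$ - -\n" + DENY_DOUBLE


def parse_rules(text):
    """Return (rules, problems); problems lists (lineno, reason) for skipped lines."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Runs of tabs count as one separator, so aligned columns still parse.
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 4:
            problems.append((lineno, "expected 4 tab-separated fields, got %d"
                             % len(fields)))
            continue
        action, pattern, log_text, _report_text = fields
        if action not in ("allow", "deny"):
            problems.append((lineno, "unknown action %r" % action))
            continue
        try:
            regex = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            problems.append((lineno, "bad regex: %s" % exc))
            continue
        rules.append(Rule(lineno, action, regex, log_text))
    return rules, problems


def check_filename(rules, name):
    """First matching rule decides; returns (action, lineno or None)."""
    for rule in rules:
        if rule.regex.search(name):
            return rule.action, rule.lineno
    return "allow", None  # assumed default when no rule matches


def verdicts(rules_text, names):
    """Convenience wrapper: map each attachment name to its action."""
    rules, _problems = parse_rules(rules_text)
    return {name: check_filename(rules, name)[0] for name in names}


if __name__ == "__main__":
    # Constructed attachment names for the demonstration.
    samples = ["MyImportStuff.doc.pdf", "budget.xlsx.pdf", "report.pdf",
               "invoice.pdf.exe", "setup.exe.pdf"]
    for label, text in [("allow first", RULES_ALLOW_FIRST),
                        ("allow last", RULES_ALLOW_LAST),
                        ("deny only", RULES_DENY_ONLY),
                        ("spaces, not tabs", RULES_SPACES)]:
        print(label, verdicts(text, samples), parse_rules(text)[1])
```

The allow line exempts any name ending in a three or four character extension followed by .pdf, including setup.exe.pdf, and it only skips the filename test, so attachment content still depends on the other scanning stages.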
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 4 09:08:46 2009 Subject: Password-protected Archvies aren't saved? In-Reply-To: <72cf361e0909040029w1c87dfcan3630bb0547586210@mail.gmail.com> References: <72cf361e0909040029w1c87dfcan3630bb0547586210@mail.gmail.com> <4AA0CAF7.7030301@ecs.soton.ac.uk> Message-ID: On 04/09/2009 08:29, Martin Hepworth wrote: > > > 2009/9/3 Henry Kwan > > > Hi, > > I was testing my MailScanner config (delivers to Exchange 2007 on > the backend) > and noticed that whenever I send a password protected archive, > MailScanner > detects it and sends me a "The following e-mails were found to > have: Other Bad > Content Detected : Password-protected Archive Detected" message > with the headers > but then doesn't quarantine the file or make it available for > recovery. > > Is there a way to recover the archive once MailScanner detects it > or is is gone > forever? > > Thanks. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Henry > > check your "Quarantine Silent Viruses" and "Maximum Archive > Depth"settings in MailScanner.conf.* > > *I'd also check if you archive all email then the email will be in > there too. > ** Also, to make it keep the Password-Protected Archives in future, you might want to read the comments above the "Silent Viruses" and "Non-Forging Viruses" settings as well, and possibly add "Zip-Password" to the "Non-Forging Viruses" list. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Sep 4 09:21:43 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 4 09:22:06 2009 Subject: Latest beta In-Reply-To: References: <4A9F7984.2040501@ecs.soton.ac.uk> <223f97700909030137o732b1c52w80fee19dfc549cc1@mail.gmail.com> <4AA0CE17.7010600@ecs.soton.ac.uk> Message-ID: On 03/09/2009 19:13, Scott Silva wrote: > on 9-3-2009 1:37 AM Glenn Steen spake the following: > >> 2009/9/3 Julian Field: >> >>> I'm not *yet* wrapped up with beginning-of-semester stuff, but will be soon! >>> :-) >>> >>> I didn't want to do a stable release the day after I put out a bug-fix beta, >>> as there could still have been other problems. If people would like me to do >>> a stable release in a couple of weeks, then I could do that for you. >>> >>> Otherwise I'll just wait till the start of next month. >>> >>> Your thoughts? >>> >>> Cheers, >>> Jules. >>> >> ... There's not that much difference between the two...;-). >> Personally, I'd love a new stable very soon, since I'll have a slot >> for upgrade'n'all next week:D. But if the choice is between two or >> four weeks, it just don't matter much:). >> >> Cheers >> > I was just going to wait a week or so to see if there are any bugs reported. > > Me too! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From c.granisso at dnshosting.it Fri Sep 4 09:47:28 2009 
From: c.granisso at dnshosting.it (Carlo Granisso) Date: Fri Sep 4 09:47:34 2009 Subject: RBL configuration problem Message-ID: <200909040847.n848lP6n015571@safir.blacknight.ie> Hello every body, I've a system with lot of incoming mail. I've added RBL checks on postfix but I'd like to itegrate them into MailScanner.conf to give ability to our clients to enable/disable filtering through MailWatch. Now I've this configuration: # # Spam Detection and Virus Scanner Definitions # -------------------------------------------- # # This is the name of the file that translates the names of the "Spam List" # values to the real DNS names of the spam blacklists. Spam List Definitions = %etc-dir%/spam.lists.conf # This is the name of the file that translates the names of the virus # scanners into the commands that have to be run to do the actual scanning. Virus Scanner Definitions = %etc-dir%/virus.scanners.conf # # Spam Detection and Spam Lists (DNS blocklists) # ---------------------------------------------- # # Do you want to check messages to see if they are spam? # Note: If you switch this off then *no* spam checks will be done at all. # This includes both MailScanner's own checks and SpamAssassin. # If you want to just disable the "Spam List" feature then set # "Spam List =" (i.e. an empty list) in the setting below. # This can also be the filename of a ruleset. Spam Checks = yes # This is the list of spam blacklists (RBLs) which you are using. # See the "Spam List Definitions" file for more information about what # you can put here. # This can also be the filename of a ruleset. # spamhaus-ZEN is NOT FREE for commercial/government users. Please # see http://www.spamhaus.org Spam List = BACKSCATTER spamcop.net BARRACUDA SPAM-CANNIB SORBS-RHSBL Of course in spam.lists.conf I've defined them (and disabled from postfix) but seems that MailScanner doesn't perform checks. I must change other parameters? 
Thanks, Carlo From MailScanner at ecs.soton.ac.uk Fri Sep 4 10:06:43 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 4 10:07:04 2009 Subject: RBL configuration problem In-Reply-To: <200909040847.n848lP6n015571@safir.blacknight.ie> References: <200909040847.n848lP6n015571@safir.blacknight.ie> <4AA0D8A3.80400@ecs.soton.ac.uk> Message-ID: On 04/09/2009 09:47, Carlo Granisso wrote: > Hello every body, I've a system with lot of incoming mail. I've added > RBL checks on postfix but I'd like to itegrate them into > MailScanner.conf to give ability to our clients to enable/disable > filtering through MailWatch. > Now I've this configuration: > # > # Spam Detection and Virus Scanner Definitions > # -------------------------------------------- > # > # This is the name of the file that translates the names of the "Spam > List" > # values to the real DNS names of the spam blacklists. > Spam List Definitions = %etc-dir%/spam.lists.conf > # This is the name of the file that translates the names of the virus > # scanners into the commands that have to be run to do the actual > scanning. > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf > # > # Spam Detection and Spam Lists (DNS blocklists) > # ---------------------------------------------- > # > # Do you want to check messages to see if they are spam? > # Note: If you switch this off then *no* spam checks will be done at all. > # This includes both MailScanner's own checks and SpamAssassin. > # If you want to just disable the "Spam List" feature then set > # "Spam List =" (i.e. an empty list) in the setting below. > # This can also be the filename of a ruleset. > Spam Checks = yes > # This is the list of spam blacklists (RBLs) which you are using. > # See the "Spam List Definitions" file for more information about what > # you can put here. > # This can also be the filename of a ruleset. > # spamhaus-ZEN is NOT FREE for commercial/government users. 
Please > # see http://www.spamhaus.org > Spam List = BACKSCATTER spamcop.net BARRACUDA SPAM-CANNIB SORBS-RHSBL > Of course in spam.lists.conf I've defined them (and disabled from > postfix) but seems that MailScanner doesn't perform checks. > I must change other parameters? Do you have sensible settings for Spam Lists To Be Spam = Check SpamAssassin If On Spam List = ? Did you do a "service MailScanner reload" after changing the MailScanner.conf file? Do your logs mention the spam lists at all? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From c.granisso at dnshosting.it Fri Sep 4 10:58:35 2009 
From: c.granisso at dnshosting.it (Carlo Granisso) Date: Fri Sep 4 10:58:42 2009 Subject: R: RBL configuration problem In-Reply-To: Message-ID: <200909040958.n849wYQi019442@safir.blacknight.ie> "Spam Lists To Be Spam" isn't present in my configuration. "Check SpamAssassin If On Spam List" was "yes" now is "no". Of course I've restarted MailScanner and in logs I haven't mention of BL... Thanks for your help. Carlo -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, 4 September 2009 11.07 To: MailScanner discussion Subject: Re: RBL configuration problem On 04/09/2009 09:47, Carlo Granisso wrote: > Hello every body, I've a system with lot of incoming mail. I've added > RBL checks on postfix but I'd like to itegrate them into > MailScanner.conf to give ability to our clients to enable/disable > filtering through MailWatch. > Now I've this configuration: > # > # Spam Detection and Virus Scanner Definitions # > -------------------------------------------- > # > # This is the name of the file that translates the names of the "Spam > List" > # values to the real DNS names of the spam blacklists. > Spam List Definitions = %etc-dir%/spam.lists.conf # This is the name > of the file that translates the names of the virus # scanners into the > commands that have to be run to do the actual scanning. > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf # # Spam > Detection and Spam Lists (DNS blocklists) # > ---------------------------------------------- > # > # Do you want to check messages to see if they are spam? > # Note: If you switch this off then *no* spam checks will be done at all. > # This includes both MailScanner's own checks and SpamAssassin. > # If you want to just disable the "Spam List" feature then set > # "Spam List =" (i.e. an empty list) in the setting below. > # This can also be the filename of a ruleset. 
> Spam Checks = yes > # This is the list of spam blacklists (RBLs) which you are using. > # See the "Spam List Definitions" file for more information about what > # you can put here. > # This can also be the filename of a ruleset. > # spamhaus-ZEN is NOT FREE for commercial/government users. Please # > see http://www.spamhaus.org Spam List = BACKSCATTER spamcop.net > BARRACUDA SPAM-CANNIB SORBS-RHSBL Of course in spam.lists.conf I've > defined them (and disabled from > postfix) but seems that MailScanner doesn't perform checks. > I must change other parameters? Do you have sensible settings for Spam Lists To Be Spam = Check SpamAssassin If On Spam List = ? Did you do a "service MailScanner reload" after changing the MailScanner.conf file? Do your logs mention the spam lists at all? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.409 / Virus Database: 270.13.76/2343 - Release Date: 09/04/09 05:51:00 From MailScanner at ecs.soton.ac.uk Fri Sep 4 11:09:46 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 4 11:10:10 2009 Subject: R: RBL configuration problem In-Reply-To: <200909040958.n849wYQi019442@safir.blacknight.ie> References: <200909040958.n849wYQi019442@safir.blacknight.ie> <4AA0E76A.3010809@ecs.soton.ac.uk> Message-ID: On 04/09/2009 10:58, Carlo Granisso wrote: > "Spam Lists To Be Spam" isn't present in my configuration. > In which case you need to run "upgrade_MailScanner_conf" and follow the instructions. If you're missing that one, you are probably missing a whole bunch of settings! > "Check SpamAssassin If On Spam List" was "yes" now is "no". > > Of course I've restarted MailScanner and in logs I haven't mention of BL... > That would tend to imply your definitions are wrong. What do the relevant bits of your spam.lists.conf say? > > Thanks for your help. > > > Carlo > > -----Messaggio originale----- > Da: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Julian > Field > Inviato: venerd? 4 settembre 2009 11.07 > A: MailScanner discussion > Oggetto: Re: RBL configuration problem > > > > On 04/09/2009 09:47, Carlo Granisso wrote: > >> Hello every body, I've a system with lot of incoming mail. I've added >> RBL checks on postfix but I'd like to itegrate them into >> MailScanner.conf to give ability to our clients to enable/disable >> filtering through MailWatch. >> Now I've this configuration: >> # >> # Spam Detection and Virus Scanner Definitions # >> -------------------------------------------- >> # >> # This is the name of the file that translates the names of the "Spam >> List" >> # values to the real DNS names of the spam blacklists. >> Spam List Definitions = %etc-dir%/spam.lists.conf # This is the name >> of the file that translates the names of the virus # scanners into the >> commands that have to be run to do the actual scanning. 
>> Virus Scanner Definitions = %etc-dir%/virus.scanners.conf # # Spam >> Detection and Spam Lists (DNS blocklists) # >> ---------------------------------------------- >> # >> # Do you want to check messages to see if they are spam? >> # Note: If you switch this off then *no* spam checks will be done at all. >> # This includes both MailScanner's own checks and SpamAssassin. >> # If you want to just disable the "Spam List" feature then set >> # "Spam List =" (i.e. an empty list) in the setting below. >> # This can also be the filename of a ruleset. >> Spam Checks = yes >> # This is the list of spam blacklists (RBLs) which you are using. >> # See the "Spam List Definitions" file for more information about what >> # you can put here. >> # This can also be the filename of a ruleset. >> # spamhaus-ZEN is NOT FREE for commercial/government users. Please # >> see http://www.spamhaus.org Spam List = BACKSCATTER spamcop.net >> BARRACUDA SPAM-CANNIB SORBS-RHSBL Of course in spam.lists.conf I've >> defined them (and disabled from >> postfix) but seems that MailScanner doesn't perform checks. >> I must change other parameters? >> > Do you have sensible settings for > Spam Lists To Be Spam = > Check SpamAssassin If On Spam List = > ? > Did you do a "service MailScanner reload" after changing the > MailScanner.conf file? > > Do your logs mention the spam lists at all? > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me > at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > No virus found in this incoming message. > Checked by AVG - www.avg.com > Version: 8.5.409 / Virus Database: 270.13.76/2343 - Release Date: 09/04/09 > 05:51:00 > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From lists at elasticmind.net Fri Sep 4 11:59:04 2009 
From: lists at elasticmind.net (Mog) Date: Fri Sep 4 11:59:22 2009 Subject: image spam again :) In-Reply-To: References: <768671.54354.qm@web33302.mail.mud.yahoo.com> <72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com> Message-ID: <4AA0F2F8.6020709@elasticmind.net> Richard Mealing wrote: > > Hi Martin, > > Thanks for this, sorry if I'm being stupid, but I'm using freebsd and > I've updated my port tree, however I don't see the latest version in > there - > > less distinfo > > MD5 (MailScanner-install-4.60.5-1.tar.gz) = > cf1e87131f90ff7f43e1f4c1d787a245 > > SHA256 (MailScanner-install-4.60.5-1.tar.gz) = > 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 > > SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 > > Can this be updated? > > Rich > Indeed, the MailScanner port is getting a little out of date again. Yes it should be periodically updated, but unfortunately the maintainer of the MailScanner port is AWOL and doesn't respond to emails, meaning that the MailScanner port is currently not being maintained. Maintaining FreeBSD ports requires a basic working knowledge of the ports system and the program in question (MailScanner in this case), and of course, the free time necessary to update and check the port works before submitting a patch to the committers. Sadly, as of yet, no one with the free time/skills has volunteered to help with this. From maxsec at gmail.com Fri Sep 4 12:24:24 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Sep 4 12:24:34 2009 Subject: image spam again :) In-Reply-To: <4AA0F2F8.6020709@elasticmind.net> References: <768671.54354.qm@web33302.mail.mud.yahoo.com> <72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com> <4AA0F2F8.6020709@elasticmind.net> Message-ID: <72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com> 2009/9/4 Mog > Richard Mealing wrote: > >> >> Hi Martin, >> >> Thanks for this, sorry if I?m being stupid, but I?m using freebsd and I?ve >> updated my port tree, however I don?t see the latest version in there ? >> >> less distinfo >> >> MD5 (MailScanner-install-4.60.5-1.tar.gz) = >> cf1e87131f90ff7f43e1f4c1d787a245 >> >> SHA256 (MailScanner-install-4.60.5-1.tar.gz) = >> 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 >> >> SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 >> >> Can this be updated? >> >> Rich >> >> > Indeed, the MailScanner port is getting a little out of date again. Yes it > should be periodically updated, but unfortunately the maintainer of the > MailScanner port is AWOL and doesn't respond to emails, meaning that the > MailScanner port is currently not being maintained. > > Maintaining FreeBSD ports requires a basic working knowledge of the ports > system and the program in question (MailScanner in this case), and of > course, the free time necessary to update and check the port works before > submitting a patch to the committers. Sadly, as of yet, no one with the free > time/skills has volunteered to help with this. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Some did do an independant update for the FreeBSD port a while ago (see the archives of this list). 
But in the mean-time if you want to keep up-to date and esp with the beta's you'll need to use the generic tar.gz installer instead. -- Martin Hepworth Oxford, UK From richard at fastnet.co.uk Fri Sep 4 12:53:07 2009 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri Sep 4 12:52:45 2009 Subject: image spam again :) In-Reply-To: <72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com> References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net> <72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com> Message-ID: 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 04 September 2009 12:24 To: MailScanner discussion Subject: Re: image spam again :) 2009/9/4 Mog Richard Mealing wrote: Hi Martin, Thanks for this, sorry if I'm being stupid, but I'm using freebsd and I've updated my port tree, however I don't see the latest version in there - less distinfo MD5 (MailScanner-install-4.60.5-1.tar.gz) = cf1e87131f90ff7f43e1f4c1d787a245 SHA256 (MailScanner-install-4.60.5-1.tar.gz) = 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 Can this be updated? Rich Indeed, the MailScanner port is getting a little out of date again. Yes it should be periodically updated, but unfortunately the maintainer of the MailScanner port is AWOL and doesn't respond to emails, meaning that the MailScanner port is currently not being maintained. Maintaining FreeBSD ports requires a basic working knowledge of the ports system and the program in question (MailScanner in this case), and of course, the free time necessary to update and check the port works before submitting a patch to the committers. Sadly, as of yet, no one with the free time/skills has volunteered to help with this. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Some did do an independant update for the FreeBSD port a while ago (see the archives of this list). But in the mean-time if you want to keep up-to date and esp with the beta's you'll need to use the generic tar.gz installer instead. -- Martin Hepworth Oxford, UK Hi Martin, I did try that but it's an rpm and you can't install that on freebsd. Do you think the mailscanner port (non beta) will update next time it's released? 
I did contact the maintainer and he told me I could do it, but I'm new to all this (I'm still learning) I don't think I have the skills to do it. I can't wait to add sanesecurity to my config, it's just awesome from my testing last week. Many thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/b623d11d/attachment.html From maxsec at gmail.com Fri Sep 4 13:18:53 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Sep 4 13:19:02 2009 Subject: image spam again :) In-Reply-To: References: <768671.54354.qm@web33302.mail.mud.yahoo.com> <72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com> <4AA0F2F8.6020709@elasticmind.net> <72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com> Message-ID: <72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> 2009/9/4 Richard Mealing > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Martin Hepworth > *Sent:* 04 September 2009 12:24 > *To:* MailScanner discussion > *Subject:* Re: image spam again :) > > > > > > 2009/9/4 Mog > > Richard Mealing wrote: > > > Hi Martin, > > Thanks for this, sorry if I'm being stupid, but I'm using freebsd and I've > updated my port tree, however I don't see the latest version in there - > > less distinfo > > MD5 (MailScanner-install-4.60.5-1.tar.gz) = > cf1e87131f90ff7f43e1f4c1d787a245 > > SHA256 (MailScanner-install-4.60.5-1.tar.gz) = > 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 > > SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 > > Can this be updated? > > Rich > > > > Indeed, the MailScanner port is getting a little out of date again. Yes it > should be periodically updated, but unfortunately the maintainer of the > MailScanner port is AWOL and doesn't respond to emails, meaning that the > MailScanner port is currently not being maintained. > > Maintaining FreeBSD ports requires a basic working knowledge of the ports > system and the program in question (MailScanner in this case), and of > course, the free time necessary to update and check the port works before > submitting a patch to the committers. Sadly, as of yet, no one with the free > time/skills has volunteered to help with this.
> -- > > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Some did do an independent update for the FreeBSD port a while ago (see the > archives of this list). But in the mean-time if you want to keep up-to date > and esp with the beta's you'll need to use the generic tar.gz installer > instead. > > -- > Martin Hepworth > Oxford, UK > > > > > > Hi Martin, > > > > I did try that but it's an rpm and you can't install that on freebsd. Do > you think the mailscanner port (non beta) will update next time it's > released? > > > > I did contact the maintainer and he told me I could do it, but I'm new to > all this (I'm still learning) I don't think I have the skills to do it. > > > > I can't wait to add sanesecurity to my config, it's just awesome from my > testing last week. > > > > Many thanks, > > Rich > > > > Richard no the generic unix installer...not the RPM version ;-) Stable - Version 4.77.10-1 for RedHat, CentOS, and Fedora Linux (and other RPM-based Linux distributions) (PGP signature) - Version 4.77.10-1 for SuSE (PGP signature) - Version 4.77.10-1 for Solaris / BSD / Other Linux / Other Unix <********************************************** (PGP signature) - Debian Linux package and the init.d script from it - Latest "port" for FreeBSD - Please read the instructions - Solaris OpenCSW package - ClamAV 0.95.2 and SpamAssassin 3.2.5 easy installation package. Each of the packages above is a compressed tar file. Download it, unpack it (with "tar xzvf **.tar.gz") and run the "install.sh" script in it.
Version 4.75 - Version 4.75.11-1 for RedHat, CentOS, and Fedora Linux (and other RPM-based Linux distributions) - Version 4.75.11-1 for SuSE - Version 4.75.11-1 for Solaris / BSD / Other Linux / Other Unix Beta - Version 4.78.15-1 for RedHat, CentOS and Fedora Linux (and other RPM-based Linux distributions) - Version 4.78.15-1 for SuSE Linux - Version 4.78.15-1 for Solaris / BSD / Other Linux / Other Unix <**************************************************** - Latest FreeBSD beta release "port" -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/96193aea/attachment.html From richard at fastnet.co.uk Fri Sep 4 13:43:27 2009 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri Sep 4 13:43:03 2009 Subject: image spam again :) In-Reply-To: <72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com> <72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> Message-ID: From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 04 September 2009 13:19 To: MailScanner discussion Subject: Re: image spam again :) 2009/9/4 Richard Mealing 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 04 September 2009 12:24 To: MailScanner discussion Subject: Re: image spam again :) 2009/9/4 Mog Richard Mealing wrote: Hi Martin, Thanks for this, sorry if I'm being stupid, but I'm using freebsd and I've updated my port tree, however I don't see the latest version in there - less distinfo MD5 (MailScanner-install-4.60.5-1.tar.gz) = cf1e87131f90ff7f43e1f4c1d787a245 SHA256 (MailScanner-install-4.60.5-1.tar.gz) = 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 Can this be updated? Rich Indeed, the MailScanner port is getting a little out of date again. Yes it should be periodically updated, but unfortunately the maintainer of the MailScanner port is AWOL and doesn't respond to emails, meaning that the MailScanner port is currently not being maintained. Maintaining FreeBSD ports requires a basic working knowledge of the ports system and the program in question (MailScanner in this case), and of course, the free time necessary to update and check the port works before submitting a patch to the committers. Sadly, as of yet, no one with the free time/skills has volunteered to help with this. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Some did do an independant update for the FreeBSD port a while ago (see the archives of this list). But in the mean-time if you want to keep up-to date and esp with the beta's you'll need to use the generic tar.gz installer instead. -- Martin Hepworth Oxford, UK Hi Martin, I did try that but it's an rpm and you can't install that on freebsd. Do you think the mailscanner port (non beta) will update next time it's released? 
I did contact the maintainer and he told me I could do it, but I'm new to all this (I'm still learning) I don't think I have the skills to do it. I can't wait to add sanesecurity to my config, it's just awesome from my testing last week. Many thanks, Rich Richard no the generic unix installer...not he RPM version ;-) Stable * Version 4.77.10-1 for RedHat, CentOS, and Fedora Linux (and other RPM-based Linux distributions) (PGP signature) * Version 4.77.10-1 for SuSE (PGP signature) * Version 4.77.10-1 for Solaris / BSD / Other Linux / Other Unix <********************************************** (PGP signature) * Debian Linux package and the init.d script from it * Latest "port" for FreeBSD - Please read the instructions * Solaris OpenCSW package * ClamAV 0.95.2 and SpamAssassin 3.2.5 easy installation package . Each of the packages above is a compressed tar file. Download it, unpack it (with "tar xzvf .tar.gz") and run the "install.sh" script in it. Version 4.75 * Version 4.75.11-1 for RedHat, CentOS, and Fedora Linux (and other RPM-based Linux distributions) * Version 4.75.11-1 for SuSE * Version 4.75.11-1 for Solaris / BSD / Other Linux / Other Unix Beta * Version 4.78.15-1 for RedHat, CentOS and Fedora Linux (and other RPM-based Linux distributions) * Version 4.78.15-1 for SuSE Linux * Version 4.78.15-1 for Solaris / BSD / Other Linux / Other Unix <**************************************************** * Latest FreeBSD beta release "port" -- Martin Hepworth Oxford, UK Hi Martin - I know, that's what I've tried already. [richard@mailfilter9 ~/MailScanner-install-4.78.15]$ /home/richard/MailScanner-install-4.78.15/install.sh I am logging everything into "install.log". You appear to be running on a system that does not use the RPM packaging system. If you think you can use RPM, then press Ctrl-C right now, make sure the "rpm" and "rpmbuild" programs can be found and run this script again. I will install MailScanner under /opt, from where you can move it if you want. 
I will need to build the tnef program for you too. You appear to have 2 versions of Perl installed, the normal one in /usr/bin and one in /usr/local. This often happens if you have used CPAN to install modules. I strongly advise you remove all traces of perl from within /usr/local and then run this script again. If you do not want to do that, and really want to continue, then you will need to run this script as /home/richard/MailScanner-install-4.78.15/install.sh --perl=/path/to/perl substituting '/path/to' appropriately. I've been told Freebsd does not support rpm, so I'm just stuck at the moment. Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/b49bda17/attachment.html From maxsec at gmail.com Fri Sep 4 13:56:20 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Fri Sep 4 13:56:29 2009 Subject: image spam again :) In-Reply-To: References: <768671.54354.qm@web33302.mail.mud.yahoo.com> <72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com> <4AA0F2F8.6020709@elasticmind.net> <72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com> <72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> Message-ID: <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com> 2009/9/4 Richard Mealing > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Martin Hepworth > *Sent:* 04 September 2009 13:19 > > *To:* MailScanner discussion > *Subject:* Re: image spam again :) > > > > > > 2009/9/4 Richard Mealing > > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Martin Hepworth > *Sent:* 04 September 2009 12:24 > > > *To:* MailScanner discussion > *Subject:* Re: image spam again :) > > > > > > 2009/9/4 Mog > > Richard Mealing wrote: > > > Hi Martin, > > Thanks for this, sorry if I'm being stupid, but I'm using freebsd and I've > updated my port tree, however I don't see the latest version in there - > > less distinfo > > MD5 (MailScanner-install-4.60.5-1.tar.gz) = > cf1e87131f90ff7f43e1f4c1d787a245 > > SHA256 (MailScanner-install-4.60.5-1.tar.gz) = > 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 > > SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 > > Can this be updated? > > Rich > > > > Indeed, the MailScanner port is getting a little out of date again. Yes it > should be periodically updated, but unfortunately the maintainer of the > MailScanner port is AWOL and doesn't respond to emails, meaning that the > MailScanner port is currently not being maintained.
> > Maintaining FreeBSD ports requires a basic working knowledge of the ports > system and the program in question (MailScanner in this case), and of > course, the free time necessary to update and check the port works before > submitting a patch to the committers. Sadly, as of yet, no one with the free > time/skills has volunteered to help with this. > -- > > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > Some did do an independent update for the FreeBSD port a while ago (see the > archives of this list). But in the mean-time if you want to keep up-to date > and esp with the beta's you'll need to use the generic tar.gz installer > instead. > > -- > Martin Hepworth > Oxford, UK > > > > > > Hi Martin, > > > > I did try that but it's an rpm and you can't install that on freebsd. Do > you think the mailscanner port (non beta) will update next time it's > released? > > > > I did contact the maintainer and he told me I could do it, but I'm new to > all this (I'm still learning) I don't think I have the skills to do it. > > > > I can't wait to add sanesecurity to my config, it's just awesome from my > testing last week. > > > > Many thanks, > > Rich > > > > > Richard > > no the generic unix installer...not the RPM version ;-) > Stable > > - Version 4.77.10-1 for RedHat, CentOS, and Fedora Linux (and other > RPM-based Linux distributions) > (PGP signature) > - Version 4.77.10-1 for SuSE > (PGP signature) > - Version 4.77.10-1 for Solaris / BSD / Other Linux / Other Unix > <********************************************** > (PGP signature) > - Debian Linux package and the init.d > script from it > - Latest "port" for FreeBSD - Please read > the instructions > - Solaris OpenCSW package > - ClamAV 0.95.2 and SpamAssassin 3.2.5 easy installation package.
> > > Each of the packages above is a compressed tar file. Download it, unpack it > (with "tar xzvf **.tar.gz") and run the "install.sh" script in > it. > Version 4.75 > > - Version 4.75.11-1 for RedHat, CentOS, and Fedora Linux (and other > RPM-based Linux distributions) > - Version 4.75.11-1 for SuSE > - Version 4.75.11-1 for Solaris / BSD / Other Linux / Other Unix > > Beta > > - Version 4.78.15-1 for RedHat, CentOS and Fedora Linux (and other > RPM-based Linux distributions) > - Version 4.78.15-1 for SuSE Linux > - Version 4.78.15-1 for Solaris / BSD / Other Linux / Other Unix > <**************************************************** > - Latest FreeBSD beta release "port" > > > -- > Martin Hepworth > Oxford, UK > > > > > > Hi Martin - > > > > I know, that's what I've tried already. > > > > [richard@mailfilter9 ~/MailScanner-install-4.78.15]$ > /home/richard/MailScanner-install-4.78.15/install.sh > > > > I am logging everything into "install.log". > > > > You appear to be running on a system that does not use the > > RPM packaging system. > > If you think you can use RPM, then press Ctrl-C right now, > > make sure the "rpm" and "rpmbuild" programs can be found > > and run this script again. > > I will install MailScanner under /opt, from where you can > > move it if you want. > > I will need to build the tnef program for you too. > > > > You appear to have 2 versions of Perl installed, > > the normal one in /usr/bin and one in /usr/local. > > This often happens if you have used CPAN to install modules. > > I strongly advise you remove all traces of perl from > > within /usr/local and then run this script again. > > > > If you do not want to do that, and really want to continue, > > then you will need to run this script as > > /home/richard/MailScanner-install-4.78.15/install.sh > --perl=/path/to/perl > > substituting '/path/to' appropriately. > > > > > > > > I've been told Freebsd does not support rpm, so I'm just stuck at the > moment.
> > > > Thanks, > > Rich > > >

Rich

the above debug is fine - it says you're not running an RPM based system so it'll install under /opt.

Now after that it sees both perls (system and ports) and as it can't work out which one to use it asks to run ./install.sh with the (non-symlinked) path to the perl binary actually used. (have a look at /usr/bin/perl and find out where it's actually going).

so you need to type something like the following in a ports perl example.

./install.sh --perl=/usr/local/bin/perl

then it'll install into /opt/MailScanner-4.78.15-1 (or similar). Then you'll need to set up your MTA and MailScanner.conf by hand to route email through MailScanner, finally creating a symlink from /opt/mailscanner- to /opt/MailScanner

Have a look at the install docs on the mail site and the wiki for your MTA

--
Martin Hepworth
Oxford, UK

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/34e4ca1c/attachment.html

From richard at fastnet.co.uk Fri Sep 4 14:09:24 2009 From: richard at fastnet.co.uk (Richard Mealing) Date: Fri Sep 4 14:08:58 2009 Subject: image spam again :) In-Reply-To: <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com> References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com> Message-ID: From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 04 September 2009 13:56 To: MailScanner discussion Subject: Re: image spam again :) 2009/9/4 Richard Mealing
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 04 September 2009 13:19 To: MailScanner discussion Subject: Re: image spam again :) 2009/9/4 Richard Mealing 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 04 September 2009 12:24 To: MailScanner discussion Subject: Re: image spam again :) 2009/9/4 Mog Richard Mealing wrote: Hi Martin, Thanks for this, sorry if I'm being stupid, but I'm using freebsd and I've updated my port tree, however I don't see the latest version in there - less distinfo MD5 (MailScanner-install-4.60.5-1.tar.gz) = cf1e87131f90ff7f43e1f4c1d787a245 SHA256 (MailScanner-install-4.60.5-1.tar.gz) = 1ec3fd536e05f5da0b1551cc57664bb4379e049e8243e0ed112e33325c53b994 SIZE (MailScanner-install-4.60.5-1.tar.gz) = 7704758 Can this be updated? Rich Indeed, the MailScanner port is getting a little out of date again. Yes it should be periodically updated, but unfortunately the maintainer of the MailScanner port is AWOL and doesn't respond to emails, meaning that the MailScanner port is currently not being maintained. Maintaining FreeBSD ports requires a basic working knowledge of the ports system and the program in question (MailScanner in this case), and of course, the free time necessary to update and check the port works before submitting a patch to the committers. Sadly, as of yet, no one with the free time/skills has volunteered to help with this. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Some did do an independant update for the FreeBSD port a while ago (see the archives of this list). But in the mean-time if you want to keep up-to date and esp with the beta's you'll need to use the generic tar.gz installer instead. -- Martin Hepworth Oxford, UK Hi Martin, I did try that but it's an rpm and you can't install that on freebsd. Do you think the mailscanner port (non beta) will update next time it's released? 
I did contact the maintainer and he told me I could do it, but I'm new to all this (I'm still learning) I don't think I have the skills to do it. I can't wait to add sanesecurity to my config, it's just awesome from my testing last week. Many thanks, Rich Richard no the generic unix installer...not he RPM version ;-) Stable * Version 4.77.10-1 for RedHat, CentOS, and Fedora Linux (and other RPM-based Linux distributions) (PGP signature) * Version 4.77.10-1 for SuSE (PGP signature) * Version 4.77.10-1 for Solaris / BSD / Other Linux / Other Unix <********************************************** (PGP signature) * Debian Linux package and the init.d script from it * Latest "port" for FreeBSD - Please read the instructions * Solaris OpenCSW package * ClamAV 0.95.2 and SpamAssassin 3.2.5 easy installation package . Each of the packages above is a compressed tar file. Download it, unpack it (with "tar xzvf .tar.gz") and run the "install.sh" script in it. Version 4.75 * Version 4.75.11-1 for RedHat, CentOS, and Fedora Linux (and other RPM-based Linux distributions) * Version 4.75.11-1 for SuSE * Version 4.75.11-1 for Solaris / BSD / Other Linux / Other Unix Beta * Version 4.78.15-1 for RedHat, CentOS and Fedora Linux (and other RPM-based Linux distributions) * Version 4.78.15-1 for SuSE Linux * Version 4.78.15-1 for Solaris / BSD / Other Linux / Other Unix <**************************************************** * Latest FreeBSD beta release "port" -- Martin Hepworth Oxford, UK Hi Martin - I know, that's what I've tried already. [richard@mailfilter9 ~/MailScanner-install-4.78.15]$ /home/richard/MailScanner-install-4.78.15/install.sh I am logging everything into "install.log". You appear to be running on a system that does not use the RPM packaging system. If you think you can use RPM, then press Ctrl-C right now, make sure the "rpm" and "rpmbuild" programs can be found and run this script again. I will install MailScanner under /opt, from where you can move it if you want. 
I will need to build the tnef program for you too. You appear to have 2 versions of Perl installed, the normal one in /usr/bin and one in /usr/local. This often happens if you have used CPAN to install modules. I strongly advise you remove all traces of perl from within /usr/local and then run this script again. If you do not want to do that, and really want to continue, then you will need to run this script as /home/richard/MailScanner-install-4.78.15/install.sh --perl=/path/to/perl substituting '/path/to' appropriately. I've been told Freebsd does not support rpm, so I'm just stuck at the moment. Thanks, Rich Rich the above debug is fine - it's says you're not running an RPM based system so it'll install inder /opt. Now after that it sees both perls (system and ports) and as it' can't work out which one to use it asks to run ./install.sh with the (non-symlinked) path to the perl binary actually used. (have a look at /usr/bin/perl and find out where it's actually going). so you need to type something like the following in a ports perl example. ./install.sh --perl=/usr/local/bin/perl then it''ll install in to /opt/MailScanner-4.78.15-1 (or similar). Then you'll need to setup your MTA and MailScanner.conf by hand to route email through MailScanner, finally creating a symlink from /opt/mailscanner- to /opt/MailScanner Have a look at the install docs on the mail site and the wiki for your MTA -- Martin Hepworth Oxford, UK Hi Martin, OK, I'll give it a go.! Thanks very much for your help. Have a good weekend. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/5e69b11d/attachment-0001.html From brian.duncan at kattenlaw.com Fri Sep 4 15:06:11 2009 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Fri Sep 4 15:06:25 2009 Subject: OT: Question related to 
From: field in x-headers vs who the message actually came from. Message-ID: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com> First, our sendmail servers are either incoming or outgoing for my company. The incoming sendmail servers REJECT any messages coming in from any of our domains. To help keep spoofed messages out of our environment, we reject around 35,000 spoofed messages combined per day at the edge. So I have started to see what I show in the headers below occasionally now. Can someone explain to me what is happening that knows? And does anyone know how to remove this possibility from occurring? I can't replicate the behavior below with a mail client externally, so I am guessing it has to be specifically manipulated in a non RFC compliant manner. I don't understand how Mailscanner has the proper From: listed in the x-header that this message came from, but there is an x-header with the wrong From: that outlook then displays on a users client when they open the message. (And any local Outlook rules act upon) If I check the sendmail logs on the message below, it shows the message coming from whereforeji09@maycruz.com. Thanks for any help! Brian Received: from host-92-11-178-251.as43234.net (host-92-11-178-251.as43234.net [92.11.178.251] (may be forged)) by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297; Fri, 4 Sep 2009 07:16:01 -0400 Received: from 92.11.178.251 by 72.47.228.70; Fri, 4 Sep 2009 12:14:59 +0000 Message-ID: <000d01ca2d50$f124e100$6400a8c0@whereforeji09> 
From: Juliana Rollins To: Subject: Lose 12lbs in 1 month :. Date: Fri, 4 Sep 2009 12:14:59 +0000 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CA2D50.F124E100" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1506 X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506 X-Kattenlaw-MailScanner-Information: X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl, MAPS-ALL X-MailScanner-From: whereforeji09@maycruz.com X-MailScanner-SPAM: yes Return-Path: whereforeji09@maycruz.com X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC) FILETIME=[1D03F540:01CA2D51 =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. =========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). 
=========================================================== -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/14e613f5/attachment.html From maxsec at gmail.com Fri Sep 4 15:36:12 2009 From: maxsec at gmail.com (Martin Hepworth) Date: Fri Sep 4 15:36:23 2009 Subject: OT: Question related to From: field in x-headers vs who the message actually came from. In-Reply-To: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com> Message-ID: <72cf361e0909040736u7342e006le7917cb640bc6482@mail.gmail.com> 2009/9/4 Duncan, Brian M. > First, our sendmail servers are either incoming or outgoing for my > company. The incoming sendmail servers REJECT any messages coming in from > any of our domains. To help keep spoofed messages out of our environment, > we reject around 35,000 spoofed messages combined per day at the edge. > > So I have started to see what I show in the headers below occasionally > now. Can someone explain to me what is happening that knows? And does > anyone know how to remove this possibility from occurring? I can't replicate > the behavior below with a mail client externally, so I am guessing it has to > be specifically manipulated in a non RFC compliant manner. > > I don't understand how Mailscanner has the proper From: listed in the > x-header that this message came from, but there is an x-header with the > wrong 
From: that outlook then displays on a users client when they open the > message. (And any local Outlook rules act upon) If I check the sendmail > logs on the message below, it shows the message coming from > whereforeji09@maycruz.com. > > Thanks for any help! > > Brian > > Received: from host-92-11-178-251.as43234.net ( > host-92-11-178-251.as43234.net [92.11.178.251] (may be forged)) > by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297; > Fri, 4 Sep 2009 07:16:01 -0400 > Received: from 92.11.178.251 by 72.47.228.70; Fri, 4 Sep 2009 12:14:59 > +0000 > Message-ID: <000d01ca2d50$f124e100$6400a8c0@whereforeji09> 
> From: Juliana Rollins > To: > Subject: Lose 12lbs in 1 month :. > Date: Fri, 4 Sep 2009 12:14:59 +0000 > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="----=_NextPart_000_0007_01CA2D50.F124E100" > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 6.00.2800.1506 > X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506 > X-Kattenlaw-MailScanner-Information: > X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl, > MAPS-ALL > X-MailScanner-From: whereforeji09@maycruz.com > X-MailScanner-SPAM: yes > Return-Path: whereforeji09@maycruz.com > X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC) > FILETIME=[1D03F540:01CA2D51 > > > > > > > > =========================================================== > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before > the Internal Revenue Service, any tax advice contained herein is not > intended or written to be used and cannot be used by a taxpayer for the > purpose of avoiding tax penalties that may be imposed on the taxpayer. > =========================================================== > CONFIDENTIALITY NOTICE: > This electronic mail message and any attached files contain information > intended for the exclusive use of the individual or entity to whom it is > addressed and may contain information that is proprietary, privileged, > confidential and/or exempt from disclosure under applicable law. If you are > not the intended recipient, you are hereby notified that any viewing, > copying, disclosure or distribution of this information may be subject to > legal restriction or sanction. Please notify the sender, by electronic mail > or telephone, of any unintended recipients and delete the original message > without making any copies. 
> =========================================================== > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability > partnership that has elected to be governed by the Illinois Uniform > Partnership Act (1997). > =========================================================== > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > >

Duncan

the X-MailScanner-From: header is showing the envelope-from and not the From: header. It does this so you can see what 'from' header the mailscanner rules operate on.

FYI you may wish to populate the 'org-name' field in the MailScanner.conf so the X-MailScanner headers are reasonably unique. This addition was introduced as a virus came out a few years ago that targeted mailscanner hosts and the workaround was to make the X-Mailscanner headers less predictable.

--
Martin Hepworth
Oxford, UK

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090904/21c97283/attachment.html

From MailScanner at ecs.soton.ac.uk Fri Sep 4 15:44:51 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 4 15:45:12 2009 Subject: OT: Question related to
From: field in x-headers vs who the message actually came from. In-Reply-To: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com> <4AA127E3.5030205@ecs.soton.ac.uk> Message-ID: On 04/09/2009 15:06, Duncan, Brian M. wrote: > First, our sendmail servers are either incoming or outgoing for my > company. The incoming sendmail servers REJECT any messages coming in > from any of our domains. To help keep spoofed messages out of our > environment, we reject around 35,000 spoofed messages combined per day > at the edge. > So I have started to see what I show in the headers below occasionally > now. Can someone explain to me what is happening that knows? And > does anyone know how to remove this possibility from occurring? I > can't replicate the behavior below with a mail client externally, so I > am guessing it has to be specifically manipulated in a non RFC > compliant manner. > I don't understand how Mailscanner has the proper From: listed in the > x-header that this message came from, but there is an x-header with > the wrong 
From: Where is this wrong x-header? The only headers I can see are the Return-Path (which shows the real envelope sender address) and the X-MailScanner-From (which also shows the real envelope sender address). The "From:" header can contain any random string the sender wants it to contain, there's no protection on the value of that header at all. Which is why email apps are the wrong place to do sender filtering, unless you have a header (such as X-MailScanner-From) which you know will contain the real sender address. But that can still be any value they want, so it doesn't help enormously. Fundamentally, there is no protection applied to either the contents of the headers (which aren't used for mail routing at all), nor the sender (which is also not used, but may be checked for validity); it is only the envelope recipient that actually counts (as that determines the destination of the message). Many moons ago I wrote up how mail delivery actually works, but I doubt I can find it. There's quite a good description, written by someone else, in the back of my book. It's another great reason for you to buy the book! :-) Jules. > that outlook then displays on a users client when they open the > message. (And any local Outlook rules act upon) If I check the > sendmail logs on the message below, it shows the message coming from > whereforeji09@maycruz.com . > Thanks for any help! > Brian > Received: from host-92-11-178-251.as43234.net > (host-92-11-178-251.as43234.net [92.11.178.251] (may be forged)) > by callisto.kattenlaw.com (8.13.8/8.13.4) with ESMTP id n84BFvwA012297; > Fri, 4 Sep 2009 07:16:01 -0400 > Received: from 92.11.178.251 by 72.47.228.70; Fri, 4 Sep 2009 12:14:59 > +0000 > Message-ID: <000d01ca2d50$f124e100$6400a8c0@whereforeji09 
> > > From: Juliana Rollins > > To: > > Subject: Lose 12lbs in 1 month :. > Date: Fri, 4 Sep 2009 12:14:59 +0000 > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="----=_NextPart_000_0007_01CA2D50.F124E100" > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 6.00.2800.1506 > X-MimeOLE: Produced By Microsoft MimeOLE 6.00.2800.1506 > X-Kattenlaw-MailScanner-Information: > X-MailScanner-SpamCheck: spam, spamcop.net, zen.spamhaus.org, cbl, > MAPS-ALL > X-MailScanner-From: whereforeji09@maycruz.com > > X-MailScanner-SPAM: yes > Return-Path: whereforeji09@maycruz.com > X-OriginalArrivalTime: 04 Sep 2009 11:16:13.0588 (UTC) > FILETIME=[1D03F540:01CA2D51 > > > =========================================================== > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice > Before the Internal Revenue Service, any tax advice contained herein > is not intended or written to be used and cannot be used by a taxpayer > for the purpose of avoiding tax penalties that may be imposed on the > taxpayer. > =========================================================== > CONFIDENTIALITY NOTICE: > This electronic mail message and any attached files contain > information intended for the exclusive use of the individual or entity > to whom it is addressed and may contain information that is > proprietary, privileged, confidential and/or exempt from disclosure > under applicable law. If you are not the intended recipient, you are > hereby notified that any viewing, copying, disclosure or distribution > of this information may be subject to legal restriction or sanction. > Please notify the sender, by electronic mail or telephone, of any > unintended recipients and delete the original message without making > any copies. 
> =========================================================== > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited > liability partnership that has elected to be governed by the Illinois > Uniform Partnership Act (1997). > =========================================================== > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brian.duncan at kattenlaw.com Fri Sep 4 16:02:21 2009 From: brian.duncan at kattenlaw.com (Duncan, Brian M.) Date: Fri Sep 4 16:02:33 2009 Subject: OT: Question related to 
From: field in x-headers vs who the message actually came from. In-Reply-To: References: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com><4AA127E3.5030205@ecs.soton.ac.uk> Message-ID: <65234743FE1555428435CE39E6AC407801D7F6DA@CHI-US-EXCH-01.us.kmz.com> On 04/09/2009 15:06, Duncan, Brian M. wrote: > First, our sendmail servers are either incoming or outgoing for my > company. The incoming sendmail servers REJECT any messages coming in > from any of our domains. To help keep spoofed messages out of our > environment, we reject around 35,000 spoofed messages combined per day > at the edge. > So I have started to see what I show in the headers below occasionally > now. Can someone explain to me what is happening that knows? And > does anyone know how to remove this possibility from occurring? I > can't replicate the behavior below with a mail client externally, so I > am guessing it has to be specifically manipulated in a non RFC > compliant manner. > I don't understand how Mailscanner has the proper From: listed in the > x-header that this message came from, but there is an x-header with > the wrong 
From: Where is this wrong x-header? The only headers I can see are the Return-Path (which shows the real envelope sender address) and the X-MailScanner-From (which also shows the real envelope sender address). The "From:" header can contain any random string the sender wants it to contain, there's no protection on the value of that header at all. Which is why email apps are the wrong place to do sender filtering, unless you have a header (such as X-MailScanner-From) which you know will contain the real sender address. But that can still be any value they want, so it doesn't help enormously. Fundamentally, there is no protection applied to either the contents of the headers (which aren't used for mail routing at all), nor the sender (which is also not used, but may be checked for validity); it is only the envelope recipient that actually counts (as that determines the destination of the message). Many moons ago I wrote up how mail delivery actually works, but I doubt I can find it. There's quite a good description, written by someone else, in the back of my book. It's another great reason for you to buy the book! :-) Jules. Thanks Julian, that helps. So the from that sendmail lists in the logs should always match the return-path header then. And from: is NOT the envelope sender? That is where I was confused, I thought the from: header was the envelope sender. =========================================================== CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. 
=========================================================== CONFIDENTIALITY NOTICE: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. =========================================================== NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). =========================================================== From MailScanner at ecs.soton.ac.uk Fri Sep 4 16:14:17 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 4 16:14:38 2009 Subject: OT: Question related to 
From: field in x-headers vs who the message actually came from. In-Reply-To: <65234743FE1555428435CE39E6AC407801D7F6DA@CHI-US-EXCH-01.us.kmz.com> References: <65234743FE1555428435CE39E6AC407801D7F6D8@CHI-US-EXCH-01.us.kmz.com><4AA127E3.5030205@ecs.soton.ac.uk> <65234743FE1555428435CE39E6AC407801D7F6DA@CHI-US-EXCH-01.us.kmz.com> <4AA12EC9.1080604@ecs.soton.ac.uk> Message-ID: On 04/09/2009 16:02, Duncan, Brian M. wrote: > > On 04/09/2009 15:06, Duncan, Brian M. wrote: > >> First, our sendmail servers are either incoming or outgoing for my >> company. The incoming sendmail servers REJECT any messages coming in >> from any of our domains. To help keep spoofed messages out of our >> environment, we reject around 35,000 spoofed messages combined per day >> > >> at the edge. >> So I have started to see what I show in the headers below occasionally >> > >> now. Can someone explain to me what is happening that knows? And >> does anyone know how to remove this possibility from occurring? I >> can't replicate the behavior below with a mail client externally, so I >> > >> am guessing it has to be specifically manipulated in a non RFC >> compliant manner. >> I don't understand how Mailscanner has the proper From: listed in the >> x-header that this message came from, but there is an x-header with >> the wrong 
From: >> > Where is this wrong x-header? The only headers I can see are the > Return-Path (which shows the real envelope sender address) and the > X-MailScanner-From (which also shows the real envelope sender address). > The "From:" header can contain any random string the sender wants it to > contain, there's no protection on the value of that header at all. > > Which is why email apps are the wrong place to do sender filtering, > unless you have a header (such as X-MailScanner-From) which you know > will contain the real sender address. But that can still be any value > they want, so it doesn't help enormously. > > Fundamentally, there is no protection applied to either the contents of > the headers (which aren't used for mail routing at all), nor the sender > (which is also not used, but may be checked for validity); it is only > the envelope recipient that actually counts (as that determines the > destination of the message). > > Many moons ago I wrote up how mail delivery actually works, but I doubt > I can find it. There's quite a good description, written by someone > else, in the back of my book. It's another great reason for you to buy > the book! :-) > > Jules. > > > Thanks Julian, that helps. > > So the from that sendmail lists in the logs should always match the > return-path header then. Correct. > And from: is NOT the envelope sender? Correct, it is not the envelope sender. It's anything the sender feels like putting in there. > That is > where I was confused, I thought the from: header was the envelope > sender. > No, it's not. > > > > > > =========================================================== > CIRCULAR 230 DISCLOSURE: Pursuant to Regulations Governing Practice Before the Internal Revenue Service, any tax advice contained herein is not intended or written to be used and cannot be used by a taxpayer for the purpose of avoiding tax penalties that may be imposed on the taxpayer. 
> =========================================================== > CONFIDENTIALITY NOTICE: > This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. > =========================================================== > NOTIFICATION: Katten Muchin Rosenman LLP is an Illinois limited liability partnership that has elected to be governed by the Illinois Uniform Partnership Act (1997). > =========================================================== > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Fri Sep 4 21:09:47 2009 
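The distinction drawn in the thread above (the envelope sender, as recorded in Return-Path and X-MailScanner-From, versus the free-text From: header) can be checked mechanically on a delivered message. The Python script below is an added example, not part of the original posts or of MailScanner; the protected domain example.com, both sample messages and the finding names are constructed assumptions.

```python
"""Compare the envelope sender recorded by the gateway with the From: header."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: domains the inbound edge refuses as envelope senders.
PROTECTED_DOMAINS = {"example.com"}

# Headers that record the envelope sender, in order of preference. Both names
# appear in the thread; pass your own name if your gateway writes a different
# one. Only trust a copy of these headers that your own gateway wrote.
ENVELOPE_HEADERS = ("X-MailScanner-From", "Return-Path")

# Constructed sample: outside envelope sender, From: header claiming an inside address.
SPOOFED = """\
Return-Path: <bulk@sender.example.net>
Received: from host.example.net (host.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id CONSTRUCTED1; Fri, 4 Sep 2009 07:16:01 -0400
From: "Payroll" <payroll@example.com>
To: <user@example.com>
Subject: constructed sample
X-MailScanner-From: bulk@sender.example.net

body
"""

# Constructed sample: envelope sender and From: header agree.
CONSISTENT = """\
Return-Path: <news@partner.example.org>
From: Partner News <news@partner.example.org>
To: <user@example.com>
Subject: constructed sample

body
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def _protected(domain, protected):
    return any(domain == d or domain.endswith("." + d) for d in protected)


def envelope_sender(msg, header_names=ENVELOPE_HEADERS):
    """Recorded envelope sender; '' for the null sender <>; None if unrecorded."""
    for name in header_names:
        value = msg.get(name)
        if value is not None:
            return parseaddr(value)[1].lower()
    return None


def check_message(raw, protected=PROTECTED_DOMAINS, header_names=ENVELOPE_HEADERS):
    msg = message_from_string(raw)
    env = envelope_sender(msg, header_names)
    from_headers = msg.get_all("From", [])
    header_from = [a.lower() for _, a in getaddresses(from_headers) if a]
    findings = []

    def add(tag):
        if tag not in findings:
            findings.append(tag)

    if env is None:
        add("envelope-sender-not-recorded")
    # More than one From: header or address lets clients disagree on what to show.
    if len(from_headers) != 1 or len(header_from) != 1:
        add("from-header-not-single-address")
    env_domain = _domain(env) if env else ""
    # This is the case an edge rule on the envelope sender already rejects.
    if env and _protected(env_domain, protected):
        add("envelope-claims-protected-domain")
    for addr in header_from:
        dom = _domain(addr)
        # Informational: mailing lists and bulk senders differ legitimately.
        if env and dom != env_domain:
            add("from-differs-from-envelope")
        # The case from the thread: the edge rule passes it, the client shows it.
        if env is not None and _protected(dom, protected) \
                and not _protected(env_domain, protected):
            add("protected-from-with-outside-envelope")
    return {"envelope_sender": env, "header_from": header_from, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("consistent", CONSISTENT)):
        print(label, check_message(raw))
```
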
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 4 21:10:16 2009
Subject: R: RBL configuration problem
In-Reply-To: <200909040958.n849wYQi019442@safir.blacknight.ie>
References: <200909040958.n849wYQi019442@safir.blacknight.ie>
Message-ID:

on 9-4-2009 2:58 AM Carlo Granisso spake the following:
> "Spam Lists To Be Spam" isn't present in my configuration.
> "Check SpamAssassin If On Spam List" was "yes" now is "no".
>
> Of course I've restarted MailScanner and in logs I haven't mention of BL...
>
>
Silly question, but did you disable the checks in postfix? If postfix catches them first, they won't get through to mailscanner

From drew.marshall at trunknetworks.com Sat Sep 5 09:37:04 2009
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Sat Sep 5 09:37:35 2009
Subject: image spam again :)
In-Reply-To:
References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com>
Message-ID: <2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com>

On 4 Sep 2009, at 14:09, Richard Mealing wrote:
> Hi Martin,
>
> OK, I'll give it a go.! Thanks very much for your help.
>
> Have a good weekend.

I'm due to update our systems early next week so I'll roll another FreeBSD .tgz port and post it on the list. I'm quite happy hacking JP's fine work and have a reasonable knowledge of the ports tree. If that's good enough and the FreeBSD community could live with only a stable version (The beta in the ports tree is so old anyway and if you are using a beta version then you should know what you are doing... ;-) ) or a 'stable' beta if the feature/bug fix is urgent enough then I could push myself forward. I might need a hand if the build script ever needs taking apart completely (I am not a programmer!) but I'm sure that's not insurmountable.

If this is of interest to the MS community then I'll have a word with Jan-Peter next week.

Drew

From c.granisso at dnshosting.it Sat Sep 5 15:19:57 2009
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Sat Sep 5 15:19:59 2009
Subject: R: R: RBL configuration problem
In-Reply-To:
Message-ID: <200909051419.n85EJorF021428@safir.blacknight.ie>

Yes, of course, I've disabled all checks (RBL) in postfix.
:)

Thanks,

Carlo

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Friday, 4 September 2009 22.10
To: mailscanner@lists.mailscanner.info
Subject: Re: R: RBL configuration problem

on 9-4-2009 2:58 AM Carlo Granisso spake the following:
> "Spam Lists To Be Spam" isn't present in my configuration.
> "Check SpamAssassin If On Spam List" was "yes" now is "no".
>
> Of course I've restarted MailScanner and in logs I haven't mention of BL...
>
>
Silly question, but did you disable the checks in postfix? If postfix catches them first, they won't get through to mailscanner

From MailScanner at ecs.soton.ac.uk Sat Sep 5 15:38:24 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Sep 5 15:38:51 2009
Subject: image spam again :)
In-Reply-To: <2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com>
References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com> <2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com> <4AA277E0.90006@ecs.soton.ac.uk>
Message-ID:

On 05/09/2009 09:37, Drew Marshall wrote:
> On 4 Sep 2009, at 14:09, Richard Mealing wrote:
>> Hi Martin,
>> OK, I'll give it a go.! Thanks very much for your help.
>> Have a good weekend.
>
> I'm due to update our systems early next week so I'll roll another
> FreeBSD .tgz port and post it on the list. I'm quite happy hacking
> JP's fine work and have a reasonable knowledge of the ports tree. If
> that's good enough and the FreeBSD community could live with only a
> stable version (The beta in the ports tree is so old anyway and if
> you are using a beta version then you should know what you are
> doing... ;-) ) or a 'stable' beta if the feature/bug fix is urgent
> enough then I could push myself forward. I might need a hand if the
> build script ever needs taking apart completely (I am not a
> programmer!) but I'm sure that's not insurmountable.
>
> If this is of interest to the MS community then I'll have a word with
> Jan-Peter next week.
>
That sounds great. If there's anything I can do to help, do give me a shout.

Jules

From drew.marshall at trunknetworks.com Sun Sep 6 10:00:48 2009
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Sun Sep 6 10:01:23 2009
Subject: FreeBSD Port - [Was image spam again :)]
In-Reply-To: <2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com>
References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com> <2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com>
Message-ID: <01DF9F55-296B-4924-9133-942FE328F3F2@trunknetworks.com>

On 5 Sep 2009, at 09:37, Drew Marshall wrote:
> On 4 Sep 2009, at 14:09, Richard Mealing wrote:
>> Hi Martin,
>>
>> OK, I'll give it a go.! Thanks very much for your help.
>>
>> Have a good weekend.
>
> I'm due to update our systems early next week so I'll roll another
> FreeBSD .tgz port and post it on the list. I'm quite happy hacking
> JP's fine work and have a reasonable knowledge of the ports tree. If
> that's good enough and the FreeBSD community could live with only a
> stable version (The beta in the ports tree is so old anyway and if
> you are using a beta version then you should know what you are
> doing... ;-) ) or a 'stable' beta if the feature/bug fix is urgent
> enough then I could push myself forward. I might need a hand if the
> build script ever needs taking apart completely (I am not a
> programmer!) but I'm sure that's not insurmountable.
>
> If this is of interest to the MS community then I'll have a word
> with Jan-Peter next week.
>
> Drew

Well it's a bit earlier than expected but here you are. Just remove the directory /usr/ports/mail/mailscanner/ and untar this one in its place. I have used this on my machines and it's working a treat (It's the latest 'stable' beta with the SpamVirus code, which is what I think was the one wanted ;-)

Have fun!

Drew

From drew.marshall at trunknetworks.com Sun Sep 6 10:53:55 2009
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Sun Sep 6 10:54:24 2009
Subject: FreeBSD Port - [Was image spam again :)]
In-Reply-To: <01DF9F55-296B-4924-9133-942FE328F3F2@trunknetworks.com>
References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com> <72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com> <2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com> <01DF9F55-296B-4924-9133-942FE328F3F2@trunknetworks.com>
Message-ID:

So the original of this is too big for the list...

<---Original--->

On 6 Sep 2009, at 10:00, Drew Marshall wrote:
> Well it's a bit earlier than expected but here you are. Just remove
> the directory /usr/ports/mail/mailscanner/ and untar this one in
> its place. I have used this on my machines and it's working a treat
> (It's the latest 'stable' beta with the SpamVirus code, which is
> what I think was the one wanted ;-)

Must stop replying to myself...

Doh - small omission in the last file. Try this one instead. It will install the last extra file, which I only discovered once all my cron jobs had run properly :-(

Sorry. Let me know if I have missed anything else.

Drew

<---Ends--->

So download the new file from http://www.trunknetworks.com/downloads/mailscanner.tgz

From logs at comp-wiz.com Sun Sep 6 14:15:12 2009
From: logs at comp-wiz.com (Logs)
Date: Sun Sep 6 14:15:45 2009
Subject: {Spam?} FuzzyOCR & CentOS 5.3, is it supported?
Message-ID: <03bd01ca2ef4$11d1a3d0$3574eb70$@com>

I know there is a FuzzyOCR list, but I can't seem to join the list for some reason. In any event I'm wondering if someone here can help me.

I have a CentOS 5.3 box setup with MailScanner (v4.78.7-2), SpamAssassin (v3.2.5-1.el5), clam and a few other things, all of which seem to work fine. I've installed FuzzyOCR following the instructions on the instruction page on the web site, however, when I do a test using the sample files, there is no mention of FuzzyOCR, which I'm assuming is a bad thing. Here is the output:

[root@samwise samples]# spamassassin -t animated-gif.eml | more
Return-Path:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on samwise.comp-wiz.com
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.2 required=5.0 tests=BAYES_50,BILLION_DOLLARS,
 DATE_IN_PAST_06_12,DC_GIF_UNO_LARGO,EXTRA_MPART_TYPE,HTML_MESSAGE,
 PART_CID_STOCK,PART_CID_STOCK_LESS,T_TVD_FW_GRAPHIC_ID1 autolearn=no
 version=3.2.5
X-Spam-Report:
 * 1.0 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
 * 1.1 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
 * 1.9 BILLION_DOLLARS BODY: Talks about lots of money
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 * [score: 0.5000]
 * 0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
 * 1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
 * 0.4 PART_CID_STOCK_LESS Has a spammy image attachment (by Content- ID,
 * more specific)
 * 2.3 DC_GIF_UNO_LARGO Message contains a single large inline gif
X

Is not FuzzyOCR supposed to be listed here somewhere? What could be wrong? I have followed all the instructions and installed all the required other programs. What am I missing here?

Thanks

From uxbod at splatnix.net Sun Sep 6 15:54:52 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sun Sep 6 15:55:28 2009
Subject: {Spam?} FuzzyOCR & CentOS 5.3, is it supported?
In-Reply-To: <11809742.521252248761539.JavaMail.root@office.splatnix.net>
Message-ID: <28488432.541252248892122.JavaMail.root@office.splatnix.net>

What do you have focr_autodisable_score set to in FuzzyOcr.cf ?

Also, have you tested with spamassassin -D --lint to ensure everything is being picked up correctly ?

Best Regards,

From logs at comp-wiz.com Sun Sep 6 16:33:31 2009
From: logs at comp-wiz.com (Logs)
Date: Sun Sep 6 16:33:53 2009
Subject: {Spam?} RE: {Spam?} FuzzyOCR & CentOS 5.3, is it supported?
In-Reply-To: <28488432.541252248892122.JavaMail.root@office.splatnix.net>
References: <11809742.521252248761539.JavaMail.root@office.splatnix.net> <28488432.541252248892122.JavaMail.root@office.splatnix.net>
Message-ID: <03f001ca2f07$64020150$2c0603f0$@com>

| -- What do you have focr_autodisable_score set to in FuzzyOcr.cf ?

It appears to be commented out, should I uncomment and set to 10 as it suggests?

| -- Also, have you tested with spamassassin -D --lint to ensure everything is being picked up correctly ?

How do I get that to display so I can see the entire output? I have tried the | more command but it still flies by. Is there a way to send to a text file? I'm sure there is but can't remember how.

Vern

From uxbod at splatnix.net Sun Sep 6 17:40:55 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sun Sep 6 17:41:17 2009
Subject: {Spam?} RE: {Spam?} FuzzyOCR & CentOS 5.3, is it supported?
In-Reply-To: <03f001ca2f07$64020150$2c0603f0$@com>
Message-ID: <7456336.691252255255494.JavaMail.root@office.splatnix.net>

spamassassin -D --lint > /tmp/sadebug.txt 2>&1

Best Regards,

From jonas at vrt.dk Mon Sep 7 12:39:14 2009
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Sep 7 12:39:29 2009
Subject: Latest beta
In-Reply-To:
References: <4A9F7984.2040501@ecs.soton.ac.uk>
Message-ID: <00bc01ca2faf$d3404fb0$79c0ef10$@dk>

> I'm not *yet* wrapped up with beginning-of-semester stuff, but will be soon! :-)
>
> I didn't want to do a stable release the day after I put out a bug-fix beta, as there could still have been other problems. If people would like me to do a stable release in a couple of weeks, then I could do that for you.
>
> Otherwise I'll just wait till the start of next month.
>
> Your thoughts?

I'd say wait till start of next month, better safe than sorry etc.

Just my opinion.

Med venlig hilsen / Best regards
Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk

From logs at comp-wiz.com Mon Sep 7 18:27:35 2009
From: logs at comp-wiz.com (Logs)
Date: Mon Sep 7 18:28:03 2009
Subject: {Spam?} RE: {Spam?} FuzzyOCR & CentOS 5.3, is it supported?
In-Reply-To: <7456336.691252255255494.JavaMail.root@office.splatnix.net>
References: <03f001ca2f07$64020150$2c0603f0$@com> <7456336.691252255255494.JavaMail.root@office.splatnix.net>
Message-ID: <055101ca2fe0$7e147490$7a3d5db0$@com>

OK, I came up with a huge file and was sure if I could post the entire file to the list, but these are the problems that I could see:

[12513] dbg: diag: module not installed: Net::Ident ('require' failed)
[12513] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
[12513] dbg: diag: module not installed: Mail::DKIM ('require' failed)
[12513] dbg: diag: module not installed: Encode::Detect ('require' failed)

I tried to install these on a CentOS 5.3 box and have had nothing but trouble trying to get them installed. Are they important? Should I continue my effort? I'm not even sure if you can as I think I have a newer version of OpenSSL that is not supported.

[12513] dbg: pyzor: local tests only, disabling Pyzor

Not sure why I'm getting this either. Not I have to enable something in order for Pyzor to work?

[12513] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm
[12513] dbg: plugin: FuzzyOcr=HASH(0xa8cc560) implements 'parse_config', priority 0
[12513] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA
[12513] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E
[12513] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05
[12513] dbg: rules: __SEEK_FRAUD_F_PU0Q merged duplicates: __SEEK_F_PU0Q
[12513] dbg: rules: __JM_REACTOR_DATE merged duplicates: __RATWARE_0_TZ_DATE
[12513] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01
[12513] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA
[12513] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE
[12513] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI
[12513] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A
[12513] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0
[12513] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6
[12513] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8
[12513] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7
[12513] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6
[12513] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E
[12513] dbg: rules: __SEEK_FRAUD_YM7Q1U merged duplicates: __SEEK_YM7Q1U
[12513] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40
[12513] dbg: rules: __SEEK_FRAUD_KBGNWU merged duplicates: __SEEK_KBGNWU
[12513] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI
[12513] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B
[12513] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND RCVD_IN_DSBL STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING
[12513] dbg: rules: FUZZY_OCR_CORRUPT_IMG merged duplicates: FUZZY_OCR_KNOWN_HASH FUZZY_OCR_WRONG_CTYPE
[12513] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E
[12513] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01
[12513] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8

This appears to be all the FuzzyOCR stuff. Not that I know what any of it means. I assume that it means it should be working, but what the heck do I know.

[12513] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually
[12513] dbg: dns: is DNS available? 0
[12513] dbg: rules: local tests only, ignoring RBL eval
[12513] dbg: spf: spf_whitelist_from: could not find useable envelope sender

Are any of these lines important?

Thanks

From mark at msapiro.net Mon Sep 7 20:31:01 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Sep 7 20:31:17 2009
Subject: Suggested change to http://www.mailscanner.info/files/4/KAM.cf.sh script
Message-ID: <20090907193101.GA14979@sbh16.songbird.com>

I note the script at http://www.mailscanner.info/files/4/KAM.cf.sh has been recently changed. The prior script contained

/usr/bin/wget -N -O KAM.cf http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

With my version of wget at least, the -N option was ineffective in preventing unnecessary retrieval of unchanged data because of the (unnecessary) -O KAM.cf option.

This has apparently been recognized as the script was changed to do

/usr/bin/wget -O KAM.cf http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

instead, but it also always downloads the file and reloads MailScanner.

I have changed the script somewhat differently, and with my changes, wget does not retrieve the file if it is unchanged, and only reloads MailScanner if it does change the file.

Attached is a patch KAM_cf_sh.patch to convert the current http://www.mailscanner.info/files/4/KAM.cf.sh script, and KAM_cf_sh is the converted script.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
--- KAM.cf.sh 2009-09-07 12:06:03.000000000 -0700 +++ .cron/KAM.cf.sh 2009-09-07 08:08:35.000000000 -0700
@@ -17,23 +17,34 @@ fi # JKF Fetch KAM.cf +reload=1 echo Fetching KAM.cf... cd /etc/mail/spamassassin -rm -f KAM.cf -/usr/bin/wget -O KAM.cf http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf +/usr/bin/wget -N http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf if [ "$?" = "0" ]; then - echo It completed and fetched something - if ( tail -10 KAM.cf | grep -q '^#.*EOF' ); then - echo It succeeded so make a backup - cp -f KAM.cf KAM.cf.backup + echo It completed OK + if [ KAM.cf -nt KAM.cf.backup ]; then + if ( tail -10 KAM.cf | grep -q '^#.*EOF' ); then + echo It succeeded so make a backup + cp -f KAM.cf KAM.cf.backup + else + echo ERROR: Could not find EOF marker + cp -f KAM.cf.backup KAM.cf + fi else - echo ERROR: Could not find EOF marker - cp -f KAM.cf.backup KAM.cf + echo Remote file not newer than local + reload=0 fi else echo It failed to complete properly cp -f KAM.cf.backup KAM.cf fi -echo Reloading MailScanner and SpamAssassin configuration rules -/etc/init.d/MailScanner reload +# Do this here based on switch rather than just putting it in the +# echo It succeeded so make a backup +# block on the remote chance that the file got corrupted and a child +# was started before we restored the backup. +if [ reload == 1 ] ; then + echo Reloading MailScanner and SpamAssassin configuration rules + /etc/init.d/MailScanner reload +fi -------------- next part -------------- #!/bin/bash # Insert a random delay up to this value, to spread virus updates round # the clock. 1800 seconds = 30 minutes. # Set this to 0 to disable it. UPDATEMAXDELAY=600 if [ -f /etc/sysconfig/MailScanner ] ; then . /etc/sysconfig/MailScanner fi export UPDATEMAXDELAY if [ "x$UPDATEMAXDELAY" = "x0" ]; then : else logger -p mail.info -t KAM.cf.sh Delaying cron job up to $UPDATEMAXDELAY seconds perl -e "sleep int(rand($UPDATEMAXDELAY));" fi # JKF Fetch KAM.cf reload=1 echo Fetching KAM.cf... 
cd /etc/mail/spamassassin /usr/bin/wget -N http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf if [ "$?" = "0" ]; then echo It completed OK if [ KAM.cf -nt KAM.cf.backup ]; then if ( tail -10 KAM.cf | grep -q '^#.*EOF' ); then echo It succeeded so make a backup cp -f KAM.cf KAM.cf.backup else echo ERROR: Could not find EOF marker cp -f KAM.cf.backup KAM.cf fi else echo Remote file not newer than local reload=0 fi else echo It failed to complete properly cp -f KAM.cf.backup KAM.cf fi # Do this here based on switch rather than just putting it in the # echo It succeeded so make a backup # block on the remote chance that the file got corrupted and a child # was started before we restored the backup. if [ reload == 1 ] ; then echo Reloading MailScanner and SpamAssassin configuration rules /etc/init.d/MailScanner reload fi From MailScanner at ecs.soton.ac.uk Tue Sep 8 09:24:46 2009 
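Review bot: the closing test `if [ reload == 1 ]` at the end of the hunk compares the literal word `reload` with `1`, so it is never true and MailScanner is never reloaded, even after a new KAM.cf has been installed; write it as `if [ "$reload" = "1" ]`. Both failure paths run `cp -f KAM.cf.backup KAM.cf`, which assumes a backup already exists: on a first run, a download without the EOF marker stays in /etc/mail/spamassassin, so delete it when there is no backup to restore. `wget -N` also writes straight into the live directory over plain http with the EOF marker as the only content check, which is the race the added comment describes; fetching into a staging directory and moving the file into place after validation would close it.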
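The update flow in Mark Sapiro's post above (check the download for the EOF marker, keep a backup, reload only when the file changed), as an added example that is not his script or the MailScanner project's: it validates a staged copy before installing it, so a bad download never sits in the live directory and a missing backup is harmless. The function names and the staging step are assumptions, and `=` stands in for the posted `==` so the block runs under plain sh.

```shell
#!/bin/sh
# Added example: staged update of a rules file. Function names and the staging
# approach are assumptions; the EOF-marker test is the one used on this page.

# True if one of the last 10 lines of FILE is a comment containing "EOF".
has_eof_marker() {
    [ -f "$1" ] && tail -n 10 "$1" | grep -q '^#.*EOF'
}

# install_rules CANDIDATE LIVE
# CANDIDATE was fetched into a staging directory, so an incomplete download is
# never visible in the live configuration directory.
# Prints installed, unchanged or rejected; returns 0 only if LIVE was replaced.
install_rules() {
    if ! has_eof_marker "$1"; then
        rm -f "$1"                          # discard the bad download; LIVE is untouched
        echo rejected
        return 2
    fi
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        echo unchanged
        return 1
    fi
    if [ -f "$2" ]; then
        cp -f "$2" "$2.backup" || return 2  # keep the last known-good copy
    fi
    # Copy next to LIVE, then rename: a rename within one directory is atomic,
    # so a scanner child never reads a half-written file.
    if cp -f "$1" "$2.new" && mv -f "$2.new" "$2"; then
        echo installed
        return 0
    fi
    echo rejected
    return 2
}

# The reload test as posted: it compares the literal word "reload" with "1",
# so it is false whatever value $reload holds.
reload_test_as_posted() {
    reload=1
    [ reload = 1 ]
}

# decide_reload CANDIDATE LIVE: prints reload or no-reload.
decide_reload() {
    reload=0
    if install_rules "$1" "$2" >/dev/null; then
        reload=1
    fi
    if [ "$reload" = "1" ]; then
        echo reload        # a cron script would run the service reload here
    else
        echo no-reload
    fi
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'score EXAMPLE_RULE 1.0\n# KAM.cf EOF\n' > "$d/complete"
    printf 'score EXAMPLE_RU' > "$d/truncated"
    echo "truncated download: $(decide_reload "$d/truncated" "$d/KAM.cf")"
    echo "first good download: $(decide_reload "$d/complete" "$d/KAM.cf")"
    rm -rf "$d"
}
demo
```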
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 8 09:25:08 2009
Subject: Suggested change to http://www.mailscanner.info/files/4/KAM.cf.sh script
In-Reply-To: <20090907193101.GA14979@sbh16.songbird.com>
References: <20090907193101.GA14979@sbh16.songbird.com> <4AA614CE.70507@ecs.soton.ac.uk>
Message-ID:

I basically like it. You've got 2 small problems

1) The "if [ reload ==1 ]; then" line should of course read "if [ "$reload" = "1" ]; then" (i.e. you mean "=" for comparing strings (though == does appear to work, it's not documented in test(1)), and you missed the "$" off the front of $reload which is rather more critical! :-)

2) What happens if the downloaded file is bad and you haven't already got a backup of it? I have solved that one by deleting the downloaded file in that case.

But otherwise, your code looks good. I have attached my new copy of the script. Please let me know what you think.

On 07/09/2009 20:31, Mark Sapiro wrote:
> I note the script at http://www.mailscanner.info/files/4/KAM.cf.sh has been recently changed. The prior script contained
>
> /usr/bin/wget -N -O KAM.cf http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>
> With my version of wget at least, the -N option was ineffective in preventing unnecessary retrieval of unchanged data because of the (unnecessary) -O KAM.cf option.
>
> This has apparently been recognized as the script was changed to do
>
> /usr/bin/wget -O KAM.cf http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>
> instead, but it also always downloads the file and reloads MailScanner.
>
> I have changed the script somewhat differently, and with my changes, wget does not retrieve the file if it is unchanged, and only reloads MailScanner if it does change the file.
>
> Attached is a patch KAM_cf_sh.patch to convert the current http://www.mailscanner.info/files/4/KAM.cf.sh script, and KAM_cf_sh is the converted script.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

-------------- next part --------------
A non-text attachment was scrubbed...
Name: KAM.cf.sh.zip
Type: application/zip
Size: 896 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/a9cd203a/KAM.cf.sh.zip

From Amelein at dantumadiel.eu Tue Sep 8 12:36:24 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Tue Sep 8 12:36:39 2009
Subject: Notice to ruleset not being read - MS 4.78.15-1
Message-ID: <4AA65DD80200008E00010DD3@10.1.0.206>

Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.

With MS 4.78.9-1 it gave me:
<%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax

after updating to 4.78.15-1 it gave me:
(expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"

I have(/had) it set up so each domain has a different postmaster.

The system is FC11 which is fully patched, made it live a few hours ago.

Any suggestions on what I could have messed up or if it's an actual problem with MS ?
-
Arjan

From maxsec at gmail.com Tue Sep 8 12:45:32 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 8 12:45:41 2009
Subject: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA65DD80200008E00010DD3@10.1.0.206>
References: <4AA65DD80200008E00010DD3@10.1.0.206>
Message-ID: <72cf361e0909080445r6dcd9ab2o6175acaf986cbfda@mail.gmail.com>

2009/9/8
> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>
> With MS 4.78.9-1 it gave me:
> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>
> after updating to 4.78.15-1 it gave me:
> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
>
> I have(/had) it set up so each domain has a different postmaster.
>
> The system is FC11 which is fully patched, made it live a few hours ago.
>
> Any suggestions on what I could have messed up or if it's an actual problem with MS ?
> -
> Arjan

Arjan, looks like you've got an @ in the rules path rather than a %.

--
Martin Hepworth
Oxford, UK

From Amelein at dantumadiel.eu Tue Sep 8 12:56:46 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Tue Sep 8 12:57:07 2009
Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <72cf361e0909080445r6dcd9ab2o6175acaf986cbfda@mail.gmail.com>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <72cf361e0909080445r6dcd9ab2o6175acaf986cbfda@mail.gmail.com>
Message-ID: <4AA6629E0200008E00010DD8@10.1.0.206>

>>> On 8-9-2009 at 13:45 Martin Hepworth wrote:
> 2009/9/8
> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>
> With MS 4.78.9-1 it gave me:
> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>
> after updating to 4.78.15-1 it gave me:
> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
>
> I have(/had) it set up so each domain has a different postmaster.
>
> The system is FC11 which is fully patched, made it live a few hours ago.
>
> Any suggestions on what I could have messed up or if it's an actual problem with MS ?
> -
> Arjan
>
> Arjan, looks like you've got an @ in the rules path rather than a %.
>
> --
> Martin Hepworth
> Oxford, UK

That's what postfix makes of it to get a 'valid' e-mail address.
the .conf has:
Notices To = %rules-dir%/notices.to.rules

-
Arjan

From Amelein at dantumadiel.eu Tue Sep 8 13:18:56 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Tue Sep 8 13:19:17 2009
Subject: Betr.: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA65DD80200008E00010DD3@10.1.0.206>
References: <4AA65DD80200008E00010DD3@10.1.0.206>
Message-ID: <4AA667D00200008E00010DDD@10.1.0.206>

>>> On 8-9-2009 at 13:36 wrote:
> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>
> With MS 4.78.9-1 it gave me:
> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>
> after updating to 4.78.15-1 it gave me:
> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
>
> I have(/had) it set up so each domain has a different postmaster.
>
> The system is FC11 which is fully patched, made it live a few hours ago.
>
> Any suggestions on what I could have messed up or if it's an actual problem with MS ?
> -
> Arjan

Looks like it's doing the same for the postmaster rules, it's putting the filename as sender e-mail address.

-
Arjan

From maxsec at gmail.com Tue Sep 8 13:36:25 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 8 13:36:33 2009
Subject: Betr.: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA667D00200008E00010DDD@10.1.0.206>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA667D00200008E00010DDD@10.1.0.206>
Message-ID: <72cf361e0909080536s5fd3b16ek6034ab2057abbbbf@mail.gmail.com>

2009/9/8
> >>> On 8-9-2009 at 13:36 wrote:
> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>
> With MS 4.78.9-1 it gave me:
> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>
> after updating to 4.78.15-1 it gave me:
> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
>
> I have(/had) it set up so each domain has a different postmaster.
>
> The system is FC11 which is fully patched, made it live a few hours ago.
>
> Any suggestions on what I could have messed up or if it's an actual problem with MS ?
> -
> Arjan
>
> Looks like it's doing the same for the postmaster rules, it's putting the filename as sender e-mail address.
>
> -
> Arjan

odd - what does "MailScanner --lint" run as the postfix user show?

--
Martin Hepworth
Oxford, UK

From Amelein at dantumadiel.eu Tue Sep 8 13:51:14 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Tue Sep 8 13:51:32 2009
Subject: Betr.: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <72cf361e0909080536s5fd3b16ek6034ab2057abbbbf@mail.gmail.com>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA667D00200008E00010DDD@10.1.0.206> <72cf361e0909080536s5fd3b16ek6034ab2057abbbbf@mail.gmail.com>
Message-ID: <4AA66F620200008E00010DF4@10.1.0.206>

>>> On 8-9-2009 at 14:36 Martin Hepworth wrote:
> 2009/9/8
> >>> On 8-9-2009 at 13:36 wrote:
> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>
> With MS 4.78.9-1 it gave me:
> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>
> after updating to 4.78.15-1 it gave me:
> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
>
> I have(/had) it set up so each domain has a different postmaster.
>
> The system is FC11 which is fully patched, made it live a few hours ago.
>
> Any suggestions on what I could have messed up or if it's an actual problem with MS ?
> -
> Arjan
>
> Looks like it's doing the same for the postmaster rules, it's putting the filename as sender e-mail address.
>
> -
> Arjan
>
> odd - what does "MailScanner --lint" run as the postfix user show?
>
> --
> Martin Hepworth
> Oxford, UK

No errors except a missing unrar command which I just fixed.

From theodrake.mailscanner at gmail.com Tue Sep 8 14:04:28 2009
From: theodrake.mailscanner at gmail.com (Ed Bruce)
Date: Tue Sep 8 14:04:39 2009
Subject: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA65DD80200008E00010DD3@10.1.0.206>
References: <4AA65DD80200008E00010DD3@10.1.0.206>
Message-ID: <4AA6565C.2060509@gmail.com>

Amelein@dantumadiel.eu wrote:
> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>
> With MS 4.78.9-1 it gave me:
> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>
> after updating to 4.78.15-1 it gave me:
> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"

Just adding a me too. I'm getting the following error now:

Final-Recipient: rfc822; /etc/mailscanner/rules/notices.to.rules@
Original-Recipient: rfc822; /etc/MailScanner/rules/notices.to.rules

From maxsec at gmail.com Tue Sep 8 14:09:07 2009
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 8 14:09:16 2009
Subject: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA6565C.2060509@gmail.com>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com>
Message-ID: <72cf361e0909080609w3c3e804ct76ae6bc35c05bd5f@mail.gmail.com>

Sounds like the reason we have betas and also one for Jules..

--
Martin Hepworth
Oxford, UK

2009/9/8 Ed Bruce
> Amelein@dantumadiel.eu wrote:
> > Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
> >
> > With MS 4.78.9-1 it gave me:
> > <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
> >
> > after updating to 4.78.15-1 it gave me:
> > (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
>
> Just adding a me too. I'm getting the following error now:
>
> Final-Recipient: rfc822; /etc/mailscanner/rules/notices.to.rules@ host name>
> Original-Recipient: rfc822; /etc/MailScanner/rules/notices.to.rules

From MailScanner at ecs.soton.ac.uk Tue Sep 8 14:16:29 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 8 14:16:54 2009
Subject: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA6565C.2060509@gmail.com>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk>
Message-ID:

On 08/09/2009 14:04, Ed Bruce wrote:
> Amelein@dantumadiel.eu wrote:
>> Instead of parsing the rule file for the notice to: setting, it tries to literally send e-mail to the filename.
>> With MS 4.78.9-1 it gave me:
>> <%rules-dir@/notices.to.rules> (expanded from <%rules-dir%/notices.to.rules>): bad address syntax
>> after updating to 4.78.15-1 it gave me:
>> (expanded from ): unknown user: /etc/mailscanner/rules/notices.to.rules"
> Just adding a me too. I'm getting the following error now:
>
> Final-Recipient: rfc822; /etc/mailscanner/rules/notices.to.rules@ email host name>
> Original-Recipient: rfc822; /etc/MailScanner/rules/notices.to.rules

I can't reproduce this :-(

I've tried 2 setups: this one...

[root@alegria MailScanner]# egrep '^Notices To|^include' /etc/MailScanner/MailScanner.conf /etc/MailScanner/conf.d/*
/etc/MailScanner/MailScanner.conf:Notices To = postmaster
/etc/MailScanner/MailScanner.conf:include /etc/MailScanner/conf.d/*
/etc/MailScanner/conf.d/notices.to:Notices To = %rules-dir%/notices.to.rules

[root@alegria MailScanner]# cat /etc/MailScanner/rules/notices.to.rules
To: jkf@ecs.soton.ac.uk postmaster-ecs@ecs.soton.ac.uk
To: jkf@soton.ac.uk postmaster-soton@ecs.soton.ac.uk
FromOrTo: default postmaster-default@ecs.soton.ac.uk

And the same thing but without the 'include' stuff at all.

And it works fine both times. The logs show it sending mail to the various defined postmaster addresses.

Just in case I've got a change you haven't got, attached is my /usr/lib/MailScanner/MailScanner/Config.pm (compressed). Please compare it against yours and let me know if there are any differences of note.

Can you try it using an "include" and not using an "include" and let me know if that makes any difference at all please? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: Config.pm.zip Type: application/zip Size: 25707 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/433b64bf/Config.pm.zip From richard at fastnet.co.uk Tue Sep 8 14:31:08 2009 From: richard at fastnet.co.uk (Richard Mealing) Date: Tue Sep 8 14:30:41 2009 Subject: FreeBSD Port - [Was image spam again :)] In-Reply-To: References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com><72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com><2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com><01DF9F55-296B-4924-9133-942FE328F3F2@trunknetworks.com> Message-ID: Hi Drew, I'd just like to say thank-you for putting this together. It's all live now and working a treat. Many thanks, Rich -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew Marshall Sent: 06 September 2009 10:54 To: MailScanner discussion Subject: Re: FreeBSD Port - [Was image spam again :)] So the original of this is too big for the list... <---Original---> On 6 Sep 2009, at 10:00, Drew Marshall wrote: > Well it's a bit earlier than expected but here you are. Just remove > the directory /usr/ports/mail/mailscanner/ and untar this one in > it's place. I have used this on my machines and it's working a treat > (It's the latest 'stable' beta with the SpamVirus code, which is > what I think was the one wanted ;-) Must stop replying to myself... Doh - small omission in the last file. Try this one instead. It will install the last extra file, which I only discovered once all my cron jobs had run properly :-( Sorry. Let me know if I have missed anything else. Drew <---Ends---> So download the new file from http://www.trunknetworks.com/downloads/mailscanner.tgz -- In line with our policy, this message has been scanned for viruses and dangerous content. Our email policy can be found at www.trunknetworks.com/policy Trunk Networks Limited is registered in Scotland with registration number: SC351063 Registered Office 55-57 West High Street Inverurie AB51 3QQ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Amelein at dantumadiel.eu Tue Sep 8 14:46:21 2009 
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu) Date: Tue Sep 8 14:46:39 2009 Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1 In-Reply-To: References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk> Message-ID: <4AA67C4D0200008E00010DFE@10.1.0.206> >>> Op 8-9-2009 om 15:16 is door Julian Field geschreven: > I can't reproduce this :-( > > I've tried 2 setups: this one... > > [root@alegria MailScanner]# egrep '^Notices To|^include' > /etc/MailScanner/MailScanner.conf /etc/MailScanner/conf.d/* > /etc/MailScanner/MailScanner.conf:Notices To = postmaster > /etc/MailScanner/MailScanner.conf:include /etc/MailScanner/conf.d/* > /etc/MailScanner/conf.d/notices.to:Notices To = %rules-dir%/notices.to.rules > > [root@alegria MailScanner]# cat /etc/MailScanner/rules/notices.to.rules > To: jkf@ecs.soton.ac.uk postmaster-ecs@ecs.soton.ac.uk > To: jkf@soton.ac.uk postmaster-soton@ecs.soton.ac.uk > FromOrTo: default postmaster-default@ecs.soton.ac.uk > > And the same thing but without the 'include' stuff at all. > > And it works fine both times. The logs show it sending mail to the > various defined postmaster addresses. > > Just in case I've got a change you haven't got, attached is my > /usr/lib/MailScanner/MailScanner/Config.pm (compressed). Please compare > it against yours and let me know if there are any differences of note. > > Can you try it using an "include" and not using an "include" and let me > know if that makes any difference at all please? > > Jules Nothing different but the version: # diff /usr/lib/MailScanner/MailScanner/Config.pm Config.pm 5c5 < # $Id: Config.pm 4913 2009-08-28 01:24:15Z sysjkf $ --- > # $Id: Config.pm 4908 2009-08-27 04:51:32Z sysjkf $ 43c43 < $VERSION = substr q$Revision: 4913 $, 10; --- > $VERSION = substr q$Revision: 4908 $, 10; I added the file in the conf.d and it loaded but I need to figure out a way to make it actually trigger a notice .. 
- Arjan

From jethro.binks at strath.ac.uk Tue Sep 8 14:50:14 2009
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue Sep 8 14:50:26 2009
Subject: FreeBSD Port - [Was image spam again :)]
In-Reply-To:
References: <768671.54354.qm@web33302.mail.mud.yahoo.com><72cf361e0908270120t264b45c6mcd2ac8d7a5330f00@mail.gmail.com><4AA0F2F8.6020709@elasticmind.net><72cf361e0909040424qfb4193en4280bb6191d3a622@mail.gmail.com><72cf361e0909040518q182ca84ehf34a4f18981883eb@mail.gmail.com><72cf361e0909040556k4d9940acmc6857a19c450511f@mail.gmail.com><2DD0E1AC-71AF-42CA-983C-A0C7D8C144A0@trunknetworks.com><01DF9F55-296B-4924-9133-942FE328F3F2@trunknetworks.com>
Message-ID:

On Tue, 8 Sep 2009, Richard Mealing wrote:
> I'd just like to say thank-you for putting this together. It's all live now and working a treat.

I concur. I had a go with this as well last night, and it seems to be fine so far.

I did make one change; I did not like to overwrite the standard ports distribution as I automatically update it nightly, so I extracted it in /usr/ports/local/mailscanner-devel, and added the following lines near the top of the Makefile:

CATEGORIES= local
VALID_CATEGORIES+= ${CATEGORIES}
PKGNAMESUFFIX= -devel

Then I might have done something like:

portupgrade -o local/mailscanner-devel MailScanner-4.75.11

(can't remember now!). The above worked for me, although more voodoo may be required in some cases, there is an interesting thread here:

http://lists.freebsd.org/pipermail/freebsd-ports/2007-April/040363.html

Thanks,

Jethro.

>
> Many thanks,
> Rich
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew > Marshall > Sent: 06 September 2009 10:54 > To: MailScanner discussion > Subject: Re: FreeBSD Port - [Was image spam again :)] > > So the original of this is too big for the list... > > <---Original---> > On 6 Sep 2009, at 10:00, Drew Marshall wrote: > > > Well it's a bit earlier than expected but here you are. Just remove > > the directory /usr/ports/mail/mailscanner/ and untar this one in > > it's place. I have used this on my machines and it's working a treat > > (It's the latest 'stable' beta with the SpamVirus code, which is > > what I think was the one wanted ;-) > > Must stop replying to myself... > > Doh - small omission in the last file. Try this one instead. It will > install the last extra file, which I only discovered once all my cron > jobs had run properly :-( > > Sorry. Let me know if I have missed anything else. > > Drew > > <---Ends---> > > So download the new file from > http://www.trunknetworks.com/downloads/mailscanner.tgz > > -- > In line with our policy, this message has been scanned for viruses and > dangerous content. > Our email policy can be found at www.trunknetworks.com/policy > > Trunk Networks Limited is registered in Scotland with registration > number: SC351063 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
Jethro R Binks Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK From MailScanner at ecs.soton.ac.uk Tue Sep 8 15:06:09 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 8 15:06:30 2009 Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1 In-Reply-To: <4AA67C4D0200008E00010DFE@10.1.0.206> References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk> <4AA67C4D0200008E00010DFE@10.1.0.206> <4AA664D1.9080608@ecs.soton.ac.uk> Message-ID: On 08/09/2009 14:46, Amelein@dantumadiel.eu wrote: >>>> Op 8-9-2009 om 15:16 is door Julian Field >>>> > geschreven: > > >> I can't reproduce this :-( >> >> I've tried 2 setups: this one... >> >> [root@alegria MailScanner]# egrep '^Notices To|^include' >> /etc/MailScanner/MailScanner.conf /etc/MailScanner/conf.d/* >> /etc/MailScanner/MailScanner.conf:Notices To = postmaster >> /etc/MailScanner/MailScanner.conf:include /etc/MailScanner/conf.d/* >> /etc/MailScanner/conf.d/notices.to:Notices To = %rules-dir%/notices.to.rules >> >> [root@alegria MailScanner]# cat /etc/MailScanner/rules/notices.to.rules >> To: jkf@ecs.soton.ac.uk postmaster-ecs@ecs.soton.ac.uk >> To: jkf@soton.ac.uk postmaster-soton@ecs.soton.ac.uk >> FromOrTo: default postmaster-default@ecs.soton.ac.uk >> >> And the same thing but without the 'include' stuff at all. >> >> And it works fine both times. The logs show it sending mail to the >> various defined postmaster addresses. >> >> Just in case I've got a change you haven't got, attached is my >> /usr/lib/MailScanner/MailScanner/Config.pm (compressed). Please compare >> it against yours and let me know if there are any differences of note. >> >> Can you try it using an "include" and not using an "include" and let me >> know if that makes any difference at all please? 
>> >> Jules >> > Nothing different but the version: > > # diff /usr/lib/MailScanner/MailScanner/Config.pm Config.pm > 5c5 > < # $Id: Config.pm 4913 2009-08-28 01:24:15Z sysjkf $ > --- > >> # $Id: Config.pm 4908 2009-08-27 04:51:32Z sysjkf $ >> > 43c43 > < $VERSION = substr q$Revision: 4913 $, 10; > --- > >> $VERSION = substr q$Revision: 4908 $, 10; >> > > I added the file in the conf.d and it loaded but I need to figure out a way to make it actually trigger a notice .. > Send yourself copies of EICAR should do it nicely. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Amelein at dantumadiel.eu Tue Sep 8 15:06:52 2009 
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu) Date: Tue Sep 8 15:07:09 2009 Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1 In-Reply-To: <4AA67C4D0200008E00010DFE@10.1.0.206> References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk> <4AA67C4D0200008E00010DFE@10.1.0.206> Message-ID: <4AA6811C0200008E00010E0C@10.1.0.206> Just got another mail which it tried to send to filename@fqdn the contents of the message is: -- Archive: Number of messages: 1 Tries Message Last Tried ===== ======= ========== 6 5210725B3.AC562 Tue Sep 8 12:15:58 2009 -- MailScanner -- If I remember correctly this message triggered a crash loop protection earlier because of a configuration error I hadn't discovered till putting the server into the actual e-mail stream, I had forgotten to update the language conf and it was looking for something which wasn't in there. - Arjan -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/2f116be2/attachment.html From MailScanner at ecs.soton.ac.uk Tue Sep 8 15:24:03 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 8 15:24:27 2009
Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA6811C0200008E00010E0C@10.1.0.206>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk> <4AA67C4D0200008E00010DFE@10.1.0.206> <4AA6811C0200008E00010E0C@10.1.0.206> <4AA66903.4000600@ecs.soton.ac.uk>
Message-ID:

That is not from MailScanner itself, but from the hourly cron job which calls /usr/sbin/processing_messages_alert. You are quite correct that this script is incapable of handling rulesets.
I'm not overly convinced that is worth fixing as it's quite a lot of work for a tiny gain.
The easy thing would be to just default to the "localpostmaster" setting if it finds a ruleset. That would probably be better than the current situation.

Try the attached (compressed) script instead of /usr/sbin/processing_messages_alert.
Remember to make it executable! ("chmod +x /usr/sbin/processing_messages_alert").

On 08/09/2009 15:06, Amelein@dantumadiel.eu wrote:
> Just got another mail which it tried to send to filename@fqdn
>
> the contents of the message is:
> --
> Archive:
> Number of messages: 1
> Tries Message Last Tried
> ===== ======= ==========
> 6 5210725B3.AC562 Tue Sep 8 12:15:58 2009
> --
> MailScanner
> --
> If I remember correctly this message triggered a crash loop
> protection earlier because of a configuration error I hadn't
> discovered till putting the server into the actual e-mail stream, I
> had forgotten to update the language conf and it was looking for
> something which wasn't in there.
> -
> Arjan

Jules

-------------- next part --------------
A non-text attachment was scrubbed...
Name: processing_messages_alert.zip
Type: application/zip
Size: 736 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/a75ce84d/processing_messages_alert.zip

From Amelein at dantumadiel.eu Tue Sep 8 15:46:40 2009
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu)
Date: Tue Sep 8 15:47:01 2009
Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To:
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk> <4AA67C4D0200008E00010DFE@10.1.0.206> <4AA6811C0200008E00010E0C@10.1.0.206> <4AA66903.4000600@ecs.soton.ac.uk>
Message-ID: <4AA68A700200008E00010E19@10.1.0.206>

>>> On 8-9-2009 at 16:24, Julian Field wrote:
That is not from MailScanner itself, but from the hourly cron job which calls /usr/sbin/processing_messages_alert. You are quite correct that this script is incapable of handling rulesets.
I'm not overly convinced that is worth fixing as it's quite a lot of work for a tiny gain.
The easy thing would be to just default to the "localpostmaster" setting if it finds a ruleset. That would probably be better than the current situation.

Try the attached (compressed) script instead of /usr/sbin/processing_messages_alert.
Remember to make it executable! ("chmod +x /usr/sbin/processing_messages_alert").

On 08/09/2009 15:06, Amelein@dantumadiel.eu wrote:
> Just got another mail which it tried to send to filename@fqdn
>
> the contents of the message is:
> --
> Archive:
> Number of messages: 1
> Tries Message Last Tried
> ===== ======= ==========
> 6 5210725B3.AC562 Tue Sep 8 12:15:58 2009
> --
> MailScanner
> --
> If I remember correctly this message triggered a crash loop
> protection earlier because of a configuration error I hadn't
> discovered till putting the server into the actual e-mail stream, I
> had forgotten to update the language conf and it was looking for
> something which wasn't in there.
> -
> Arjan

Jules

No go on that, same mails .. so I just hardcoded the e-mail addresses in the file to be done with it.
That just leaves the question on when it will stop reporting that problem mail :-)

-
Arjan

From mark at msapiro.net Tue Sep 8 16:14:34 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Sep 8 16:14:54 2009
Subject: Suggested change to http://www.mailscanner.info/files/4/KAM.cf.sh script
In-Reply-To:
Message-ID:

Julian Field wrote!
>
>I basically like it. You've got 2 small problems
>1) The "if [ reload ==1 ]; then" line should of course read "if [
>"$reload" = "1" ]; then"
>(i.e. you mean "=" for comparing strings (though == does appear to work,
>it's not documented in test(1)), and you missed the "$" off the front of
>$reload which is rather more critical! :-)

Ouch! Obviously a case of sloppy coding plus inadequate testing (only testing the case where it was intended not to reload).

>2) What happens if the downloaded file is bad and you haven't already
>got a backup of it?
>I have solved that one by deleting the downloaded file in that case.

Again, this is clearly more robust than mine, but what about the case where wget fails and there is no backup? Consider
@@ -51,7 +51,14 @@ fi else echo It failed to complete properly - cp -f KAM.cf.backup KAM.cf + if [ -r KAM.cf.backup ]; then + cp -f KAM.cf.backup KAM.cf + else + # No backup file present, so delete file if any + echo ERROR: wget of KAM.cf failed and no backup + rm -f KAM.cf + reload=0 + fi fi # Reload MailScanner only if we need to. (patched file attached) -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- A non-text attachment was scrubbed... Name: KAM.cf.sh.zip Type: application/x-zip-compressed Size: 914 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/9fb269b2/KAM.cf.sh.bin From theodrake.mailscanner at gmail.com Tue Sep 8 16:14:44 2009 
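Review bot: In the restore branch (the new "if [ -r KAM.cf.backup ]; then"), the result of "cp -f KAM.cf.backup KAM.cf" is not checked and reload keeps whatever value it had before this block, so a failed copy leaves the download that just failed in place and can still be followed by a reload. Suggest handling a failed copy the same way as the no-backup case, for example "cp -f KAM.cf.backup KAM.cf || { rm -f KAM.cf; reload=0; }". Two smaller points on the same lines: "-r" only shows that the backup is readable, so "-s" would also guard against restoring a zero-length file, and the new "echo ERROR: ..." line is better sent to stderr (">&2") so it stands out from the routine output when the script runs from cron.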
From: theodrake.mailscanner at gmail.com (Ed Bruce)
Date: Tue Sep 8 16:15:05 2009
Subject: Betr.: Re: Notice to ruleset not being read - MS 4.78.15-1
In-Reply-To: <4AA68A700200008E00010E19@10.1.0.206>
References: <4AA65DD80200008E00010DD3@10.1.0.206> <4AA6565C.2060509@gmail.com> <4AA6592D.5010408@ecs.soton.ac.uk> <4AA67C4D0200008E00010DFE@10.1.0.206> <4AA6811C0200008E00010E0C@10.1.0.206> <4AA66903.4000600@ecs.soton.ac.uk> <4AA68A700200008E00010E19@10.1.0.206>
Message-ID: <4AA674E4.7030201@gmail.com>

Amelein@dantumadiel.eu wrote:
> >>> On 8-9-2009 at 16:24, Julian Field wrote:
> That is not from MailScanner itself, but from the hourly cron job which
> calls /usr/sbin/processing_messages_alert. You are quite correct that
> this script is incapable of handling rulesets.
> I'm not overly convinced that is worth fixing as it's quite a lot of
> work for a tiny gain.
> The easy thing would be to just default to the "localpostmaster" setting
> if it finds a ruleset. That would probably be better than the current
> situation.
>
> Try the attached (compressed) script instead of
> /usr/sbin/processing_messages_alert.
> Remember to make it executable! ("chmod +x
> /usr/sbin/processing_messages_alert").
>
> On 08/09/2009 15:06, Amelein@dantumadiel.eu wrote:
> > Just got another mail which it tried to send to filename@fqdn
> >
> > the contents of the message is:
> > --
> > Archive:
> > Number of messages: 1
> > Tries Message Last Tried
> > ===== ======= ==========
> > 6 5210725B3.AC562 Tue Sep 8 12:15:58 2009
> > --
> > MailScanner
> > --
> > If I remember correctly this message triggered a crash loop
> > protection earlier because of a configuration error I hadn't
> > discovered till putting the server into the actual e-mail stream, I
> > had forgotten to update the language conf and it was looking for
> > something which wasn't in there.
> > -
> > Arjan
>
> Jules
>
> No go on that, same mails .. so I just hardcoded the e-mail addresses
> in the file to be done with it.
> That just leaves the question on when it will stop reporting that
> problem mail :-)
>
> -
> Arjan

It appears to have worked for me. I no longer get the bounced email.

From MailScanner at ecs.soton.ac.uk Tue Sep 8 16:42:42 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Sep 8 16:43:05 2009 Subject: Suggested change to http://www.mailscanner.info/files/4/KAM.cf.sh script In-Reply-To: References: <4AA67B72.4050906@ecs.soton.ac.uk> Message-ID: On 08/09/2009 16:14, Mark Sapiro wrote: > Julian Field wrote! > >> I basically like it. You've got 2 small problems >> 1) The "if [ reload ==1 ]; then" line should of course read "if [ >> "$reload" = "1" ]; then" >> (i.e. you mean "=" for comparing strings (though == does appear to work, >> it's not documented in test(1)), and you missed the "$" off the front of >> $reload which is rather more critical! :-) >> > > Ouch! Obviously a case of sloppy coding plus inadequate testing (only > testing the case where it was intended not to reload. > > > >> 2) What happens if the downloaded file is bad and you haven't already >> got a backup of it? >> I have solved that one by deleting the downloaded file in that case. >> > > Again, this is clearly more robust than mine, but what about the case > where wget fails and there is no backup? Consider 
> > @@ -51,7 +51,14 @@ > fi > else > echo It failed to complete properly > - cp -f KAM.cf.backup KAM.cf > + if [ -r KAM.cf.backup ]; then > + cp -f KAM.cf.backup KAM.cf > + else > + # No backup file present, so delete file if any > + echo ERROR: wget of KAM.cf failed and no backup > + rm -f KAM.cf > + reload=0 > + fi > fi > > # Reload MailScanner only if we need to. > > (patched file attached) > I added another line of output to it in the case where the backup restore succeeds, but otherwise mine is now basically the same as yours. Thanks! Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mark at msapiro.net Tue Sep 8 16:59:12 2009 From: mark at msapiro.net (Mark Sapiro) Date: Tue Sep 8 16:59:25 2009 Subject: Suggested change to http://www.mailscanner.info/files/4/KAM.cf.sh script In-Reply-To: Message-ID: Julian Field wrote: >> >I added another line of output to it in the case where the backup >restore succeeds, but otherwise mine is now basically the same as yours. > >Thanks! It looks good to me. Thank you. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mrm at medicine.wisc.edu Tue Sep 8 21:14:23 2009 
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Sep 8 21:14:57 2009
Subject: Cannot disable RBL checks?????
Message-ID: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu>

I'm trying to move RBL checks to the MTA level, but I can't seem to get MailScanner/spamassassin to stop checking RBL's.

In MailScanner.conf I've removed the entries from "spam list = "

In spam.assassin.prefs.conf I've uncommented the "skip_rbl_checks 1" line

I've restarted MailScanner

and I'm still getting tons of email being tagged by either MailScanner or spamassassin with a bunch of BL_SPAMCOP_NET and all sorts of URIBL hits. The scores being assigned are different than anything in any MailScanner or Spamassassin config files that I can find.

Here's a sample log line:

Sep 8 15:06:34 mailgate1 MailScanner[2938]: Message n88JvaY4001810 from 189.65.225.20 (massimiliano.parri@accenture.com) to my.domain.com is spam, SpamAssassin (cached, score=34.134, required 5, autolearn=spam, BAYES_99 3.50, BOTNET 5.00, DCC_CHECK 2.17, HELO_EQ_JP 1.24, HOST_MISMATCH_COM 0.31, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_1 0.00, MIME_HTML_ONLY 1.46, RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_SORBS_WEB 0.62, RCVD_IN_XBL 3.03, RDNS_DYNAMIC 0.10, SARE_HTML_A_BODY 0.74, SARE_HTML_IMG_ONLY 1.67, URIBL_AB_SURBL 1.86, URIBL_BLACK 1.96, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SBL 1.50, URIBL_SC_SURBL 0.47, URIBL_WS_SURBL 1.50)

I've tried grepping the system for matches, but cannot find anything. Where else do I need to tell MailScanner or Spamassassin to stop doing RBL checks?

From alex at rtpty.com Tue Sep 8 21:24:31 2009
From: alex at rtpty.com (Alex Neuman) Date: Tue Sep 8 21:24:44 2009 Subject: Cannot disable RBL checks????? In-Reply-To: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu> References: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu> Message-ID: <4966F5F9-35DB-4686-BCEA-1B43684EC796@rtpty.com> You didn't mention what method you used to have MailScanner restart in order to "pick up" the new settings. On Sep 8, 2009, at 3:14 PM, Michael Masse wrote: > I've tried grepping the system for matches, but cannot find > anything. Where else do I need to tell MailScanner or > Spamassassin to stop doing RBL checks? From mrm at medicine.wisc.edu Tue Sep 8 21:52:53 2009 From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Sep 8 21:53:22 2009 Subject: Cannot disable RBL checks????? In-Reply-To: <4966F5F9-35DB-4686-BCEA-1B43684EC796@rtpty.com> References: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu> <4966F5F9-35DB-4686-BCEA-1B43684EC796@rtpty.com> Message-ID: <4AA67DD6.7CBE.00FC.3@medicine.wisc.edu> service MailScanner restart >>> On 9/8/2009 at 3:24 PM, in message <4966F5F9-35DB-4686-BCEA-1B43684EC796@rtpty.com>, Alex Neuman wrote: > You didn't mention what method you used to have MailScanner restart in > order to "pick up" the new settings. > > On Sep 8, 2009, at 3:14 PM, Michael Masse wrote: > >> I've tried grepping the system for matches, but cannot find >> anything. Where else do I need to tell MailScanner or >> Spamassassin to stop doing RBL checks? From alex at rtpty.com Tue Sep 8 22:00:43 2009 
From: alex at rtpty.com (Alex Neuman) Date: Tue Sep 8 22:00:57 2009 Subject: Cannot disable RBL checks????? In-Reply-To: <4AA67DD6.7CBE.00FC.3@medicine.wisc.edu> References: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu> <4966F5F9-35DB-4686-BCEA-1B43684EC796@rtpty.com> <4AA67DD6.7CBE.00FC.3@medicine.wisc.edu> Message-ID: <519A4102-7112-473C-A91B-1E8B8CE559A6@rtpty.com> Good. At least we know you're doing it the right way! :D On Sep 8, 2009, at 3:52 PM, Michael Masse wrote: > service MailScanner restart > >>>> On 9/8/2009 at 3:24 PM, in message > <4966F5F9-35DB-4686-BCEA-1B43684EC796@rtpty.com>, Alex Neuman > > wrote: >> You didn't mention what method you used to have MailScanner restart >> in >> order to "pick up" the new settings. >> >> On Sep 8, 2009, at 3:14 PM, Michael Masse wrote: >> >>> I've tried grepping the system for matches, but cannot find >>> anything. Where else do I need to tell MailScanner or >>> Spamassassin to stop doing RBL checks? From ssilva at sgvwater.com Tue Sep 8 22:22:12 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 8 22:22:44 2009
Subject: Cannot disable RBL checks?????
In-Reply-To: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu>
References: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu>
Message-ID:

on 9-8-2009 1:14 PM Michael Masse spake the following:
> I'm trying to move RBL checks to the MTA level, but I can't seem to get MailScanner/spamassassin to stop checking RBL's.
>
> In MailScanner.conf I've removed the entries from "spam list = "
>
> In spam.assassin.prefs.conf I've uncommented the "skip_rbl_checks 1" line
>
> I've restarted MailScanner
>
> and I'm still getting tons of email being tagged by either MailScanner or spamassassin with a bunch of BL_SPAMCOP_NET and all sorts of URIBL hits. The scores being assigned are different than anything in any MailScanner or Spamassassin config files that I can find.
>
> Here's a sample log line:
>
> Sep 8 15:06:34 mailgate1 MailScanner[2938]: Message n88JvaY4001810 from 189.65.225.20 (massimiliano.parri@accenture.com) to my.domain.com is spam, SpamAssassin (cached, score=34.134, required 5, autolearn=spam, BAYES_99 3.50, BOTNET 5.00, DCC_CHECK 2.17, HELO_EQ_JP 1.24, HOST_MISMATCH_COM 0.31, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_1 0.00, MIME_HTML_ONLY 1.46, RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_SORBS_WEB 0.62, RCVD_IN_XBL 3.03, RDNS_DYNAMIC 0.10, SARE_HTML_A_BODY 0.74, SARE_HTML_IMG_ONLY 1.67, URIBL_AB_SURBL 1.86, URIBL_BLACK 1.96, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SBL 1.50, URIBL_SC_SURBL 0.47, URIBL_WS_SURBL 1.50)
>
> I've tried grepping the system for matches, but cannot find anything. Where else do I need to tell MailScanner or Spamassassin to stop doing RBL checks?
>

In your spam.assassin.prefs.conf file, you add a score =0 line for the ones you don't want to check.

Example;

score RCVD_IN_BL_SPAMCOP_NET 0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/33b99e6e/signature.bin From lists at tippingmar.com Wed Sep 9 00:34:05 2009 From: lists at tippingmar.com (Mark Nienberg) Date: Wed Sep 9 00:34:25 2009 Subject: minor logging problem Message-ID: <4AA6E9ED.1000106@tippingmar.com> I think there is a little logging problem related to phishing fraud in v 4.76.25. I think the logger is misinterpreting a character in the URI as a newline or something. I wish I had the original message to show, but maybe it is obvious from the following entries: Sep 8 13:06:57 tesla MailScanner[6401]: Found phishing fraud from http://70.85.141.146/banmanpro/ad.aspx?Task=Click&ZoneID=0&CampaignID= Sep 8 13:06:57 tesla MailScanner[6401]: 4995&AdvertiserID=432&BannerID=2629&SiteID=1&RandomNumber=1091273949&Keyword Sep 8 13:06:57 tesla MailScanner[6401]: s= claiming to be in n88K6TsG006372 Sep 8 13:06:57 tesla MailScanner[6401]: Found phishing fraud from http://70.85.141.146/banmanpro/ad.aspx?Task=Click&ZoneID=0&CampaignID= Sep 8 13:06:57 tesla MailScanner[6401]: 4996&AdvertiserID=202&BannerID=2596&SiteID=1&RandomNumber=1452882870&Keyword Sep 8 13:06:57 tesla MailScanner[6401]: s= claiming to be in n88K6TsG006372 Sep 8 13:06:57 tesla MailScanner[6401]: Found phishing fraud from http://through-the-interface.typepad.com/through_the_interface/2009/09/creating-and-overriding-autocad-dimension-styles-using-net.html claiming to be www.creatingandoverridingautocaddimensionstylesusing.net in n88K6TsG006372 Sep 8 13:06:57 tesla MailScanner[5222]: Content Checks: Detected and have disarmed phishing tags in HTML message in n88K6TsG006372 from bounce-tenlinksdaily2-62307@list.tenlinks.com Mark Nienberg From jvoorhees1 at gmail.com Wed Sep 9 03:07:31 2009 
From: jvoorhees1 at gmail.com (Jose Perez) Date: Wed Sep 9 03:07:39 2009 Subject: Is this possible? Maybe feature request Message-ID: Hi all: I'm using MailScanner 4.77.10 with HTML signatures configured working fine with these directives: Sign Clean Messages = %rules-dir%/sign.clean.messages.rules Attach Image To Signature = yes Inline HTML Signature = %rules-dir%/sig.html.rules Signature Image Filename = %report-dir%/signature.jpg Signature Image Filename = signature.jpg My html signature contains some code as follow: Signature This works terrific! But I would like to insert more than an image in my html code. I tried to insert more directives but only the one that contains signature.jpg file is shown correctly. Is it possible to insert multiple image files and being recognized correctly by MailScanner? If not .. Could this be added as a future feature in MailScanner? Thanks, good bye -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090908/b14596f4/attachment.html From maxsec at gmail.com Wed Sep 9 08:25:08 2009 
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Sep 9 08:25:17 2009
Subject: Cannot disable RBL checks?????
In-Reply-To:
References: <4AA674D0.7CBE.00FC.3@medicine.wisc.edu>
Message-ID: <72cf361e0909090025se04e9a8jc3e07b1aaecd261a@mail.gmail.com>

2009/9/8 Scott Silva

> on 9-8-2009 1:14 PM Michael Masse spake the following:
> > I'm trying to move RBL checks to the MTA level, but I can't seem to get
> MailScanner/spamassassin to stop checking RBL's.
> >
> > In MailScanner.conf I've removed the entries from "spam list = "
> >
> > In spam.assassin.prefs.conf I've uncommented the "skip_rbl_checks 1"
> line
> >
> > I've restarted MailScanner
> >
> > and I'm still getting tons of email being tagged by either MailScanner or
> spamassassin with a bunch of BL_SPAMCOP_NET and all sorts of URIBL hits.
> The scores being assigned are different than anything in any MailScanner or
> Spamassassin config files that I can find.
> >
> > Here's a sample log line:
> >
> > Sep 8 15:06:34 mailgate1 MailScanner[2938]: Message n88JvaY4001810 from
> 189.65.225.20 (massimiliano.parri@accenture.com) to my.domain.com is
> spam, SpamAssassin (cached, score=34.134, required 5, autolearn=spam,
> BAYES_99 3.50, BOTNET 5.00, DCC_CHECK 2.17, HELO_EQ_JP 1.24,
> HOST_MISMATCH_COM 0.31, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00,
> HTML_SHORT_LINK_IMG_1 0.00, MIME_HTML_ONLY 1.46, RCVD_IN_BL_SPAMCOP_NET
> 1.96, RCVD_IN_SORBS_WEB 0.62, RCVD_IN_XBL 3.03, RDNS_DYNAMIC 0.10,
> SARE_HTML_A_BODY 0.74, SARE_HTML_IMG_ONLY 1.67, URIBL_AB_SURBL 1.86,
> URIBL_BLACK 1.96, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SBL 1.50,
> URIBL_SC_SURBL 0.47, URIBL_WS_SURBL 1.50)
> >
> > I've tried grepping the system for matches, but cannot find anything.
> Where else do I need to tell MailScanner or Spamassassin to stop doing RBL
> checks?
> >
> In your spam.assassin.prefs.conf file, you add a score =0 line for the ones
> you don't want to check.
>
> Example;
>
> score RCVD_IN_BL_SPAMCOP_NET 0
>

You'll see all these in the 20_dnsbl_tests.cf file in the /var/lib/spamassassin//updates_spamassassin_org directory.

The URI RBLs test within the message body and are very useful at getting stuff that other tests don't trap, like image links and redirects. I'd leave them in.

--
Martin Hepworth
Oxford, UK

From MailScanner at ecs.soton.ac.uk Wed Sep 9 09:07:15 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 9 09:07:35 2009
Subject: minor logging problem
In-Reply-To: <4AA6E9ED.1000106@tippingmar.com>
References: <4AA6E9ED.1000106@tippingmar.com> <4AA76233.6000503@ecs.soton.ac.uk>
Message-ID:

Sorry, cannot start trying to fix that one without the original message, or a message which produces the same symptoms.

Jules.

On 09/09/2009 00:34, Mark Nienberg wrote:
> I think there is a little logging problem related to phishing fraud
> in v 4.76.25. I think the logger is misinterpreting a character in
> the URI as a newline or something. I wish I had the original message
> to show, but maybe it is obvious from the following entries:
>
> Sep 8 13:06:57 tesla MailScanner[6401]: Found phishing fraud from http://70.85.141.146/banmanpro/ad.aspx?Task=Click&ZoneID=0&CampaignID=
>
> Sep 8 13:06:57 tesla MailScanner[6401]: 4995&AdvertiserID=432&BannerID=2629&SiteID=1&RandomNumber=1091273949&Keyword
>
> Sep 8 13:06:57 tesla MailScanner[6401]: s= claiming to be in n88K6TsG006372
>
> Sep 8 13:06:57 tesla MailScanner[6401]: Found phishing fraud from http://70.85.141.146/banmanpro/ad.aspx?Task=Click&ZoneID=0&CampaignID=
>
> Sep 8 13:06:57 tesla MailScanner[6401]: 4996&AdvertiserID=202&BannerID=2596&SiteID=1&RandomNumber=1452882870&Keyword
>
> Sep 8 13:06:57 tesla MailScanner[6401]: s= claiming to be in n88K6TsG006372
>
> Sep 8 13:06:57 tesla MailScanner[6401]: Found phishing fraud from http://through-the-interface.typepad.com/through_the_interface/2009/09/creating-and-overriding-autocad-dimension-styles-using-net.html claiming to be www.creatingandoverridingautocaddimensionstylesusing.net in n88K6TsG006372
>
> Sep 8 13:06:57 tesla MailScanner[5222]: Content Checks: Detected and have disarmed phishing tags in HTML message in n88K6TsG006372 from bounce-tenlinksdaily2-62307@list.tenlinks.com
>
> Mark Nienberg

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From john at tradoc.fr Wed Sep 9 09:42:39 2009
From: john at tradoc.fr (John Wilcock)
Date: Wed Sep 9 09:42:50 2009
Subject: minor logging problem
In-Reply-To:
References: <4AA6E9ED.1000106@tippingmar.com> <4AA76233.6000503@ecs.soton.ac.uk>
Message-ID: <4AA76A7F.9040009@tradoc.fr>

On 09/09/2009 10:07, Julian Field wrote:
> Sorry, cannot start trying to fix that one without the original message,
> or a message which produces the same symptoms.

I've been seeing similar split log lines for several months (and several MS versions) but not had time to report it. It tends to occur in messages with lots of phishing URLs; most are logged properly but one or two otherwise identical URLs get split in logging, as follows:

> Sep 8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9UX0QGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep 8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VVkQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep 8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VV0QGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep 8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/ne!
> Sep 8 08:57:09 ex0 MailScanner[2579]: wsletter
> Sep 8 08:57:09 ex0 MailScanner[2579]: /lt.php?id=LkpUWwpRAw9VVEQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep 8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VVUQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5
> Sep 8 08:57:09 ex0 MailScanner[2579]: Found ip-based phishing fraud from http://193.33.46.154/newsletter/lt.php?id=LkpUWwpRAw9VUkQGDAAKTwEJUFEEBg%%3D%%3D in 06BC3334032.A71F5

I've sent you a sample message off list, Jules, and can send others if needed.

I suppose this could also be a syslog bug rather than MailScanner - I'm using syslog-ng 2.1.4 on gentoo, FWIW.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
From maurizio.salvadeo at ecostampa.it Wed Sep 9 10:03:21 2009
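The split "phishing fraud" entries reported in the "minor logging problem" messages above, handled on the log-consumer side: this is an added example, not MailScanner code and not written by anyone in the thread. It rejoins fragments that share timestamp, host and PID until they form one complete entry; the sample lines are constructed, and joining fragments with no separator is an assumption taken from how the quoted excerpts read.

```python
import re
from dataclasses import dataclass

# Syslog prefix in the shape shown by the excerpts quoted in this thread.
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# One complete entry. "claiming to be" is absent on ip-based hits, and the
# claimed host may be empty ("... claiming to be in <id>").
ENTRY = re.compile(
    r"^Found (?P<ip>ip-based )?phishing fraud from (?P<url>\S+)"
    r"(?: claiming to be(?: (?P<claimed>\S+))?)? +in (?P<msgid>\S+)$"
)
MAX_FRAGMENTS = 6  # assumption: stop rather than swallow unrelated lines

# Constructed sample (documentation addresses and made-up queue IDs).
SAMPLE = """\
Sep  8 08:57:09 mx1 MailScanner[2579]: Found ip-based phishing fraud from http://192.0.2.10/newsletter/lt.php?id=AAA in 0123456789A.B0001
Sep  8 08:57:09 mx1 MailScanner[2579]: Found ip-based phishing fraud from http://192.0.2.10/ne
Sep  8 08:57:09 mx1 MailScanner[2579]: wsletter
Sep  8 08:57:09 mx1 MailScanner[2579]: /lt.php?id=BBB in 0123456789A.B0001
Sep  8 08:57:09 mx1 MailScanner[3100]: Found phishing fraud from http://ads.example.test/click?Campaign=
Sep  8 08:57:09 mx1 MailScanner[3100]: 4995&Keyword
Sep  8 08:57:09 mx1 MailScanner[3100]: s= claiming to be in n00TEST0000001
Sep  8 08:57:10 mx1 MailScanner[3100]: Found phishing fraud from http://blog.example.test/a.html claiming to be www.example.net in n00TEST0000001
Sep  8 08:57:11 mx1 MailScanner[2579]: Found ip-based phishing fraud from http://192.0.2.10/trunc
""".splitlines()


@dataclass
class Hit:
    ts: str
    host: str
    pid: int
    ip_based: bool
    url: str
    claimed: str
    msgid: str
    fragments: int  # 1 = logged intact, >1 = rebuilt from split entries


def reassemble(lines):
    """Return (hits, incomplete) from an iterable of raw syslog lines."""
    hits, incomplete = [], []
    pending = {}  # (ts, host, pid) -> list of message fragments

    def flush(key):
        # Keep what was seen so an analyst can still review it.
        incomplete.append((key, "".join(pending.pop(key))))

    def try_emit(key):
        parts = pending[key]
        m = ENTRY.match("".join(parts))  # fragments joined verbatim
        if m:
            ts, host, pid = key
            hits.append(Hit(ts, host, int(pid), bool(m["ip"]), m["url"],
                            m["claimed"] or "", m["msgid"], len(parts)))
            del pending[key]
        elif len(parts) >= MAX_FRAGMENTS:
            flush(key)

    for raw in lines:
        p = PREFIX.match(raw.rstrip("\n"))
        if not p:
            continue
        key = (p["ts"], p["host"], p["pid"])
        msg = p["msg"]
        # A new timestamp from the same process closes any open record.
        for old in [k for k in pending if k[1:] == key[1:] and k != key]:
            flush(old)
        if msg.startswith("Found ") and "phishing fraud from " in msg:
            if key in pending:
                flush(key)
            pending[key] = [msg]
            try_emit(key)
        elif key in pending:
            pending[key].append(msg)
            try_emit(key)
    for key in list(pending):
        flush(key)
    return hits, incomplete


def split_hits(hits):
    """URLs that a line-by-line match on the full entry would have missed."""
    return [h.url for h in hits if h.fragments > 1]


if __name__ == "__main__":
    found, leftover = reassemble(SAMPLE)
    for h in found:
        print(h)
    for key, text in leftover:
        print("INCOMPLETE", key, text)
```

Entries that never complete are returned separately rather than dropped, so a truncated URL still reaches review.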
From: maurizio.salvadeo at ecostampa.it (Maurizio Salvadeo)
Date: Wed Sep 9 10:03:29 2009
Subject: clamavmodule
Message-ID: <4AA76F59.2010908@ecostampa.it>

how can I remove clamavmodule? I need to scan my email with clamav.
MailScanner does not scan any message and this is my config:

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 856 hostnames from the phishing whitelist
Read 6695 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.78.14) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamavmodule
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================

If any of your virus scanners (clamavmodule)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

--
Maurizio Salvadeo
ICT Manager
L'Eco della Stampa S.p.A.
Via Compagnoni 28
20129 - Milano
+39 02 748113
+39 348 5161936
skype: maurizio.salvadeo
From MailScanner at ecs.soton.ac.uk Wed Sep 9 10:25:58 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 9 10:26:19 2009
Subject: clamavmodule
In-Reply-To: <4AA76F59.2010908@ecostampa.it>
References: <4AA76F59.2010908@ecostampa.it> <4AA774A6.2070801@ecs.soton.ac.uk>
Message-ID:

Search your system for "ClamAV.pm" with a command like "locate ClamAV.pm" and delete it.

You will be far better off using clamd, which is available from rpmforge, this is *way* faster than using the clamav setting, as that runs the command-line scanner for each batch of messages. Using clamd avoids all the startup time associated with ClamAV.

If you have installed ClamAV under /usr/local, then search your /usr/local directories for any mention of files or directories containing "clam" in their name, and delete them. Something like "find /usr/local -name '*[Cc]lam*' -print" should find them for you.

Then you can install clamd and its dependencies from rpmforge and use that instead.

Jules
From shuttlebox at gmail.com Wed Sep 9 10:43:55 2009
From: shuttlebox at gmail.com (Peter Bonivart)
Date: Wed Sep 9 10:44:15 2009
Subject: clamavmodule
In-Reply-To: <4AA76F59.2010908@ecostampa.it>
References: <4AA76F59.2010908@ecostampa.it>
Message-ID: <82DC5B3A-7EAF-476F-8214-F91821023D99@gmail.com>

On 9 Sep 2009 at 11:03, Maurizio Salvadeo wrote:
> MailScanner.conf says "Virus Scanners = clamav"
> Found these virus scanners installed: clamavmodule

The problem is that you have set it to clamav, you should leave it at auto.

Sent from my iPhone
From maurizio.salvadeo at ecostampa.it Wed Sep 9 11:15:02 2009
From: maurizio.salvadeo at ecostampa.it (Maurizio Salvadeo)
Date: Wed Sep 9 11:15:11 2009
Subject: clamavmodule
In-Reply-To:
References: <4AA76F59.2010908@ecostampa.it> <4AA774A6.2070801@ecs.soton.ac.uk>
Message-ID: <4AA78026.6030903@ecostampa.it>

thanks. now clamav is my default virus scanner. the problem is that no email is scanned from MailScanner. the OS is a Fedora 10 and this is my ps command:

12427 ? Ss 0:00 /usr/local/bin/freshclam -d
12464 ? Ss 0:00 sendmail: accepting connections
12468 ? Ss 0:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
12472 ? Ss 0:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
12492 ? Ss 0:00 MailScanner: master waiting for children, sleeping
12493 ? S 0:01 MailScanner: waiting for messages
12497 ? S 0:01 MailScanner: waiting for messages
12548 ? S 0:01 MailScanner: waiting for messages
12551 ? S 0:01 MailScanner: waiting for messages
12553 ? S 0:01 MailScanner: waiting for messages

--
Maurizio Salvadeo
From MailScanner at ecs.soton.ac.uk Wed Sep 9 11:22:57 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 9 11:23:16 2009
Subject: clamavmodule
In-Reply-To: <4AA78026.6030903@ecostampa.it>
References: <4AA76F59.2010908@ecostampa.it> <4AA774A6.2070801@ecs.soton.ac.uk> <4AA78026.6030903@ecostampa.it> <4AA78201.4090302@ecs.soton.ac.uk>
Message-ID:

What does your maillog show?

If freshclam is running, that may cause no mail to go through as the virus scanner autoupdate process locks out each scanner while it is being updated, to avoid race conditions.

Is mail going through and not being scanned? Or is no mail getting through at all?

Jules
From maurizio.salvadeo at ecostampa.it Wed Sep 9 11:41:16 2009
From: maurizio.salvadeo at ecostampa.it (Maurizio Salvadeo)
Date: Wed Sep 9 11:41:48 2009
Subject: clamavmodule
In-Reply-To:
References: <4AA76F59.2010908@ecostampa.it> <4AA774A6.2070801@ecs.soton.ac.uk> <4AA78026.6030903@ecostampa.it> <4AA78201.4090302@ecs.soton.ac.uk>
Message-ID: <4AA7864C.4010905@ecostampa.it>

no message is scanned at all and the email is delivered at the right account. spamassassin seems to work because in MailScanner.conf I redirect spam at spam@mydomain.com and that email is populated.

this is my maillog when MailScanner starts.

Sep 9 12:07:01 intranet MailScanner[12553]: MailScanner E-Mail Virus Scanner version 4.78.14 starting...
Sep 9 12:07:01 intranet MailScanner[12553]: Reading configuration file /etc/MailScanner/MailScanner.conf
Sep 9 12:07:01 intranet MailScanner[12553]: Reading configuration file /etc/MailScanner/conf.d/README
Sep 9 12:07:01 intranet MailScanner[12553]: Read 856 hostnames from the phishing whitelist
Sep 9 12:07:02 intranet MailScanner[12553]: Read 6713 hostnames from the phishing blacklists
Sep 9 12:07:02 intranet MailScanner[12553]: Using SpamAssassin results cache
Sep 9 12:07:02 intranet MailScanner[12553]: Connected to SpamAssassin cache database
Sep 9 12:07:02 intranet MailScanner[12553]: Enabling SpamAssassin auto-whitelist functionality...
Sep 9 12:07:03 intranet MailScanner[12553]: Connected to Processing Attempts Database
Sep 9 12:07:03 intranet MailScanner[12553]: Found 0 messages in the Processing Attempts Database
Sep 9 12:07:03 intranet MailScanner[12553]: Using locktype = posix

--
Maurizio Salvadeo
From MailScanner at ecs.soton.ac.uk Wed Sep 9 11:49:46 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Sep 9 11:50:24 2009
Subject: clamavmodule
In-Reply-To: <4AA7864C.4010905@ecostampa.it>
References: <4AA76F59.2010908@ecostampa.it> <4AA774A6.2070801@ecs.soton.ac.uk> <4AA78026.6030903@ecostampa.it> <4AA78201.4090302@ecs.soton.ac.uk> <4AA7864C.4010905@ecostampa.it> <4AA7884A.3050406@ecs.soton.ac.uk>
Message-ID:

Did you stop sendmail and stop it starting at boot, before you started MailScanner?

service sendmail stop
service MailScanner restart
chkconfig sendmail off
chkconfig MailScanner on

Jules
From maurizio.salvadeo at ecostampa.it Wed Sep 9 12:04:32 2009
From: maurizio.salvadeo at ecostampa.it (Maurizio Salvadeo)
Date: Wed Sep 9 12:04:45 2009
Subject: clamavmodule
In-Reply-To:
References: <4AA76F59.2010908@ecostampa.it> <4AA774A6.2070801@ecs.soton.ac.uk> <4AA78026.6030903@ecostampa.it> <4AA78201.4090302@ecs.soton.ac.uk> <4AA7864C.4010905@ecostampa.it> <4AA7884A.3050406@ecs.soton.ac.uk>
Message-ID: <4AA78BC0.2010303@ecostampa.it>

yes of course. this is my 4th installation of MailScanner + sendmail + clamav and the others work correctly scanning messages and detecting virus. the only difference is the release of MailScanner. I also installed on a fedora 10 with the older release of MailScanner.

--
Maurizio Salvadeo
From raubvogel at gmail.com Wed Sep 9 15:54:11 2009
From: raubvogel at gmail.com (Mauricio Tavares) Date: Wed Sep 9 15:54:23 2009 Subject: The amazing case of the missing .spamassassin directory Message-ID: <4AA7C193.7020705@gmail.com> I was running sa-learn after moving spam that was classified as ham to the spam folders here in one of our mail servers (i.e. some housecleaning). But, when I did so, I got a lot of messages like these: Learned tokens from 0 message(s) (1 message(s) examined) bayes: locker: safe_lock: cannot create tmp lockfile /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.908 for /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.910 for /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory I understand it can't find the said lock file because the directory /var/spool/postfix/.spamassassin does not exist. But, who creates the said directory? I looked at MailScanner.conf and spam.assassin.prefs.conf. Right now I still do not know who is supposed to create the said directory (which is probably the first step in finding out why it is not being created, perhaps due to some permission issue thingie). From chris at navaho.co.uk Wed Sep 9 16:07:17 2009 
From: chris at navaho.co.uk (Chris Audley) Date: Wed Sep 9 16:05:50 2009 Subject: Duplicate headers, Exim WriteHeader using Sendmail::CreateQf Message-ID: We have recently become aware of a problem with duplicate Subject headers being created in email passing through our MX servers running mailscanner-4.75.11-1 under CentOS 5.3. After a bit of digging I think I have tracked the problem down to WriteHeader in EximDiskStore calling Sendmail::CreateQf instead of Exim::CreateQf - the Exim and Sendmail transports seem to use different mechanisms for deleting headers, resulting in deleted headers being added multiple times in the exim queue files. Here's what I think is happening: Subject lines with trailing spaces are marked as unsafe by SweepContent. This results in ReplaceHeader being called (in DeliverModifiedBody et. al) to remove the old subject header and insert the new safed subject text. ReplaceHeader calls DeleteHeader which under Exim.pm sets a flag saying the header has been deleted - under Sendmail.pm this actually removes the header from the metadata array. When WriteHeader is called in EximDiskStore.pm, this calls Sendmail::CreateQf which simply joins the meta headers and creates a string of them all - even the ones marked as deleted. CreateQf in Exim.pm appears to check for the vanished flag and so would honour the deleted flag status. Exim CreateQf also does a lot more in terms of writing out exim specific file headers, so I'm confused as to how Sendmail CreateQf could be working with exim? We're going to setup a test server to try WriteHeader with Exim::CreateQf to check for potential issues, but thought I would ask on here first to see if what I've written above sounds right and see if there is there a good reason for WriteHeader in EximDiskStore calling Sendmail::CreateQf? Regards, -- Chris Audley, Technical Director Navaho Technologies Ltd. 
tel: +44 (0)2380 000010 (ext 110) http://www.navaho.co.uk/ mailto:chris@navaho.co.uk --- This message has been scanned by the Navaho Mail Service and is believed to be clean. --- From MailScanner at ecs.soton.ac.uk Wed Sep 9 16:09:58 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Sep 9 16:10:19 2009 Subject: The amazing case of the missing .spamassassin directory In-Reply-To: <4AA7C193.7020705@gmail.com> References: <4AA7C193.7020705@gmail.com> <4AA7C546.3020404@ecs.soton.ac.uk> Message-ID: MailScanner will run as the "Run As User" and "Run As Group" you have set in MailScanner.conf, which should be "postfix". So you need to ensure that its home directory (/var/spool/postfix in your case) is writeable by the postfix user, and you will need to do all the sa-learn commands as the postfix user as well. On 09/09/2009 15:54, Mauricio Tavares wrote: > I was running sa-learn after moving spam that was classified as > ham to > the spam folders here in one of our mail servers (i.e. some > housecleaning). But, when I did so, I got a lot of messages like these: > > Learned tokens from 0 message(s) (1 message(s) examined) > bayes: locker: safe_lock: cannot create tmp lockfile > /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.908 for > /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory > bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile > /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.910 for > /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory > > I understand it can't find the said lock file because the directory > /var/spool/postfix/.spamassassin does not exist. But, who creates the > said directory? I looked at MailScanner.conf and > spam.assassin.prefs.conf. Right now I still do not know who is supposed > to create the said directory (which is probably the first step in > finding out why it is not being created, perhaps due to some permission > issue thingie). > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Sep 9 16:14:53 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Sep 9 16:15:12 2009 Subject: Duplicate headers, Exim WriteHeader using Sendmail::CreateQf In-Reply-To: References: <4AA7C66D.9000201@ecs.soton.ac.uk> Message-ID: The key is that there is no "Exim::CreateQf" at all, all the MTAs are called "Sendmail" internally (as that's the first one I implemented). Depending on what "MTA =" setting you have in MailScanner.conf, it does a "require" of the correct Sendmail.pm or Exim.pm (and so on) and SMDiskStore.pm or EximDiskStore.pm (and so on). Remember that the package the function is in has nothing to do with the name of the file, but everything to do with the "package" statement at the top of the file. Take a look at Exim.pm and EximDiskStore.pm and you'll see what I mean. So depending on the MTA you choose, it just pulls in the correct file full of functions that all implement the same basic API, without any of the MTA-independent code needing to switch between the MTA-specific code at all. To the MTA-independent code, all MTA-specific code looks the same. There are just 4 implementations of each function, one for each MTA. On 09/09/2009 16:07, Chris Audley wrote: > We have recently become aware of a problem with duplicate Subject headers > being created in email passing through our MX servers running > mailscanner-4.75.11-1 under CentOS 5.3. > > After a bit of digging I think I have tracked the problem down to > WriteHeader in EximDiskStore calling Sendmail::CreateQf instead of > Exim::CreateQf - the Exim and Sendmail transports seem to use different > mechanisms for deleting headers, resulting in deleted headers being added > multiple times in the exim queue files. > > > Here's what I think is happening: > > Subject lines with trailing spaces are marked as unsafe by SweepContent. > This results in ReplaceHeader being called (in DeliverModifiedBody et. al) > to remove the old subject header and insert the new safed subject text. 
> > ReplaceHeader calls DeleteHeader which under Exim.pm sets a flag saying > the header has been deleted - under Sendmail.pm this actually removes the > header from the metadata array. > > When WriteHeader is called in EximDiskStore.pm, this calls > Sendmail::CreateQf which simply joins the meta headers and creates a > string of them all - even the ones marked as deleted. > > CreateQf in Exim.pm appears to check for the vanished flag and so would > honour the deleted flag status. Exim CreateQf also does a lot more in > terms of writing out exim specific file headers, so I'm confused as to how > Sendmail CreateQf could be working with exim? > > > We're going to setup a test server to try WriteHeader with Exim::CreateQf > to check for potential issues, but thought I would ask on here first to > see if what I've written above sounds right and see if there is there a > good reason for WriteHeader in EximDiskStore calling Sendmail::CreateQf? > > > Regards, > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Wed Sep 9 16:24:05 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 9 16:24:13 2009 Subject: The amazing case of the missing .spamassassin directory In-Reply-To: References: <4AA7C546.3020404@ecs.soton.ac.uk> <4AA7C193.7020705@gmail.com> Message-ID: <223f97700909090824m3e1cc87fj270cb0ba40b67e7a@mail.gmail.com> 2009/9/9 Jules Field : > MailScanner will run as the "Run As User" and "Run As Group" you have set in > MailScanner.conf, which should be "postfix". So you need to ensure that its > home directory (/var/spool/postfix in your case) is writeable by the postfix > user, and you will need to do all the sa-learn commands as the postfix user > as well. > This is usually not the case. The home directory is usually a non-writable (to the postfix user) chroot-jail-type-o-thing. It shouldn't be touched, at least not that way;-). Instead you have two options: a) create the needed directories (like .spamassassin, .razor, .pyzor ...) by hand (as root, likely) and chmod/chown them to the postfix user (so that it can write to them, at least), or b) play around with the SA configuration so that it will use some other (writable) directory for these things. There is some useful info on this in the wiki, IIRC. Either way will get you there, pretty fast:-). Cheers -- -- Glenn > On 09/09/2009 15:54, Mauricio Tavares wrote: >> >> I was running sa-learn after moving spam that was classified as ham to >> the spam folders here in one of our mail servers (i.e. some >> housecleaning). 
But, when I did so, I got a lot of messages like these: >> >> Learned tokens from 0 message(s) (1 message(s) examined) >> bayes: locker: safe_lock: cannot create tmp lockfile >> /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.908 for >> /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory >> bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile >> /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.910 for >> /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory >> >> I understand it can't find the said lock file because the directory >> /var/spool/postfix/.spamassassin does not exist. But, who creates the >> said directory? I looked at MailScanner.conf and >> spam.assassin.prefs.conf. Right now I still do not know who is supposed >> to create the said directory (which is probably the first step in >> finding out why it is not being created, perhaps due to some permission >> issue thingie). >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From raubvogel at gmail.com Wed Sep 9 16:33:22 2009 
From: raubvogel at gmail.com (Mauricio Tavares) Date: Wed Sep 9 16:33:33 2009 Subject: The amazing case of the missing .spamassassin directory In-Reply-To: References: <4AA7C193.7020705@gmail.com> <4AA7C546.3020404@ecs.soton.ac.uk> Message-ID: <4AA7CAC2.1030603@gmail.com> Jules Field wrote: > MailScanner will run as the "Run As User" and "Run As Group" you have > set in MailScanner.conf, which should be "postfix". So you need to > ensure that its home directory (/var/spool/postfix in your case) is > writeable by the postfix user, and you will need to do all the sa-learn > commands as the postfix user as well. > I think you found the problem: root:/etc/MailScanner# ls -ld /var/spool/postfix drwxr-xr-x 19 root root 4096 2008-12-03 10:01 /var/spool/postfix root:/etc/MailScanner# What would be the best way to address this issue? Make postfix:postfix own the directory or have postfix be the group and then make it group writable? > On 09/09/2009 15:54, Mauricio Tavares wrote: >> I was running sa-learn after moving spam that was classified as >> ham to >> the spam folders here in one of our mail servers (i.e. some >> housecleaning). But, when I did so, I got a lot of messages like these: >> >> Learned tokens from 0 message(s) (1 message(s) examined) >> bayes: locker: safe_lock: cannot create tmp lockfile >> /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.908 for >> /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory >> bayes: expire_old_tokens: locker: safe_lock: cannot create tmp lockfile >> /var/spool/postfix/.spamassassin/bayes.lock.mail.domain.com.910 for >> /var/spool/postfix/.spamassassin/bayes.lock: No such file or directory >> >> I understand it can't find the said lock file because the directory >> /var/spool/postfix/.spamassassin does not exist. But, who creates the >> said directory? I looked at MailScanner.conf and >> spam.assassin.prefs.conf. 
Right now I still do not know who is supposed >> to create the said directory (which is probably the first step in >> finding out why it is not being created, perhaps due to some permission >> issue thingie). >> > > Jules > From chris at navaho.co.uk Wed Sep 9 17:33:53 2009 
From: chris at navaho.co.uk (Chris Audley) Date: Wed Sep 9 17:32:25 2009 Subject: Duplicate headers, Exim WriteHeader using Sendmail::CreateQf In-Reply-To: References: <4AA7C66D.9000201@ecs.soton.ac.uk> Message-ID: <6289b6f0de1830f48431f0a30e70bac3.squirrel@webmail.navaho.co.uk> > The key is that there is no "Exim::CreateQf" at all, all the MTAs are > called "Sendmail" internally (as that's the first one I implemented). [snip] Thanks for the explanation, shows how poor my perl knowledge is! :) This is what is getting written to the queue if the subject has a trailing space: 023T To: chris@navaho.co.uk 015 Subject: test 018 MIME-Version: 1.0 092 X-navaho-Colo-Information: Please contact support@navaho.co.uk for more information 050 X-navaho-MailScanner-ID: 1MlPZ9-0007TR-C8 041 X-navaho-Colo: Found to be clean 140 X-navaho-Colo-SpamCheck: not spam, SpamAssassin (score=-2.18, required 1, ALL_TRUSTED -1.80, BAYES_00 -2.60, TVD_SPACE_RATIO 2.22) 042 X-navaho-colo-From: root@mx3.colo 023 Subject: test 026 X-Spam-Status: No There should be a * after 015 on the first Subject header to ask exim to delete the header. The problem appears to be this line in DeleteHeader in Exim.pm: $key = quotemeta($key) unless $usingregexp; This is escaping the colon on the end of header and preventing it from being matched in the header comparison loop and being marked for deletion. Commenting out the quotemeta makes MailScanner generate the correct exim spool file. I guess doing quotemeta on the headers in the header comparison loop is probably the best fix? Regards, -- Chris Audley, Technical Director Navaho Technologies Ltd. tel: +44 (0)2380 000010 (ext 110) http://www.navaho.co.uk/ mailto:chris@navaho.co.uk --- This message has been scanned by the Navaho Mail Service and is believed to be clean. --- From GSilver at rampuptech.com Wed Sep 9 19:35:29 2009 
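The DeleteHeader failure described in Chris Audley's 17:32 post above, as an added Perl example that is not part of any message in this thread and is not MailScanner's code. The header list, `delete_header`, `replace_header`, the plain string comparison and the sample address are an assumed, simplified model; only the `quotemeta` line and the spool line layout (three-digit length, one flag character, `*` for a deleted header) come from the thread. The last function is a check an operator could run over spool header lines to spot the symptom.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample headers. Assumed model, not MailScanner's data structure:
# name (with trailing colon), body, and the one-character spool flag
# (' ' = live, '*' = deleted, other letters such as 'T' as seen in the thread).
sub make_headers {
    return [
        { name => 'To:',           body => " user\@example.test\n", flag => 'T' },
        { name => 'Subject:',      body => " test \n",              flag => ' ' },
        { name => 'MIME-Version:', body => " 1.0\n",                flag => ' ' },
    ];
}

# Mark matching headers as deleted and return how many were marked.
# With buggy => 1 the literal key goes through quotemeta() before a plain
# string comparison: "Subject:" becomes "Subject\:" and never equals the
# stored name, so nothing is flagged.
sub delete_header {
    my ($headers, $key, %opt) = @_;
    my $usingregexp = $opt{regexp} ? 1 : 0;
    $key = quotemeta($key) if $opt{buggy} && !$usingregexp;
    my $deleted = 0;
    for my $h (@$headers) {
        next if $h->{flag} eq '*';
        my $hit = $usingregexp
            ? ($h->{name} =~ /^(?:$key)$/i)
            : (lc $h->{name} eq lc $key);
        next unless $hit;
        $h->{flag} = '*';
        $deleted++;
    }
    return $deleted;
}

# Delete the old header, then append the sanitised replacement.
sub replace_header {
    my ($headers, $key, $newbody, %opt) = @_;
    delete_header($headers, $key, %opt);
    push @$headers, { name => $key, body => " $newbody\n", flag => ' ' };
    return $headers;
}

# Render headers the way the thread shows them in the spool file:
# "NNNF text", where NNN is the byte length of the header text.
sub spool_lines {
    my ($headers) = @_;
    return map {
        my $text = $_->{name} . $_->{body};
        sprintf('%03d%s %s', length($text), $_->{flag}, $text);
    } @$headers;
}

# Defensive check: names of headers that occur more than once among the
# lines that are not flagged '*'.
sub duplicate_live_headers {
    my (@lines) = @_;
    my %live;
    for my $line (@lines) {
        my ($len, $flag, $text) = $line =~ /^(\d{3})(.) (.*)\z/s or next;
        next if $flag eq '*';
        my ($name) = $text =~ /^([^\s:]+):/ or next;
        $live{lc $name}++;
    }
    my @dups = grep { $live{$_} > 1 } keys %live;
    return sort @dups;
}

# Replace a Subject that has a trailing space, once with the quoting
# defect and once without, and run the check on both results.
for my $mode (qw(buggy fixed)) {
    my $headers = make_headers();
    replace_header($headers, 'Subject:', 'test', buggy => ($mode eq 'buggy'));
    my @lines = spool_lines($headers);
    print "--- $mode ---\n", @lines;
    my @dups = duplicate_live_headers(@lines);
    print @dups ? "duplicate live headers: @dups\n"
                : "no duplicate live headers\n";
}
```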
From: GSilver at rampuptech.com (Gavin Silver) Date: Wed Sep 9 19:37:23 2009 Subject: store messages Message-ID: using mailscanner as a mail relay I am unable to push individual messages manually through sa-learn is there a known method for storing all messages but for only a set period of time ( a few days perhaps? ) ---------------------------------- Gavin Silver -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090909/e5a848bf/attachment.html From raubvogel at gmail.com Wed Sep 9 20:06:22 2009 From: raubvogel at gmail.com (Mauricio Tavares) Date: Wed Sep 9 20:06:39 2009 Subject: store messages In-Reply-To: References: Message-ID: <4AA7FCAE.6070003@gmail.com> Gavin Silver wrote: > using mailscanner as a mail relay I am unable to push individual > messages manually through sa-learn > I am a bit confused about your question. Are you saying that running sa-learn --ham/spam /path/to/mail as the user mailscanner is running as is not working? > is there a known method for storing all messages but for only a set > period of time ( a few days perhaps? ) > What are you trying to accomplish? > > ---------------------------------- > Gavin Silver > From GSilver at rampuptech.com Wed Sep 9 20:23:39 2009 
From: GSilver at rampuptech.com (Gavin Silver) Date: Wed Sep 9 20:25:32 2009 Subject: store messages In-Reply-To: <4AA7FCAE.6070003@gmail.com> References: , <4AA7FCAE.6070003@gmail.com> Message-ID: My mailscanner stores no mail currently. it only relays for multiple domains. ( no /path/to/mail) I would like to be able to push individual messages through sa-learn I am also using mailwatch which is nice because i can view the message list and drill down on a message in particular and then mark it as ham/spam. Right now i am not giving that option unless the message is a virus because those are the only type of messages i store. everything else gets delivered disarmed (if spam) and the subject altered (with spamscore if spam) I guess i could just add "store" to the operations list in addition to the deliver disarm rewrite etc and then figure out how to tell postfix to flush messages older than x days, but i fear i am over simplifying the process. ---------------------------------- Gavin Silver ________________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mauricio Tavares [raubvogel@gmail.com] Sent: Wednesday, September 09, 2009 3:06 PM To: MailScanner discussion Subject: Re: store messages Gavin Silver wrote: > using mailscanner as a mail relay I am unable to push individual > messages manually through sa-learn > I am a bit confused about your question. Are you saying that running sa-learn --ham/spam /path/to/mail as the user mailscanner is running as is not working? > is there a known method for storing all messages but for only a set > period of time ( a few days perhaps? ) > What are you trying to accomplish? > > ---------------------------------- > Gavin Silver > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Kevin_Miller at ci.juneau.ak.us Wed Sep 9 20:53:43 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Sep 9 20:54:00 2009 Subject: store messages In-Reply-To: References: , <4AA7FCAE.6070003@gmail.com> Message-ID: <4A09477D575C2C4B86497161427DD94C126BA5C3A4@city-exchange07> Gavin Silver wrote: > My mailscanner stores no mail currently. it only relays for multiple > domains. ( no /path/to/mail) > > I would like to be able to push individual messages through sa-learn > > I am also using mailwatch which is nice because i can view the > message list and drill down on a message in particular and then mark > it as ham/spam. Right now i am not giving that option unless the > message is a virus because those are the only type of messages i > store. everything else gets delivered disarmed (if spam) and the > subject altered (with spamscore if spam) > > I guess i could just add "store" to the operations list in addition > to the deliver disarm rewrite etc and then figure out how to tell > postfix to flush messages older than x days, but i fear i am over > simplifying the process. ---------------------------------- I run my MailScanner boxes as gateways as well, and store the mail for a couple weeks. I have a simple bash script that deletes anything older than X days in the quarantine directories. Your MTA doesn't have to be involved w/flushing them. They're just files on the hard drive. Regarding pushing individual messages through sa-learn, I use MailWatch for MailScanner. It is a nice web based interface for managing and reporting the mail. Easy to feed the messages to spamassassin. It keeps track of the messages in a mysql database, so if you adopt it, you'll need to set the database cleanup time to match the shell script. That is, if you delete mail older than 30 days, you'll want the database to also be cleaned of anything older than 30 days. There's a MailWatch discussion list similar to this group where you can get help installing and configuring it. 
...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Wed Sep 9 22:09:49 2009 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 9 22:09:57 2009 Subject: The amazing case of the missing .spamassassin directory In-Reply-To: <4AA7CAC2.1030603@gmail.com> References: <4AA7C193.7020705@gmail.com> <4AA7C546.3020404@ecs.soton.ac.uk> <4AA7CAC2.1030603@gmail.com> Message-ID: <223f97700909091409j6de11392q1f1a548b10cd6500@mail.gmail.com> 2009/9/9 Mauricio Tavares : > Jules Field wrote: >> >> MailScanner will run as the "Run As User" and "Run As Group" you have set >> in MailScanner.conf, which should be "postfix". So you need to ensure that >> its home directory (/var/spool/postfix in your case) is writeable by the >> postfix user, and you will need to do all the sa-learn commands as the >> postfix user as well. >> > I think you found the problem: > > root:/etc/MailScanner# ls -ld /var/spool/postfix > drwxr-xr-x 19 root root 4096 2008-12-03 10:01 /var/spool/postfix > root:/etc/MailScanner# > > What would be the best way to address this issue? Make postfix:postfix > own the directory or have postfix be the group and then make it group > writable? > As said ... neither... Or if you do make it writable to postfix, just do it "temporarily", that is to say:
make it writable to postfix (via a chmod)
start MailScanner so that it creates the directories SA wants
stop MailScanner
revert the chmod change, so that it isn't writable to postfix.
... Or look into doing what I suggested in the other mail;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From logs at comp-wiz.com Wed Sep 9 23:19:45 2009 
From: logs at comp-wiz.com (Logs) Date: Wed Sep 9 23:20:25 2009 Subject: {Spam?} RE: FuzzyOCR & CentOS 5.3, is it supported? Message-ID: <018701ca319b$a3b720a0$eb2561e0$@com> Didn't hear anything from anyone in regards to this and would really like to get FuzzyOCR working. Anyone have any ideas? Vern 
From: Logs [mailto:logs@comp-wiz.com] Sent: Monday, September 07, 2009 1:28 PM To: 'MailScanner discussion' Subject: RE: {Spam?} FuzzyOCR & CentOS 5.3, is it supported? OK, I came up with a huge file and was sure if I could post the entire file to the list, but these are the problems that I could see: [12513] dbg: diag: module not installed: Net::Ident ('require' failed) [12513] dbg: diag: module not installed: Mail::DomainKeys ('require' failed) [12513] dbg: diag: module not installed: Mail::DKIM ('require' failed) [12513] dbg: diag: module not installed: Encode::Detect ('require' failed) I tried to install these on a CentOS 5.3 box and have had nothing but trouble trying to get them installed. Are they important? Should I continue my effort? I'm not even sure if you can as I think I have a newer version of OpenSSL that is not supported. [12513] dbg: pyzor: local tests only, disabling Pyzor Not sure why I'm getting this either. Not I have to enable something in order for Pyzor to work? 
[12513] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm [12513] dbg: plugin: FuzzyOcr=HASH(0xa8cc560) implements 'parse_config', priority 0 [12513] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA [12513] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E [12513] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 [12513] dbg: rules: __SEEK_FRAUD_F_PU0Q merged duplicates: __SEEK_F_PU0Q [12513] dbg: rules: __JM_REACTOR_DATE merged duplicates: __RATWARE_0_TZ_DATE [12513] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [12513] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA [12513] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE [12513] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI [12513] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A [12513] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 [12513] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 [12513] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 [12513] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 [12513] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 [12513] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E [12513] dbg: rules: __SEEK_FRAUD_YM7Q1U merged duplicates: __SEEK_YM7Q1U [12513] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 [12513] dbg: rules: __SEEK_FRAUD_KBGNWU merged duplicates: __SEEK_KBGNWU [12513] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI [12513] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B [12513] dbg: 
rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND RCVD_IN_DSBL STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING [12513] dbg: rules: FUZZY_OCR_CORRUPT_IMG merged duplicates: FUZZY_OCR_KNOWN_HASH FUZZY_OCR_WRONG_CTYPE [12513] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E [12513] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 [12513] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 This appears to be all the FuzzyOCR stuff. Not that I know what any of it means. I assume that it means it should be working, but what the heck do I know. [12513] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually [12513] dbg: dns: is DNS available? 0 [12513] dbg: rules: local tests only, ignoring RBL eval [12513] dbg: spf: spf_whitelist_from: could not find useable envelope sender Are any of these lines important? Thanks -- This message has been scanned for viruses and dangerous content by comp-wiz.com, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090909/6d9fb057/attachment.html From ms-list at alexb.ch Wed Sep 9 23:29:10 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Wed Sep 9 23:29:19 2009 Subject: {Spam?} RE: FuzzyOCR & CentOS 5.3, is it supported? In-Reply-To: <018701ca319b$a3b720a0$eb2561e0$@com> References: <018701ca319b$a3b720a0$eb2561e0$@com> Message-ID: <4AA82C36.5090002@alexb.ch> On 9/10/2009 12:19 AM, Logs wrote: > Didn't hear anything from anyone in regards to this and would really like to get FuzzyOCR working. Anyone have any ideas? as none of these issues are directly relevant to MailScanner and its operation but pretty basic Spamassassin setup questions, your answer is in the SA documentation, the SA wiki and the SA mailing list. as so often, in cases like this, Google is your best friend. Alex > Vern 
> > > > From: Logs [mailto:logs@comp-wiz.com] > Sent: Monday, September 07, 2009 1:28 PM > To: 'MailScanner discussion' > Subject: RE: {Spam?} FuzzyOCR & CentOS 5.3, is it supported? > > > > OK, I came up with a huge file and was sure if I could post the entire file to the list, but these are the problems that I could see: > > > > [12513] dbg: diag: module not installed: Net::Ident ('require' failed) > > [12513] dbg: diag: module not installed: Mail::DomainKeys ('require' failed) > > [12513] dbg: diag: module not installed: Mail::DKIM ('require' failed) > > [12513] dbg: diag: module not installed: Encode::Detect ('require' failed) > > > > I tried to install these on a CentOS 5.3 box and have had nothing but trouble trying to get them installed. Are they important? Should I continue my effort? I'm not even sure if you can as I think I have a newer version of OpenSSL that is not supported. > > > > [12513] dbg: pyzor: local tests only, disabling Pyzor > > > > Not sure why I'm getting this either. Not I have to enable something in order for Pyzor to work? 
> > > > [12513] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm > > [12513] dbg: plugin: FuzzyOcr=HASH(0xa8cc560) implements 'parse_config', priority 0 > > [12513] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA > > [12513] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E > > [12513] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E __MO_OL_F3B05 > > [12513] dbg: rules: __SEEK_FRAUD_F_PU0Q merged duplicates: __SEEK_F_PU0Q > > [12513] dbg: rules: __JM_REACTOR_DATE merged duplicates: __RATWARE_0_TZ_DATE > > [12513] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 > > [12513] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA > > [12513] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE > > [12513] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI > > [12513] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A > > [12513] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 __MO_OL_CF0C0 > > [12513] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 > > [12513] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 > > [12513] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 __MO_OL_ADFF7 > > [12513] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 > > [12513] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB __MO_OL_7533E > > [12513] dbg: rules: __SEEK_FRAUD_YM7Q1U merged duplicates: __SEEK_YM7Q1U > > [12513] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 > > [12513] dbg: rules: __SEEK_FRAUD_KBGNWU merged duplicates: __SEEK_KBGNWU > > [12513] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: 
__HAS_ANY_URI > > [12513] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B > > [12513] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 HS_UPLOADED_SOFTWARE OEBOUND RCVD_IN_DSBL STOX_RCVD_N_NN_N URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING > > [12513] dbg: rules: FUZZY_OCR_CORRUPT_IMG merged duplicates: FUZZY_OCR_KNOWN_HASH FUZZY_OCR_WRONG_CTYPE > > [12513] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E > > [12513] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 > > [12513] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 > > > > This appears to be all the FuzzyOCR stuff. Not that I know what any of it means. I assume that it means it should be working, but what the heck do I know. > > > > [12513] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually > > [12513] dbg: dns: is DNS available? 0 > > [12513] dbg: rules: local tests only, ignoring RBL eval > > [12513] dbg: spf: spf_whitelist_from: could not find useable envelope sender > > > > Are any of these lines important? > > > > Thanks > > > From peter at farrows.org Thu Sep 10 08:07:42 2009 
From: peter at farrows.org (Peter Farrow) Date: Thu Sep 10 08:08:06 2009 Subject: FuzzyOCR & CentOS 5.3, is it supported? In-Reply-To: <018701ca319b$a3b720a0$eb2561e0$@com> References: <018701ca319b$a3b720a0$eb2561e0$@com> Message-ID: <4AA8A5BE.2060608@farrows.org> > > > Didn't hear anything from anyone in regards to this and would really > like to get FuzzyOCR working, Anyone have any ideas? > > > > Vern > > > > *From:* Logs [mailto:logs@comp-wiz.com] > *Sent:* Monday, September 07, 2009 1:28 PM > *To:* 'MailScanner discussion' > *Subject:* RE: {Spam?} FuzzyOCR & CentOS 5.3, is it supported? > > > > *OK, I came up with a huge file and was sure if I could post the > entire file to the list, but these are the problems that I could see:* > > > > [12513] dbg: diag: module not installed: Net::Ident ('require' failed) > > [12513] dbg: diag: module not installed: Mail::DomainKeys ('require' > failed) > > [12513] dbg: diag: module not installed: Mail::DKIM ('require' failed) > > [12513] dbg: diag: module not installed: Encode::Detect ('require' failed) > > > > *I tried to install these on a CentOS 5.3 box and have had nothing but > trouble trying to get them installed. Are they important? Should I > continue my effort? I'm not even sure if you can as I think I have a > newer version of OpenSSL that is not supported.* > > > > [12513] dbg: pyzor: local tests only, disabling Pyzor > > > > *Not sure why I'm getting this either. 
Not I have to enable something > in order for Pyzor to work?* > > > > [12513] dbg: plugin: loading FuzzyOcr from > /etc/mail/spamassassin/FuzzyOcr.pm > > [12513] dbg: plugin: FuzzyOcr=HASH(0xa8cc560) implements > 'parse_config', priority 0 > > [12513] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA > > [12513] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E > > [12513] dbg: rules: __MO_OL_07794 merged duplicates: __MO_OL_8627E > __MO_OL_F3B05 > > [12513] dbg: rules: __SEEK_FRAUD_F_PU0Q merged duplicates: __SEEK_F_PU0Q > > [12513] dbg: rules: __JM_REACTOR_DATE merged duplicates: > __RATWARE_0_TZ_DATE > > [12513] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 > __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF > __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 > > [12513] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA > > [12513] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: > HS_SUBJ_NEW_SOFTWARE > > [12513] dbg: rules: __FH_HAS_XMSMAIL merged duplicates: __HAS_MSMAIL_PRI > > [12513] dbg: rules: __MO_OL_015D5 merged duplicates: __MO_OL_6554A > > [12513] dbg: rules: __MO_OL_91287 merged duplicates: __MO_OL_B30D1 > __MO_OL_CF0C0 > > [12513] dbg: rules: KAM_STOCKOTC merged duplicates: KAM_STOCKTIP15 > KAM_STOCKTIP20 KAM_STOCKTIP21 KAM_STOCKTIP4 KAM_STOCKTIP6 > > [12513] dbg: rules: __XM_OL_015D5 merged duplicates: __XM_OL_4BF4C > __XM_OL_4EEDB __XM_OL_5B79A __XM_OL_9B90B __XM_OL_ADFF7 __XM_OL_B30D1 > __XM_OL_B4B40 __XM_OL_BC7E6 __XM_OL_F3B05 __XM_OL_FF5C8 > > [12513] dbg: rules: __MO_OL_22B61 merged duplicates: __MO_OL_4F240 > __MO_OL_ADFF7 > > [12513] dbg: rules: __MO_OL_812FF merged duplicates: __MO_OL_BC7E6 > > [12513] dbg: rules: __MO_OL_25340 merged duplicates: __MO_OL_4EEDB > __MO_OL_7533E > > [12513] dbg: rules: __SEEK_FRAUD_YM7Q1U merged duplicates: __SEEK_YM7Q1U > > [12513] dbg: rules: __MO_OL_58CB5 merged duplicates: __MO_OL_B4B40 > > [12513] dbg: rules: __SEEK_FRAUD_KBGNWU merged 
duplicates: __SEEK_KBGNWU > > [12513] dbg: rules: __DOS_HAS_ANY_URI merged duplicates: __HAS_ANY_URI > > [12513] dbg: rules: __XM_OL_C9068 merged duplicates: __XM_OL_EF20B > > [12513] dbg: rules: AXB_RCVD_ZOOBSEND merged duplicates: > BROKEN_RATWARE_BOM CTYPE_001C_A DEAR_HOMEOWNER DIV_CENTER_A_HREF > DRUG_RA_PRICE FM_DDDD_TIMES_2 FM_SEX_HOSTDDDD HG_HORMONE HS_PHARMA_1 > HS_UPLOADED_SOFTWARE OEBOUND RCVD_IN_DSBL STOX_RCVD_N_NN_N > URIBL_RHS_ABUSE URIBL_RHS_BOGUSMX URIBL_RHS_DSN URIBL_RHS_POST > URIBL_RHS_TLD_WHOIS URIBL_RHS_WHOIS URIBL_XS_SURBL URI_L_PHP > XMAILER_MIMEOLE_OL_5E7ED XMAILER_MIMEOLE_OL_C7C33 > XMAILER_MIMEOLE_OL_D03AB X_LIBRARY YOUR_CRD_RATING > > [12513] dbg: rules: FUZZY_OCR_CORRUPT_IMG merged duplicates: > FUZZY_OCR_KNOWN_HASH FUZZY_OCR_WRONG_CTYPE > > [12513] dbg: rules: __MO_OL_72641 merged duplicates: __MO_OL_A842E > > [12513] dbg: rules: __MO_OL_4BF4C merged duplicates: __MO_OL_F6D01 > > [12513] dbg: rules: __MO_OL_F475E merged duplicates: __MO_OL_FF5C8 > > > > *This appears to be all the FuzzyOCR stuff. Not that I know what any > of it means. I assume that it means it should be working, but what the > heck do I know.* > > * * > > [12513] dbg: conf: trusted_networks are not configured; it is > recommended that you configure trusted_networks manually > > [12513] dbg: dns: is DNS available? 0 > > [12513] dbg: rules: local tests only, ignoring RBL eval > > [12513] dbg: spf: spf_whitelist_from: could not find useable envelope > sender > > > > *Are any of these lines important?* > > > > Thanks > > > Dear Vern, This might be a useful link: http://fuzzyocr.own-hero.net/wiki/Installation-3.5.x It contains information on how to test FuzzyOCR and what spamassassin should log for testing spam. Contact me off list if you manage to get it working, as I am currently installing it on Centos 5.3 as well, Kind Regards Pete -- This message has been scanned for viruses and dangerous content by the Inexcom system Scanner, and is believed to be clean. 
Advanced heuristic mail scanning server [-]. http://www.inexcom.co.uk From maxsec at gmail.com Thu Sep 10 08:20:59 2009 From: maxsec at gmail.com (Martin Hepworth) Date: Thu Sep 10 08:21:07 2009 Subject: store messages In-Reply-To: References: <4AA7FCAE.6070003@gmail.com> Message-ID: <72cf361e0909100020l6ae73f0pcfeaa7aaba75370@mail.gmail.com> 2009/9/9 Gavin Silver > My mailscanner stores no mail currently. it only relays for multiple > domains. ( no /path/to/mail) > > I would like to be able to push individual messages through sa-learn > > I am also using mailwatch which is nice because i can view the message list > and drill down on a message in particular and then mark it as ham/spam. > Right now i am not giving that option unless the message is a virus because > those are the only type of messages i store. everything else gets delivered > disarmed (if spam) and the subject altered (with spamscore if spam) > > I guess i could just add "store" to the operations list in addition to the > deliver disarm rewrite etc and then figure out how to tell postfix to flush > messages older than x days, but i fear i am over simplifying the process. > ---------------------------------- > Gavin Silver > > ________________________________________ 
> From: mailscanner-bounces@lists.mailscanner.info [ > mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mauricio Tavares > [raubvogel@gmail.com] > Sent: Wednesday, September 09, 2009 3:06 PM > To: MailScanner discussion > Subject: Re: store messages > > Gavin Silver wrote: > > using mailscanner as a mail relay I am unable to push individual > > messages manually through sa-learn > > > I am a bit confused about your question. Are you saying that running > sa-learn --ham/spam /path/to/mail as the user mailscanner is running as > is not working? > > > is there a known method for storing all messages but for only a set > > period of time ( a few days perhaps? ) > > > > What are you trying to accomplish? > > > > > ---------------------------------- > > Gavin Silver > > > Gavin, in the Mailwatch dir there's a couple of scripts that can clear out the quarantine and also the mailwatch DB entries. These are what you need. -- Martin Hepworth Oxford, UK From Amelein at dantumadiel.eu Thu Sep 10 10:17:15 2009 
From: Amelein at dantumadiel.eu (Amelein@dantumadiel.eu) Date: Thu Sep 10 10:17:34 2009 Subject: RCPT TO Header rewriting Message-ID: <4AA8E03B0200008E00010E99@10.1.0.206> Because of what looks to be a bug in GroupWise I need to rewrite part of the headers coming from our internal server but I am unsure of where and how to do this.. For some unknown reason the string ';1:1' gets added to the e-mail address for the DSN requests which causes our mail to bounce for a certain major isp, I started noticing this while running a tcpdump on our MS gateway. On the incoming connection from our GroupWise system the RCPT TO line is as follows: RCPT TO: NOTIFY=SUCCESS,FAILURE ORCPT=rfc822;groupwise-user@domain;1:1 When it is outbound to the internet it looks like: RCPT TO: ORCPT=rfc822;groupwise-user@domain;1:1 NOTIFY=SUCCESS,FAILURE Somewhere along the line I need to see if I can somehow remove the ;1:1 part on our gateway as a temp fix till I hear from Novell. Any ideas on how to do this with a MS + postfix setup ? - Arjan From maxsec at gmail.com Thu Sep 10 10:49:47 2009 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Sep 10 10:49:58 2009 Subject: RCPT TO Header rewriting In-Reply-To: <4AA8E03B0200008E00010E99@10.1.0.206> References: <4AA8E03B0200008E00010E99@10.1.0.206> Message-ID: <72cf361e0909100249q6ef4e942j8e3938187de752f8@mail.gmail.com> 2009/9/10 > Because of what looks to be a bug in GroupWise I need to rewrite part of > the headers coming from our internal server but I am unsure of where and how > to do this.. > For some unknown reason the string ';1:1' gets added to the e-mail address > for the DSN requests which causes our mail to bounce for a certain major > isp, I started noticing this while running a tcpdump on our MS gateway. > > On the incoming connection from our GroupWise system the RCPT TO line is > as follows: > RCPT TO: NOTIFY=SUCCESS,FAILURE > ORCPT=rfc822;groupwise-user@domain;1:1 > When it is outbound to the internet it looks like: > RCPT TO: ORCPT=rfc822;groupwise-user@domain;1:1 > NOTIFY=SUCCESS,FAILURE > > Somewhere along the line I need to see if I can somehow remove the ;1:1 > part on our gateway as a temp fix till I hear from Novell. > Any ideas on how to do this with a MS + postfix setup ? > > - > Arjan > > Not a direct answer, but check the org-name setting in MailScanner.conf as there are some restrictions on this when sending to certain MTAs (see the comments above the setting). -- Martin Hepworth Oxford, UK From rlopezcnm at gmail.com Thu Sep 10 21:21:55 2009 
From: rlopezcnm at gmail.com (Robert Lopez) Date: Thu Sep 10 21:22:10 2009 Subject: multiple MailScanner gateways and single MailWatch? Message-ID: I did not want to hijack another thread. I just read this in another thread : ---begin quote--- I run my MailScanner boxes as gateways as well, and store the mail for a couple weeks. I have a simple bash script that deletes anything older than X days in the quarantine directories. Your MTA doesn't have to be involved w/flushing them. They're just files on the hard drive. Regarding pushing individual messages through sa-learn, I use MailWatch for MailScanner. It is a nice web based interface for managing and reporting the mail. Easy to feed the messages to spamassassin. It keeps track of the messages in a mysql database, so if you adopt it, you'll need to set the database cleanup time to match the shell script. That is, if you delete mail older than 30 days, you'll want the database to also be cleaned of anything older than 30 days. There's a MailWatch discussion list similar to this group where you can get help installing and configuring it. ...Kevin ---end quote--- I have been wondering at looking at MailWatch after I get MailScanner all tuned the way the community needs it. I have two questions about using it. I have three mail gateway systems running MailScanner, is it practical to run a single instance of MailWatch on a different server already running as a web server? I have seen some documentation that suggests MailWatch expects MailScanner+Exim. Is anyone successfully using MailWatch with MailScanner+Postfix? -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From ms-list at alexb.ch Thu Sep 10 21:45:25 2009 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Sep 10 21:45:34 2009 Subject: multiple MailScanner gateways and single MailWatch? In-Reply-To: References: Message-ID: <4AA96565.4070908@alexb.ch> On 9/10/2009 10:21 PM, Robert Lopez wrote: >Is anyone successfully using MailWatch with > MailScanner+Postfix? VERY much yes. quite a number of boxes. I'm not using the built in stats stuff which doesn't scale well. Other than Mailwatch's own limitations, no problems with it. There's also a few hacks available to do nice stuff. Alex From glenn.steen at gmail.com Fri Sep 11 08:11:32 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 11 08:11:41 2009 Subject: multiple MailScanner gateways and single MailWatch? In-Reply-To: References: Message-ID: <223f97700909110011m3b7df04do580153f037be6851@mail.gmail.com> 2009/9/10 Robert Lopez : (snip) > > I have been wondering at looking at MailWatch after I get MailScanner > all tuned the way the community needs it. > I have two questions about using it. > > I have three mail gateway systems running MailScanner, is it practical > to run a single instance of MailWatch on a different server already > running as a web server? > Yes, very likely very OK. The instructions are in a text file in the MW tarball (Remote_DB.txt, IIRC)... for a basic thing. Others do more complex stuff, but the basics are usually fine enough. If you have three GWs, you might have a very large daily throughput, in which case you might need cut back on how many days you keep in the DB, or plan for a separate database server, but ... those things will become more obvious when you get going:-). > I have seen some documentation that suggests MailWatch expects > MailScanner+Exim. Is anyone successfully using MailWatch with > MailScanner+Postfix? > Oh yes. As usual with PF, correct permissions is everything... and here you need make sure the apache user (or rather group) has access to things like bayes database(s) and the respective quarantine directories... but other than that (and getting Gareth's nice PF queue monitor hack/script) ... you should be fine. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From richard at fastnet.co.uk Fri Sep 11 13:16:19 2009 
From: richard at fastnet.co.uk (Richard Mealing) Date: Fri Sep 11 13:15:54 2009 Subject: Whitelisting. Message-ID: Hello everyone, I have had some strangeness happening on our whitelists per domain. A few weeks ago I turned this on (from a global list) and it's been working great. Unfortunately I've just seen this - Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: from=, size=92755, class=0, nrcpts=2, msgid=<200909100815.n8A8FpvA014176@mailfilter7.**>, proto=ESMTP, daemon=IPv4, relay=adsl-** [**] (may be forged) Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: to=, delay=00:00:01, mailer=esmtp, pri=152755, stat=queued Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: to=, delay=00:00:01, mailer=esmtp, pri=152755, stat=queued Sep 10 09:15:54 mailfilter7 MailScanner[83390]: Message n8A8FpvA014176 from ** (geoff.***@example1.co.uk) to example1.co.uk,example2.com is spam, SpamAssassin (not cached, score=6.561, required 3.5, autolearn=disabled, DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00, HTML_IMAGE_ONLY_12 2.25, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00, MIME_BOUND_EQ_REL 0.84, MIME_QP_LONG_LINE 1.82, RDNS_DYNAMIC 0.10) Sep 10 09:15:57 mailfilter7 MailScanner[83390]: Spam Actions: message n8A8FpvA014176 actions are spam@example1.co.uk,forward Sep 10 09:15:58 mailfilter7 sendmail[14377]: n8A8FpvA014176: to=, delay=00:00:06, xdelay=00:00:00, mailer=esmtp, pri=242755, relay=mail.example1.co.uk. [****], dsn=2.0.0, stat=Sent (n8A8FvcY083874 Message accepted for delivery) My whitelist - grep example1 /**/customer_rulesets/spam.bydomain/whitelist/example1.co.uk *@example1.co.uk (I've replaced some things but you get the point..) Basically, most of the time this works great, some of the time I see stuff getting through, not being whitelisted etc. When I grep for whitelist in the maillog it shows as stopping and starting all the time. 
For example here is the period that mailscanner should have found the whitelist entry - Sep 11 09:15:39 mailfilter7 MailScanner[44048]: Closing down by-domain spam whitelist Sep 11 09:15:40 mailfilter7 MailScanner[40706]: Starting up by-domain spam whitelist, reading from /**/customer_rulesets/spam.bydomain/whitelist Sep 11 09:15:46 mailfilter7 MailScanner[66736]: Message n8B8Feab040736 from 15***** (craig.**@**.com) is whitelisted Sep 11 09:15:53 mailfilter7 MailScanner[40706]: Read whitelist for 1165 domains Sep 11 09:16:13 mailfilter7 MailScanner[59788]: Message n8B8G8Oo041572 from *** (havant@**.co.uk) is whitelisted Sep 11 09:16:27 mailfilter7 MailScanner[36105]: Message n8B8GLKM042076 from *** (yourmessages@**.co.uk) is whitelisted I've been searching and this whitelist works usually for my entry, I can see other email addresses being white listed fine from the same domain. This leaves me to believe it's something to do with the stopping and starting of the by-domain spam white list.? Does anyone else see this in their logs? Rich From munteanu.alexandru at yahoo.com Fri Sep 11 15:40:44 2009 
From: munteanu.alexandru at yahoo.com (Munteanu Alexandru) Date: Fri Sep 11 15:40:53 2009 Subject: New here first problem :) Message-ID: <917596.79855.qm@web37105.mail.mud.yahoo.com> Hi there, I have just subscribed to this list and i hope you can help me with a problem with mailwatch, my mailscanner database it's ok it has all tables and in table maillog every mail sent and received by server. In mailwatch web interface i cannot see those mails. I don't know if it's about connection with data base because some pages contain information. Please help me and tell me what to do where to look I have posted pictures on www.furnizorlemn.ro please take a look From glenn.steen at gmail.com Fri Sep 11 16:57:06 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 11 16:57:16 2009 Subject: New here first problem :) In-Reply-To: <917596.79855.qm@web37105.mail.mud.yahoo.com> References: <917596.79855.qm@web37105.mail.mud.yahoo.com> Message-ID: <223f97700909110857w47469132leea108c72cc61b5c@mail.gmail.com> 2009/9/11 Munteanu Alexandru > > Hi there, > > I have just subscribed to this list and i hope you can help me with a problem with mailwatch, my mailscanner database it's ok it has all tables and in table maillog every mail sent and received by server. > > In mailwatch web interface i cannot see those mails. I don't know if it's about connection with data base because some pages contain information. > > Please help me and tell me what to do where to look > > I have posted pictures on www.furnizorlemn.ro please take a look > MailWatch has its own list, where you should subscribe and ask about it... ... But... If the db gets filled, you should either look at turning error reporting on, in your php.ini (at least temporarily), and also have a look at both the "hidden comments" on the problem page (view source...) and the apache logs (most specifically the error log). Anything useful there? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Sep 11 17:04:17 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 11 17:04:26 2009 Subject: Whitelisting. In-Reply-To: References: Message-ID: <223f97700909110904m5885ddf6ref4fc8de4f340f2@mail.gmail.com> 2009/9/11 Richard Mealing : > Hello everyone, > > > > I have had some strangeness happening on our whitelists per domain. A few > weeks ago I turned this on (from a global list) and it's been working great. > Unfortunately I've just seen this - > > > > Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: > from=, size=92755, class=0, nrcpts=2, > msgid=<200909100815.n8A8FpvA014176@mailfilter7.**>, proto=ESMTP, > daemon=IPv4, relay=adsl-** [**] (may be forged) > > Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: > to=, delay=00:00:01, mailer=esmtp, pri=152755, > stat=queued > > Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: > to=, delay=00:00:01, mailer=esmtp, pri=152755, > stat=queued > > Sep 10 09:15:54 mailfilter7 MailScanner[83390]: Message n8A8FpvA014176 from > ** (geoff.***@example1.co.uk) to example1.co.uk,example2.com is spam, > SpamAssassin (not cached, score=6.561, required 3.5, autolearn=disabled, > DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00, HTML_IMAGE_ONLY_12 > 2.25, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00, MIME_BOUND_EQ_REL 0.84, > MIME_QP_LONG_LINE 1.82, RDNS_DYNAMIC 0.10) > > Sep 10 09:15:57 mailfilter7 MailScanner[83390]: Spam Actions: message > n8A8FpvA014176 actions are spam@example1.co.uk,forward > > Sep 10 09:15:58 mailfilter7 sendmail[14377]: n8A8FpvA014176: > to=, delay=00:00:06, xdelay=00:00:00, mailer=esmtp, > pri=242755, relay=mail.example1.co.uk. [****], dsn=2.0.0, stat=Sent > (n8A8FvcY083874 Message accepted for delivery) > > > > > > My whitelist - > > > > grep example1 /**/customer_rulesets/spam.bydomain/whitelist/example1.co.uk > > *@example1.co.uk > > > > (I've replaced some things but you get the point..) 
> > > > Basically, most of the time this works great, some of the time I see stuff > getting through, not being whitelisted etc. When I grep for whitelist in the > maillog it shows as stopping and starting all the time. For example here is > the period that mailscanner should have found the whitelist entry - > > > > Sep 11 09:15:39 mailfilter7 MailScanner[44048]: Closing down by-domain spam > whitelist > > Sep 11 09:15:40 mailfilter7 MailScanner[40706]: Starting up by-domain spam > whitelist, reading from /**/customer_rulesets/spam.bydomain/whitelist > > Sep 11 09:15:46 mailfilter7 MailScanner[66736]: Message n8B8Feab040736 from > 15***** (craig.**@**.com) is whitelisted > > Sep 11 09:15:53 mailfilter7 MailScanner[40706]: Read whitelist for 1165 > domains > > Sep 11 09:16:13 mailfilter7 MailScanner[59788]: Message n8B8G8Oo041572 from > *** (havant@**.co.uk) is whitelisted > > Sep 11 09:16:27 mailfilter7 MailScanner[36105]: Message n8B8GLKM042076 from > *** (yourmessages@**.co.uk) is whitelisted > > > > I've been searching and this whitelist works usually for my entry, I can see > other email addresses being white listed fine from the same domain. This > leaves me to believe it's something to do with the stopping and starting of > the by-domain spam white list.? > > Does anyone else see this in their logs? > > > > > > > > Rich > IIUC what you are doing, this is actually expected;-). Both the envelope from and 
From: message header (which are _not_ the same thing) are easily forged. There simply are no good ways of validating them in plain (E-)SMTP, so therefore you cannot under any circumstances rely on that information for whitelisting. At least not that info alone. What you need do is use something that cannot be forged so easily, like the sending server's IP address, or using some TLS measure, and whitelist on that. Just using the domain... will only give you grief. Regardless where you whitelist (MTA, MS or SA). The only place where a small whitelist bonus (negative score) would make some sense is likely in SA, and even there it is best to rely on sending server, or similar. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From shprahi at gmail.com Fri Sep 11 19:52:39 2009 
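An added example (not part of the thread and not MailScanner code) of the check Glenn's reply points to: it joins sendmail and MailScanner log lines, in the format quoted above, on the queue ID and reports sender-address whitelist hits whose connecting relay is outside a list of trusted server networks, also recording whether sendmail tagged the relay name "(may be forged)". The log lines are constructed, and `TRUSTED_RELAYS` and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the sendmail and MailScanner log formats
# quoted in the thread. Hosts and addresses are documentation-only values.
SAMPLE_LOG = """\
Sep 11 09:15:44 mailfilter7 sm-mta-in[40736]: n8B8Feab040736: from=<craig@partner.example>, size=4120, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=mail.partner.example [192.0.2.25]
Sep 11 09:15:46 mailfilter7 MailScanner[66736]: Message n8B8Feab040736 from 192.0.2.25 (craig@partner.example) is whitelisted
Sep 11 09:16:08 mailfilter7 sm-mta-in[41572]: n8B8G8Oo041572: from=<havant@partner.example>, size=92755, class=0, nrcpts=2, proto=ESMTP, daemon=IPv4, relay=adsl-host.isp.example [203.0.113.77] (may be forged)
Sep 11 09:16:13 mailfilter7 MailScanner[59788]: Message n8B8G8Oo041572 from 203.0.113.77 (havant@partner.example) is whitelisted
Sep 11 09:16:20 mailfilter7 sm-mta-in[42076]: n8B8GLKM042076: from=<news@other.example>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=mx.other.example [198.51.100.9]
Sep 11 09:16:27 mailfilter7 MailScanner[36105]: Message n8B8GLKM042076 from 198.51.100.9 (news@other.example) is spam, SpamAssassin (not cached, score=6.561, required 3.5)
"""

# Assumption: the networks the whitelisted partner really sends from.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# Inbound sendmail line: queue ID, envelope sender, connecting relay.
RELAY_RE = re.compile(
    r"(?:sm-mta[\w-]*|sendmail)\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>"
    r".*relay=(?:[^\s\[]+ )?\[(?P<ip>[^\]]+)\](?P<forged> \(may be forged\))?"
)
# MailScanner verdict line for a sender-address whitelist hit.
WHITELIST_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<qid>\w+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) is whitelisted"
)


def relay_is_trusted(ip_text, trusted):
    """True only if ip_text parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # masked or malformed address in the log
        return False
    return any(addr in net for net in trusted)


def audit_whitelist_hits(log_text, trusted=TRUSTED_RELAYS):
    """Return whitelist hits whose connecting relay is not a trusted server."""
    relays = {}    # queue ID -> (relay IP, rDNS-unconfirmed flag)
    findings = []
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            relays[m["qid"]] = (m["ip"], m["forged"] is not None)
            continue
        m = WHITELIST_RE.search(line)
        if not m:
            continue
        # Prefer the MTA's view of the peer; fall back to MailScanner's.
        ip, unconfirmed = relays.get(m["qid"], (m["ip"], False))
        if relay_is_trusted(ip, trusted):
            continue
        findings.append({
            "qid": m["qid"],
            "sender": m["sender"],   # forgeable, shown for context only
            "relay_ip": ip,
            "rdns_unconfirmed": unconfirmed,
        })
    return findings


if __name__ == "__main__":
    for hit in audit_whitelist_hits(SAMPLE_LOG):
        print(hit)
```

Both whitelisted messages carry the same sender domain; only the relay address separates the partner's mail server from the ADSL host.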
From: shprahi at gmail.com (shprahi shprahi) Date: Fri Sep 11 19:58:15 2009 Subject: attachment rule with multiple attachment Message-ID: Hi All, I have Postfix+MailScanner+spamassassin+clamAv on Centos 5.3 and also i have rule set file for attachment limitation with respect to users. now i am facing some strange problem which i would like to share Ex : user abc has From 2 MB and To as 3 MB attachment set. 1. If user send one file as greater than 2 MB recipient is getting warning message saying attachment restriction 2. If same user is attaching multiple files of 1.5 MB (3 files) are reaching to recipient. How to restrict multiple attachment, since user may attach one or more file. If it is one file then Mailscanner is checking against the rule set file but same if multiple files attached then mailscanner not checking against the rule set file or may be considering individual file as within the limit and sending even though cumulative size of attachment is exceeding the allowed size. Please share if any one has come across the same.. Thanks a lot in advance...... Regards, shprahi From rlopezcnm at gmail.com Fri Sep 11 21:04:59 2009 
From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri Sep 11 21:05:08 2009 Subject: Need to allow blackberry EPT.DAT files Message-ID: Some offices of the college are being affected by some blocked data files. They are .dat files and we do not want to unblock .dat files. I am told in this case the data files are part of syncing blackberry applications to desktop applications. I considered allowing EPT.DAT, but that seems like too much of an opportunity for the wrong persons. Here are some of the facts: Report: MailScanner: No programs allowed (ETP.DAT) Received: from mailrouter1104.na.blackberry.net (mailrouter1104.na.blackberry.net [204.187.87.55]) by xxxx.cnm.edu (Postfix) with SMTP id 625296604E2 for ; Fri, 11 Sep 2009 06:56:02 -0600 (MDT) Received: from ETP1107.etp.prod.on.blackberry (etp1107.etp.prod.on.blackberry [172.23.40.50]) by mailrouter1104.na.blackberry.net (Postfix) with ESMTP id 65EBA2E257F for ; Fri, 11 Sep 2009 12:55:46 +0000 (UTC) Would it take a custom modification to 'allow EPT.DAT files only from *.na.blackberry.net' or could a file rule accomplish it? The filename.rules.conf seems to not be able to deal with the domain restriction. Looking at CustomConfig.pm it seems there could be a /etc/MailScanner/spam.bydomain/whitelist/blackberry file if everything from na.blackberry.net and from prod.on.blackberry was wanted to be allowed. As I have no idea what mail could come from those it does not seem wise to just open for everything from them. [I have not found a way to ask blackberry/rim any questions.] -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From glenn.steen at gmail.com Fri Sep 11 22:07:00 2009 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Sep 11 22:07:09 2009 Subject: Need to allow blackberry EPT.DAT files In-Reply-To: References: Message-ID: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com> 2009/9/11 Robert Lopez : > Some offices of the college are being affected by some blocked data > files. They are .dat files and we do not want to unblock .dat files. > I am told in this case the data files are part of syncing blackberry > applications to desktop applications. > I considered allowing EPT.DAT, but that seems like too much of an > opportunity for the wrong persons. > > Here are some of the facts: > > Report: MailScanner: No programs allowed (ETP.DAT) > > Received: from mailrouter1104.na.blackberry.net > (mailrouter1104.na.blackberry.net [204.187.87.55]) > by xxxx.cnm.edu (Postfix) with SMTP id 625296604E2 > for ; Fri, 11 Sep 2009 06:56:02 -0600 (MDT) > Received: from ETP1107.etp.prod.on.blackberry > (etp1107.etp.prod.on.blackberry [172.23.40.50]) > by mailrouter1104.na.blackberry.net (Postfix) with ESMTP id 65EBA2E257F > for ; Fri, 11 Sep 2009 12:55:46 +0000 (UTC) > > Would it take a custom modification to 'allow EPT.DAT files only from > *.na.blackberry.net' or could a file rule accomplish it? > > The filename.rules.conf seems to not be able to deal with the domain > restriction. > > Looking at CustomConfig.pm it seems there could be a > /etc/MailScanner/spam.bydomain/whitelist/blackberry file if everything > from na.blackberry.net and from prod.on.blackberry was wanted to be > allowed. As I have no idea what mail could come from > those it does not seem wise to just open for everything from them. [I > have not found a way to ask blackberry/rim any questions.] Not really a custom thing, but unpalatable any which way you look at it. 
The problem isn't the filename, which is trivially handled via a normal ruleset (multiple filename.rules.conf, where you can allow the relevant filename for the blackberry domain (beware the subdomains... aieee!!! Yes, I truly hate RIM/blackberry for this lunacy), but the fact that they send a BINARY file without ascii armor. Oh they send that too, but that is entirely beside the point, since they rely on the binary attachment getting through. The problem is that the "encrypted stuff" in that file can (and will, as you have noticed) trigger ANY filetype line. So one need use a "filetypewhitelist" for the blackberry domain (they, of course, have too many sending servers to be able to keep up with using only IPs, so you need bare yourself to forgeries here... AAAARRRGH!). It is a PITA. It is either this, or stop using blackberries... Try selling that to the CEOs:-). BTW, the file is for BB activations, not synchronization. Cheers (yeah, Am slightly drunk, so ... letting some pent-up steam loose here:-) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rlopezcnm at gmail.com Fri Sep 11 22:34:01 2009 
From: rlopezcnm at gmail.com (Robert Lopez) Date: Fri Sep 11 22:34:11 2009 Subject: Need to allow blackberry EPT.DAT files In-Reply-To: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com> References: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com> Message-ID: On Fri, Sep 11, 2009 at 3:07 PM, Glenn Steen wrote: > 2009/9/11 Robert Lopez : >> Some offices of the college are being affected by some blocked data >> files. They are .dat files and we do not want to unblock .dat files. >> I am told in this case the data files are part of syncing blackberry >> applications to desktop applications. >> I considered allowing EPT.DAT, but that seems like too much of an >> opportunity for the wrong persons. >> >> Here are some of the facts: >> >> Report: MailScanner: No programs allowed (ETP.DAT) >> >> Received: from mailrouter1104.na.blackberry.net >> (mailrouter1104.na.blackberry.net [204.187.87.55]) >> ? ? ? ?by xxxx.cnm.edu (Postfix) with SMTP id 625296604E2 >> ? ? ? ?for ; Fri, 11 Sep 2009 06:56:02 -0600 (MDT) >> ?Received: from ETP1107.etp.prod.on.blackberry >> (etp1107.etp.prod.on.blackberry [172.23.40.50]) >> ? ? ? ?by mailrouter1104.na.blackberry.net (Postfix) with ESMTP id 65EBA2E257F >> ? ? ? ?for ; Fri, 11 Sep 2009 12:55:46 +0000 (UTC) >> >> Would it take a custom modification to 'allow EPT.DAT files only from >> *.na.blackberry.net' or could a file rule accomplish it? >> >> The filename.rules.conf seems to not be able to deal with the domain >> restriction. >> >> Looking at CustomConfig.pm it seems there could be a >> /etc/MailScanner/spam.bydomain/whitelist/blackberry file if everything >> from na.blackberry.net and from prod.on.blackberry was wanted to be >> allowed. As I have no idea what mail could come from >> those it does not seem wise to just open for everything from them. [I >> have not found a way to ask blackberry/rim any questions.] > > Not really a custom thing, but unpalatable any which way you look at it. 
> The problem isn't the filename, which is trivially handled via a > normal ruleset (multiple filename.rules.conf, where you can allow the > relevant filename for the blaberry domain (bevare the subdomains... > aieee!!! Yes, I truly hate RIM/blackberry for this lunacy), but the > fact that they send a BINARY file without ascii armor. Oh they send > that too, but that is entirely beside the point, since they rely on > the binary attachment getting through. > The problem is that the "encrypted stuff" in that file can (and will, > as you have noticed)trigger ANY filetype line. So one need use a > "filetypewhitelist" for the blackberry domain (they, of course, have > too many sending servers to be able to keep up with using only IPs, so > you need bare yourself to forgeries here... AAAARRRGH!). It is a PITA. > It is either this, or stop using blackberries... Try selling that to > the CEOs:-). > BTW, the file is for BB activations, not synchronization. > > Cheers (yeah, Am slightly drunk, so ... letting some pent-up stem loose here:-) > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > You have been so helpful to me and others I believe you are entitled to some steam. -- Robert Lopez Unix Systems Administrator Central New Mexico Community College (CNM) 525 Buena Vista SE Albuquerque, New Mexico 87106 From shprahi at gmail.com Sat Sep 12 11:49:17 2009 
From: shprahi at gmail.com (shprahi shprahi)
Date: Sat Sep 12 11:49:26 2009
Subject: attachment rule with multiple attachment
In-Reply-To:
References:
Message-ID:

I am not sure whether My posted messages are reaching to the list.

Regards,
Shprahi

On Sat, Sep 12, 2009 at 12:22 AM, shprahi shprahi wrote:

> Hi All,
>
> I have Postfix+MailScanner+spamassassin+clamAv on Centos 5.3 and also i have
> rule set file for attachment limitation with respect to users.
>
> now i am facing some strange problem which i would like to share
>
> Ex : user abc has From 2 MB and To as 3 MB attachment set.
>
> 1. If user send one file as greater than 2 MB recipient is getting warning
> message saying attachment restriction
> 2. If same user is attaching multiple files of 1.5 MB (3 files) are
> reaching to recipient.
>
> How to restrict multiple attachment, since user may attach one or more
> file. If it is one file then Mailscanner is checking against the rule set
> file but same if multiple files attached then mailscanner not checking
> against the rule set file or may be considering individual file as within
> the limit and sending even though cumulative size of attachment is exceeding
> the allowed size.
>
> Please share if any one has come across the same..
>
> Thanks a lot in advance......
>
> Regards,
> shprahi

From peter at farrows.org Sun Sep 13 11:10:13 2009
From: peter at farrows.org (Peter Farrow) Date: Sun Sep 13 11:10:35 2009 Subject: Need to allow blackberry EPT.DAT files In-Reply-To: References: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com> Message-ID: <4AACC505.6050201@farrows.org> Robert Lopez wrote: > On Fri, Sep 11, 2009 at 3:07 PM, Glenn Steen wrote: > >> 2009/9/11 Robert Lopez : >> >>> Some offices of the college are being affected by some blocked data >>> files. They are .dat files and we do not want to unblock .dat files. >>> I am told in this case the data files are part of syncing blackberry >>> applications to desktop applications. >>> I considered allowing EPT.DAT, but that seems like too much of an >>> opportunity for the wrong persons. >>> >>> Here are some of the facts: >>> >>> Report: MailScanner: No programs allowed (ETP.DAT) >>> >>> Received: from mailrouter1104.na.blackberry.net >>> (mailrouter1104.na.blackberry.net [204.187.87.55]) >>> by xxxx.cnm.edu (Postfix) with SMTP id 625296604E2 >>> for ; Fri, 11 Sep 2009 06:56:02 -0600 (MDT) >>> Received: from ETP1107.etp.prod.on.blackberry >>> (etp1107.etp.prod.on.blackberry [172.23.40.50]) >>> by mailrouter1104.na.blackberry.net (Postfix) with ESMTP id 65EBA2E257F >>> for ; Fri, 11 Sep 2009 12:55:46 +0000 (UTC) >>> >>> Would it take a custom modification to 'allow EPT.DAT files only from >>> *.na.blackberry.net' or could a file rule accomplish it? >>> >>> The filename.rules.conf seems to not be able to deal with the domain >>> restriction. >>> >>> Looking at CustomConfig.pm it seems there could be a >>> /etc/MailScanner/spam.bydomain/whitelist/blackberry file if everything >>> from na.blackberry.net and from prod.on.blackberry was wanted to be >>> allowed. As I have no idea what mail could come from >>> those it does not seem wise to just open for everything from them. [I >>> have not found a way to ask blackberry/rim any questions.] >>> >> Not really a custom thing, but unpalatable any which way you look at it. 
>> The problem isn't the filename, which is trivially handled via a >> normal ruleset (multiple filename.rules.conf, where you can allow the >> relevant filename for the blaberry domain (bevare the subdomains... >> aieee!!! Yes, I truly hate RIM/blackberry for this lunacy), but the >> fact that they send a BINARY file without ascii armor. Oh they send >> that too, but that is entirely beside the point, since they rely on >> the binary attachment getting through. >> The problem is that the "encrypted stuff" in that file can (and will, >> as you have noticed)trigger ANY filetype line. So one need use a >> "filetypewhitelist" for the blackberry domain (they, of course, have >> too many sending servers to be able to keep up with using only IPs, so >> you need bare yourself to forgeries here... AAAARRRGH!). It is a PITA. >> It is either this, or stop using blackberries... Try selling that to >> the CEOs:-). >> BTW, the file is for BB activations, not synchronization. >> >> Cheers (yeah, Am slightly drunk, so ... letting some pent-up stem loose here:-) >> -- >> -- Glenn >> email: glenn < dot > steen < at > gmail < dot > com >> work: glenn < dot > steen < at > ap1 < dot > se >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > You have been so helpful to me and others I believe you are entitled > to some steam. > > I have to say I have had this problem, and have resorted to LAN activation over wifi in the past. I have also sat there and whitelist IPs until you have enough to get it through on the first few tries. Blackberrys are a PITA, but as an IT consultant they are good revenue earners because they consume so much time. I have pointed this out to many of my clients, but CEOs as you say, just seem to be hooked on them. 
The whole Blackberry system, BES etc is all badly thought out and thrown
together...and randomly stops working at times...

From pedro.arinto at gmail.com Mon Sep 14 15:32:28 2009
From: pedro.arinto at gmail.com (Pedro Arinto)
Date: Mon Sep 14 15:33:02 2009
Subject: Filename enconding in auto-zip feature
Message-ID:

Hi,

In my setup I'm using the auto-zip feature to zip attachments bigger than
1500k. When an attached file sent by a user contains international characters
(like ?,?,?, etc), the filenames get messed up in the resulting ZIP file.
Windows users are unable to uncompress this files.

An example:

Original filename: "Test ??? e ?? e ??.txt"
Filename in ZIP compressed by MailScanner: "Teste =?iso-8859-1?Q?=E7=E7=E7_e_=E1=E1_e_=E9=E9=E9.txt?="

Can you help ?

Thanks,
Pedro

From c.granisso at dnshosting.it Mon Sep 14 16:03:29 2009
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Mon Sep 14 16:03:36 2009
Subject: user settings
Message-ID: <200909141503.n8EF3Sm8032403@safir.blacknight.ie>

Hello, is there any way to tell (for each user) what to do with spam?
(tag/untag, deliver/delete messages tagged as SPAM)

Actually I can define this only in MailScanner.conf and not for each user
but for the system.

Thanks,

Carlo

P.S.: I've solved RBL problem described in a previous mail

From ecasarero at gmail.com Mon Sep 14 16:56:54 2009
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Mon Sep 14 16:57:24 2009
Subject: user settings
In-Reply-To: <200909141503.n8EF3Sm8032403@safir.blacknight.ie>
References: <200909141503.n8EF3Sm8032403@safir.blacknight.ie>
Message-ID: <7d9b3cf20909140856l6ee38558q9d86c57ab2293e0@mail.gmail.com>

2009/9/14 Carlo Granisso

> Hello, is there any way to tell (for each user) what to do with spam?
> (tag/untag, deliver/delete messages tagged as SPAM)
>
> Actually I can define this only in MailScanner.conf and not for each user
> but for the system.
>

Spam Actions = %rules-dir%/spam.actions.rules

"cat spam.actions.rules"

To:user1@domain.com deliver tag store
FromOrTo: default store header "X-Spam-Status: Yes"

check the rules file syntax, and tabs.

> Thanks,
>
> Carlo
>
> P.S.: I've solved RBL problem described in a previous mail

From mrm at medicine.wisc.edu Mon Sep 14 17:33:59 2009
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Mon Sep 14 17:34:27 2009
Subject: Need to allow blackberry EPT.DAT files
In-Reply-To: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com>
References: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com>
Message-ID: <4AAE2A2C.7CBE.00FC.3@medicine.wisc.edu>

>>> On 9/11/2009 at 4:07 PM, in message
<223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com>, Glenn Steen
wrote:

> The problem is that the "encrypted stuff" in that file can (and will,
> as you have noticed)trigger ANY filetype line. So one need use a
> "filetypewhitelist" for the blackberry domain (they, of course, have
> too many sending servers to be able to keep up with using only IPs, so
> you need bare yourself to forgeries here... AAAARRRGH!). It is a PITA.

Isn't this a prime candidate for using the new hostname lookup feature that
Jules recently added?

--Mike

From glenn.steen at gmail.com Mon Sep 14 18:54:15 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Sep 14 18:54:24 2009
Subject: Need to allow blackberry EPT.DAT files
In-Reply-To: <4AAE2A2C.7CBE.00FC.3@medicine.wisc.edu>
References: <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com> <4AAE2A2C.7CBE.00FC.3@medicine.wisc.edu>
Message-ID: <223f97700909141054y3d679edco922ef7dff4c2f4f0@mail.gmail.com>

2009/9/14 Michael Masse :
>>>> On 9/11/2009 at 4:07 PM, in message
> <223f97700909111407w3d263408i7a9710d838884c20@mail.gmail.com>, Glenn Steen
> wrote:
>
>> The problem is that the "encrypted stuff" in that file can (and will,
>> as you have noticed)trigger ANY filetype line. So one need use a
>> "filetypewhitelist" for the blackberry domain (they, of course, have
>> too many sending servers to be able to keep up with using only IPs, so
>> you need bare yourself to forgeries here... AAAARRRGH!). It is a PITA.
>
> Isn't this a prime candidate for using the new hostname lookup feature that
> Jules recently added?
>
> --Mike
>
Haven't looked at it, might well be... Will try to look at it tomorrow and let
you know (unless someone beats me to it:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From c.granisso at dnshosting.it Tue Sep 15 14:12:32 2009
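The forgery concern in the BlackBerry thread above comes down to which identity the exemption is keyed on. As an added example (not MailScanner code and not from any poster), this Python sketch keys it on the relay that the receiving MTA itself recorded in the topmost Received line, requires a whole-label suffix match, and re-confirms the name by forward lookup; the function names, the resolver table and the non-BlackBerry host names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the topmost Received value quoted in the thread, i.e. the
# line written by the receiving Postfix (recipient address omitted as on the page).
SAMPLE_RECEIVED = (
    "from mailrouter1104.na.blackberry.net "
    "(mailrouter1104.na.blackberry.net [204.187.87.55]) "
    "by xxxx.cnm.edu (Postfix) with SMTP id 625296604E2; "
    "Fri, 11 Sep 2009 06:56:02 -0600 (MDT)"
)

# Postfix layout: from <HELO name> (<client name or "unknown"> [<client IP>])
RELAY_RE = re.compile(
    r"^\s*from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
)


def parse_relay(received):
    """Return (helo, rdns, ip) from a Received value, or None if it does not parse."""
    match = RELAY_RE.match(received)
    if match is None:
        return None
    try:
        ip = ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None
    return (match.group("helo").lower().rstrip("."),
            match.group("rdns").lower().rstrip("."),
            ip)


def under_suffix(host, suffixes):
    """Whole-label match only: 'notblackberry.net' and
    'blackberry.net.example.org' do not pass for 'blackberry.net'."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def relay_is_trusted(received, suffixes, resolve):
    """Trust the relay only if the client name recorded by our own MTA is under
    an allowed suffix AND resolves forward to the connecting IP.
    The HELO name is supplied by the sender and is ignored."""
    relay = parse_relay(received)
    if relay is None:
        return False
    _helo, rdns, ip = relay
    if rdns == "unknown" or not under_suffix(rdns, suffixes):
        return False
    forward = set()
    for addr in resolve(rdns):
        try:
            forward.add(ipaddress.ip_address(addr))
        except ValueError:
            continue
    return ip in forward


def allow_attachment(received, filename, allowed_name, suffixes, resolve):
    """Exempt exactly one file name, and only from a forward-confirmed relay."""
    return (filename.lower() == allowed_name.lower()
            and relay_is_trusted(received, suffixes, resolve))


# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "mailrouter1104.na.blackberry.net": ["204.187.87.55"],
    "mx.blackberry.net.example.org": ["192.0.2.10"],
    "spoof.na.blackberry.net": ["198.51.100.7"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])
```

In production `resolve` would wrap a real DNS lookup; only Received lines added by your own servers carry information you can rely on, since everything below them is written by the sending side.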
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Tue Sep 15 14:12:45 2009
Subject: R: user settings
In-Reply-To: <7d9b3cf20909140856l6ee38558q9d86c57ab2293e0@mail.gmail.com>
Message-ID: <200909151312.n8FDCajp018413@safir.blacknight.ie>

Hello, thanks for your help: do you think that it's possible to "export"
this file into DB (such as white/black list management) to centralize it?

  _____

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Eduardo Casarero
Sent: Monday 14 September 2009 17.57
To: MailScanner discussion
Subject: Re: user settings

2009/9/14 Carlo Granisso

Hello, is there any way to tell (for each user) what to do with spam?
(tag/untag, deliver/delete messages tagged as SPAM)

Actually I can define this only in MailScanner.conf and not for each user
but for the system.

Spam Actions = %rules-dir%/spam.actions.rules

"cat spam.actions.rules"

To:user1@domain.com deliver tag store
FromOrTo: default store header "X-Spam-Status: Yes"

check the rules file syntax, and tabs.

Thanks,

Carlo

P.S.: I've solved RBL problem described in a previous mail

From ssilva at sgvwater.com Tue Sep 15 16:40:15 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 15 16:40:48 2009
Subject: R: user settings
In-Reply-To: <200909151312.n8FDCajp018413@safir.blacknight.ie>
References: <7d9b3cf20909140856l6ee38558q9d86c57ab2293e0@mail.gmail.com> <200909151312.n8FDCajp018413@safir.blacknight.ie>
Message-ID:

on 9-15-2009 6:12 AM Carlo Granisso spake the following:
> Hello, thanks for your help: do you think that it's possible to "export"
> this file into DB (such as white/black list management) to centralize it?
>
If you can write a custom function to do the lookup and return the proper
info, it could be done. Or you could pay Jules to write it for you. I'm sure
he is almost always up for paying sidework.

From ricardo at americasnet.com Tue Sep 15 18:38:44 2009
From: ricardo at americasnet.com (Ricardo Kleemann)
Date: Tue Sep 15 18:39:04 2009
Subject: how to integrate dspam?
Message-ID: <1253036324.4aafd12420b1b@web1.americasnet.com>

Hi,

I have spamassassin configured with mailscanner. I also wanted to give dspam
a try, how would I go about adding that to mailscanner?

Thanks
Ricardo

From lhaig at haigmail.com Tue Sep 15 19:02:35 2009
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Sep 15 19:04:43 2009
Subject: forward all mail from one domain to a specific user at another domain.
Message-ID: <4AAFD6BB.5080303@haigmail.com>

Hi,

I am packing to move home so I have misplaced my MailScanner book and
can't look this up.

I would appreciate help.

I have had a request from one of my users to have all the valid mail for
one domain sent to a specific user at another domain.

What would be the best way to achieve this.

Regards

Lance

From steve at fsl.com Tue Sep 15 19:17:08 2009
From: steve at fsl.com (Stephen Swaney)
Date: Tue Sep 15 19:17:17 2009
Subject: forward all mail from one domain to a specific user at another domain.
In-Reply-To: <4AAFD6BB.5080303@haigmail.com>
References: <4AAFD6BB.5080303@haigmail.com>
Message-ID: <4AAFDA24.4020900@fsl.com>

Lance Haig wrote:
> Hi,
>
> I am packing to move home so I have misplaced my MailScanner book and
> can't look this up.
>
> I would appreciate help.
>
> I have had a request from one of my users to have all the valid mail for
> one domain sent to a specific user at another domain.
>
> What would be the best way to achieve this.
>
> Regards
>
> Lance
>
Lance,

Simple. In MailScanner.conf, setup a ruleset for "Non Spam Actions = "
which contains:

To: address@old_domain.com forward newaddress@new_domain.com
ToOrFrom: default deliver

The default action should actually be whatever is the current value of
Non Spam Actions = " .

And this solution assumes that you don't want to forward Spam or High Spam.

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From lhaig at haigmail.com Tue Sep 15 19:26:28 2009
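The two rulesets posted in the "user settings" and "forward all mail" threads above share one file format. As an added example (a simplified Python model, not MailScanner's own parser), this shows how such a file resolves to an action for a given sender and recipient and how a malformed line can be caught before deployment; it assumes first match wins, that the default line is used only when nothing else matches, and that "FromOrTo:" and "ToOrFrom:" mean the same thing. All function names are hypothetical.

```python
import re

# Constructed copies of the rulesets posted in the threads (the addresses are
# the posters' own placeholders).
SPAM_ACTIONS_RULES = '''\
To:user1@domain.com deliver tag store
FromOrTo: default store header "X-Spam-Status: Yes"
'''

NON_SPAM_ACTIONS_RULES = '''\
To: address@old_domain.com forward newaddress@new_domain.com
ToOrFrom: default deliver
'''

# direction ':' pattern <whitespace> value
RULE_RE = re.compile(r"^(?P<dir>[A-Za-z]+):\s*(?P<pattern>\S+)\s+(?P<value>.+?)\s*$")


def _direction(word):
    """Map the direction keyword to from / to / either / both (model assumption)."""
    w = word.lower()
    has_from, has_to = "from" in w, "to" in w
    if has_from and has_to:
        return "both" if "and" in w else "either"
    if has_from:
        return "from"
    if has_to:
        return "to"
    return None


def _compile(pattern):
    """Turn user@domain with '*' wildcards into a regex; a bare domain is
    treated as *@domain (model assumption)."""
    if "@" not in pattern:
        pattern = "*@" + pattern
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def parse_ruleset(text):
    """Return (rules, default, problems); problems lists unparsable lines."""
    rules, default, problems = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        direction = _direction(match.group("dir")) if match else None
        if direction is None:
            problems.append((lineno, raw))
            continue
        pattern, value = match.group("pattern").lower(), match.group("value")
        if pattern == "default":
            if default is None:
                default = value
        else:
            rules.append((direction, _compile(pattern), value))
    return rules, default, problems


def lookup(text, sender, recipient):
    """Value of the first rule matching this sender/recipient, else the default."""
    rules, default, _problems = parse_ruleset(text)
    sender, recipient = sender.lower(), recipient.lower()
    for direction, regex, value in rules:
        f = regex.fullmatch(sender) is not None
        t = regex.fullmatch(recipient) is not None
        if {"from": f, "to": t, "either": f or t, "both": f and t}[direction]:
            return value
    return default


def lint(text):
    """Lines that would be silently useless: unknown direction or missing value."""
    return parse_ruleset(text)[2]
```

Note that the forwarding rule as posted matches a single address; covering every recipient in the old domain needs a wildcard pattern such as `*@old_domain.com`, which the model above also handles.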
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Sep 15 19:28:20 2009
Subject: forward all mail from one domain to a specific user at another domain.
In-Reply-To: <4AAFDA24.4020900@fsl.com>
References: <4AAFD6BB.5080303@haigmail.com> <4AAFDA24.4020900@fsl.com>
Message-ID: <4AAFDC54.1000001@haigmail.com>

Stephen Swaney wrote:
> Lance Haig wrote:
>> Hi,
>>
>> I am packing to move home so I have misplaced my MailScanner book and
>> can't look this up.
>>
>> I would appreciate help.
>>
>> I have had a request from one of my users to have all the valid mail for
>> one domain sent to a specific user at another domain.
>>
>> What would be the best way to achieve this.
>>
>> Regards
>>
>> Lance
>>
> Lance,
>
> Simple. In MailScanner.conf, setup a ruleset for "Non Spam Actions = "
> which contains:
>
> To: address@old_domain.com forward
> newaddress@new_domain.com
> ToOrFrom: default deliver
>
> The default action should actually be whatever is the current value of
> Non Spam Actions = " .
>
> And this solution assumes that you don't want to forward Spam or High Spam.
>
> Best regards,
>
> Steve
>
Hi Steve,

Thanks

Lance

From lhaig at haigmail.com Tue Sep 15 19:44:47 2009
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Sep 15 19:46:39 2009
Subject: Mailscanner --lint error.
Message-ID: <4AAFE09F.2000601@haigmail.com>

How best do I fault find this error ?

Bareword found where operator expected at /etc/spamassassin/FuzzyOcr.pm line 131, near "my $msgid = $pms->get('Message"
(Might be a runaway multi-line '' string starting on line 20)
(Do you need to predeclare my?)
plugin: failed to parse plugin /etc/spamassassin/FuzzyOcr.pm: Bad name after Id' at /etc/spamassassin/FuzzyOcr.pm line 131.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107.

config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_logfile /var/log/FuzzyOcr.log
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_global_wordlist /etc/mail/spamassassin/FuzzyOcr.words
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert, convert, ppmtopgm, tesseract
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_preprocessor_file /etc/mail/spamassassin/FuzzyOcr.preps
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_scanset_file /etc/mail/spamassassin/FuzzyOcr.scansets
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_minimal_scanset 1
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_autosort_scanset 1
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_enable_image_hashing 3
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_db FuzzyOcr
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_hash Hash
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_safe Safe
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_user fuzzyocr
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_pass cara9250
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_host localhost
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_port 3306
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_socket /var/run/mysqld/mysqld.sock
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_end_config
rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping:
(Can't locate object method "dummy_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 742) line 594.
)
rules: failed to run FUZZY_OCR test, skipping:
(Can't locate object method "fuzzyocr_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 806) line 19.
)
SpamAssassin reported an error.

Thanks

Lance

From uxbod at splatnix.net Tue Sep 15 19:58:36 2009
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Sep 15 19:58:57 2009
Subject: Mailscanner --lint error.
In-Reply-To: <4736507.31253041097296.JavaMail.root@office.splatnix.net>
Message-ID: <28281285.51253041116551.JavaMail.root@office.splatnix.net>

perl -c /etc/spamassassin/FuzzyOcr.pm

and see what it borks I believe

Best Regards,

----- "Lance Haig" wrote:

| How best do I fault find this error ?
|
| Bareword found where operator expected at
| /etc/spamassassin/FuzzyOcr.pm
| line 131, near "my $msgid = $pms->get('Message"
| (Might be a runaway multi-line '' string starting on line 20)
| (Do you need to predeclare my?)
| plugin: failed to parse plugin /etc/spamassassin/FuzzyOcr.pm: Bad
| name
| after Id' at /etc/spamassassin/FuzzyOcr.pm line 131.
| Compilation failed in require at
| /usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107.
|
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_logfile /var/log/FuzzyOcr.log
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_global_wordlist
| /etc/mail/spamassassin/FuzzyOcr.words
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert,
| convert, ppmtopgm, tesseract
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_path_bin
| /usr/local/netpbm/bin:/usr/local/bin:/usr/bin
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_preprocessor_file
| /etc/mail/spamassassin/FuzzyOcr.preps
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_scanset_file
| /etc/mail/spamassassin/FuzzyOcr.scansets
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_minimal_scanset 1
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_autosort_scanset 1
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_enable_image_hashing 3
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_digest_db
| /etc/mail/spamassassin/FuzzyOcr.hashdb
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_db_hash
| /etc/mail/spamassassin/FuzzyOcr.db
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_db_safe
| /etc/mail/spamassassin/FuzzyOcr.safe.db
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_db FuzzyOcr
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_hash Hash
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_safe Safe
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_user fuzzyocr
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_pass cara9250
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_host localhost
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_port 3306
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_socket
| /var/run/mysqld/mysqld.sock
| config: failed to parse line, skipping, in
| "/etc/spamassassin/FuzzyOcr.cf": focr_end_config
| rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping:
| (Can't locate object method "dummy_check" via package
| "Mail::SpamAssassin::PerMsgStatus" at (eval 742) line 594.
| )
| rules: failed to run FUZZY_OCR test, skipping:
| (Can't locate object method "fuzzyocr_check" via package
| "Mail::SpamAssassin::PerMsgStatus" at (eval 806) line 19.
| )
| SpamAssassin reported an error.
|
| Thanks
|
| Lance

--
SplatNIX IT Services :: Innovation through collaboration

From GSilver at rampuptech.com Tue Sep 15 22:35:32 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Tue Sep 15 22:35:46 2009
Subject: spamtrap address
Message-ID:

I can't seem to find any documentation on creating an email address to act as
a sa-learn spamtrap

i.e. user forwards spam message not marked as spam to
spamtrap@somedomainatmyrelay.com, sa-learn gets that original message for
bayes training as spam

can someone point me in the right direction?

----------------------------------
Gavin Silver
Ramp Up Technology
gsilver@rampuptech.com
----------------------------------

From GSilver at rampuptech.com Tue Sep 15 22:48:15 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Tue Sep 15 22:48:26 2009
Subject: spamtrap address
In-Reply-To:
References:
Message-ID: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com>

I think I have just answered my one question which is that I can't just have a
straight forward go to a spam learn as it would probably learn that all
forwarded messages are spam as well..

I am really just looking for a way for the users to make use of spam/ham
training via their outlook clients as my mailscanner is a gateway for many
domains

On Sep 15, 2009, at 5:35 PM, Gavin Silver wrote:

I can't seem to find any documentation on creating an email address to act as
a sa-learn spamtrap

i.e. user forwards spam message not marked as spam to
spamtrap@somedomainatmyrelay.com, sa-learn gets that original message for
bayes training as spam

can someone point me in the right direction?

----------------------------------
Gavin Silver
Ramp Up Technology
gsilver@rampuptech.com
----------------------------------

From jeff.mills at sydneytech.com.au Wed Sep 16 00:20:11 2009
From: jeff.mills at sydneytech.com.au (Jeff Mills)
Date: Wed Sep 16 00:20:29 2009
Subject: spamtrap address
In-Reply-To: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com>
References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com>
Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6052@stssvr01.Sts.local>
>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gavin Silver
>Sent: Wednesday, 16 September 2009 7:48 AM
>To: MailScanner discussion
>Subject: Re: spamtrap address
>
>I think I have just answered my one question which is that I cant just have a straight forward go to a spam learn as it would probably learn that all forwarded messages are spam as well..
>
>I am really just looking for a way for the users to make use of spam/ham training via their outlook clients as my mailscanner is a gateway for many domains

At my old job, I had a script that logged into a public folder on an exchange box and learned all mail in that public folder.
Users would just drag and drop the mail into the spam folder.
I also had a script that runs to clean out the folder.
I can probably get hold of the script again if you think it would help you.

From seven at seven.dorksville.net Wed Sep 16 01:38:34 2009
From: seven at seven.dorksville.net (Anthony Giggins)
Date: Wed Sep 16 01:38:52 2009
Subject: Releasing from quarantine with sendmail
Message-ID: <29487.125.168.254.15.1253061514.squirrel@seven.dorksville.net>

Follow the instructions from

http://wiki.mailscanner.info/doku.php?id=maq:index#quarantine_management

The document just gets quarantined again...

I had a look at the document in question and it only appears to be a word 2007 file (.docx) but the reason for quarantining is "MailScanner: Message contained archive nested too deeply"

Any help would be great.

Thanks Anthony

From mailadmin at midland-ics.ie Wed Sep 16 09:56:42 2009
From: mailadmin at midland-ics.ie (MailAdmin)
Date: Wed Sep 16 10:01:11 2009
Subject: spamtrap address
In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6052@stssvr01.Sts.local>
References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com> <556B68BE19272143ADE2500D9CC858BD3F6052@stssvr01.Sts.local>
Message-ID: <7AF154895A006D46BA4FFB035ABC09936EC7@aragorn.midland-ics.local>

Hi Jeff

That Script would be handy here for some of my clients.
Cheers if you can get hold of it

Kevin

From garith at saao.ac.za Wed Sep 16 13:24:34 2009
From: garith at saao.ac.za (Garith Dugmore)
Date: Wed Sep 16 13:24:54 2009
Subject: Whitelisting and clearing previous spam related headers
Message-ID: <4AB0D902.7000602@saao.ac.za>

Hi All,

Is there a way to clear all spam related headers (specifically "X-Spam-Level") if an email is whitelisted?

I'm running MailScanner 4.66.5 and mailwatch with sql whitelists. Also have the following set (if it helps):

Is Definitely Not Spam = &SQLWhitelist
Always Include SpamAssassin Report = yes
Multiple Headers = replace

The problem I have currently is the email is whitelisted but "X-Spam-Level" is left intact (from another spam assassin enabled remote mail server) which makes my server side filter (sieve) think it's spam and not a normal mail.

I've read Steve Freegard's email "Re: mailscanner whitelist (SQLWhitelist)" on the "05/05/2009 17:30" about the "Always Include SpamAssassin Report" setting but not sure this will solve my problem as I still want spam reports and also I don't know if this would actually clear the previous added "X-Spam-Level". Before I start making changes on a live system I thought I'd ask :)

Any pointers?

Garith Dugmore

From steve.freegard at fsl.com Wed Sep 16 14:05:34 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Sep 16 14:05:43 2009
Subject: Whitelisting and clearing previous spam related headers
In-Reply-To: <4AB0D902.7000602@saao.ac.za>
References: <4AB0D902.7000602@saao.ac.za>
Message-ID: <4AB0E29E.1000803@fsl.com>

Garith Dugmore wrote:
> Hi All,
>
> Is there a way to clear all spam related headers (specifically
> "X-Spam-Level") if an email is whitelisted?
>
> I'm running MailScanner 4.66.5 and mailwatch with sql whitelists. Also
> have the following set (if it helps):
>
> Is Definitely Not Spam = &SQLWhitelist
> Always Include SpamAssassin Report = yes
> Multiple Headers = replace
>
> The problem I have currently is the email is whitelisted but
> "X-Spam-Level" is left intact (from another spam assassin enabled remote
> mail server) which makes my server side filter (sieve) think its spam
> and not a normal mail.
>
> I've read Steve Freegard's email "Re: mailscanner whitelist
> (SQLWhitelist)" on the "05/05/2009 17:30" about the "Always Include
> SpamAssassin Report" setting but not sure this will solve my problem as
> I still want spam reports and also I don't know if this would actually
> clear the previous added "X-Spam-Level". Before I start making changes
> on a live system I thought I'd ask :)
>
> Any pointers?

See the 'Remove These Headers' option in MailScanner.conf.

Regards,
Steve.

From mark at msapiro.net Wed Sep 16 15:28:28 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Sep 16 15:28:41 2009
Subject: spamtrap address
In-Reply-To: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com>
References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com>
Message-ID: <20090916142828.GA3300@msapiro>

On Tue, Sep 15, 2009 at 05:48:15PM -0400, Gavin Silver wrote:
> I think I have just answered my one question which is that I cant just have a straight forward go to a spam learn as it would probably learn that all forwarded messages are spam as well..
>

I have an address which is aliased to a pipe as follows

SpamReport: "|/usr/bin/spamc -u postfix -L spam || true"

but I don't publicise it for exactly the above reason. One needs a MUA that can redirect/resend/bounce the message without change, and I don't trust my users to have that ability or to use it correctly if they do.

I have thought about it some, and I think you need to archive all mail and then add a footer something like

    Help train the spam filter
    Report this as Spam
    Report this as Ham

Where those 'reports' are links that will notify some process that this message's queue ID is spam or ham, and have that process call spamc or sa-learn.

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From richard at fastnet.co.uk Wed Sep 16 15:39:03 2009
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed Sep 16 15:38:36 2009
Subject: Whitelisting.
In-Reply-To: <223f97700909110904m5885ddf6ref4fc8de4f340f2@mail.gmail.com>
References: <223f97700909110904m5885ddf6ref4fc8de4f340f2@mail.gmail.com>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 11 September 2009 17:04
To: MailScanner discussion
Subject: Re: Whitelisting.

2009/9/11 Richard Mealing :
> Hello everyone,
>
> I have had some strangeness happening on our whitelists per domain. A few
> weeks ago I turned this on (from a global list) and it's been working great.
> Unfortunately I've just seen this -
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> from=, size=92755, class=0, nrcpts=2,
> msgid=<200909100815.n8A8FpvA014176@mailfilter7.**>, proto=ESMTP,
> daemon=IPv4, relay=adsl-** [**] (may be forged)
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> to=, delay=00:00:01, mailer=esmtp, pri=152755,
> stat=queued
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> to=, delay=00:00:01, mailer=esmtp, pri=152755,
> stat=queued
>
> Sep 10 09:15:54 mailfilter7 MailScanner[83390]: Message n8A8FpvA014176 from
> ** (geoff.***@example1.co.uk) to example1.co.uk,example2.com is spam,
> SpamAssassin (not cached, score=6.561, required 3.5, autolearn=disabled,
> DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00, HTML_IMAGE_ONLY_12
> 2.25, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00, MIME_BOUND_EQ_REL 0.84,
> MIME_QP_LONG_LINE 1.82, RDNS_DYNAMIC 0.10)
>
> Sep 10 09:15:57 mailfilter7 MailScanner[83390]: Spam Actions: message
> n8A8FpvA014176 actions are spam@example1.co.uk,forward
>
> Sep 10 09:15:58 mailfilter7 sendmail[14377]: n8A8FpvA014176:
> to=, delay=00:00:06, xdelay=00:00:00, mailer=esmtp,
> pri=242755, relay=mail.example1.co.uk. [****], dsn=2.0.0, stat=Sent
> (n8A8FvcY083874 Message accepted for delivery)
>
> My whitelist -
>
> grep example1 /**/customer_rulesets/spam.bydomain/whitelist/example1.co.uk
>
> *@example1.co.uk
>
> (I've replaced some things but you get the point..)
>
> Basically, most of the time this works great, some of the time I see stuff
> getting through, not being whitelisted etc. When I grep for whitelist in the
> maillog it shows as stopping and starting all the time. For example here is
> the period that mailscanner should have found the whitelist entry -
>
> Sep 11 09:15:39 mailfilter7 MailScanner[44048]: Closing down by-domain spam
> whitelist
>
> Sep 11 09:15:40 mailfilter7 MailScanner[40706]: Starting up by-domain spam
> whitelist, reading from /**/customer_rulesets/spam.bydomain/whitelist
>
> Sep 11 09:15:46 mailfilter7 MailScanner[66736]: Message n8B8Feab040736 from
> 15***** (craig.**@**.com) is whitelisted
>
> Sep 11 09:15:53 mailfilter7 MailScanner[40706]: Read whitelist for 1165
> domains
>
> Sep 11 09:16:13 mailfilter7 MailScanner[59788]: Message n8B8G8Oo041572 from
> *** (havant@**.co.uk) is whitelisted
>
> Sep 11 09:16:27 mailfilter7 MailScanner[36105]: Message n8B8GLKM042076 from
> *** (yourmessages@**.co.uk) is whitelisted
>
> I've been searching and this whitelist works usually for my entry, I can see
> other email addresses being white listed fine from the same domain. This
> leaves me to believe it's something to do with the stopping and starting of
> the by-domain spam white list.?
>
> Does anyone else see this in their logs?
>
> Rich
>

IIUC what you are doing, this is actually expected;-).
Both the envelope from and From: message header (which are _not_ the same thing) are easily forged. There simply are no good ways of validating them in plain (E-)SMTP, so therefore you cannot under any circumstances rely on that information for whitelisting. At least not that info alone.
What you need do is use something that cannot be forged so easily, like the sending servers IP address, or using some TLS measure, and whitelist on that. Just using the domain... will only give you grief. Regardless where you whitelist (MTA, MS or SA). The only place where a small whitelist bonus (negative score) would make some sense is likely in SA, and even there it is best to rely on sending server, or similar.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

Hi Glen, sorry to bother you again.

I think I understand this, but I want to be able to white list a domain name even if they might get spoofed. I've tried white listing an IP address and still some get through. Most of the time it's fine but some creep through. I really don't understand why this is.

Please see following -

Sep 16 10:53:25 mailfilter6 MailScanner[41379]: Message n8G9rMKW091060 from *.*.34.19 (matt.blah@somedomain.com) to somedomain.com is spam, SpamAssassin (not cached, score=5.265, required 5, autolearn=disabled, DC_IMAGE_SPAM_HTML 0.00, DC_IMAGE_SPAM_TEXT 0.00, DC_PNG_UNO_LARGO 2.09, DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00, HTML_IMAGE_ONLY_28 1.52, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00, RDNS_DYNAMIC 0.10)

grep *.*.34.19 /**/customer_rulesets/spam.bydomain/whitelist/channel-c.com
*.*.34.19

Note, the IP is a real IP address and not just ***.. It's their IP address.
I was having no problems when we had just 1 whitelist for everyone, now I have changed it as a per/domain white list, for each domain, I'm seeing many issues with white listed mail getting tagged as spam.

Is there something I need to look for in mailscanner to fix this?

Many thanks,
Rich

From richard at fastnet.co.uk Wed Sep 16 16:13:45 2009
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed Sep 16 16:13:18 2009
Subject: Whitelisting.
In-Reply-To:
References: <223f97700909110904m5885ddf6ref4fc8de4f340f2@mail.gmail.com>
Message-ID:

Hi Glenn,

I think I've solved this now. In my CustomConfig.pm file the directories were not pointing correctly. I guess this is something that reverted when I upgraded mailscanner? Although one of the nodes is fine. How strange. Anyway, I will see if that works.

Thanks,
Rich

From glenn.steen at gmail.com Wed Sep 16 18:47:20 2009
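
Both observations in the whitelisting thread above can be checked from the logs: that sender-address whitelist entries match unauthenticated data, and that only some scanning nodes failed to apply the whitelist. This is an added example, not code from any poster or from MailScanner; the log lines, whitelist contents and matching rules (address glob, exact IP, trailing-dot IP prefix) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample: same line shapes as the MailScanner log lines quoted in
# the thread; hosts, queue IDs, senders and (RFC 5737) IPs are made up.
SAMPLE_LOG = """\
Sep 16 10:53:25 mx-a MailScanner[41379]: Message q1AAAA000001 from 192.0.2.19 (matt@sender.example) to example.org is spam, SpamAssassin (not cached, score=5.265, required 5, autolearn=disabled)
Sep 16 10:54:02 mx-b MailScanner[66736]: Message q1AAAA000002 from 192.0.2.19 (matt@sender.example) is whitelisted
Sep 16 10:55:10 mx-a MailScanner[41379]: Message q1AAAA000003 from 198.51.100.7 (geoff@example.org) to example.org,example.net is spam, SpamAssassin (not cached, score=6.561, required 3.5, autolearn=disabled)
Sep 16 10:56:31 mx-a MailScanner[41380]: Message q1AAAA000004 from 203.0.113.50 (promo@bulk.example) to example.net is spam, SpamAssassin (cached, score=9.1, required 5)
"""

# Assumption: one list of entries per recipient domain, standing in for the
# per-domain files of the by-domain whitelist directory.
WHITELISTS = {
    "example.org": ["*@example.org", "192.0.2.19"],
    "example.net": [],
}

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) MailScanner\[\d+\]: "
    r"Message (?P<id>\S+) from (?P<ip>\S+) \((?P<sender>[^)]*)\)"
    r"(?: to (?P<rcpt>\S+))? is (?P<verdict>spam|whitelisted)"
)
IP_ENTRY_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}\.?$")


def entry_kind(entry):
    """'ip' for entries keyed on the connecting address, else 'address'."""
    return "ip" if IP_ENTRY_RE.match(entry) else "address"


def entry_matches(entry, client_ip, sender):
    """Assumed semantics: exact IP, trailing-dot IP prefix, or address glob."""
    if entry_kind(entry) == "ip":
        if entry.endswith("."):
            return client_ip.startswith(entry)
        return client_ip == entry
    return fnmatchcase(sender.lower(), entry.lower())


def find_whitelist_misses(log_text, whitelists):
    """Return 'is spam' verdicts that a whitelist entry should have exempted."""
    misses = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["verdict"] != "spam":
            continue
        for domain in (m["rcpt"] or "").split(","):
            for entry in whitelists.get(domain, []):
                if not entry_matches(entry, m["ip"], m["sender"]):
                    continue
                kind = entry_kind(entry)
                misses.append({
                    "host": m["host"],
                    "id": m["id"],
                    "domain": domain,
                    "entry": entry,
                    "kind": kind,
                    # Sender addresses are unauthenticated in plain SMTP, so a
                    # hit on an address entry says nothing about who sent it.
                    "forgeable": kind == "address",
                })
    return misses


def misses_by_host(misses):
    """Count misses per scanning node; a lopsided count points at one node."""
    return Counter(miss["host"] for miss in misses)


if __name__ == "__main__":
    found = find_whitelist_misses(SAMPLE_LOG, WHITELISTS)
    for miss in found:
        note = "sender-based, forgeable" if miss["forgeable"] else "IP-based"
        print(f'{miss["host"]} {miss["id"]} {miss["domain"]}: '
              f'{miss["entry"]} ({note})')
    print(dict(misses_by_host(found)))
```

A miss on an IP-based entry that clusters on one host suggests that node is not reading the whitelist directory; a miss on a sender-based entry from an unfamiliar IP is the forged case, which would have been exempted from scanning had the whitelist applied.
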
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 16 18:47:28 2009
Subject: Releasing from quarantine with sendmail
In-Reply-To: <29487.125.168.254.15.1253061514.squirrel@seven.dorksville.net>
References: <29487.125.168.254.15.1253061514.squirrel@seven.dorksville.net>
Message-ID: <223f97700909161047x3a249a0bq8cc21c5fc632a00e@mail.gmail.com>

2009/9/16 Anthony Giggins :
> Follow the instructions from
>
> http://wiki.mailscanner.info/doku.php?id=maq:index#quarantine_management
>
> The document just gets quarantined again...
>
> I had a look at the document in question and it only appears to be a word
> 2007 file (.docx) but the reason for quarantining is "MailScanner: Message
> contained archive nested too deeply"
>
> Any help would be great.
>
> Thanks Anthony
>

The difference between a zip archive and a docx file is ... close to nothing. Sure, in the best of worlds, one could assume the docx to not contain harmful stuff.... but, as Voltaire alludes to in Candide, this isn't the best of all worlds, at least not that way:-).

What you need do is look at how to "whitelist" locally submitted mails for that particular setting, that is: Read up on the Archive depth setting and then create a ruleset to allow arbitrary depth for 127.0.0.1 (or similar).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From GSilver at rampuptech.com Wed Sep 16 20:26:19 2009
From: GSilver at rampuptech.com (Gavin Silver)
Date: Wed Sep 16 20:26:34 2009
Subject: spamtrap address
In-Reply-To: <20090916142828.GA3300@msapiro>
References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com> <20090916142828.GA3300@msapiro>
Message-ID:

It seems like a slick way to do it but I know many of my users won't want that kind of footer floating in all their emails.

Maybe it is possible to do something on the exchange side. Maybe (if possible), the following:

1. Public folder on exchange shared out to all users
2. Exchange bounces (without changing) the message to spamtrap address at my gateway
3. spamtrapaddress is aliased to pipe to sa-learn for spam training

I only wish I didn't now need to go get help trying to figure out the resend/bounce/unaltered message from a public folder via exchange transport rules

----------------------------------
Gavin Silver
Ramp Up Technology
gsilver@rampuptech.com
----------------------------------

From rlopezcnm at gmail.com Wed Sep 16 20:48:01 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Wed Sep 16 20:48:10 2009
Subject: Outgoing message selected for spoofed domain
Message-ID:

I just saw the following message delivered by MailScanner to CNM Postmaster account. I sanitized it a bit:

--begin message--
The following e-mails were found to have: Virus Detected

Sender: xxxx@cnm.edu
IP Address: [an internal IP CNM address for one instance of load balanced gateway into Exchange cluster]
Recipient: yyyy@yahoo.com
Subject: Resume' Worksheet
MessageID: 0D5F6660235.8DF85
Quarantine:
Report: Clamd: message was infected: Phishing.Heuristics.Email.SpoofedDomain

Full headers are:

Received: from .cnm.edu (.cnm.edu [same internal address for instance of gateway into Exchange]) by .cnm.edu (Postfix) with ESMTPS id 0D5F6660235 for ; Wed, 16 Sep 2009 12:47:28 -0600 (MDT)
Received: from .cnm.edu ([address on one instance of load balanced Exchange cluster]) by .cnm.edu ([same internal address for instance of gateway into Exchange]) with mapi; Wed, 16 Sep 2009 12:47:28 -0600
--end message--

Email has been going out through three gateways running MailScanner for 3, 2, and 1 month(s) and this is the first instance of this I have seen.

The gateways into the Exchange cluster and the Exchange cluster all have the same "area-name".cnm.edu. The gateways into the Exchange server cluster are load balanced. The Exchange servers are load balanced.

What should I look for to see why it happened? I would like it to not happen again.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From jvoorhees1 at gmail.com Wed Sep 16 23:22:44 2009
From: jvoorhees1 at gmail.com (Jose Perez)
Date: Wed Sep 16 23:22:53 2009
Subject: Is this possible? Maybe feature request
In-Reply-To:
References:
Message-ID:

Any idea of this?

Would this be possible Julian? :(

Thanks

On Tue, Sep 8, 2009 at 9:07 PM, Jose Perez wrote:
> Hi all:
>
> I'm using MailScanner 4.77.10 with HTML signatures configured working fine
> with these directives:
>
> Sign Clean Messages = %rules-dir%/sign.clean.messages.rules
> Attach Image To Signature = yes
> Inline HTML Signature = %rules-dir%/sig.html.rules
> Signature Image Filename = %report-dir%/signature.jpg
> Signature Image Filename = signature.jpg
>
> My html signature contains some code as follow:
>
> Signature
>
> This works terrific! But I would like to insert more than an image in my
> html code. I tried to insert more directives but only the one that
> contains signature.jpg file is shown correctly.
>
> Is it possible to insert multiple image files and being recognized
> correctly by MailScanner? If not .. Could this be added as a future feature
> in MailScanner?
>
> Thanks, good bye
>

From lnhaig at gmail.com Thu Sep 17 00:08:57 2009
From: lnhaig at gmail.com (Lance Haig)
Date: Thu Sep 17 00:10:44 2009
Subject: Error on MainScanner --lint
Message-ID: <4AB17009.9040006@gmail.com>

I have a problem where I am not getting any mail through my system and I see many messages about spamassassin cache hits for messages. but no valid mail is getting through.

I ran a lint test and these are the results

I am running the server on ubuntu 8.04

regards

lance

root@scan2:~# MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 4278 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 4 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 1 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.74.16) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (33)
MailScanner setting UID to (106)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
Bareword found where operator expected at /etc/spamassassin/FuzzyOcr.pm line 131, near "my $msgid = $pms->get('Message"
(Might be a runaway multi-line '' string starting on line 20)
(Do you need to predeclare my?)
plugin: failed to parse plugin /etc/spamassassin/FuzzyOcr.pm: Bad name after Id' at /etc/spamassassin/FuzzyOcr.pm line 131.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107.
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_logfile /var/log/FuzzyOcr.log
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_global_wordlist /etc/mail/spamassassin/FuzzyOcr.words
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert, convert, ppmtopgm, tesseract
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_preprocessor_file /etc/mail/spamassassin/FuzzyOcr.preps
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_scanset_file /etc/mail/spamassassin/FuzzyOcr.scansets
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_minimal_scanset 1
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_autosort_scanset 1
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_enable_image_hashing 3
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_db FuzzyOcr
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_hash Hash
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_safe Safe
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_user fuzzyocr
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_pass cara9250
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_host localhost
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_port 3306
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_socket /var/run/mysqld/mysqld.sock
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_end_config
rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping: (Can't locate object method "dummy_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 742) line 594. )
rules: failed to run FUZZY_OCR test, skipping: (Can't locate object method "fuzzyocr_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 806) line 19. )
SpamAssassin reported an error.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1.message: Eicar-Test-Signature FOUND
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Infected message 1.message came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
commit ineffective with AutoCommit enabled at /etc/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.

From lnhaig at gmail.com Thu Sep 17 00:09:13 2009 
From: lnhaig at gmail.com (Lance Haig)
Date: Thu Sep 17 00:10:54 2009
Subject: Error on MainScanner --lint
Message-ID: <4AB17019.1000800@gmail.com>

I have a problem where I am not getting any mail through my system and I see many messages about spamassassin cache hits for messages. but no valid mail is getting through.

I ran a lint test and these are the results

I am running the server on ubuntu 8.04

regards

lance

root@scan2:~# MailScanner --lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 4278 hostnames from the phishing blacklist
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 4 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 1 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.74.16) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (33)
MailScanner setting UID to (106)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
Bareword found where operator expected at /etc/spamassassin/FuzzyOcr.pm line 131, near "my $msgid = $pms->get('Message"
(Might be a runaway multi-line '' string starting on line 20)
(Do you need to predeclare my?)
plugin: failed to parse plugin /etc/spamassassin/FuzzyOcr.pm: Bad name after Id' at /etc/spamassassin/FuzzyOcr.pm line 131.
Compilation failed in require at /usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107.

config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_logfile /var/log/FuzzyOcr.log
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_global_wordlist /etc/mail/spamassassin/FuzzyOcr.words
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert, convert, ppmtopgm, tesseract
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_preprocessor_file /etc/mail/spamassassin/FuzzyOcr.preps
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_scanset_file /etc/mail/spamassassin/FuzzyOcr.scansets
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_minimal_scanset 1
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_autosort_scanset 1
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_enable_image_hashing 3
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_db FuzzyOcr
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_hash Hash
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_safe Safe
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_user fuzzyocr
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_pass cara9250
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_host localhost
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_port 3306
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_socket /var/run/mysqld/mysqld.sock
config: failed to parse line, skipping, in "/etc/spamassassin/FuzzyOcr.cf": focr_end_config
rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping:
(Can't locate object method "dummy_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 742) line 594.
)
rules: failed to run FUZZY_OCR test, skipping:
(Can't locate object method "fuzzyocr_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 806) line 19.
)
SpamAssassin reported an error.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1.message: Eicar-Test-Signature FOUND

./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Infected message 1.message came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
commit ineffective with AutoCommit enabled at /etc/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
From ssilva at sgvwater.com Thu Sep 17 00:39:33 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 17 00:40:12 2009 Subject: Error on MainScanner --lint In-Reply-To: <4AB17019.1000800@gmail.com> References: <4AB17019.1000800@gmail.com> Message-ID: Top posting on purpose First thing! Disable fuzzyocr and get mail working. Then you can see what perl module might have been borked. > I have a problem where I am not getting any mail through my system and I > see many messages about spamassassin cache hits for messages. but no > valid mail is getting through. > > I ran a lint test and these are the results > > I am running the server on ubuntu 8.04 > > regards > > lance > > > root@scan2:~# MailScanner --lint > Trying to setlogsock(unix) > Read 848 hostnames from the phishing whitelist > Read 4278 hostnames from the phishing blacklist > Config: calling custom init function SQLBlacklist > Starting up SQL Blacklist > Read 4 blacklist entries > Config: calling custom init function MailWatchLogging > Started SQL Logging child > Config: calling custom init function SQLWhitelist > Starting up SQL Whitelist > Read 1 whitelist entries > Checking version numbers... > Version number in MailScanner.conf (4.74.16) is correct. > > Your envelope_sender_header in spam.assassin.prefs.conf is correct. > MailScanner setting GID to (33) > MailScanner setting UID to (106) > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > Bareword found where operator expected at /etc/spamassassin/FuzzyOcr.pm > line 131, near "my $msgid = $pms->get('Message" > (Might be a runaway multi-line '' string starting on line 20) > (Do you need to predeclare my?) > plugin: failed to parse plugin /etc/spamassassin/FuzzyOcr.pm: Bad name > after Id' at /etc/spamassassin/FuzzyOcr.pm line 131. > Compilation failed in require at > /usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107. 
> > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_logfile /var/log/FuzzyOcr.log > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_global_wordlist > /etc/mail/spamassassin/FuzzyOcr.words > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert, > convert, ppmtopgm, tesseract > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_path_bin > /usr/local/netpbm/bin:/usr/local/bin:/usr/bin > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_preprocessor_file > /etc/mail/spamassassin/FuzzyOcr.preps > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_scanset_file > /etc/mail/spamassassin/FuzzyOcr.scansets > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_minimal_scanset 1 > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_autosort_scanset 1 > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_enable_image_hashing 3 > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_digest_db > /etc/mail/spamassassin/FuzzyOcr.hashdb > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_db_hash > /etc/mail/spamassassin/FuzzyOcr.db > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_db_safe > /etc/mail/spamassassin/FuzzyOcr.safe.db > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_db FuzzyOcr > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_hash Hash > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_safe Safe > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_user fuzzyocr > config: failed to parse line, skipping, 
in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_pass cara9250 > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_host localhost > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_port 3306 > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_socket > /var/run/mysqld/mysqld.sock > config: failed to parse line, skipping, in > "/etc/spamassassin/FuzzyOcr.cf": focr_end_config > rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping: > (Can't locate object method "dummy_check" via package > "Mail::SpamAssassin::PerMsgStatus" at (eval 742) line 594. > ) > rules: failed to run FUZZY_OCR test, skipping: > (Can't locate object method "fuzzyocr_check" via package > "Mail::SpamAssassin::PerMsgStatus" at (eval 806) line 19. > ) > SpamAssassin reported an error. > Using locktype = posix > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamav > =========================================================================== > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > ./1.message: Eicar-Test-Signature FOUND > > ./1/eicar.com: Eicar-Test-Signature FOUND > > Virus Scanning: ClamAV found 2 infections > Infected message 1 came from 10.1.1.1 > Infected message 1.message came from > Virus Scanning: Found 2 viruses > =========================================================================== > Virus Scanner test reports: > ClamAV said "eicar.com contains Eicar-Test-Signature" > > If any of your virus scanners (clamav) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its virus.scanners.conf. 
> Config: calling custom end function SQLBlacklist > Closing down by-domain spam blacklist > Config: calling custom end function MailWatchLogging > Config: calling custom end function SQLWhitelist > Closing down by-domain spam whitelist > commit ineffective with AutoCommit enabled at > /etc/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1. > >
From seven at seven.dorksville.net Thu Sep 17 03:30:23 2009 From: seven at seven.dorksville.net (Anthony Giggins) Date: Thu Sep 17 03:30:44 2009 Subject: Releasing from quarantine with sendmail In-Reply-To: <223f97700909161047x3a249a0bq8cc21c5fc632a00e@mail.gmail.com> References: <29487.125.168.254.15.1253061514.squirrel@seven.dorksville.net> <223f97700909161047x3a249a0bq8cc21c5fc632a00e@mail.gmail.com> Message-ID: <1404.125.168.254.15.1253154623.squirrel@seven.dorksville.net> >> > The difference between a zip archive and a docx file is ... close to > nothing. Sure, in the best of worlds, one could assume the docx to not > contain harmful stuff.... but, as Voltaire alludes to in Candide, this > isn't the best of all worlds, at least not that way:-). > What you need do is look at how to "whitelist" locally submitted mails > for that particular setting, that is: Read up on the Archive depth > setting and then create a ruleset to allow arbitrary depth for > 127.0.0.1 (or similar). > > Cheers > -- > -- Glenn Thanks for the pointer, I ended up changing Maximum Archive Depth = 3 No idea why a docx file would have 2 levels of archives though...... Cheers, Anthony
From jase at sensis.com Thu Sep 17 03:39:07 2009
From: jase at sensis.com (Desai, Jason)
Date: Thu Sep 17 03:40:45 2009
Subject: spamtrap address
In-Reply-To:
References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com><20090916142828.GA3300@msapiro>
Message-ID: <1951DC816E1A9F469307B05FA183F43801BF58B3@corpatsmail1.corp.sensis.com>

Or:

1. Public folders on exchange shared out to all users, and available via IMAP - one to train as spam, and one to train as ham.
2. Archive all messages
3. Write script to periodically check the shared folder via IMAP from the mailscanner box.
4. For each message found, parse out the message id and date. Use the message id / date to find the location to the original message in the archive, and send to sa-learn as needed.

This way, users can dump messages into a public folder, but you don't have to worry about exchange (or forwarding / bouncing) making changes to the original email.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gavin Silver > Sent: Wednesday, September 16, 2009 3:26 PM > To: MailScanner discussion > Subject: Re: spamtrap address > > It seems like a slick way to do it but I know many of my users wont > want that kind of footer floating in all their emails. > > Maybe it is possible to do something on the exchange side. Maybe (if > possible), the following: > > 1. Public folder on exchange shared out to all users > 2. Exchange bounces (without changing) the message to spamtrap address > at my gateway > 3. spamtrapaddress is aliased to pipe to sa-learn for spam training > > I only wish i didnt now need to go get help trying to figure out the > resend/bounce/unaltered message from a public folder via exchange > transport rules > > > On Sep 16, 2009, at 10:28 AM, Mark Sapiro wrote: > > > On Tue, Sep 15, 2009 at 05:48:15PM -0400, Gavin Silver wrote: > > > I think I have just answered my one question which is that > I cant just have a straight forward go to a spam learn as it would > probably learn that all forwarded messages are spam as well.. > > > > > > I have an address which is aliased to a pipe as follows > > SpamReport: "|/usr/bin/spamc -u postfix -L spam || true" > > but I don't publicise it for exactly the above reason. One needs > a MUA > that can redirect/resend/bounce the message without change, and I > don't > trust my users to have that ability or to use it correctly if > they do. > > I have thought about it some, and I think you need to archive all > mail > and then add a footer something like > > Help train the spam filter > > Report this as Spam > > Report this as Ham > > Where those 'reports' are links that will notify some process > that > this message's queue ID is spam or ham, and have that process > call > spamc or sa-learn. 
>
From jeff.mills at sydneytech.com.au Thu Sep 17 05:41:30 2009 From: jeff.mills at sydneytech.com.au (Jeff Mills) Date: Thu Sep 17 05:41:42 2009 Subject: spamtrap address In-Reply-To: <7AF154895A006D46BA4FFB035ABC09936EC7@aragorn.midland-ics.local> References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com><556B68BE19272143ADE2500D9CC858BD3F6052@stssvr01.Sts.local> <7AF154895A006D46BA4FFB035ABC09936EC7@aragorn.midland-ics.local> Message-ID: <556B68BE19272143ADE2500D9CC858BD3F6083@stssvr01.Sts.local> > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of MailAdmin
> Sent: Wednesday, 16 September 2009 6:57 PM
> To: MailScanner discussion
> Subject: RE: spamtrap address
>
> Hi Jeff
>
> That Script would be handy here for some of my clients.
> Cheers if you can get hold of it
>
> Kevin
>

Hi Kevin,

http://www.winsto.net/piggie/sa-teach.zip is a zip file containing two Python scripts. One I would run regularly (hourly or daily) and the other (expunge) I would run once a week or so to clean out the folder. You may want to run these more/less often depending on how much spam you get. You could also just use the one expunge script if you are happy to have it delete the mail after each time it learns. I liked to see how much mail was being put in there, so I did not expunge every time.

Scripts will need edited to suit your environment. Of course you will have to create a login for your exchange server that has access to the public folder.

It's been a while since I used these scripts, so hopefully they run with newer Python versions. They are very simple, so probably wouldn't take much modifying to work anyway.

Rgs,
Jeff

From neilw at dcdata.co.za Thu Sep 17 09:05:30 2009
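The archive lookup step from Jason Desai's list in this thread, as an added example (not the sa-teach scripts and not code from any poster): a reported copy is used only for its Message-ID and Date, and `sa-learn` is pointed at the untouched archived original. The `YYYYMMDD` archive layout, the file name, the sample messages and all function names are assumptions made for the illustration.

```python
import email.utils
import os
import re
import tempfile
from datetime import timedelta
from email.parser import BytesHeaderParser

# Accept only a plain <local@domain> Message-ID; anything else is ignored.
MSGID_RE = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")

# Constructed sample data: the archived original, the copy a user dropped into
# the shared folder (altered on the way), and a report with no archived original.
ORIGINAL = (b"Message-ID: <abc123@example.net>\r\n"
            b"Date: Wed, 16 Sep 2009 23:50:00 -0400\r\n"
            b"Subject: Cheap pills\r\n\r\nBuy now\r\n")
REPORTED = (b"Message-ID: <abc123@example.net>\r\n"
            b"Date: Wed, 16 Sep 2009 23:50:00 -0400\r\n"
            b"Subject: FW: Cheap pills\r\n"
            b"X-Added-By: groupware\r\n\r\nBuy now\r\n-- footer --\r\n")
UNKNOWN = (b"Message-ID: <nothere@example.org>\r\n"
           b"Date: Thu, 17 Sep 2009 08:00:00 +0000\r\n\r\nhello\r\n")


def message_key(raw):
    """Return (message_id, datetime) for raw message bytes, or None if unusable."""
    headers = BytesHeaderParser().parsebytes(raw)
    msgid = str(headers.get("Message-ID") or "").strip()
    date = headers.get("Date")
    if not MSGID_RE.match(msgid) or not date:
        return None
    try:
        when = email.utils.parsedate_to_datetime(str(date))
    except (TypeError, ValueError):
        return None
    return msgid, when


def find_in_archive(root, msgid, when):
    """Find the archived original by Message-ID.

    The Date header and the day the gateway archived the message can differ
    (time zones, queue delay), so the neighbouring day directories are tried too.
    """
    for delta in (0, -1, 1):
        daydir = os.path.join(root, (when + timedelta(days=delta)).strftime("%Y%m%d"))
        if not os.path.isdir(daydir):
            continue
        for name in sorted(os.listdir(daydir)):
            path = os.path.join(daydir, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                key = message_key(fh.read())
            if key and key[0] == msgid:
                return path
    return None


def plan_training(reported, kind, root):
    """Return (commands, skipped): sa-learn argv lists and unmatched Message-IDs."""
    if kind not in ("spam", "ham"):
        raise ValueError("kind must be 'spam' or 'ham'")
    commands, skipped = [], []
    for raw in reported:
        key = message_key(raw)
        path = find_in_archive(root, *key) if key else None
        if path is None:
            # No archived original: nothing is learned from the user's copy.
            skipped.append(key[0] if key else None)
        else:
            # argv list, no shell; the path comes from the archive, not the report.
            commands.append(["sa-learn", "--" + kind, path])
    return commands, skipped


def build_demo_archive():
    """Create a throwaway archive holding ORIGINAL under the gateway's UTC day."""
    root = tempfile.mkdtemp(prefix="archive-")
    os.mkdir(os.path.join(root, "20090917"))
    path = os.path.join(root, "20090917", "n8H3o1Xq.msg")
    with open(path, "wb") as fh:
        fh.write(ORIGINAL)
    return root, path


if __name__ == "__main__":
    demo_root, _ = build_demo_archive()
    for argv in plan_training([REPORTED, UNKNOWN], "spam", demo_root)[0]:
        print(" ".join(argv))  # pass argv to subprocess.run() on a real gateway
```

Reports that match nothing in the archive end up in `skipped`, so content that never passed through the gateway is not learned.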
From: neilw at dcdata.co.za (Neil Wilson)
Date: Thu Sep 17 09:05:48 2009
Subject: Problem with user emails sent using postfix smtp authentication blocked as spam
Message-ID: <4AB1EDCA.1030007@dcdata.co.za>

Hi guys,

I've got a problem with a user sending email from a dynamic IP to his server using SMTP authentication.

His emails are being blocked as spam (score of 7) because of the dynamic IP and reverse dns entries.

I can whitelist his address, but the problem with this is that there are a lot of faked sender address spam emails coming from the same address.

I can reduce the points being allocated for each rule, but this will affect all emails so will reduce the spam filtering efficiency.

Any suggestions will be greatly appreciated.

Regards.

Neil.

From glenn.steen at gmail.com Thu Sep 17 09:58:56 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 17 09:59:06 2009
Subject: Releasing from quarantine with sendmail
In-Reply-To: <1404.125.168.254.15.1253154623.squirrel@seven.dorksville.net>
References: <29487.125.168.254.15.1253061514.squirrel@seven.dorksville.net> <223f97700909161047x3a249a0bq8cc21c5fc632a00e@mail.gmail.com> <1404.125.168.254.15.1253154623.squirrel@seven.dorksville.net>
Message-ID: <223f97700909170158p4520dfb9ka2ab4b1e557150c7@mail.gmail.com>

2009/9/17 Anthony Giggins :
>
>>>
>> The difference between a zip archive and a docx file is ... close to
>> nothing. Sure, in the best of worlds, one could assume the docx to not
>> contain harmful stuff.... but, as Voltaire alludes to in Candide, this
>> isn't the best of all worlds, at least not that way:-).
>> What you need do is look at how to "whitelist" locally submitted mails
>> for that particular setting, that is: Read up on the Archive depth
>> setting and then create a ruleset to allow arbitrary depth for
>> 127.0.0.1 (or similar).
>>
>> Cheers
>> --
>> -- Glenn
>
> Thanks for the pointer, I ended up changing
> Maximum Archive Depth = 3
>
> No idea why a docx file would have 2 levels of archives though......
>
> Cheers,
>
> Anthony
>

"Binder" type o thing, perhaps... If you recall that abomination?:-)... Or some type of included document... As said, it is basically just a zip file, so you can put pretty much anything (including other zip files, docx, dotx etc etc) in there. Sigh.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Sep 17 10:04:32 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 17 10:04:41 2009
Subject: Problem with user emails sent using postfix smtp authentication blocked as spam
In-Reply-To: <4AB1EDCA.1030007@dcdata.co.za>
References: <4AB1EDCA.1030007@dcdata.co.za>
Message-ID: <223f97700909170204l35c2e58ev7bed839d61387258@mail.gmail.com>

2009/9/17 Neil Wilson :
> Hi guys,
>
> I've got a problem with a user sending email from a dynamic IP to his server
> using SMTP authentication.
>
> His emails are being blocked as spam(score of 7) because of the dynamic IP
> and reverse dns entries.
>
> I can whitelist his address, but the problem with this is that there are a
> lot of faked sender address spam emails coming from the same address.
>
> I can reduce the points being allocated for each rule, but this will affect
> all emails so will reduce the spam filtering efficiency.
>
> Any suggestions will be greatly appreciated.
>
> Regards.
>
> Neil.

Either let the TLS authenticated sender (your user) bypass MS altogether (might be tricky getting that right:-), or use an SA rule to "counteract" the score penalty by way of some identifiable thing in the resulting headers.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lnhaig at gmail.com Thu Sep 17 13:21:59 2009
From: lnhaig at gmail.com (Lance Haig) Date: Thu Sep 17 13:23:48 2009 Subject: Error on MainScanner --lint In-Reply-To: References: <4AB17019.1000800@gmail.com> Message-ID: <4AB229E7.7070200@gmail.com> Hi Scott, I am sorry I should have let the list know. I went through the fuzzyocr and the other settings and found that I needed to reboot the machine as the mailwatch was not logging to the database. I checked all the login details for the system and it now is working as it should. (about 1:30am my time :-) ) Thanks for the help. Lance Scott Silva wrote: > Top posting on purpose > First thing! Disable fuzzyocr and get mail working. Then you can see what perl > module might have been borked. > > >> I have a problem where I am not getting any mail through my system and I >> see many messages about spamassassin cache hits for messages. but no >> valid mail is getting through. >> >> I ran a lint test and these are the results >> >> I am running the server on ubuntu 8.04 >> >> regards >> >> lance >> >> >> root@scan2:~# MailScanner --lint >> Trying to setlogsock(unix) >> Read 848 hostnames from the phishing whitelist >> Read 4278 hostnames from the phishing blacklist >> Config: calling custom init function SQLBlacklist >> Starting up SQL Blacklist >> Read 4 blacklist entries >> Config: calling custom init function MailWatchLogging >> Started SQL Logging child >> Config: calling custom init function SQLWhitelist >> Starting up SQL Whitelist >> Read 1 whitelist entries >> Checking version numbers... >> Version number in MailScanner.conf (4.74.16) is correct. >> >> Your envelope_sender_header in spam.assassin.prefs.conf is correct. >> MailScanner setting GID to (33) >> MailScanner setting UID to (106) >> >> Checking for SpamAssassin errors (if you use it)... 
>> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> Bareword found where operator expected at /etc/spamassassin/FuzzyOcr.pm >> line 131, near "my $msgid = $pms->get('Message" >> (Might be a runaway multi-line '' string starting on line 20) >> (Do you need to predeclare my?) >> plugin: failed to parse plugin /etc/spamassassin/FuzzyOcr.pm: Bad name >> after Id' at /etc/spamassassin/FuzzyOcr.pm line 131. >> Compilation failed in require at >> /usr/share/perl5/Mail/SpamAssassin/PluginHandler.pm line 107. >> >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_logfile /var/log/FuzzyOcr.log >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_global_wordlist >> /etc/mail/spamassassin/FuzzyOcr.words >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_bin_helper pnmnorm, pnminvert, >> convert, ppmtopgm, tesseract >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_path_bin >> /usr/local/netpbm/bin:/usr/local/bin:/usr/bin >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_preprocessor_file >> /etc/mail/spamassassin/FuzzyOcr.preps >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_scanset_file >> /etc/mail/spamassassin/FuzzyOcr.scansets >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_minimal_scanset 1 >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_autosort_scanset 1 >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_enable_image_hashing 3 >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_digest_db >> /etc/mail/spamassassin/FuzzyOcr.hashdb >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_db_hash >> /etc/mail/spamassassin/FuzzyOcr.db >> config: failed to 
parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_db_safe >> /etc/mail/spamassassin/FuzzyOcr.safe.db >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_db FuzzyOcr >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_hash Hash >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_safe Safe >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_user fuzzyocr >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_pass cara9250 >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_host localhost >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_port 3306 >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_mysql_socket >> /var/run/mysqld/mysqld.sock >> config: failed to parse line, skipping, in >> "/etc/spamassassin/FuzzyOcr.cf": focr_end_config >> rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping: >> (Can't locate object method "dummy_check" via package >> "Mail::SpamAssassin::PerMsgStatus" at (eval 742) line 594. >> ) >> rules: failed to run FUZZY_OCR test, skipping: >> (Can't locate object method "fuzzyocr_check" via package >> "Mail::SpamAssassin::PerMsgStatus" at (eval 806) line 19. >> ) >> SpamAssassin reported an error. 
>> Using locktype = posix >> MailScanner.conf says "Virus Scanners = clamav" >> Found these virus scanners installed: clamav >> =========================================================================== >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> ./1.message: Eicar-Test-Signature FOUND >> >> ./1/eicar.com: Eicar-Test-Signature FOUND >> >> Virus Scanning: ClamAV found 2 infections >> Infected message 1 came from 10.1.1.1 >> Infected message 1.message came from >> Virus Scanning: Found 2 viruses >> =========================================================================== >> Virus Scanner test reports: >> ClamAV said "eicar.com contains Eicar-Test-Signature" >> >> If any of your virus scanners (clamav) >> are not listed there, you should check that they are installed correctly >> and that MailScanner is finding them correctly via its virus.scanners.conf. >> Config: calling custom end function SQLBlacklist >> Closing down by-domain spam blacklist >> Config: calling custom end function MailWatchLogging >> Config: calling custom end function SQLWhitelist >> Closing down by-domain spam whitelist >> commit ineffective with AutoCommit enabled at >> /etc/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1. >> >> >> > > >
From rabellino at di.unito.it Thu Sep 17 13:34:57 2009
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Thu Sep 17 13:35:18 2009
Subject: Problem with user emails sent using postfix smtp authentication blocked as spam
In-Reply-To: <223f97700909170204l35c2e58ev7bed839d61387258@mail.gmail.com>
References: <4AB1EDCA.1030007@dcdata.co.za> <223f97700909170204l35c2e58ev7bed839d61387258@mail.gmail.com>
Message-ID: <4AB22CF1.2030607@di.unito.it>

I do the same as suggested, requiring TLS authentication when sending email from outside my lan, an extra header field is set into the last Received header: for sendmail users the rule follows, where the bold words must be identical.

HReceived: $?{auth_authen}from $j ([${if_addr}]) $|$?sfrom $s $.$?_($?s$|from $.$_)$. $.by $j (SENDMAIL)$?r with $r$. id $i$?{tls_version} (version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify}$?{cn_subject} userCertificateDN=${cn_subject}$.$?{auth_authen} *YOURTOKEN* $. )$.$?u for $u; $|; $.$b

Then I set up an SA rule as follows

header AUTHENTICATEDUSER Received =~ /(.*)*YOURTOKEN*(.*)/
describe AUTHENTICATEDUSER Email Sender Authenticated by My Server
score AUTHENTICATEDUSER -100.0

and all the emails sent through my SMTP authenticated session will be automagically whitelisted.

Hope this helps.

Glenn Steen wrote:
> 2009/9/17 Neil Wilson :
>
>> Hi guys,
>>
>> I've got a problem with a user sending email from a dynamic IP to his server
>> using SMTP authentication.
>>
>> His emails are being blocked as spam(score of 7) because of the dynamic IP
>> and reverse dns entries.
>>
>> I can whitelist his address, but the problem with this is that there are a
>> lot of faked sender address spam emails coming from the same address.
>>
>> I can reduce the points being allocated for each rule, but this will affect
>> all emails so will reduce the spam filtering efficiency.
>>
>> Any suggestions will be greatly appreciated.
>>
>> Regards.
>>
>> Neil.
>>
>
> Either let the TLS authenticated sender (your user) bypass MS
> altogether (might be tricky getting that right:-), or use an SA rule
> to "counteract" the score penalty by way of some identifiable thing in
> the resulting headers.
>
> Cheers
>

--
Ing. Sergio Rabellino
Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701
Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

-------------- next part --------------
Skipped content of type multipart/related
From alex at rtpty.com Thu Sep 17 13:49:49 2009
From: alex at rtpty.com (Alex Neuman)
Date: Thu Sep 17 13:50:01 2009
Subject: Problem with user emails sent using postfix smtp authentication blocked as spam
In-Reply-To: <4AB22CF1.2030607@di.unito.it>
References: <4AB1EDCA.1030007@dcdata.co.za> <223f97700909170204l35c2e58ev7bed839d61387258@mail.gmail.com> <4AB22CF1.2030607@di.unito.it>
Message-ID: <9CA6D94E-41CC-4E86-B473-3393DA2967BB@rtpty.com>

This is *SO* cool... It's one of those things you wish you had come up with yourself.

Could you help a bit further by providing the same syntax for the m4 file that usually resides in RH-flavored distros in /usr/share/sendmail-cf/m4/cfhead.m4?

Mine is set up like this:

define(`confRECEIVED_HEADER', `_REC_HDR_
    _REC_FULL_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
    _REC_BY_
    _REC_TLS_
    _REC_END_')

... where REC_FULL_AUTH_ is defined as:

define(`_REC_FULL_AUTH_', `$.$?{auth_type}(user=${auth_authen} $?{auth_author}author=${auth_author} $.mech=${auth_type}')

So, in theory, I could define it as:

define(`_REC_FULL_AUTH_', `$.$?{auth_type}(user=${auth_authen} $?{auth_author}author=${auth_author} $.mech=${auth_type} - MYSERVERUNIQUETOKEN')

And then use:

> header AUTHENTICATEDUSER Received =~ /(.*)MYSERVERUNIQUETOKEN(.*)/
> describe AUTHENTICATEDUSER Email Sender Authenticated by My Server
> score AUTHENTICATEDUSER -100.0

... then apply by:

make -C /etc/mail; service MailScanner restart

I don't always use TLS but it would help my authenticated users, regardless of TLS, if they use it that way, right?

On Sep 17, 2009, at 7:34 AM, Sergio Rabellino wrote:

> I do the same as suggested, requiring TLS authentication when
> sending email from outside my lan, an extra header field is set into
> the last Received header: for sendmail users the rule follow, where
> the bold words must be identical.
>
> HReceived: $?{auth_authen}from $j ([${if_addr}])
> $|$?sfrom $s $.$?_($?s$|from $.$_)$.
> $.by $j (SENDMAIL)$?r with $r$.
id $i$?{tls_version} > (version=${tls_version} cipher=${cipher} bits=$ > {cipher_bits} verify=${verify}$?{cn_subject} userCertificateDN=$ > {cn_subject}$.$?{auth_authen} YOURTOKEN $. )$.$?u > for $u; $|; > $.$b > > Then I set-up a sa rule as follow > > header AUTHENTICATEDUSER Received =~ /(.*)YOURTOKEN(.*)/ > describe AUTHENTICATEDUSER Email Sender Authenticated by My Server > score AUTHENTICATEDUSER -100.0 > > and all the emails sent through my SMTP authenticated session, will > be automagically whitelisted. From mailadmin at midland-ics.ie Thu Sep 17 16:46:56 2009 From: mailadmin at midland-ics.ie (MailAdmin) Date: Thu Sep 17 16:47:16 2009 Subject: spamtrap address In-Reply-To: <556B68BE19272143ADE2500D9CC858BD3F6083@stssvr01.Sts.local> References: <6B7B23D2-9694-4028-860A-2525B8465184@rampuptech.com><556B68BE19272143ADE2500D9CC858BD3F6052@stssvr01.Sts.local><7AF154895A006D46BA4FFB035ABC09936EC7@aragorn.midland-ics.local> <556B68BE19272143ADE2500D9CC858BD3F6083@stssvr01.Sts.local> Message-ID: <7AF154895A006D46BA4FFB035ABC09936ED5@aragorn.midland-ics.local> Thanks Jeff I will give it a try. Got that ZIP now. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff Mills Sent: 17 September 2009 05:42 To: MailScanner discussion Subject: RE: spamtrap address > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of MailAdmin > Sent: Wednesday, 16 September 2009 6:57 PM > To: MailScanner discussion > Subject: RE: spamtrap address > > Hi Jeff > > That Script would be handy here for some of my clients. > Cheers if you can get hold of it > > Kevin > Hi Kevin, http://www.winsto.net/piggie/sa-teach.zip is a zip file containing two Python scripts. One I would run regularly (hourly or daily) and the other (expunge) I would run once a week or so to clean out the folder. You may want to run these more/less often depending on how many spam you get. You could also just use the one expunge script if you are happy to have it delete the mail after each time it learns. I liked to see how much mail was being put in there, so I did not expunge every time. Scripts will need edited to suit your environment. Of course you will have to create a login for your exchange server that has access to the public folder. It's been a while since I used these scripts, so hopefully they run with newer Python versions. They are very simple, so probably wouldn't take much modifying to work anyway. Rgs, Jeff -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This e-mail is intended solely for the addressee(s) and is strictly confidential. The unauthorised use, disclosure or copying of this e-mail, or any information it contains is prohibited. If you have received this e-mail in error, please notify us immediately and then permanently delete it. 
Although Midland Internet & Computer Solutions make every effort to keep our systems free from viruses you should check this e-mail and any attachments to it for viruses as we cannot accept any liability for viruses inadvertently transmitted by use.
From rlopezcnm at gmail.com Fri Sep 18 18:43:08 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Sep 18 18:43:17 2009
Subject: Why is this a hidden filename extension?
Message-ID:

Report: MailScanner: Attempt to hide real filename extension (Motion %26 Order.doc)

The above was a file name used by a college attorney and it the email was blocked.
So it is a hot issue at the moment.

The file command returns

Microsoft Office Document Microsoft Word Document

for the magic type so the content appears to match the extension.

I only see two deny rules in filename.rules.conf that seem to be focused on filetype v extension:

# Deny filenames containing CLSID's
deny    \{[a-hA-H0-9-]{25,}\}    Filename trying to hide its real type    Files containing CLSID's are trying to hide their real type

# Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$    Found possible filename hiding    Attempt to hide real filename extension

and there is also the white space rule

# Deny filenames with lots of contiguous white space in them.
deny    \s{10,}    Filename contains lots of white space    A long gap in a name is often used to hide part of it

but this filename does not match any of them to my understanding.

What rule might have been matched?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
From ssilva at sgvwater.com Fri Sep 18 18:51:47 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 18 18:52:21 2009
Subject: Why is this a hidden filename extension?
In-Reply-To:
References:
Message-ID:

on 9-18-2009 10:43 AM Robert Lopez spake the following:
> Report: MailScanner: Attempt to hide real filename extension (Motion
> %26 Order.doc)
>
> The above was a file name used by a college attorney and it the email
> was blocked.
> So it is a hot issue at the moment.
>
> The file command returns
>
> Microsoft Office Document Microsoft Word Document
>
> for the magic type so the content appears to match the extension.
>
>
> I only see two deny rules in filename.rules.conf that seem to be
> focused on filetype v extension:
>
> # Deny filenames containing CLSID's
> deny    \{[a-hA-H0-9-]{25,}\}    Filename trying to hide its real type
>         Files containing CLSID's are trying to hide
> their real type
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$    Found possible
> filename hiding    Attempt to hide real filename
> extension
>
> and there is also the white space rule
>
> # Deny filenames with lots of contiguous white space in them.
> deny    \s{10,}    Filename contains lots of white space
>         A long gap in a name is often used to
> hide part of it
>
> but this filename does not match any of them to my understanding.
>
> What rule might have been matched?
>
The report has sanitized filenames. That might not be the full filename. You need to look at the original message.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090918/25f7d9ca/signature.bin
From rlopezcnm at gmail.com Fri Sep 18 21:43:12 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Fri Sep 18 21:43:21 2009
Subject: Why is this a hidden filename extension?
In-Reply-To:
References:
Message-ID:

On Fri, Sep 18, 2009 at 11:51 AM, Scott Silva wrote:
> on 9-18-2009 10:43 AM Robert Lopez spake the following:
>> Report: MailScanner: Attempt to hide real filename extension (Motion
>> %26 Order.doc)
>>
>> The above was a file name used by a college attorney and it the email
>> was blocked.
>> So it is a hot issue at the moment.
>>
>> The file command returns
>>
>> Microsoft Office Document Microsoft Word Document
>>
>> for the magic type so the content appears to match the extension.
>>
>>
>> I only see two deny rules in filename.rules.conf that seem to be
>> focused on filetype v extension:
>>
>> # Deny filenames containing CLSID's
>> deny    \{[a-hA-H0-9-]{25,}\}    Filename trying to hide its real type
>>         Files containing CLSID's are trying to hide
>> their real type
>>
>> # Deny all other double file extensions. This catches any hidden filenames.
>> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$    Found possible
>> filename hiding    Attempt to hide real filename
>> extension
>>
>> and there is also the white space rule
>>
>> # Deny filenames with lots of contiguous white space in them.
>> deny    \s{10,}    Filename contains lots of white space
>>         A long gap in a name is often used to
>> hide part of it
>>
>> but this filename does not match any of them to my understanding.
>>
>> What rule might have been matched?
>>
> The report has sanitized filenames. That might not be the full filename. You
> need to look at the original message.
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

In this case the report and the quarantine file use exactly the same filename.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
From ssilva at sgvwater.com Fri Sep 18 21:52:30 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Sep 18 21:53:01 2009
Subject: Why is this a hidden filename extension?
In-Reply-To:
References:
Message-ID:

>>>
>> The report has sanitized filenames. That might not be the full filename. You
>> need to look at the original message.
>>
>>
>
> In this case the report and the quarantine file use exactly the same filename.
>
The report should say what rule it hit. And should also be in the logs. If not you should turn up reporting some. Bigger logs yes, but a lot more info to help with these things.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090918/4ddece11/signature.bin
From mark at msapiro.net Sat Sep 19 17:05:54 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Sep 19 17:06:03 2009
Subject: Why is this a hidden filename extension?
In-Reply-To:
References:
Message-ID: <20090919160554.GA1328@msapiro>

On Fri, Sep 18, 2009 at 11:43:08AM -0600, Robert Lopez wrote:
> Report: MailScanner: Attempt to hide real filename extension (Motion
> %26 Order.doc)
>

I just did some tests, and it appears if the original filename is

Motion & Order.doc .doc

with at least one space between the two '.doc's, it will (correctly) match the "Attempt to hide real filename extension" rule, but MailScanner will drop the spaces and the second .doc from the name. This definitely has to do with the presence of the & in the name. Here are a few test results:

Actual name                  Reported name
Motion & Order.doc .doc      Motion %26 Order.doc
Motion&Order.doc .doc        Motion%26Order.d.doc
Motion - Order.doc .doc      Motion - Order.doc .doc

So it appears that in your case, there actually was a double extension, and that in the process of 'html escaping' the name, the second extension was dropped. If the entire message is in the quarantine (Quarantine Whole Message = yes), you can see the original file name there.

--
Mark Sapiro mark at msapiro net         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
From mark at msapiro.net Sun Sep 20 17:30:10 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Sep 20 17:30:22 2009
Subject: Why is this a hidden filename extension?
In-Reply-To: <20090919160554.GA1328@msapiro>
References: <20090919160554.GA1328@msapiro>
Message-ID: <20090920163010.GA2444@msapiro>

On Sat, Sep 19, 2009 at 09:05:54AM -0700, Mark Sapiro wrote:
>
> So it appears that in your case, there actually was a double extension,
> and that in the process of 'html escaping' the name, the second extension
> was dropped. If the entire message is in the quarantine (Quarantine Whole
> Message = yes), you can see the original file name there.

Also, the original name should be in a MailScanner "Filename Checks" log message.

--
Mark Sapiro mark at msapiro net         The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
From MailScanner at ecs.soton.ac.uk Sun Sep 20 21:44:25 2009
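The name comparison from Mark Sapiro's test results in the thread above, as an added example that is not part of any list message and is not MailScanner's own code: it runs the three deny rules quoted from filename.rules.conf against each actual name and the name shown in the report. Case-insensitive, first-match-wins searching is an assumption of the example, and the names `first_deny` and `audit` are hypothetical.

```python
import re

# The three deny rules quoted in the thread from filename.rules.conf, as
# (regex, log text, report text). Assumption of this example: a pattern is
# searched anywhere in the name, case-insensitively, and the first match wins.
DENY_RULES = [
    (r"\{[a-hA-H0-9-]{25,}\}",
     "Filename trying to hide its real type",
     "Files containing CLSID's are trying to hide their real type"),
    (r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
     "Found possible filename hiding",
     "Attempt to hide real filename extension"),
    (r"\s{10,}",
     "Filename contains lots of white space",
     "A long gap in a name is often used to hide part of it"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), log, report)
            for p, log, report in DENY_RULES]

# (actual name, name shown in the report) pairs from the thread's test results.
NAME_PAIRS = [
    ("Motion & Order.doc .doc", "Motion %26 Order.doc"),
    ("Motion&Order.doc .doc", "Motion%26Order.d.doc"),
    ("Motion - Order.doc .doc", "Motion - Order.doc .doc"),
]


def first_deny(filename):
    """Return the report text of the first deny rule that matches, else None."""
    for regex, _log, report in COMPILED:
        if regex.search(filename):
            return report
    return None


def audit(pairs):
    """Compare the verdict on the real name with the verdict on the reported name.

    A row with reproducible=False means the name printed in the report cannot
    be used to work out which rule fired; the original name from the log or
    the quarantined message is needed instead.
    """
    rows = []
    for actual, reported in pairs:
        verdict_actual = first_deny(actual)
        verdict_reported = first_deny(reported)
        rows.append({
            "actual": actual,
            "reported": reported,
            "verdict_actual": verdict_actual,
            "verdict_reported": verdict_reported,
            "reproducible": verdict_actual == verdict_reported,
        })
    return rows


if __name__ == "__main__":
    for row in audit(NAME_PAIRS):
        print(f"{row['actual']!r} -> {row['verdict_actual']}")
        print(f"  reported as {row['reported']!r} -> {row['verdict_reported']}"
              f" (reproducible: {row['reproducible']})")
```

When triaging a blocked attachment, feed the name from the "Filename Checks" log line or the quarantined message to `first_deny`, not the name copied from the user-facing report.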
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Sun Sep 20 21:44:46 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update References: <4AB69429.2060200@ecs.soton.ac.uk> Message-ID: Firstly, I'm still here, don't worry :-) Just my day job is really busy at the moment, as we're now in the run-up to the start of the new academic year, and I have taken on a load of extra work to ease the strain on the guys who work for me. I'm still intending to do a stable release of MailScanner on 1st October. So if there's anything important I need to know about the current version, please tell me in a reply to this message (to the list is fine, just I can then just check 1 thread). However, the point of this message is to tell you I have updated http://www.jules.fm/Logbook/files/anti-phishing-v2.html as the location of the original Google-hosted data file has moved to SourceForge, and so the address of it has changed. If you don't update the script to the new version, it won't be doing anything at all for you right now. Best regards, Jules. -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mike at mlrw.com Mon Sep 21 04:21:20 2009 
From: mike at mlrw.com (Mike Wallace)
Date: Mon Sep 21 04:21:31 2009
Subject: MailScanner --lint Question
Message-ID:

I have an existing MailScanner box running 4.77.10 and when I run MailScanner --lint I get the following for virus checking:

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================

On a new box running 4.78.15 I get the following:

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

Both boxes are identical hardware running CentOS 5.3 with clam installed from rpmforge.

Which one is correct? Or are both correct and don't worry about the difference?

Thanks.

Mike
From steve.freegard at fsl.com Mon Sep 21 08:03:39 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Sep 21 08:03:52 2009
Subject: MailScanner --lint Question
In-Reply-To:
References:
Message-ID: <4AB7254B.9020701@fsl.com>

Mike Wallace wrote:
> I have an existing MailScanner box running 4.77.10 and when I run
> MailScanner --lint I get the following for virus checking:
>
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
>
> On a new box running 4.78.15 I get the following:
>
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ===========================================================================
>
>
> Both boxes are identical hardware running CentOS 5.3 with clam installed
> from rpmforge.
>
> Which one is correct? Or are both correct and don't worry about the
> difference?
>

Technically - both are correct.

I suspect that you have different settings for:

ClamAV Full Message Scan = yes

Between the two systems which accounts for the difference. Personally I would enable this option on the new box.

Regards,
Steve.
From garith at saao.ac.za Mon Sep 21 08:38:28 2009 From: garith at saao.ac.za (Garith Dugmore) Date: Mon Sep 21 08:41:10 2009 Subject: Whitelisting and clearing previous spam related headers In-Reply-To: <4AB0E29E.1000803@fsl.com> References: <4AB0D902.7000602@saao.ac.za> <4AB0E29E.1000803@fsl.com> Message-ID: <4AB72D74.1010909@saao.ac.za> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090921/c3d66bc5/attachment.html From steve.freegard at fsl.com Mon Sep 21 09:28:35 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Sep 21 09:28:45 2009 Subject: Whitelisting and clearing previous spam related headers In-Reply-To: <4AB72D74.1010909@saao.ac.za> References: <4AB0D902.7000602@saao.ac.za> <4AB0E29E.1000803@fsl.com> <4AB72D74.1010909@saao.ac.za> Message-ID: <4AB73933.6020604@fsl.com> Garith Dugmore wrote: >>> >>> Any pointers? >>> >> >> See the 'Remove These Headers' option in MailScanner.conf. >> >> Regards, >> Steve. >> > Hi Steve, > > Thanks for your reply. > Does that setting remove those headers before it starts its normal spam > scan? If it removes X-Spam-Level completely this will break my server > side (sieve) filters. Looks like it probably does as it appears to remove the headers *after* it's done all the work. You'll have to ask Jules nicely if he could move it to the beginning of the message processing so it removes the headers prior to doing MCP/Spam/Virus checks. Regards, Steve. From MailScanner at ecs.soton.ac.uk Mon Sep 21 12:14:52 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 21 12:15:15 2009
Subject: Duplicate headers, Exim WriteHeader using Sendmail::CreateQf
In-Reply-To: <6289b6f0de1830f48431f0a30e70bac3.squirrel@webmail.navaho.co.uk>
References: <4AA7C66D.9000201@ecs.soton.ac.uk> <6289b6f0de1830f48431f0a30e70bac3.squirrel@webmail.navaho.co.uk> <4AB7602C.5030102@ecs.soton.ac.uk>
Message-ID:

Fixed. I have added a "quotemeta" round the string I'm comparing with lc $key in the header comparison loop, as you suggested.

Cheers!

Jules.

On 09/09/2009 17:33, Chris Audley wrote:
>
>> The key is that there is no "Exim::CreateQf" at all, all the MTAs are
>> called "Sendmail" internally (as that's the first one I implemented).
>>
> [snip]
>
> Thanks for the explanation, shows how poor my perl knowledge is! :)
>
> This is what is getting written to the queue if the subject has a trailing
> space:
>
> 023T To: chris@navaho.co.uk
> 015 Subject: test
> 018 MIME-Version: 1.0
> 092 X-navaho-Colo-Information: Please contact support@navaho.co.uk for
> more information
> 050 X-navaho-MailScanner-ID: 1MlPZ9-0007TR-C8
> 041 X-navaho-Colo: Found to be clean
> 140 X-navaho-Colo-SpamCheck: not spam, SpamAssassin (score=-2.18,
> required 1,
> ALL_TRUSTED -1.80, BAYES_00 -2.60, TVD_SPACE_RATIO 2.22)
> 042 X-navaho-colo-From: root@mx3.colo
> 023 Subject: test
> 026 X-Spam-Status: No
>
> There should be a * after 015 on the first Subject header to ask exim to
> delete the header.
>
> The problem appears to be this line in DeleteHeader in Exim.pm:
>
> $key = quotemeta($key) unless $usingregexp;
>
> This is escaping the colon on the end of header and preventing it from
> being matched in the header comparison loop and being marked for deletion.
> Commenting out the quotemeta makes MailScanner generate the correct exim
> spool file.
>
> I guess doing quotemeta on the headers in the header comparison loop is
> probably the best fix?
> > Regards, > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Sep 21 12:21:27 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 21 12:21:46 2009 Subject: Is this possible? Maybe feature request In-Reply-To: References: <4AB761B7.9000405@ecs.soton.ac.uk> Message-ID: It's not currently possible to auto-insert more than 1 image, sorry. I haven't got the time to write it for you at the moment, you are the only person who has ever needed to insert multiple images, so you're not very high priority, sorry. Jules. On 16/09/2009 23:22, Jose Perez wrote: > Any idea of this? Would this be possible Julian? > > :( Thanks > > On Tue, Sep 8, 2009 at 9:07 PM, Jose Perez > wrote: > > Hi all: > > I'm using MailScanner 4.77.10 with HTML signatures configured > working fine with these directives: > > Sign Clean Messages = %rules-dir%/sign.clean.messages.rules > Attach Image To Signature = yes > Inline HTML Signature = %rules-dir%/sig.html.rules > Signature Image Filename = %report-dir%/signature.jpg > Signature Image Filename = signature.jpg > > My html signature contains some code as follow: > > Signature > > This works terrific! But I would like to insert more than an image > in my html code. I tried to insert more directives but only > the one that contains signature.jpg file is shown correctly. > > Is it possible to insert multiple image files and being recognized > correctly by MailScanner? If not .. Could this be added as a > future feature in MailScanner? > > Thanks, good bye > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Mon Sep 21 12:28:34 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 21 12:29:01 2009 Subject: Whitelisting and clearing previous spam related headers In-Reply-To: <4AB73933.6020604@fsl.com> References: <4AB0D902.7000602@saao.ac.za> <4AB0E29E.1000803@fsl.com> <4AB72D74.1010909@saao.ac.za> <4AB73933.6020604@fsl.com> <4AB76362.6010609@ecs.soton.ac.uk> Message-ID: On 21/09/2009 09:28, Steve Freegard wrote: > Garith Dugmore wrote: > >>>> Any pointers? >>>> >>>> >>> See the 'Remove These Headers' option in MailScanner.conf. >>> >>> Regards, >>> Steve. >>> >>> >> Hi Steve, >> >> Thanks for your reply. >> Does that setting remove those headers before it starts its normal spam >> scan? If it removes X-Spam-Level completely this will break my server >> side (sieve) filters. >> > Looks like it probably does as it appears to remove the headers *after* > it's done all the work. > > You'll have to ask Jules nicely if he could move it to the beginning of > the message processing so it removes the headers prior to doing > MCP/Spam/Virus checks. > It is currently done just before message delivery. It's awkward to move to much earlier on as the data structures won't exist then :-( However, it is done right near the start of the process of building the output message. Have you actually tried asking it to remove the X-Spam-Level header and see what headers you get in the resulting message? I see no evidence you have actually tried it. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From steve at fsl.com Mon Sep 21 13:30:12 2009 From: steve at fsl.com (Stephen Swaney) Date: Mon Sep 21 13:30:26 2009 Subject: Is this possible? Maybe feature request In-Reply-To: References: <4AB761B7.9000405@ecs.soton.ac.uk> Message-ID: <4AB771D4.2060707@fsl.com> Julian Field wrote: > It's not currently possible to auto-insert more than 1 image, sorry. > I haven't got the time to write it for you at the moment, you are the > only person who has ever needed to insert multiple images, so you're > not very high priority, sorry. > > Jules. > > On 16/09/2009 23:22, Jose Perez wrote: >> Any idea of this? Would this be possible Julian? >> >> :( Thanks >> >> On Tue, Sep 8, 2009 at 9:07 PM, Jose Perez > > wrote: >> >> Hi all: >> >> I'm using MailScanner 4.77.10 with HTML signatures configured >> working fine with these directives: >> >> Sign Clean Messages = %rules-dir%/sign.clean.messages.rules >> Attach Image To Signature = yes >> Inline HTML Signature = %rules-dir%/sig.html.rules >> Signature Image Filename = %report-dir%/signature.jpg >> Signature Image Filename = signature.jpg >> >> My html signature contains some code as follow: >> >> Signature >> >> This works terrific! But I would like to insert more than an image >> in my html code. I tried to insert more directives but only >> the one that contains signature.jpg file is shown correctly. >> >> Is it possible to insert multiple image files and being recognized >> correctly by MailScanner? If not .. Could this be added as a >> future feature in MailScanner? >> >> Thanks, good bye >> >> > > Jules > Silly thought but couldn't one simply create one Image from the two, plus text if desired, and insert that? Best regards, Steve -- Steve Swaney steve@fsl.com www.fsl.com The most accurate and cost effective anti-spam solutions available From ecasarero at gmail.com Mon Sep 21 14:08:20 2009 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Mon Sep 21 14:08:52 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: References: <4AB69429.2060200@ecs.soton.ac.uk> Message-ID: <7d9b3cf20909210608o235d4119ga6bc3df2585e8477@mail.gmail.com> Julian, i've 2 questions, -how often does this SA rules change? its ok to update once a day? -it posible (not now, but in the future) that you can code some custom functions with some special features for MS(paid work, of course)? Thanks! 2009/9/20 Jules Field > Firstly, I'm still here, don't worry :-) > Just my day job is really busy at the moment, as we're now in the run-up to > the start of the new academic year, and I have taken on a load of extra work > to ease the strain on the guys who work for me. > > I'm still intending to do a stable release of MailScanner on 1st October. > So if there's anything important I need to know about the current version, > please tell me in a reply to this message (to the list is fine, just I can > then just check 1 thread). > > However, the point of this message is to tell you I have updated > http://www.jules.fm/Logbook/files/anti-phishing-v2.html > as the location of the original Google-hosted data file has moved to > SourceForge, and so the address of it has changed. > > If you don't update the script to the new version, it won't be doing > anything at all for you right now. > > Best regards, > Jules. > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090921/9a10abd7/attachment.html From MailScanner at ecs.soton.ac.uk Mon Sep 21 14:19:41 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 21 14:20:03 2009
Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To: <7d9b3cf20909210608o235d4119ga6bc3df2585e8477@mail.gmail.com>
References: <4AB69429.2060200@ecs.soton.ac.uk> <7d9b3cf20909210608o235d4119ga6bc3df2585e8477@mail.gmail.com> <4AB77D6D.4030502@ecs.soton.ac.uk>
Message-ID:

On 21/09/2009 14:08, Eduardo Casarero wrote:
> Julian, i've 2 questions,
>
> -how often does this SA rules change? its ok to update once a day?

Once a day should do.

>
> -it posible (not now, but in the future) that you can code some custom
> functions with some special features for MS(paid work, of course)?

Sure, no problem. Just rather busy for the next few weeks while we get another 500 students bedded down into our department!

Jules.

>
> Thanks!
>
> 2009/9/20 Jules Field
>
>
> Firstly, I'm still here, don't worry :-)
> Just my day job is really busy at the moment, as we're now in the
> run-up to the start of the new academic year, and I have taken on
> a load of extra work to ease the strain on the guys who work for me.
>
> I'm still intending to do a stable release of MailScanner on 1st
> October. So if there's anything important I need to know about the
> current version, please tell me in a reply to this message (to the
> list is fine, just I can then just check 1 thread).
>
> However, the point of this message is to tell you I have updated
> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
> as the location of the original Google-hosted data file has moved
> to SourceForge, and so the address of it has changed.
>
> If you don't update the script to the new version, it won't be
> doing anything at all for you right now.
>
> Best regards,
> Jules.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From alex at rtpty.com Mon Sep 21 14:57:00 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Sep 21 14:57:12 2009
Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
References: <4AB69429.2060200@ecs.soton.ac.uk> <7d9b3cf20909210608o235d4119ga6bc3df2585e8477@mail.gmail.com> <4AB77D6D.4030502@ecs.soton.ac.uk>
Message-ID:

If bedding one student is difficult... Not to mention frowned upon by some societies... I wouldn't dare imagine going for 500!

... what? Oh! Sorry, my bad. English is not my first language. It sounded like... Never mind... ;-)

On Sep 21, 2009, at 8:19 AM, Julian Field wrote:

> Sure, no problem. Just rather busy for the next few weeks while we
> get another 500 students bedded down into our department!

From jdustin at usm.maine.edu Mon Sep 21 15:14:51 2009
From: jdustin at usm.maine.edu (Jon Dustin)
Date: Mon Sep 21 15:15:05 2009
Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update
Message-ID: <4AB7521B0200008D0002568D@uct5.uct.usm.maine.edu>

>>> On 9/20/2009 at 4:44 PM, in message <4AB75D08.E69 : 207 : 20073>, Jules Field wrote:
> Firstly, I'm still here, don't worry :-)
> Just my day job is really busy at the moment, as we're now in the run-up
> to the start of the new academic year, and I have taken on a load of
> extra work to ease the strain on the guys who work for me.
>
> I'm still intending to do a stable release of MailScanner on 1st
> October. So if there's anything important I need to know about the
> current version, please tell me in a reply to this message (to the list
> is fine, just I can then just check 1 thread).
>
> However, the point of this message is to tell you I have updated
> http://www.jules.fm/Logbook/files/anti-phishing-v2.html
> as the location of the original Google-hosted data file has moved to
> SourceForge, and so the address of it has changed.

Jules -

I installed a new MS box last week, and have been using v4.78.15-1 ever since. All seems to be well with this version.

Because I had WRITE access to the Googlecode project, I was notified of the new update location, and I updated your script with the sourceforge URL. The script is working properly with the new URL.

Thanks for all your hard work with MailScanner.

--
Jon Dustin - Network Specialist
University of Southern Maine
Portland, ME 207-780-4152

From easontho at stu.armstrong.edu Mon Sep 21 15:24:31 2009
From: easontho at stu.armstrong.edu (Thomas Eason)
Date: Mon Sep 21 15:24:41 2009
Subject: Running two instances of mailscanner on the same machine
Message-ID: <4a5812c60909210724x1d99dedcm6830c92ba0864c94@mail.gmail.com>

I want to resubmit some messages back into the queue to be scanned by mailscanner with some different options (allowed filetypes). If I just change the pid file and the working directory is that enough to make it work?

I have such a system running, but I was wondering if I might encounter issues with the two separate mailscanner instances fighting.

Thanks,
Andrew

From pedro.arinto at gmail.com Mon Sep 21 15:49:02 2009
From: pedro.arinto at gmail.com (Pedro Arinto)
Date: Mon Sep 21 15:49:30 2009
Subject: Filename enconding in auto-zip feature
In-Reply-To:
References:
Message-ID:

Hi,

Can anyone help me with this problem? I've posted it here before but got no answer.

In my setup I'm using the auto-zip feature to zip attachments bigger than 1500k. When an attached file sent by a user contains international characters (like ?,?,?, etc), the filenames get messed up in the resulting ZIP file. Windows users are unable to uncompress these files.

An example:

Original filename: "Test ççç e áá e éé.txt"
Filename in ZIP compressed by MailScanner: "Test =?iso-8859-1?Q?=E7=E7=E7_e_=E1=E1_e_=E9=E9=E9.txt?="

Thanks,
Pedro

From mike at mlrw.com Mon Sep 21 15:52:44 2009
From: mike at mlrw.com (Mike Wallace)
Date: Mon Sep 21 15:52:55 2009
Subject: MailScanner --lint Question
In-Reply-To: <4AB7254B.9020701@fsl.com>
References: <4AB7254B.9020701@fsl.com>
Message-ID:

No, both are set at yes.

On Sep 21, 2009, at 3:03 AM, Steve Freegard wrote:

> Mike Wallace wrote:
>> I have an existing MailScanner box running 4.77.10 and when I run
>> MailScanner --lint is get the following for virus checking:
>>
>> MailScanner.conf says "Virus Scanners = clamd"
>> Found these virus scanners installed: clamd
>> =====================================================================
>> Filename Checks: Windows/DOS Executable (1 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>> =====================================================================
>>
>> On a new box running 4.78.15 I get the following:
>>
>> MailScanner.conf says "Virus Scanners = clamd"
>> Found these virus scanners installed: clamd
>> =====================================================================
>> Filename Checks: Windows/DOS Executable (1 eicar.com)
>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 1 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 1 viruses
>> =====================================================================
>>
>>
>> Both boxes are identical hardware running CentOS 5.3 with clam
>> installed
>> from rpmforge.
>>
>> Which one is correct? Or are both correct and don't worry about the
>> difference?
>>
>
> Technically - both are correct. I suspect that you have different
> settings for:
>
> ClamAV Full Message Scan = yes
>
> Between the two systems which accounts for the difference.
> Personally I
> would enable this option on the new box.
>
> Regards,
> Steve.

From alex at rtpty.com Mon Sep 21 16:07:28 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Sep 21 16:07:46 2009
Subject: Filename enconding in auto-zip feature
In-Reply-To:
References:
Message-ID: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com>

I don't know how to fix it, but here's a couple of thoughts:

1. Can you avoid using filenames with non-english characters? It's less likely users will have problems that way - especially when going cross-platform.

2. Are you sure the filenames are messed up? Do all platforms (linux, mac, unix) find the same, apparently corrupted filenames? How about all unzip programs for Windows? Could be that the unzipping program is not UTF aware or something like that.

3. (and this is a question for Jules & the Gang) - what does MailScanner use for ZIPping? Is it some Archive::Zip module call? Can it be changed (although it may impose a further performance penalty) to an external "zip" program? Something like the internal vs. external TNEF issue?

On Sep 21, 2009, at 9:49 AM, Pedro Arinto wrote:

> the filenames get messed up in the resulting ZIP file. Windows users
> are unable to uncompress this files

From mark at msapiro.net Mon Sep 21 16:18:57 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Sep 21 16:19:10 2009
Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
References: <4AB69429.2060200@ecs.soton.ac.uk>
Message-ID: <20090921151857.GA3720@msapiro>

On Sun, Sep 20, 2009 at 09:44:25PM +0100, Jules Field wrote:
>
> I'm still intending to do a stable release of MailScanner on 1st
> October. So if there's anything important I need to know about the
> current version, please tell me in a reply to this message (to the list
> is fine, just I can then just check 1 thread).

There may be an issue with reporting of 'sanitized' file names with multiple extensions. See the message at
http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From MailScanner at ecs.soton.ac.uk Mon Sep 21 16:49:03 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Sep 21 16:49:23 2009
Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To: <20090921151857.GA3720@msapiro>
References: <4AB69429.2060200@ecs.soton.ac.uk> <20090921151857.GA3720@msapiro> <4AB7A06F.5060105@ecs.soton.ac.uk>
Message-ID:

On 21/09/2009 16:18, Mark Sapiro wrote:
> On Sun, Sep 20, 2009 at 09:44:25PM +0100, Jules Field wrote:
>
>> I'm still intending to do a stable release of MailScanner on 1st
>> October. So if there's anything important I need to know about the
>> current version, please tell me in a reply to this message (to the list
>> is fine, just I can then just check 1 thread).
>>
>
> There may be an issue with reporting of 'sanitized' file names with
> multiple extensions. See the message at
> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html
>
>

That doesn't match up with what I just tried as a test case using the "MakeNameSafe" code. It worked exactly as I intended.

Note that it will vary its behaviour if you do 3 attachments in 1 message called similar names, as the resulting filenames have to be unique in the "unpacking" directory.

But the raw code produced the results I would expect when not caring about unique filenames.

Jules

From cfisk at qwicnet.com Mon Sep 21 17:54:37 2009
From: cfisk at qwicnet.com (Christopher Fisk)
Date: Mon Sep 21 17:54:56 2009
Subject: Converting spam.blacklist.rules and spam.whitelist.rules into database
Message-ID:

Is it possible to set MailScanner to query a database instead of flat files for the spam.blacklist.rules and spam.whitelist.rules lists?

My Black/Whitelist for MailScanner is getting a bit overboard on a couple of servers that I maintain. If I could enter them all into a database I could track which users requested they be added and be able to maintain a bit easier.

Any options for that?

Thanks!

Christopher Fisk

From alex at rtpty.com Mon Sep 21 18:01:51 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Sep 21 18:02:03 2009
Subject: Converting spam.blacklist.rules and spam.whitelist.rules into database
In-Reply-To:
References:
Message-ID: <24F7CE03-72FA-4499-AD4A-9BE83AADD00B@rtpty.com>

Yes. Look for the word SQL in the conf file.

On Sep 21, 2009, at 11:54 AM, Christopher Fisk wrote:

> Is it possible to set MailScanner to query a database instead of
> flat files for the spam.blacklist.rules and spam.whitelist.rules
> lists?
>
> My Black/Whitelist for MailScanner is getting a bit overboard on a
> couple of servers that I maintain. If I could enter them all into a
> database I could track which users requested they be added and be
> able to maintain a bit easier.
>
>
> Any options for that?
>
>
> Thanks!
>
>
> Christopher Fisk

From roy at kaldung.com Mon Sep 21 18:09:24 2009
From: roy at kaldung.com (Roy Kaldung)
Date: Mon Sep 21 18:09:40 2009
Subject: Converting spam.blacklist.rules and spam.whitelist.rules into database
In-Reply-To:
References:
Message-ID: <4AB7B344.5090706@kaldung.com>

Christopher Fisk wrote:
> Is it possible to set MailScanner to query a database instead of flat files for the spam.blacklist.rules and spam.whitelist.rules lists?
>
> My Black/Whitelist for MailScanner is getting a bit overboard on a couple of servers that I maintain. If I could enter them all into a database I could track which users requested they be added and be able to maintain a bit easier.

Hi Christopher,

I suggest to keep flat files for performance reasons. I generate them periodically via cron from the databases I use.

Regards, Roy

--
Roy Kaldung

From cfisk at qwicnet.com Mon Sep 21 18:22:21 2009
From: cfisk at qwicnet.com (Christopher Fisk)
Date: Mon Sep 21 18:22:53 2009
Subject: Converting spam.blacklist.rules and spam.whitelist.rules into database
In-Reply-To: <24F7CE03-72FA-4499-AD4A-9BE83AADD00B@rtpty.com>
Message-ID:

> Yes. Look for the word SQL in the conf file.

From what I've seen in the conf file SQL is mentioned for logging. I am downloading the latest beta to see if there is more mention there.

Thanks!

Christopher Fisk

From cfisk at qwicnet.com Mon Sep 21 18:24:11 2009
From: cfisk at qwicnet.com (Christopher Fisk)
Date: Mon Sep 21 18:24:34 2009
Subject: Converting spam.blacklist.rules and spam.whitelist.rules into database
In-Reply-To: <4AB7B344.5090706@kaldung.com>
Message-ID:

> Christopher Fisk wrote:
> > Is it possible to set MailScanner to query a database
> instead of flat files for the spam.blacklist.rules and
> spam.whitelist.rules lists?
> >
> > My Black/Whitelist for MailScanner is getting a bit
> overboard on a couple of servers that I maintain. If I
> could enter them all into a database I could track which
> users requested they be added and be able to maintain a
> bit easier.

> Hi Christopher,

> I suggest to keep flat files for performance reasons. I
> generate them
> periodically via cron from the databases I use.

> Regards, Roy

This is actually an idea I didn't even think of. Store our information in the database and just convert!

Sometimes the simple solution is the best.

Christopher Fisk

From mark at msapiro.net Mon Sep 21 18:42:50 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Sep 21 18:43:09 2009
Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
Message-ID:

Julian Field wrote:
>
>On 21/09/2009 16:18, Mark Sapiro wrote:
>> On Sun, Sep 20, 2009 at 09:44:25PM +0100, Jules Field wrote:
>>
>>> I'm still intending to do a stable release of MailScanner on 1st
>>> October. So if there's anything important I need to know about the
>>> current version, please tell me in a reply to this message (to the list
>>> is fine, just I can then just check 1 thread).
>>>
>>
>> There may be an issue with reporting of 'sanitized' file names with
>> multiple extensions. See the message at
>> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html
>>
>>
>That doesn't match up with what I just tried as a test case using the
>"MakeNameSafe" code.
>It worked exactly as I intended.

I don't think the issue is with MakeNameSafe, at least if I'm doing the right thing. It appears that MakeNameSafe will take a name like "Motion & Order.doc .doc" (with the leading file type character) and make it into "MotionOrder.doc.doc" which is not what I'm seeing.

Here are a couple of log messages:

Sep 19 08:13:09 sbh16 MailScanner[18931]: Filename Checks: Found possible filename hiding (5FCE86900C4.AD9A6 Motion & Order.doc .doc)
Sep 19 08:13:09 sbh16 MailScanner[18931]: Saved entire message to /var/spool/MailScanner/quarantine/20090919/5FCE86900C4.AD9A6
Sep 19 08:13:09 sbh16 MailScanner[18931]: Saved infected "Motion %%26 Order.doc" to /var/spool/MailScanner/quarantine/20090919/5FCE86900C4.AD9A6

Here, the original attachment name was "Motion & Order.doc .doc" and the name saved in the quarantine and reported in the cleaned message was "Motion %26 Order.doc" (the doubling of the % seems to have occurred in syslog).

Something is changing '&' to '%26' and I am guessing that that is also what drops the second ".doc"

>Note that it will vary its behaviour if you do 3 attachments in 1
>message called similar names, as the resulting filenames have to be
>unique in the "unpacking" directory.

That was not an issue in my tests. There was only one attachment.

Just as an experiment, I'm also attaching a file named "Motion & Order.doc .doc" to this message to see what happens (It's not a real MS word document).

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Motion & Order.doc .doc
Type: application/msword
Size: 29 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090921/1516f4f8/MotionOrder.doc.doc

From brentb at beanfield.com Mon Sep 21 18:53:15 2009
From: brentb at beanfield.com (Brent Bloxam)
Date: Mon Sep 21 18:54:13 2009
Subject: Converting spam.blacklist.rules and spam.whitelist.rules into database
In-Reply-To:
References:
Message-ID: <4AB7BD8B.3070808@beanfield.com>

Christopher Fisk wrote:
>> Christopher Fisk wrote:
>> > Is it possible to set MailScanner to query a database
>> instead of flat files for the spam.blacklist.rules and
>> spam.whitelist.rules lists?
>> >
>> > My Black/Whitelist for MailScanner is getting a bit
>> overboard on a couple of servers that I maintain. If I
>> could enter them all into a database I could track which
>> users requested they be added and be able to maintain a
>> bit easier.
>
>> Hi Christopher,
>
>> I suggest to keep flat files for performance reasons. I
>> generate them
>> periodically via cron from the databases I use.
>
>> Regards, Roy
>
>
> This is actually an idea I didn't even think of. Store our information in the database and just convert!
>
> Sometimes the simple solution is the best.

One of the issues I ran into with this is that the child reads the flat-file when it starts, and then holds onto that for its running duration. So if you're updating the blacklist/whitelist files often, you'll find them not taking effect until the children die off and are replaced.

To combat this, I've written a custom function that reads the file per-scan and handles per-user filtering. The check takes 0.003 seconds on our system, so it's not really adding a whole lot of load or processing time. If anyone is interested in the source, I can provide a copy to the list.

--
| .-> brent bloxam ~-.    brentb @ beanfield.com
| (                  )    beanfield metroconnect
| `~- wgxolq +uajq <-'    416.532.1555 ext. 2004
--

From mark at msapiro.net Mon Sep 21 19:00:20 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Sep 21 19:00:39 2009
Subject: {Filename?} Re: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
Message-ID:

Mark Sapiro wrote:
>
>Just as an experiment, I'm also attaching a file named "Motion &
>Order.doc .doc" to this message to see what happens (It's not a real
>MS word document.

Well, that didn't work. Apparently posts to this list aren't scanned. However, the post from the list was scanned at my end resulting in

>This is a message from the MailScanner E-Mail Virus Protection Service
>----------------------------------------------------------------------
>The original e-mail attachment "Motion %26 Order.doc"
>is on the list of unacceptable attachments for this site and has been
>replaced by this warning message.
>
>If you wish to receive a copy of the original attachment, please
>e-mail postmaster@sbh16.songbird.com and include the whole of this message
>in your request.
>
>At Mon Sep 21 10:47:50 2009 the virus scanner said:
> MailScanner: Attempt to hide real filename extension (Motion %26 Order.doc)
>
>Note to Postmaster: Look on the GPC MailScanner in /var/spool/MailScanner/quarantine/20090921 (message CBD376900CB.A3108).

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From rlopezcnm at gmail.com Mon Sep 21 19:01:16 2009
From: rlopezcnm at gmail.com (Robert Lopez)
Date: Mon Sep 21 19:01:31 2009
Subject: Why is this a hidden filename extension?
In-Reply-To: <20090920163010.GA2444@msapiro>
References: <20090919160554.GA1328@msapiro> <20090920163010.GA2444@msapiro>
Message-ID:

On Sun, Sep 20, 2009 at 10:30 AM, Mark Sapiro wrote:
> On Sat, Sep 19, 2009 at 09:05:54AM -0700, Mark Sapiro wrote:
>>
>> So it appears that in your case, there actually was a double extension,
>> and that in the process of 'html escaping' the name, the second extension
>> was dropped. If the entire message is in the quarantine (Quarantine Whole
>> Message = yes), you can see the original file name there.
>
>
> Also, the original name should be in a MailScanner "Filename Checks"
> log message.
>

From the maillog:

Sep 18 10:50:09 xxxxx MailScanner[16724]: Filename Checks: Found possible filename hiding (5290B11B8.C17DE Motion & Order to consolidate.word.doc)

In the quarantine directory:

root@xxxxx:~# ls /var/spool/MailScanner/quarantine/20090918/5290B11B8.C17DE
Motion %26 Order.doc

What is in the quarantine dir is not the email message but the file only. But you were correct the Filename Checks line has the double extension of .word.doc.

Thank you for all the time you put into this and teaching me to carefully examine the "Filename Checks" line.

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

From glenn.steen at gmail.com Mon Sep 21 19:39:45 2009
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Sep 21 19:39:54 2009
Subject: Running two instances of mailscanner on the same machine
In-Reply-To: <4a5812c60909210724x1d99dedcm6830c92ba0864c94@mail.gmail.com>
References: <4a5812c60909210724x1d99dedcm6830c92ba0864c94@mail.gmail.com>
Message-ID: <223f97700909211139y59082236u69c4e6258efbbfa3@mail.gmail.com>

2009/9/21 Thomas Eason :
> I want to resubmit some messages back into the queue to be scanned by
> mailscanner with some different options
> (allowed filetypes). If I just change the pid file and the working
> directory is that enough to make it work?
>
> I have such a system running, but I was wondering if I might encounter
> issues with the two separate
> mailscanner instances fighting.
>
> Thanks,
> Andrew
>

Why would you need it? I imagine most of the rest of us get by with a simple ruleset, using a different set of files for filename/filetype rules for the loopback address (127.0.0.1)... Might be usable for you too?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Mon Sep 21 20:17:16 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 21 20:17:51 2009
Subject: OT: Re: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
References: <4AB69429.2060200@ecs.soton.ac.uk>
Message-ID:

on 9-20-2009 1:44 PM Jules Field spake the following:
> Firstly, I'm still here, don't worry :-)
> Just my day job is really busy at the moment, as we're now in the run-up
> to the start of the new academic year, and I have taken on a load of
> extra work to ease the strain on the guys who work for me.
>

How's your health holding up with the extra load? I'm hoping you're still feeling at least somewhat alright.

End of the off topic hijack.

From MailScanner at ecs.soton.ac.uk Mon Sep 21 20:42:08 2009
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Mon Sep 21 20:42:33 2009
Subject: OT: Re: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
References: <4AB69429.2060200@ecs.soton.ac.uk> <4AB7D710.8070209@ecs.soton.ac.uk>
Message-ID:

On 21/09/2009 20:17, Scott Silva wrote:
> on 9-20-2009 1:44 PM Jules Field spake the following:
>
>> Firstly, I'm still here, don't worry :-)
>> Just my day job is really busy at the moment, as we're now in the run-up
>> to the start of the new academic year, and I have taken on a load of
>> extra work to ease the strain on the guys who work for me.
>>
>>
> How's your health holding up with the extra load? I'm hoping your still
> feeling at least somewhat alright.
>

Thanks! I'm handling it okay so far, and still managing to get other stuff done too (we have a new lovely big vSphere VMware system that I'm migrating physical machines to), and I've got 20 student laptops to receive, configure and dole out tomorrow. With any luck someone won't turn up so I get a spare out of it, which would be nice! :-)

But I am carefully making time each afternoon for a rest so that I can keep up. I'm still hoping to take Wednesday afternoon out of the office as I normally do, but that may not happen this week. My colleagues are all working late trying to get stuff finished before the students return, we have some major new innovations this summer which will look fantastic for the students when they all return to us.

Me thinks I might have to buy my guys a present for working so hard this summer. Make them feel appreciated :-) And not departmental mugs either!

Jules

From ssilva at sgvwater.com Mon Sep 21 20:58:17 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Sep 21 20:59:01 2009
Subject: OT: Re: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
References: <4AB69429.2060200@ecs.soton.ac.uk> <4AB7D710.8070209@ecs.soton.ac.uk>
Message-ID:

on 9-21-2009 12:42 PM Jules Field spake the following:
>
>
> On 21/09/2009 20:17, Scott Silva wrote:
>> on 9-20-2009 1:44 PM Jules Field spake the following:
>>
>>> Firstly, I'm still here, don't worry :-)
>>> Just my day job is really busy at the moment, as we're now in the run-up
>>> to the start of the new academic year, and I have taken on a load of
>>> extra work to ease the strain on the guys who work for me.
>>>
>>>
>> How's your health holding up with the extra load? I'm hoping your still
>> feeling at least somewhat alright.
>>
> Thanks! I'm handling it okay so far, and still managing to get other
> stuff done too (we have a new lovely big vSphere VMware system that I'm
> migrating physical machines to), and I've got 20 student laptops to
> receive, configure and dole out tomorrow. With any luck someone won't
> turn up so I get a spare out of it, which would be nice! :-)
>
> But I am carefully making time each afternoon for a rest so that I can
> keep up. I'm still hoping to take Wednesday afternoon out of the office
> as I normally do, but that may not happen this week. My colleagues are
> all working late trying to get stuff finished before the students
> return, we have some major new innovations this summer which will look
> fantastic for the students when they all return to us.
>
> Me thinks I might have to buy my guys a present for working so hard this
> summer. Make them feel appreciated :-) And not departmental mugs either!
>
> Jules
>

Glad to hear that it isn't tearing you down as bad as the last few years had done. Stay healthy and out of the hospital!

From alex at rtpty.com Mon Sep 21 21:36:24 2009
From: alex at rtpty.com (Alex Neuman)
Date: Mon Sep 21 21:36:37 2009
Subject: OT: Re: Anti-Phishing / Spear-Phishing script IMPORTANT update
In-Reply-To:
References: <4AB69429.2060200@ecs.soton.ac.uk> <4AB7D710.8070209@ecs.soton.ac.uk>
Message-ID: <23F1F2DB-44D8-4DCC-89C6-160B77E0674F@rtpty.com>

All the more reason for us to take a peek at his Amazon wishlist and get him a DVD or two. That way we can try and keep him at home for a couple of hours at a time, instead of coding! :D

http://www.amazon.co.uk/gp/registry/1W99HT2WWW5PB

On Sep 21, 2009, at 2:58 PM, Scott Silva wrote:

> Glad to hear that it isn't tearing you down as bad as the last few
> years had
> done. Stay healthy and out of the hospital!

From c.granisso at dnshosting.it Tue Sep 22 09:18:33 2009
From: c.granisso at dnshosting.it (Carlo Granisso)
Date: Tue Sep 22 09:18:32 2009
Subject: spam score
Message-ID: <200909220818.n8M8IORW028823@safir.blacknight.ie>

Hello, I've found difference from MailScanner.conf and DB entry for spam score: in conf file spam value is float, into DB is an integer.

Why this difference? If I create user I can't use float number (e.g. 4.50)?

Thanks for your help.

Carlo

From Phil.Udel at SalemCorp.com Tue Sep 22 14:15:16 2009
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Tue Sep 22 14:15:43 2009
Subject: Whitelist Issue
Message-ID:

Hi. I am running Sendmail with MailScanner 4.65.3. I use the spam.whitelist.rules table to store my entries.
Every once in a while I will get a mail that has a high SA score and should be blocked, but it is whitelisted instead.
There are no entries for the IP or the domain in the table that would allow this email to be whitelisted, but it gets whitelisted anyway.
Any ideas why?

Thanks
Phillip Udel
Senior Systems Administrator
Admin@SalemCorp.com
(800) 877-2536 Ext 212
www.Salemcorp.com

From ssilva at sgvwater.com Tue Sep 22 17:24:42 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 22 17:25:08 2009
Subject: spam score
In-Reply-To: <200909220818.n8M8IORW028823@safir.blacknight.ie>
References: <200909220818.n8M8IORW028823@safir.blacknight.ie>
Message-ID:

on 9-22-2009 1:18 AM Carlo Granisso spake the following:
> Hello, I've found difference from MailScanner.conf and DB entry for spam
> score: in conf file spam value is float, into DB is an integer.
>
> Why this difference? If I create user I can't use float number (e.g. 4.50)?
>
>
> Thanks for your help.
>
>
>
> Carlo
>
Which DB entry are you referring to? The only DBs that MailScanner uses are for caching spam messages and items that don't process on the first try.

From ssilva at sgvwater.com Tue Sep 22 17:26:17 2009
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 22 17:30:14 2009
Subject: Whitelist Issue
In-Reply-To:
References:
Message-ID:

on 9-22-2009 6:15 AM Phil Udel spake the following:
> Hi. I am running Sendmail with MailScanner 4.65.3. I use the
> spam.whitelist.rules table to store my entries.
> Every once and awhile I will get a Mail that has a high SA score and
> should be blocked but it is white listed instead.
> There are no entries for the IP or the domain in the table that would
> allow this email to be whitelisted but it gets white listed anyway.
> Any ideas Why?
>
>
Show a complete set of log entries for one of these and we will try to explain it.

From Phil.Udel at SalemCorp.com Tue Sep 22 18:06:37 2009
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Tue Sep 22 18:07:22 2009
Subject: Whitelist Issue
In-Reply-To:
References:
Message-ID: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Tuesday, September 22, 2009 12:26 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Whitelist Issue

on 9-22-2009 6:15 AM Phil Udel spake the following:
> Hi. I am running Sendmail with MailScanner 4.65.3. I use the
> spam.whitelist.rules table to store my entries.
> Every once and awhile I will get a Mail that has a high SA score and
> should be blocked but it is white listed instead.
> There are no entries for the IP or the domain in the table that would
> allow this email to be whitelisted but it gets white listed anyway.
> Any ideas Why?
>
>
>Show a complete set of log entries for one of these and we will try to explain it.

Here is the Maillog

Sep 21 10:06:35 mail MailScanner[30006]: Message n8LE6QRn025223 from 200.159.85.82 (soliditytj4@researchtalk.com) to salemcorp.com is not spam (whitelisted), SpamAssassin (not cached, score=34.648, required 2, autolearn=spam, BAYES_99 3.50, FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, HTML_MESSAGE 0.50, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 5.00, RCVD_IN_SORBS_WEB 2.00, RCVD_IN_XBL 3.03, RDNS_DYNAMIC 2.00, TVD_RCVD_IP 1.93, URIBL_BLACK 5.00, URIBL_JP_SURBL 1.50, URIBL_PH_SURBL 1.79, URIBL_WS_SURBL 1.50)
Sep 21 10:06:35 mail MailScanner[30006]: Virus and Content Scanning: Starting
Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: to=XXXXXXXXXX@Salemcorp.com, delay=00:00:55, xdelay=00:00:01, mailer=local, pri=122627, dsn=2.0.0, stat=Sent
Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: to=XXXXXXX@att.blackberry.net, delay=00:00:55, xdelay=00:00:00, mailer=esmtp, pri=122627, relay=mx04.bis.na.blackberry.com. [216.9.248.35], dsn=2.0.0, stat=Sent (ok: Message 118378703 accepted)

Neither the IP 200.159.85.82 nor the domain name researchtalk.com is in the whitelist table.

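The check below is an added example, not part of the original post or of MailScanner itself: it scans a maillog for messages that MailScanner logged as whitelisted although their SpamAssassin score reached the required threshold, and pairs each one by queue ID with its logged sender, connecting IP and sendmail recipients, since a whitelist rule can match on the recipient side as well as the sender. The first four sample lines are the ones posted above with the terminal line wraps re-joined; the last two lines, the function names and the `min_score` parameter are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# First four lines: the maillog entries posted above, terminal wraps re-joined.
# Last two lines: constructed controls using documentation addresses.
SAMPLE_LOG = """\
Sep 21 10:06:35 mail MailScanner[30006]: Message n8LE6QRn025223 from 200.159.85.82 (soliditytj4@researchtalk.com) to salemcorp.com is not spam (whitelisted), SpamAssassin (not cached, score=34.648, required 2, autolearn=spam, BAYES_99 3.50, FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, HTML_MESSAGE 0.50, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 5.00, RCVD_IN_SORBS_WEB 2.00, RCVD_IN_XBL 3.03, RDNS_DYNAMIC 2.00, TVD_RCVD_IP 1.93, URIBL_BLACK 5.00, URIBL_JP_SURBL 1.50, URIBL_PH_SURBL 1.79, URIBL_WS_SURBL 1.50)
Sep 21 10:06:35 mail MailScanner[30006]: Virus and Content Scanning: Starting
Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: to=XXXXXXXXXX@Salemcorp.com, delay=00:00:55, xdelay=00:00:01, mailer=local, pri=122627, dsn=2.0.0, stat=Sent
Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: to=XXXXXXX@att.blackberry.net, delay=00:00:55, xdelay=00:00:00, mailer=esmtp, pri=122627, relay=mx04.bis.na.blackberry.com. [216.9.248.35], dsn=2.0.0, stat=Sent (ok: Message 118378703 accepted)
Sep 21 10:08:02 mail MailScanner[30006]: Message n8LE7AAA000001 from 192.0.2.10 (alice@example.org) to salemcorp.com is not spam (whitelisted), SpamAssassin (not cached, score=0.5, required 2, HTML_MESSAGE 0.50)
Sep 21 10:09:11 mail MailScanner[30006]: Message n8LE7BBB000002 from 198.51.100.7 (bob@example.net) to salemcorp.com is spam, SpamAssassin (not cached, score=12.1, required 2, URIBL_BLACK 5.00)
"""

# MailScanner verdict line, in the shape shown in the post.
VERDICT_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<qid>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<to>\S+) is (?P<verdict>not spam|spam)"
    r"(?P<wl> \(whitelisted\))?.*?score=(?P<score>-?\d+(?:\.\d+)?), "
    r"required (?P<required>-?\d+(?:\.\d+)?)"
)
# sendmail delivery line: one or more comma-separated recipients after to=.
DELIVERY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): to=(?P<rcpts>.+?), (?:ctladdr|delay)="
)


class Finding(NamedTuple):
    qid: str
    client_ip: str
    logged_sender: str
    score: float
    required: float
    recipients: tuple


def audit_whitelisted(lines, min_score=None):
    """Return whitelisted messages whose score reached the spam threshold.

    By default the threshold is the 'required' value logged for each message;
    min_score replaces it with a fixed value.
    """
    verdicts = {}
    recipients = defaultdict(list)
    for line in lines:
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m["qid"]] = m
            continue
        m = DELIVERY_RE.search(line)
        if m:
            for addr in m["rcpts"].split(","):
                addr = addr.strip().strip("<>").lower()
                if addr and addr not in recipients[m["qid"]]:
                    recipients[m["qid"]].append(addr)

    findings = []
    for qid, m in verdicts.items():
        score, required = float(m["score"]), float(m["required"])
        threshold = required if min_score is None else min_score
        if m["wl"] and score >= threshold:
            findings.append(Finding(qid, m["ip"], m["sender"], score, required,
                                    tuple(recipients.get(qid, ()))))
    return findings


def recipient_domains(findings):
    """Count recipient domains across findings: candidates to search for in
    To: and FromOrTo: lines of the whitelist ruleset."""
    counts = Counter()
    for f in findings:
        counts.update({addr.rsplit("@", 1)[-1] for addr in f.recipients})
    return counts


if __name__ == "__main__":
    hits = audit_whitelisted(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.qid}: score {f.score} (required {f.required}) but whitelisted; "
              f"sender {f.logged_sender} [{f.client_ip}] -> {', '.join(f.recipients)}")
    print(dict(recipient_domains(hits)))
```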
From MailScanner at ecs.soton.ac.uk Tue Sep 22 20:02:59 2009 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Tue Sep 22 20:03:23 2009 Subject: Whitelist Issue In-Reply-To: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com> References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com> <4AB91F63.1020904@ecs.soton.ac.uk> Message-ID: Looks like it is exceeding the "High SpamAssassin Score" and therefore getting handled by the "High-Scoring Spam Actions" instead of the "Spam Actions". There are by default 3 states a message can get into: normal, spam and "high-spam". Check the path through your config actions for high-scoring spam messages. On 22/09/2009 18:06, Phil Udel wrote: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva > Sent: Tuesday, September 22, 2009 12:26 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelist Issue > > on 9-22-2009 6:15 AM Phil Udel spake the following: > >> Hi. I am running Sendmail with MailScanner 4.65.3. I use the >> spam.whitelist.rules table to store my entries. >> Every once and awhile I will get a Mail that has a high SA score and >> should be blocked but it is white listed instead. >> There are no entries for the IP or the domain in the table that would >> allow this email to be whitelisted but it gets white listed anyway. >> Any ideas Why? >> >> >> Show a complete set of log entries for one of these and we will try to >> > explain it. > > Here is the Maillog > Sep 21 10:06:35 mail MailScanner[30006]: Message n8LE6QRn025223 from > 200.159.85. > 82 (soliditytj4@researchtalk.com) to salemcorp.com is not spam > (whitelisted), Sp > amAssassin (not cached, score=34.648, required 2, autolearn=spam, BAYES_99 > 3.50, > FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, HTML_MESSAGE 0.50, > RAZOR2_C > F_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, > RCVD_IN_ > BL_SPAMCOP_NET 5.00, RCVD_IN_SORBS_WEB 2.00, RCVD_IN_XBL 3.03, RDNS_DYNAMIC > 2.00 > , TVD_RCVD_IP 1.93, URIBL_BLACK 5.00, URIBL_JP_SURBL 1.50, URIBL_PH_SURBL > 1.79, > URIBL_WS_SURBL 1.50) > Sep 21 10:06:35 mail MailScanner[30006]: Virus and Content Scanning: > Starting > Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXXXXX@Salemcorp.com, > delay=00:00:55, xdelay=00:00:01, mailer=local, pri=122627, dsn=2.0.0, > stat=Sent > Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXX@att.blackberr > y.net, delay=00:00:55, xdelay=00:00:00, mailer=esmtp, pri=122627, > relay=mx04.bis > .na.blackberry.com. 
[216.9.248.35], dsn=2.0.0, stat=Sent (ok: Message > 118378703 > accepted) > > Neather the IP 200.159.85.82 or Domain name researchtalk.com are in the > whitelist table. > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Phil.Udel at SalemCorp.com Tue Sep 22 20:20:42 2009 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Tue Sep 22 20:21:49 2009 Subject: Whitelist Issue In-Reply-To: References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com><4AB91F63.1020904@ecs.soton.ac.uk> Message-ID: Well... That's my point. It should have been handled by the "High-Scoring Spam Actions" but is was not, it was whitelisted instead. If I can get the downtime ,I think I will get current this weekend, and see if that fixs the problem. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field Sent: Tuesday, September 22, 2009 3:03 PM To: MailScanner discussion Subject: Re: Whitelist Issue Looks like it is exceeding the "High SpamAssassin Score" and therefore getting handled by the "High-Scoring Spam Actions" instead of the "Spam Actions". There are by default 3 states a message can get into: normal, spam and "high-spam". Check the path through your config actions for high-scoring spam messages. On 22/09/2009 18:06, Phil Udel wrote: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott > Silva > Sent: Tuesday, September 22, 2009 12:26 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelist Issue > > on 9-22-2009 6:15 AM Phil Udel spake the following: > >> Hi. I am running Sendmail with MailScanner 4.65.3. I use the >> spam.whitelist.rules table to store my entries. >> Every once and awhile I will get a Mail that has a high SA score and >> should be blocked but it is white listed instead. >> There are no entries for the IP or the domain in the table that would >> allow this email to be whitelisted but it gets white listed anyway. >> Any ideas Why? >> >> >> Show a complete set of log entries for one of these and we will try >> to >> > explain it. > > Here is the Maillog > Sep 21 10:06:35 mail MailScanner[30006]: Message n8LE6QRn025223 from > 200.159.85. > 82 (soliditytj4@researchtalk.com) to salemcorp.com is not spam > (whitelisted), Sp amAssassin (not cached, score=34.648, required 2, > autolearn=spam, BAYES_99 3.50, > FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, HTML_MESSAGE > 0.50, RAZOR2_C F_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, > RAZOR2_CHECK 0.50, RCVD_IN_ BL_SPAMCOP_NET 5.00, RCVD_IN_SORBS_WEB > 2.00, RCVD_IN_XBL 3.03, RDNS_DYNAMIC 2.00 , TVD_RCVD_IP 1.93, > URIBL_BLACK 5.00, URIBL_JP_SURBL 1.50, URIBL_PH_SURBL 1.79, > URIBL_WS_SURBL 1.50) Sep 21 10:06:35 mail MailScanner[30006]: Virus > and Content Scanning: > Starting > Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXXXXX@Salemcorp.com, > delay=00:00:55, xdelay=00:00:01, mailer=local, pri=122627, > dsn=2.0.0, stat=Sent Sep 21 10:07:23 mail sendmail[25485]: > n8LE6QRn025223: > to=XXXXXXX@att.blackberr > y.net, delay=00:00:55, xdelay=00:00:00, mailer=esmtp, pri=122627, > relay=mx04.bis .na.blackberry.com. 
[216.9.248.35], dsn=2.0.0,
> stat=Sent (ok: Message
> 118378703
> accepted)
>
> Neather the IP 200.159.85.82 or Domain name researchtalk.com are in
> the whitelist table.
>
>
>

Jules

From steve.freegard at fsl.com Tue Sep 22 21:52:02 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 22 21:52:13 2009
Subject: Whitelist Issue
In-Reply-To:
References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com><4AB91F63.1020904@ecs.soton.ac.uk>
Message-ID: <4AB938F2.9030601@fsl.com>

Phil Udel wrote:
> Well... That's my point. It should have been handled by the "High-Scoring
> Spam Actions" but is was not, it was whitelisted instead.

My bet would be you have put something like this in the whitelist:

FromOrTo: att.blackberry.net OK

or

FromOrTo: xxxx@salemcorp.net OK

Remember - if you have multiple recipients in a message and one of them whitelists; then MailScanner will whitelist for all. That, and you need to be very specific with white/black entries - FromOrTo: for a recipient address or domain should be considered dangerous....

Regards,
Steve.

From ssilva at sgvwater.com Tue Sep 22 21:54:44 2009
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Sep 22 21:55:34 2009 Subject: Whitelist Issue In-Reply-To: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com> References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com> Message-ID: on 9-22-2009 10:06 AM Phil Udel spake the following: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva > Sent: Tuesday, September 22, 2009 12:26 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelist Issue > > on 9-22-2009 6:15 AM Phil Udel spake the following: >> Hi. I am running Sendmail with MailScanner 4.65.3. I use the >> spam.whitelist.rules table to store my entries. >> Every once and awhile I will get a Mail that has a high SA score and >> should be blocked but it is white listed instead. >> There are no entries for the IP or the domain in the table that would >> allow this email to be whitelisted but it gets white listed anyway. >> Any ideas Why? >> >> >> Show a complete set of log entries for one of these and we will try to > explain it. > > Here is the Maillog > Sep 21 10:06:35 mail MailScanner[30006]: Message n8LE6QRn025223 from > 200.159.85. > 82 (soliditytj4@researchtalk.com) to salemcorp.com is not spam > (whitelisted), Sp > amAssassin (not cached, score=34.648, required 2, autolearn=spam, BAYES_99 > 3.50, > FH_HELO_EQ_D_D_D_D 0.00, HELO_DYNAMIC_IPADDR2 4.39, HTML_MESSAGE 0.50, > RAZOR2_C > F_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, > RCVD_IN_ > BL_SPAMCOP_NET 5.00, RCVD_IN_SORBS_WEB 2.00, RCVD_IN_XBL 3.03, RDNS_DYNAMIC > 2.00 > , TVD_RCVD_IP 1.93, URIBL_BLACK 5.00, URIBL_JP_SURBL 1.50, URIBL_PH_SURBL > 1.79, > URIBL_WS_SURBL 1.50) > Sep 21 10:06:35 mail MailScanner[30006]: Virus and Content Scanning: > Starting > Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXXXXX@Salemcorp.com, > delay=00:00:55, xdelay=00:00:01, mailer=local, pri=122627, dsn=2.0.0, > stat=Sent > Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXX@att.blackberr > y.net, delay=00:00:55, xdelay=00:00:00, mailer=esmtp, pri=122627, > relay=mx04.bis > .na.blackberry.com. 
[216.9.248.35], dsn=2.0.0, stat=Sent (ok: Message
> 118378703
> accepted)
>
> Neather the IP 200.159.85.82 or Domain name researchtalk.com are in the
> whitelist table.
>
>
>
Do you have the spamassassin auto whitelist on?

From DawsonA at chesterfield.ac.uk Wed Sep 23 09:45:43 2009
From: DawsonA at chesterfield.ac.uk (Dawson, Alan)
Date: Wed Sep 23 09:46:55 2009
Subject: Make changes to message body
Message-ID:

hi..

Is it possible to make changes to the message body using MailScanner?

For instance something like

s/" Banned Word or Phrase "/" [Content removed] "/g

in the message body for example

Thanks in advance
--
Alan Dawson

From Phil.Udel at SalemCorp.com Wed Sep 23 14:14:18 2009
From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Wed Sep 23 14:14:56 2009 Subject: Whitelist Issue In-Reply-To: <4AB938F2.9030601@fsl.com> References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com><4AB91F63.1020904@ecs.soton.ac.uk> <4AB938F2.9030601@fsl.com> Message-ID: <5A0E4BED31C34A78BA16028EA0F2FCBD@salemcorp.com> Phil Udel wrote: > Well... That's my point. It should have been handled by the > "High-Scoring Spam Actions" but is was not, it was whitelisted instead. >My bet would be you have put something like this in the whitelist: >FromOrTo: att.blackberry.net OK >or >FromOrTo: xxxx@salemcorp.net OK >Remember - if you have multiple recipients in a message and one of them whitelists; then MailScanner will whitelist >for all. That, and you need to be very specific with white/black entries - FromOrTo: for a recipient address or >>>domain should be considered dangerous.... Ya. I thought the same thing. I have no FromOrTo Only From's. I checked again today and found another. BTW I XXX out the Names Return-Path: < g> Received: from 200-49-7-146.static.impsat.net.ar (200-49-7-146.static.impsat.net.ar [200.49.7.146] (may be forged)) by mail.salemcorp.com (8.13.8/8.13.8) with ESMTP id n8MKV2Ci006602 for ; Tue, 22 Sep 2009 16:31:03 -0400 Received: from 200.49.7.146 by ASPMX.L.GOOGLE.com; Tue, 22 Sep 2009 17:29:09 -0300 Message-ID: <000d01ca3bc3$56fa0d90$6400a8c0@caviledb> 
From: "Roxie Yang" To: Subject: Cheap designer watches have appeared on the market. Date: Tue, 22 Sep 2009 17:29:09 -0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CA3BC3.56FA0D90" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Spam: N Action(s): deliver, header, "X-SalemCorp-Spam-Status:, No" High Scoring Spam: N SpamAssassin Spam: N Listed in RBL: N Spam Whitelisted: Y Spam Blacklisted: N SpamAssassin Autolearn: Y (spam) SpamAssassin Score: 22.86 Neither the Domain or the IP are in the Whitelist. I should say that this happens maybe once out of every 500 correct whitelisting's and it seems to be the same Domains but different IP's. I can make my WL Available but not on a Open List. And it From Phil.Udel at SalemCorp.com Wed Sep 23 14:18:51 2009 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Wed Sep 23 14:19:58 2009 Subject: Whitelist Issue In-Reply-To: References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com> Message-ID: <403EF7B994B64048A9AFC47C2428316A@salemcorp.com> >-----Original Message----- >From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>Scott Silva >Sent: Tuesday, September 22, 2009 4:55 PM >To: mailscanner@lists.mailscanner.info >Subject: Re: Whitelist Issue > >on 9-22-2009 10:06 AM Phil Udel spake the following: > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott > Silva > Sent: Tuesday, September 22, 2009 12:26 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelist Issue > > on 9-22-2009 6:15 AM Phil Udel spake the following: >> Hi. I am running Sendmail with MailScanner 4.65.3. I use the >> spam.whitelist.rules table to store my entries. >> Every once and awhile I will get a Mail that has a high SA score and >> should be blocked but it is white listed instead. >> There are no entries for the IP or the domain in the table that would >> allow this email to be whitelisted but it gets white listed anyway. >> Any ideas Why? >> >> >> Show a complete set of log entries for one of these and we will try >> to > explain it. > > Here is the Maillog > Sep 21 10:06:35 mail MailScanner[30006]: Message n8LE6QRn025223 from > 200.159.85. > 82 (soliditytj4@researchtalk.com) to salemcorp.com is not spam > (whitelisted), Sp amAssassin (not cached, score=34.648, required 2, > autolearn=spam, BAYES_99 3.50, FH_HELO_EQ_D_D_D_D 0.00, > HELO_DYNAMIC_IPADDR2 4.39, HTML_MESSAGE 0.50, RAZOR2_C F_RANGE_51_100 > 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_ > BL_SPAMCOP_NET 5.00, RCVD_IN_SORBS_WEB 2.00, RCVD_IN_XBL 3.03, > RDNS_DYNAMIC 2.00 , TVD_RCVD_IP 1.93, URIBL_BLACK 5.00, URIBL_JP_SURBL > 1.50, URIBL_PH_SURBL 1.79, URIBL_WS_SURBL 1.50) Sep 21 10:06:35 mail > MailScanner[30006]: Virus and Content Scanning: > Starting > Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXXXXX@Salemcorp.com, > delay=00:00:55, xdelay=00:00:01, mailer=local, pri=122627, dsn=2.0.0, > stat=Sent Sep 21 10:07:23 mail sendmail[25485]: n8LE6QRn025223: > to=XXXXXXX@att.blackberr > y.net, delay=00:00:55, xdelay=00:00:00, mailer=esmtp, pri=122627, > relay=mx04.bis .na.blackberry.com. 
[216.9.248.35], dsn=2.0.0,
> stat=Sent (ok: Message
> 118378703
> accepted)
>
> Neather the IP 200.159.85.82 or Domain name researchtalk.com are in
> the whitelist table.
>
>
>
>Do you have the spamassassin auto whitelist on?

Yes

From mark at msapiro.net Wed Sep 23 16:09:55 2009
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Sep 23 16:10:06 2009
Subject: Whitelist Issue
In-Reply-To: <5A0E4BED31C34A78BA16028EA0F2FCBD@salemcorp.com>
Message-ID:

Phil Udel wrote:
>
>Ya. I thought the same thing. I have no FromOrTo Only From's. I checked
>again today and found another.
>BTW I XXX out the Names
>
>Return-Path: < g>
>Received: from 200-49-7-146.static.impsat.net.ar
>(200-49-7-146.static.impsat.net.ar [200.49.7.146] (may be forged))
> by mail.salemcorp.com (8.13.8/8.13.8) with ESMTP id n8MKV2Ci006602
> for ; Tue, 22 Sep 2009 16:31:03 -0400
>Received: from 200.49.7.146 by ASPMX.L.GOOGLE.com; Tue, 22 Sep 2009 17:29:09
>-0300
>Message-ID: <000d01ca3bc3$56fa0d90$6400a8c0@caviledb>
>From: "Roxie Yang"
>To:
>Subject: Cheap designer watches have appeared on the market.
>Date: Tue, 22 Sep 2009 17:29:09 -0300
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0007_01CA3BC3.56FA0D90"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>
>Spam: N Action(s): deliver, header, "X-SalemCorp-Spam-Status:, No"
>High Scoring Spam: N
>SpamAssassin Spam: N
>Listed in RBL: N
>Spam Whitelisted: Y
>Spam Blacklisted: N
>SpamAssassin Autolearn: Y (spam)
>SpamAssassin Score: 22.86
>
>Neither the Domain or the IP are in the Whitelist.

What domain? MailScanner is looking at the envelope from which appears to be " g" according to the Return-Path: header in the above.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From steve.freegard at fsl.com Wed Sep 23 19:07:33 2009
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Sep 23 19:07:43 2009 Subject: Whitelist Issue In-Reply-To: <5A0E4BED31C34A78BA16028EA0F2FCBD@salemcorp.com> References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com><4AB91F63.1020904@ecs.soton.ac.uk> <4AB938F2.9030601@fsl.com> <5A0E4BED31C34A78BA16028EA0F2FCBD@salemcorp.com> Message-ID: <4ABA63E5.4080105@fsl.com> Phil Udel wrote: > > Neither the Domain or the IP are in the Whitelist. I should say that this > happens maybe once out of every 500 correct whitelisting's and it seems to > be the same Domains but different IP's. I can make my WL Available but not > on a Open List. As you are running MailWatch; what does it show under the 'From Address' section and send me your whitelist off-list and I'll take a quick peek at it to see if I can see anything obvious. Regards, Steve. From easontho at stu.armstrong.edu Wed Sep 23 19:52:47 2009 
From: easontho at stu.armstrong.edu (Thomas Eason)
Date: Wed Sep 23 19:52:58 2009
Subject: Running two instances of mailscanner on the same machine
In-Reply-To: <223f97700909211139y59082236u69c4e6258efbbfa3@mail.gmail.com>
References: <4a5812c60909210724x1d99dedcm6830c92ba0864c94@mail.gmail.com> <223f97700909211139y59082236u69c4e6258efbbfa3@mail.gmail.com>
Message-ID: <4a5812c60909231152m40d0c55ek24e4d1d5af2a3675@mail.gmail.com>

Glen, thank you. I hadn't thought about resubmitting it on the loopback address. That way I don't have to keep two config files for mailscanner. Right now I am storing the quarantine as an exim spool file. Does it seem reasonable to just set up a minimal exim config file to resubmit the quarantine file on localhost or is there a better way of doing that too?

On Mon, Sep 21, 2009 at 2:39 PM, Glenn Steen wrote:
> 2009/9/21 Thomas Eason :
> > I want to resubmit some messages back into the queue to be scanned by
> > mailscanner with some different options
> > (allowed filetypes). If I just change the pid file and the working
> > directory is that enough to make it work?
> >
> > I have such a system running, but I was wondering if I might encounter
> > issues with the two separate
> > mailscanner instances fighting.
> >
> > Thanks,
> > Andrew
> >
> Why would you need it? I imagine most of the rest of us get by with a
> simple ruleset, using a different set of files for filename/filetype
> rules for the loopback address (127.0.0.1)... Might be usable for you
> too?
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From micoots at yahoo.com Thu Sep 24 09:08:50 2009
From: micoots at yahoo.com (Michael Mansour)
Date: Thu Sep 24 09:09:00 2009
Subject: Examples of SpamAssassin Rule Actions
Message-ID: <373427.16968.qm@web33301.mail.mud.yahoo.com>

Hi,

I have a requirement to consider spam which scores under the high scoring spam threshold for an individual, to be consider that message high scoring spam.

I have looked at the "SpamAssassin Rule Actions" setting and there's examples of:

"
# You can also trigger actions on the spam score of the message. You can
# compare the spam score with a number and cause this to trigger an action.
# For example, instead of a SA_RULENAME you can specify
# SpamScore>number or SpamScore>=number or SpamScore==number or
# SpamScore
# where "number" is the threshold value you are comparing it against.
# So you could have a rule/action pair that looks like
# SpamScore>25=>delete
# This would cause all messages with a total spam score of more than 25 to be
# deleted. You can use this to implement multiple levels of spam actions in
# addition to the normal spam actions and the high-scoring spam actions.
#
# Combining this with a ruleset makes it even more powerful, as different
# recipients and/or senders can have different sets of rules applied to them.
"

But no example of how to actually say:

"if SpamScore>9=>quarantine for To address of blah@blah.com"

Is there more details I can find anywhere on the wiki or anywhere else on how I can setup the above?

Thanks.

Michael.

From MailScanner at ecs.soton.ac.uk Thu Sep 24 09:23:09 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 24 09:23:32 2009
Subject: Examples of SpamAssassin Rule Actions
In-Reply-To: <373427.16968.qm@web33301.mail.mud.yahoo.com>
References: <373427.16968.qm@web33301.mail.mud.yahoo.com> <4ABB2C6D.3040309@ecs.soton.ac.uk>
Message-ID:

On 24/09/2009 09:08, Michael Mansour wrote:
> Hi,
>
> I have a requirement to consider spam which scores under the high scoring spam threshold for an individual, to be consider that message high scoring spam.
>
> I have looked at the "SpamAssassin Rule Actions" setting and there's examples of:
>
> "
> # You can also trigger actions on the spam score of the message. You can
> # compare the spam score with a number and cause this to trigger an action.
> # For example, instead of a SA_RULENAME you can specify
> # SpamScore>number or SpamScore>=number or SpamScore==number or
> # SpamScore
> # where "number" is the threshold value you are comparing it against.
> # So you could have a rule/action pair that looks like
> # SpamScore>25=>delete
> # This would cause all messages with a total spam score of more than 25 to be
> # deleted. You can use this to implement multiple levels of spam actions in
> # addition to the normal spam actions and the high-scoring spam actions.
> #
> # Combining this with a ruleset makes it even more powerful, as different
> # recipients and/or senders can have different sets of rules applied to them.
> "
>
> But no example of how to actually say:
>
> "if SpamScore>9=>quarantine for To address of blah@blah.com"
>
> Is there more details I can find anywhere on the wiki or anywhere else on how I can setup the above?
>
You first need a ruleset to apply the action to just blah@blah.com. So set

SpamAssassin Rule Actions = %rules-dir%/spam.rule.actions.rules

Then in /etc/MailScanner/rules/spam.rule.actions.rules put this

To: blah@blah.com SpamScore>9=>store,not-deliver
FromOrTo: default deliver

That should do the trick. Do you understand it?

Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From micoots at yahoo.com Thu Sep 24 09:55:14 2009 From: micoots at yahoo.com (Michael Mansour) Date: Thu Sep 24 09:55:24 2009 Subject: Examples of SpamAssassin Rule Actions Message-ID: <190307.70549.qm@web33308.mail.mud.yahoo.com> Hi Julian, --- On Thu, 24/9/09, Julian Field wrote: 
> From: Julian Field > Subject: Re: Examples of SpamAssassin Rule Actions > To: "MailScanner discussion" > Received: Thursday, 24 September, 2009, 6:23 PM > > > On 24/09/2009 09:08, Michael Mansour wrote: > > Hi, > > > > I have a requirement to consider spam which scores > under the high scoring spam threshold for an individual, to > be consider that message high scoring spam. > > > > I have looked at the "SpamAssassin Rule Actions" > setting and there's examples of: > > > > " > > # You can also trigger actions on the spam score of > the message. You can > > # compare the spam score with a number and cause this > to trigger an action. > > # For example, instead of a SA_RULENAME you can > specify > > # SpamScore>number or SpamScore>=number or > SpamScore==number or > > # SpamScore > # where "number" is the threshold value you are > comparing it against. > > # So you could have a rule/action pair that looks > like > > #? ? ? ? ? ? ? > ? ? SpamScore>25=>delete > > # This would cause all messages with a total spam > score of more than 25 to be > > # deleted. You can use this to implement multiple > levels of spam actions in > > # addition to the normal spam actions and the > high-scoring spam actions. > > # > > # Combining this with a ruleset makes it even more > powerful, as different > > # recipients and/or senders can have different sets of > rules applied to them. > > " > > > > But no example of how to actually say: > > > > "if SpamScore>9=>quarantine for To address of blah@blah.com" > > > > Is there more details I can find anywhere on the wiki > or anywhere else on how I can setup the above? > >? ? > You first need a ruleset to apply the action to just blah@blah.com. So > set > SpamAssassin Rule Actions = > %rules-dir%/spam.rule.actions.rules > > Then in /etc/MailScanner/rules/spam.rule.actions.rules put > this > > To: blah@blah.com > SpamScore>9=>store,not-deliver > FromOrTo: default deliver > > That should do the trick. Do you understand it? 
Yes that's perfect thanks. I have this now as: JKF_ANTI_PHISH=>not-deliver,store,forward spam@example.com, header "X-Anti-Phish: Was to _TO_" To: user@example.com SpamScore>9=>store,not-deliver FromOrTo: default deliver and will monitor over the coming days but I trust it will work fine. Thanks Jules. Michael. > Jules __________________________________________________________________________________ Get more done like never before with Yahoo!7 Mail. Learn more: http://au.overview.mail.yahoo.com/ From MailScanner at ecs.soton.ac.uk Thu Sep 24 10:04:44 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 24 10:05:03 2009 Subject: Examples of SpamAssassin Rule Actions In-Reply-To: <190307.70549.qm@web33308.mail.mud.yahoo.com> References: <190307.70549.qm@web33308.mail.mud.yahoo.com> <4ABB362C.5060708@ecs.soton.ac.uk> Message-ID: On 24/09/2009 09:55, Michael Mansour wrote: > Hi Julian, > > --- On Thu, 24/9/09, Julian Field wrote: 
> > >> From: Julian Field >> Subject: Re: Examples of SpamAssassin Rule Actions >> To: "MailScanner discussion" >> Received: Thursday, 24 September, 2009, 6:23 PM >> >> >> On 24/09/2009 09:08, Michael Mansour wrote: >> >>> Hi, >>> >>> I have a requirement to consider spam which scores >>> >> under the high scoring spam threshold for an individual, to >> be consider that message high scoring spam. >> >>> I have looked at the "SpamAssassin Rule Actions" >>> >> setting and there's examples of: >> >>> " >>> # You can also trigger actions on the spam score of >>> >> the message. You can >> >>> # compare the spam score with a number and cause this >>> >> to trigger an action. >> >>> # For example, instead of a SA_RULENAME you can >>> >> specify >> >>> # SpamScore>number or SpamScore>=number or >>> >> SpamScore==number or >> >>> # SpamScore>> # where "number" is the threshold value you are >>> >> comparing it against. >> >>> # So you could have a rule/action pair that looks >>> >> like >> >>> # >>> >> SpamScore>25=>delete >> >>> # This would cause all messages with a total spam >>> >> score of more than 25 to be >> >>> # deleted. You can use this to implement multiple >>> >> levels of spam actions in >> >>> # addition to the normal spam actions and the >>> >> high-scoring spam actions. >> >>> # >>> # Combining this with a ruleset makes it even more >>> >> powerful, as different >> >>> # recipients and/or senders can have different sets of >>> >> rules applied to them. >> >>> " >>> >>> But no example of how to actually say: >>> >>> "if SpamScore>9=>quarantine for To address of blah@blah.com" >>> >>> Is there more details I can find anywhere on the wiki >>> >> or anywhere else on how I can setup the above? >> >>> >>> >> You first need a ruleset to apply the action to just blah@blah.com. 
So
>> set
>> SpamAssassin Rule Actions =
>> %rules-dir%/spam.rule.actions.rules
>>
>> Then in /etc/MailScanner/rules/spam.rule.actions.rules put
>> this
>>
>> To: blah@blah.com
>> SpamScore>9=>store,not-deliver
>> FromOrTo: default deliver
>>
>> That should do the trick. Do you understand it?
>>
> Yes that's perfect thanks. I have this now as:
>
> JKF_ANTI_PHISH=>not-deliver,store,forward spam@example.com, header "X-Anti-Phish: Was to _TO_"
>

If that is in a ruleset, it's missing the "direction" and "address-pattern" words at the start of the line, so won't work.

> To: user@example.com SpamScore>9=>store,not-deliver
> FromOrTo: default deliver
>
> and will monitor over the coming days but I trust it will work fine.
>
> Thanks Jules.
>
> Michael.
>
>
>> Jules
>>
>
>
> __________________________________________________________________________________
> Get more done like never before with Yahoo!7 Mail.
> Learn more: http://au.overview.mail.yahoo.com/
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From pedro.arinto at gmail.com Thu Sep 24 12:46:48 2009
From: pedro.arinto at gmail.com (Pedro Arinto) Date: Thu Sep 24 12:47:17 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> Message-ID: Hi Alex, Unfortunately, since I work in Portugal, it is impossible to avoid using non-English characters in filenames. Even if I could somehow tell our users to avoid international characters, i cannot control everyone who sends us email. All platforms I've tested (Mac, Windows & Linux) see the same messed up filenames in the zip file. The difference is that in Windows, with most unzip packages (like 7-zip), there is an error when unzipping the file. In Mac, Linux & Windows with Winzip, the unzip operation is successful, but the filenames are garbled. This wouldn't be a big problem if the file extension remained the same as the original file, but it also gets messed up. Since most of our users are non-technical, this is a big problem for them. Can the zip feature be enabled selectively with a ruleset ? This would partially solve our problems, but as far as I can tell it is a system-wide setting. Thanks, Pedro On Mon, Sep 21, 2009 at 4:07 PM, Alex Neuman wrote: > I don't know how to fix it, but here's a couple of thoughts: > > 1. Can you avoid using filenames with non-english characters? It's less > likely users will have problems that way - specially when going > cross-platform. > 2. Are you sure the filenames are messed up? Do all platforms (linux, mac, > unix) find the same, apparently corrupted filenames? How about all unzip > programs for Windows? Could be that the unzipping program is not UTF aware > or something like that. > 3. (and this is a question for Jules & the Gang) - what does MailScanner > use for ZIPping? is it some Archive::Zip module call? Can it be changed > (although it may impose a further performance penalty) to an external "zip" > program? Something like the internal vs. 
external TNEF issue? > > > > On Sep 21, 2009, at 9:49 AM, Pedro Arinto wrote: > > the filenames get messed up in the resulting ZIP file. Windows users are >> unable to uncompress this files >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090924/2db69ee8/attachment.html From ajayshikhare at gmail.com Thu Sep 24 12:51:39 2009 From: ajayshikhare at gmail.com (Ajay Shikhare) Date: Thu Sep 24 12:51:49 2009 Subject: Attachment size rule Message-ID: <563c31b50909240451i2cebc725vfa4aae2223cccf8f@mail.gmail.com> Hi People, I just want to reject all the message with attachments, as well as allow meeting invites. I researched and found that the meeting acceptance or invitation goes in winmail.dat ( Not Sure). I have already tries making rules with filename and filetype but no help. I even tried unparsing winmail.dat from mailscanner directive. I am stuck with this!!, your help is appreciated. Thanks in advance Aj -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090924/7b4c824e/attachment.html From Phil.Udel at SalemCorp.com Thu Sep 24 14:14:39 2009 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Thu Sep 24 14:15:44 2009 Subject: Whitelist Issue In-Reply-To: <4ABA63E5.4080105@fsl.com> References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com><4AB91F63.1020904@ecs.soton.ac.uk> <4AB938F2.9030601@fsl.com><5A0E4BED31C34A78BA16028EA0F2FCBD@salemcorp.com> <4ABA63E5.4080105@fsl.com> Message-ID: -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: Wednesday, September 23, 2009 2:08 PM To: MailScanner discussion Subject: Re: Whitelist Issue Phil Udel wrote: > > Neither the Domain or the IP are in the Whitelist. I should say that > this happens maybe once out of every 500 correct whitelisting's and it > seems to be the same Domains but different IP's. I can make my WL > Available but not on a Open List. >>As you are running MailWatch; what does it show under the 'From Address' >.section and send me your whitelist off-list and I'll take a quick peek at it to see if I can see anything obvious. The From Address is From: soliditytj4@researchtalk.com and the IP is 200.159.85.82. Thanks for the Help Steve. What is your Email? From steve.freegard at fsl.com Thu Sep 24 15:03:38 2009 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Sep 24 15:03:53 2009 Subject: Whitelist Issue In-Reply-To: References: <42F1CAC77E354363B600FEA01FE016D7@salemcorp.com><4AB91F63.1020904@ecs.soton.ac.uk> <4AB938F2.9030601@fsl.com><5A0E4BED31C34A78BA16028EA0F2FCBD@salemcorp.com> <4ABA63E5.4080105@fsl.com> Message-ID: <4ABB7C3A.6040205@fsl.com> Phil Udel wrote: > > The From Address is From: soliditytj4@researchtalk.com and the IP is > 200.159.85.82. > Thanks for the Help Steve. What is your Email? > steve.freegard@fsl.com From MailScanner at ecs.soton.ac.uk Thu Sep 24 15:47:55 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 24 15:48:13 2009
Subject: Attachment size rule
In-Reply-To: <563c31b50909240451i2cebc725vfa4aae2223cccf8f@mail.gmail.com>
References: <563c31b50909240451i2cebc725vfa4aae2223cccf8f@mail.gmail.com> <4ABB869B.4080603@ecs.soton.ac.uk>
Message-ID:

MailScanner will unpack the TNEF (winmail.dat) file for you. So you shouldn't have to worry about that. You should be able to allow the filetype or filename that includes the meeting invitation while banning everything else.

Filename.rules.conf or filetype.rules.conf should do that for you, but keep an eye on the "Archives: Filename Rules" and associated options, as it may be considering the TNEF files as members of an archive, at which point the archive filename rules and archive filetype rules will apply, not the normal ones that apply to direct attachments.

On 24/09/2009 12:51, Ajay Shikhare wrote:
> Hi People,
>
> I just want to reject all the message with attachments, as well as
> allow meeting invites. I researched and found that the meeting
> acceptance or invitation goes in winmail.dat ( Not Sure).
>
> I have already tries making rules with filename and filetype but no
> help. I even tried unparsing winmail.dat from mailscanner directive.
>
> I am stuck with this!!, your help is appreciated.
>
> Thanks in advance
> Aj

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Sep 24 15:49:13 2009
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 24 15:49:31 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> Message-ID: Why did you think the "Zip Attachments" feature is a system-wide setting. The line above the setting clearly says: # This can also be the filename of a ruleset. I will take a look at the filenames problem, but no guarantees I can fix it easily. On 24/09/2009 12:46, Pedro Arinto wrote: > Hi Alex, > > Unfortunately, since I work in Portugal, it is impossible to avoid > using non-English characters in filenames. Even if I could somehow > tell our users to avoid international characters, i cannot control > everyone who sends us email. > All platforms I've tested (Mac, Windows & Linux) see the same messed > up filenames in the zip file. The difference is that in Windows, with > most unzip packages (like 7-zip), there is an error when unzipping the > file. In Mac, Linux & Windows with Winzip, the unzip operation is > successful, but the filenames are garbled. This wouldn't be a big > problem if the file extension remained the same as the original file, > but it also gets messed up. Since most of our users are non-technical, > this is a big problem for them. > > Can the zip feature be enabled selectively with a ruleset ? This would > partially solve our problems, but as far as I can tell it is a > system-wide setting. > > Thanks, > > Pedro > > > On Mon, Sep 21, 2009 at 4:07 PM, Alex Neuman > wrote: > > I don't know how to fix it, but here's a couple of thoughts: > > 1. Can you avoid using filenames with non-english characters? It's > less likely users will have problems that way - specially when > going cross-platform. > 2. Are you sure the filenames are messed up? Do all platforms > (linux, mac, unix) find the same, apparently corrupted filenames? > How about all unzip programs for Windows? 
Could be that the > unzipping program is not UTF aware or something like that. > 3. (and this is a question for Jules & the Gang) - what does > MailScanner use for ZIPping? is it some Archive::Zip module call? > Can it be changed (although it may impose a further performance > penalty) to an external "zip" program? Something like the internal > vs. external TNEF issue? > > > > On Sep 21, 2009, at 9:49 AM, Pedro Arinto wrote: > > the filenames get messed up in the resulting ZIP file. Windows > users are unable to uncompress this files > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Sep 24 16:52:53 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Sep 24 16:53:19 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> Message-ID: Please try out 4.78.16 which is available for download at www.mailscanner.info. Hopefully the handling of Unicode and foreign characters sets in attachment filenames will be a lot better than it was. Please let me know what you think. I am now approaching a stable release, so please report any and all bugs as soon as you can. Thanks folks! Jules. On 24/09/2009 15:49, Julian Field wrote: > Why did you think the "Zip Attachments" feature is a system-wide > setting. The line above the setting clearly says: > # This can also be the filename of a ruleset. > > I will take a look at the filenames problem, but no guarantees I can > fix it easily. > > On 24/09/2009 12:46, Pedro Arinto wrote: >> Hi Alex, >> >> Unfortunately, since I work in Portugal, it is impossible to avoid >> using non-English characters in filenames. Even if I could somehow >> tell our users to avoid international characters, i cannot control >> everyone who sends us email. >> All platforms I've tested (Mac, Windows & Linux) see the same messed >> up filenames in the zip file. The difference is that in Windows, with >> most unzip packages (like 7-zip), there is an error when unzipping >> the file. In Mac, Linux & Windows with Winzip, the unzip operation is >> successful, but the filenames are garbled. This wouldn't be a big >> problem if the file extension remained the same as the original file, >> but it also gets messed up. Since most of our users are >> non-technical, this is a big problem for them. >> >> Can the zip feature be enabled selectively with a ruleset ? This >> would partially solve our problems, but as far as I can tell it is a >> system-wide setting. 
>> >> Thanks, >> >> Pedro >> >> >> On Mon, Sep 21, 2009 at 4:07 PM, Alex Neuman > > wrote: >> >> I don't know how to fix it, but here's a couple of thoughts: >> >> 1. Can you avoid using filenames with non-english characters? It's >> less likely users will have problems that way - specially when >> going cross-platform. >> 2. Are you sure the filenames are messed up? Do all platforms >> (linux, mac, unix) find the same, apparently corrupted filenames? >> How about all unzip programs for Windows? Could be that the >> unzipping program is not UTF aware or something like that. >> 3. (and this is a question for Jules & the Gang) - what does >> MailScanner use for ZIPping? is it some Archive::Zip module call? >> Can it be changed (although it may impose a further performance >> penalty) to an external "zip" program? Something like the internal >> vs. external TNEF issue? >> >> >> >> On Sep 21, 2009, at 9:49 AM, Pedro Arinto wrote: >> >> the filenames get messed up in the resulting ZIP file. Windows >> users are unable to uncompress this files >> >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > Jules > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Thu Sep 24 18:34:22 2009 
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Sep 24 18:34:37 2009
Subject: OT - TLS question
Message-ID: <4ABBAD9E.8000409@cnpapers.com>

I'm considering using TLS on our mail server. It's mostly for our roaming users, and unfortunately, our people in charge are suggesting we use our main gateway/mail store box instead of setting up a separate box for "submission".

How many of you use TLS for your general incoming mail server? The main problem I see is that most people might shy away from the initial acceptance of the certificate, and I don't think I've ever seen someone else asking me to accept theirs.

Am I missing something here?

Steve Campbell

From clacroix at cegep-ste-foy.qc.ca Thu Sep 24 18:54:05 2009
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Thu Sep 24 18:54:19 2009
Subject: OT - TLS question
In-Reply-To: <4ABBAD9E.8000409@cnpapers.com>
References: <4ABBAD9E.8000409@cnpapers.com>
Message-ID: <4ABBB23D.4020206@cegep-ste-foy.qc.ca>

Not sure if this can help you, but on my single machine email system I have MailScanner installed and postfix to listen on smtps (465) with sasl authentication. That way when an employee is outside of the college, he is forced to enter his email password before the mail is sent. This prevents the "open relay".

I also have a webmail installed in case someone wants to use it.

Steve Campbell wrote:
> I'm considering using TLS on our mail server. It's mostly for our
> roaming users, and unfortunately, our people in charge are suggesting
> we use our main gateway/mail store box instead of setting up a
> separate box for "submission".
>
> How many of you use TLS for your general incoming mail server? The
> main problem I see is that most people might shy away from the initial
> acceptance of the certificate, and I don't think I've ever seen
> someone else asking me to accept theirs.
>
> Am I missing something here?
>
> Steve Campbell
>

From campbell at cnpapers.com Thu Sep 24 19:17:38 2009
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Sep 24 19:17:59 2009 Subject: OT - TLS question In-Reply-To: <4ABBB23D.4020206@cegep-ste-foy.qc.ca> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> Message-ID: <4ABBB7C2.6080701@cnpapers.com> Charles Lacroix wrote: > > Not sure if this can help you, but on my single machine email system i > have MailScanner installed and postfix to > listen on smtps (465) with sasl authentication. That way when an > employee is outside of the college, he is forced to > enter his email password before the mail is sent. This prevents the > "open relay". > > I also have a webmail installed in case someone wants to use it. > > > Steve Campbell wrote: >> I'm considering using TLS on our mail server. It's mostly for our >> roaming users, and unfortunately, our people in charge are suggesting >> we use our main gateway/mail store box instead of setting up a >> separate box for "submission". >> >> How many of you use TLS for your general incoming mail server? The >> main problem I see is that most people might shy away from the >> initial acceptance of the certificate, and I don't think I've ever >> seen someone else asking me to accept theirs. >> >> Am I missing something here? >> >> Steve Campbell >> > Thanks Charles, I'm going to start using saslauthd on port 587. Our roaming users can use this and will have to be authenticated. No problem there. People who send mail now are not required to do this on port 25, and we accept mail freely on that port. Got a lot of stuff set up to avoid open relaying also. But as I understand it, if I install my certificate and use TLS, I can't use it on just one port (587) and everyone that sends mail will be asked to accept our certificate, regardless of which port they are sending to. This seems like a lot of useless fuss for people who are just sending mail to our users. The roamers will be able to relay through this server. 
Our users (sales staff, wouldn't you know) don't really want to use our webmail system out in the field. I kinda don't blame them as it's a little clunky. So this is just a way for them to send mail through our system and still have the benefits of MailScanner, etc.

As I think I understand this, TLS would just give us encryption as they send in their authentication credentials.

steve

From steve.freegard at fsl.com Thu Sep 24 19:20:33 2009
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Sep 24 19:20:45 2009
Subject: My Whitelist
In-Reply-To: <5453D556EFE44B4BB7DC19E39DFDE9C4@salemcorp.com>
References: <5453D556EFE44B4BB7DC19E39DFDE9C4@salemcorp.com>
Message-ID: <4ABBB871.8070504@fsl.com>

Phil Udel wrote:
> Thanks for looking at it

No problem - here's your culprit:

    From: *@*alk.com yes

You've also got several entries with multiple '@' characters too - they'll simply not match anything and you might as well nuke them.

Regards,
Steve.

From clacroix at cegep-ste-foy.qc.ca Thu Sep 24 19:26:43 2009
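The two ruleset mistakes diagnosed in this thread can be caught mechanically: Julian Field's note that a line lacking the "direction" and "address-pattern" words won't work, and Steve Freegard's finding that the entry `From: *@*alk.com yes` whitelisted a sender at researchtalk.com. The Python linter below is an added example, not MailScanner code and not something posted to the list. It assumes that `*` matches any run of characters and that the direction keywords are From, To, FromOrTo, FromAndTo and Virus; the sample rulesets are constructed around the lines quoted in the thread.

```python
import re

# Direction keywords a ruleset line may begin with. Assumed from MailScanner's
# ruleset conventions; the trailing colon is treated as optional.
DIRECTIONS = {"from", "to", "fromorto", "fromandto", "virus"}
MALFORMED = "not in 'direction address-pattern value' form"

# Constructed whitelist: only the "*@*alk.com" entry comes from the thread.
WHITELIST = '''\
# spam whitelist
From: *@example.org yes
From: *@*alk.com yes
From: user@@example.net yes
From: *@*.example.com yes
FromOrTo: default no
'''

# The rule-actions lines as posted in the thread (addresses as given there).
ACTIONS = '''\
JKF_ANTI_PHISH=>not-deliver,store,forward spam@example.com, header "X-Anti-Phish: Was to _TO_"
To: user@example.com SpamScore>9=>store,not-deliver
FromOrTo: default deliver
'''


def split_rule(line):
    """Return (direction, pattern, value), or None when the line is blank,
    a comment, or lacks the leading direction and address-pattern fields."""
    fields = line.strip().split(None, 2)
    if len(fields) == 3 and fields[0].rstrip(":").lower() in DIRECTIONS:
        return tuple(fields)
    return None


def glob_match(pattern, address):
    """Match an address against a wildcard pattern, assuming '*' stands for
    any run of characters and that matching ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def lint_line(line):
    """Return the findings for one ruleset line (empty list means clean)."""
    text = line.strip()
    if not text or text.startswith("#"):
        return []
    rule = split_rule(text)
    if rule is None:
        return [MALFORMED]
    pattern = rule[1]
    if pattern.lower() == "default" or pattern.startswith("/"):
        return []  # catch-all rule or regular expression: not checked here
    findings = []
    if pattern.count("@") > 1:
        findings.append("more than one '@': pattern can never match")
    domain = pattern.rsplit("@", 1)[-1]
    # '*alk.com' is not '*.alk.com': the wildcard swallows part of a label,
    # so every domain that merely ends in those letters is covered.
    if re.match(r"\*[^.*]", domain):
        findings.append("wildcard joined to a partial label: covers any "
                        "domain ending in %r" % domain[1:])
    return findings


def lint_ruleset(ruleset):
    """Map line number -> findings for every line that has any."""
    report = {}
    for number, line in enumerate(ruleset.splitlines(), 1):
        findings = lint_line(line)
        if findings:
            report[number] = findings
    return report


def matching_rules(ruleset, address):
    """List (line number, pattern) for each well-formed rule whose wildcard
    pattern matches the address: the search for the 'culprit' entry."""
    hits = []
    for number, line in enumerate(ruleset.splitlines(), 1):
        rule = split_rule(line)
        if rule and glob_match(rule[1], address):
            hits.append((number, rule[1]))
    return hits


if __name__ == "__main__":
    sender = "soliditytj4@researchtalk.com"  # sender address from the thread
    print("whitelist entries matching", sender, "->",
          matching_rules(WHITELIST, sender))
    for name, text in (("whitelist", WHITELIST), ("actions", ACTIONS)):
        for number, findings in lint_ruleset(text).items():
            print("%s line %d: %s" % (name, number, "; ".join(findings)))
```

Running `matching_rules` against the address that was unexpectedly whitelisted is the quickest check when a whitelist hit cannot be explained by an exact domain or IP entry.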
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Thu Sep 24 19:26:59 2009 Subject: OT - TLS question In-Reply-To: <4ABBB7C2.6080701@cnpapers.com> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> Message-ID: <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> Steve Campbell wrote: > > > Charles Lacroix wrote: >> >> Not sure if this can help you, but on my single machine email system >> i have MailScanner installed and postfix to >> listen on smtps (465) with sasl authentication. That way when an >> employee is outside of the college, he is forced to >> enter his email password before the mail is sent. This prevents the >> "open relay". >> >> I also have a webmail installed in case someone wants to use it. >> >> >> Steve Campbell wrote: >>> I'm considering using TLS on our mail server. It's mostly for our >>> roaming users, and unfortunately, our people in charge are >>> suggesting we use our main gateway/mail store box instead of setting >>> up a separate box for "submission". >>> >>> How many of you use TLS for your general incoming mail server? The >>> main problem I see is that most people might shy away from the >>> initial acceptance of the certificate, and I don't think I've ever >>> seen someone else asking me to accept theirs. >>> >>> Am I missing something here? >>> >>> Steve Campbell >>> >> > Thanks Charles, > > I'm going to start using saslauthd on port 587. Our roaming users can > use this and will have to be authenticated. No problem there. > > People who send mail now are not required to do this on port 25, and > we accept mail freely on that port. Got a lot of stuff set up to avoid > open relaying also. But as I understand it, if I install my > certificate and use TLS, I can't use it on just one port (587) and > everyone that sends mail will be asked to accept our certificate, > regardless of which port they are sending to. 
This seems like a lot of > useless fuss for people who are just sending mail to our users. The > roamers will be able to relay through this server. > > Our users (sales staff, wouldn't you know) don't really want to use > our webmail system out in the field. I kinda don't blame them as it's > a little clunky. So this is just a way for them to send mail through > our system and still have the benefits of MailScanner, etc. > > As I think I understand this, TLS would just give us encryption as > they send in their authenication credentials. > > steve > The ssl/tls layer is there to make sure passwords aren't passed in clear. But ... if you let your users pop/imap in clear, why not add smtp on 587 with sasl too and skip the TLS and self-signed certificate and the zillion of questions. It all depends on your paranoia level :) Later Charles From ka at pacific.net Thu Sep 24 19:34:17 2009 
From: ka at pacific.net (Ken A) Date: Thu Sep 24 19:35:08 2009 Subject: OT - TLS question In-Reply-To: <4ABBB7C2.6080701@cnpapers.com> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> Message-ID: <4ABBBBA9.7030108@pacific.net> Steve Campbell wrote: > > > Charles Lacroix wrote: >> >> Not sure if this can help you, but on my single machine email system i >> have MailScanner installed and postfix to >> listen on smtps (465) with sasl authentication. That way when an >> employee is outside of the college, he is forced to >> enter his email password before the mail is sent. This prevents the >> "open relay". >> >> I also have a webmail installed in case someone wants to use it. >> >> >> Steve Campbell wrote: >>> I'm considering using TLS on our mail server. It's mostly for our >>> roaming users, and unfortunately, our people in charge are suggesting >>> we use our main gateway/mail store box instead of setting up a >>> separate box for "submission". >>> >>> How many of you use TLS for your general incoming mail server? The >>> main problem I see is that most people might shy away from the >>> initial acceptance of the certificate, and I don't think I've ever >>> seen someone else asking me to accept theirs. >>> >>> Am I missing something here? >>> >>> Steve Campbell >>> >> > Thanks Charles, > > I'm going to start using saslauthd on port 587. Our roaming users can > use this and will have to be authenticated. No problem there. > > People who send mail now are not required to do this on port 25, and we > accept mail freely on that port. Got a lot of stuff set up to avoid open > relaying also. But as I understand it, if I install my certificate and > use TLS, I can't use it on just one port (587) and everyone that sends > mail will be asked to accept our certificate, regardless of which port > they are sending to. This seems like a lot of useless fuss for people > who are just sending mail to our users. 
The roamers will be able to > relay through this server. > > Our users (sales staff, wouldn't you know) don't really want to use our > webmail system out in the field. I kinda don't blame them as it's a > little clunky. So this is just a way for them to send mail through our > system and still have the benefits of MailScanner, etc. > > As I think I understand this, TLS would just give us encryption as they > send in their authenication credentials. > > steve > Signed ssl certs are cheap these days. Or you could have a separate sendmail listening on 587 (separate config file). Ken -- Ken Anderson Pacific Internet - http://www.pacific.net From campbell at cnpapers.com Thu Sep 24 19:37:39 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Sep 24 19:37:55 2009 Subject: OT - TLS question In-Reply-To: <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> Message-ID: <4ABBBC73.7030906@cnpapers.com> Charles Lacroix wrote: > Steve Campbell wrote: >> >> >> Charles Lacroix wrote: >>> >>> Not sure if this can help you, but on my single machine email system >>> i have MailScanner installed and postfix to >>> listen on smtps (465) with sasl authentication. That way when an >>> employee is outside of the college, he is forced to >>> enter his email password before the mail is sent. This prevents the >>> "open relay". >>> >>> I also have a webmail installed in case someone wants to use it. >>> >>> >>> Steve Campbell wrote: >>>> I'm considering using TLS on our mail server. It's mostly for our >>>> roaming users, and unfortunately, our people in charge are >>>> suggesting we use our main gateway/mail store box instead of >>>> setting up a separate box for "submission". >>>> >>>> How many of you use TLS for your general incoming mail server? The >>>> main problem I see is that most people might shy away from the >>>> initial acceptance of the certificate, and I don't think I've ever >>>> seen someone else asking me to accept theirs. >>>> >>>> Am I missing something here? >>>> >>>> Steve Campbell >>>> >>> >> Thanks Charles, >> >> I'm going to start using saslauthd on port 587. Our roaming users can >> use this and will have to be authenticated. No problem there. >> >> People who send mail now are not required to do this on port 25, and >> we accept mail freely on that port. Got a lot of stuff set up to >> avoid open relaying also. 
But as I understand it, if I install my >> certificate and use TLS, I can't use it on just one port (587) and >> everyone that sends mail will be asked to accept our certificate, >> regardless of which port they are sending to. This seems like a lot >> of useless fuss for people who are just sending mail to our users. >> The roamers will be able to relay through this server. >> >> Our users (sales staff, wouldn't you know) don't really want to use >> our webmail system out in the field. I kinda don't blame them as it's >> a little clunky. So this is just a way for them to send mail through >> our system and still have the benefits of MailScanner, etc. >> >> As I think I understand this, TLS would just give us encryption as >> they send in their authentication credentials. >> >> steve >> > The ssl/tls layer is there to make sure passwords aren't passed in > clear. But ... if you let your users pop/imap in clear, why not add > smtp on 587 with sasl too > and skip the TLS and self-signed certificate and the zillion of > questions. > > It all depends on your paranoia level :) > > Later > Charles > > That was sort of my original question - should I use TLS at all? The only harm is that they'll be on someone else's network broadcasting their passwords. I think most sites set up a server just for this "roaming" network traffic and use TLS as a SmartHost type setup. Our manager decided we didn't need that extra hardware. It'd only matter to people who had their clients set up to use TLS anyway. I know Thunderbird defaults to "use it if they offer it", but not sure how most other clients do it. Anyway, thanks for the input. steve > > > From richard.siddall at elirion.net Thu Sep 24 19:52:41 2009 
From: richard.siddall at elirion.net (Richard Siddall) Date: Thu Sep 24 19:53:00 2009 Subject: OT - TLS question In-Reply-To: <4ABBBC73.7030906@cnpapers.com> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> <4ABBBC73.7030906@cnpapers.com> Message-ID: <4ABBBFF9.50602@elirion.net> Steve Campbell wrote: >> > That was sort of my original question - should I use TLS at all? > > The only harm is that they'll be on someone else's network broadcasting > their passwords. I think most sites set up a server just for this > "roaming" network traffic and use TLS as a SmartHost type setup. Our > manager decided we didn't need that extra hardware. It'd only matter to > people who had their clients set up to use TLS anyway. I know > Thunderbird defaults to "use it if they offer it", but not sure how most > other clients do it. > > Anyway, thanks for the input. > > steve >> I believe you can use TLS on port 587 on an as-needed basis, although you could configure your MTA to require clients to use TLS. I believe TLS is negotiated after the client connects, unlike port 465. BTW, we use a wildcard SSL certificate, which is fairly cheap, on a machine that's mail.ourdomain.tld, pop.ourdomain.tld, webmail.ourdomain.tld, and a few other things. The certificate's installed into our web server, MTA, and POP/IMAP server. Regards, Richard Siddall From ssilva at sgvwater.com Thu Sep 24 19:55:37 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Sep 24 19:56:15 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> Message-ID: on 9-24-2009 8:52 AM Julian Field spake the following: > Please try out 4.78.16 which is available for download at > www.mailscanner.info. > > Hopefully the handling of Unicode and foreign characters sets in > attachment filenames will be a lot better than it was. > > Please let me know what you think. > > I am now approaching a stable release, so please report any and all bugs > as soon as you can. > > Thanks folks! > Jules. WOW! In one message you say it could be difficult, and 63 minutes later you have a fix! And all the while supporting a college IT department. From Kevin_Miller at ci.juneau.ak.us Thu Sep 24 20:09:14 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Sep 24 20:09:26 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> Message-ID: <4A09477D575C2C4B86497161427DD94C126BA5C432@city-exchange07> Scott Silva wrote: > WOW! In one message you say it could be difficult, and 63 minutes > later you have a fix! And all the while supporting a college IT > department. That explains the cape and spandex suit w/a big red S on the chest! ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From MailScanner at ecs.soton.ac.uk Thu Sep 24 21:08:45 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Thu Sep 24 21:09:03 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: <4A09477D575C2C4B86497161427DD94C126BA5C432@city-exchange07> References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C126BA5C432@city-exchange07> <4ABBD1CD.6040300@ecs.soton.ac.uk> Message-ID: On 24/09/2009 20:09, Kevin Miller wrote: > Scott Silva wrote: > > >> WOW! In one message you say it could be difficult, and 63 minutes >> later you have a fix! And all the while supporting a college IT >> department. >> > That explains the cape and spandex suit w/a big red S on the chest! > I would like to formally state that I wear my underpants *inside* my trousers. :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Fri Sep 25 08:27:31 2009 
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Sep 25 08:27:49 2009 Subject: OT - TLS question In-Reply-To: <4ABBBC73.7030906@cnpapers.com> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> <4ABBBC73.7030906@cnpapers.com> Message-ID: <1213490F1F316842A544A850422BFA960F96CD4AD7@BHLSBS.bhl.local> [snip] > That was sort of my original question - should I use TLS at all? > > The only harm is that they'll be on someone else's network broadcasting > their passwords. I think most sites set up a server just for this > "roaming" network traffic and use TLS as a SmartHost type setup. Our > manager decided we didn't need that extra hardware. It'd only matter to > people who had their clients set up to use TLS anyway. I know > Thunderbird defaults to "use it if they offer it", but not sure how > most > other clients do it. > > Anyway, thanks for the input. > > steve We moved to TLS as a requirement for all our outgoing email a year or so back using a proper SSL (didn't cost much at all) mainly to stop passwords being broadcast in the clear and to try and reduce the chance of a compromise. It hasn't caused many problems as we didn't enforce TLS for a while and gave our clients plenty of notification of moving to requiring TLS and then chased up those that didn't make the switch before enforcing the requirement. We have the luxury of having all our outgoing email going through different servers from our inbound email which makes life much easier. Jason From pedro.arinto at gmail.com Fri Sep 25 10:36:37 2009 
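As an added illustration for the TLS thread above (not code from any poster or from MailScanner): Richard's point that TLS on port 587 is negotiated after the client connects, and Jason's point about keeping passwords out of the clear, can both be checked by comparing what a listener advertises in EHLO before and after STARTTLS. The EHLO replies below are constructed samples, and the function names and verdict labels are this example's own.

```python
"""Check whether an SMTP listener exposes AUTH before TLS (added example)."""
import re
import smtplib
import ssl

# Constructed EHLO replies for illustration; not captured from a real server.
SUBMISSION_WEAK = """250-mail.example.test
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""

SUBMISSION_PRE_TLS = """250-mail.example.test
250-SIZE 52428800
250-STARTTLS
250 8BITMIME"""

SUBMISSION_POST_TLS = """250-mail.example.test
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

MX_PRE_TLS = SUBMISSION_PRE_TLS          # port 25: STARTTLS offered, no AUTH
MX_POST_TLS = """250-mail.example.test
250-SIZE 52428800
250 8BITMIME"""

# Mechanisms that put the password itself on the wire (base64 is not encryption).
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Turn a multi-line 250 reply into {keyword_lowercase: params}, the same
    shape smtplib exposes as SMTP.esmtp_features."""
    features = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:               # first line is the server greeting
        m = re.match(r"^250[- ]([A-Za-z0-9-]+)(?:[ =]+(.*))?$", line)
        if not m:
            continue
        key = m.group(1).lower()
        params = (m.group(2) or "").strip()
        # The legacy "AUTH=..." form may repeat the keyword; merge the values.
        features[key] = (features.get(key, "") + " " + params).strip()
    return features


def mechanisms(features):
    """Set of SASL mechanisms advertised in a parsed EHLO reply."""
    return set((features or {}).get("auth", "").upper().split())


def classify(pre_tls, post_tls=None):
    """Verdict for one listener from its EHLO features before/after STARTTLS."""
    if mechanisms(pre_tls) & PASSWORD_MECHS:
        return "cleartext-auth"          # password accepted on an unencrypted link
    if "starttls" not in pre_tls:
        return "no-tls"                  # nothing to upgrade to
    if mechanisms(post_tls):
        return "auth-after-tls"          # AUTH only appears once TLS is up
    return "opportunistic-tls"           # encryption offered, nobody must log in


def probe(host, port=587, timeout=10):
    """Live version of the same check using smtplib (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = dict(smtp.esmtp_features)
        post = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()                  # capabilities must be re-read after TLS
            post = dict(smtp.esmtp_features)
    return classify(pre, post)


if __name__ == "__main__":
    print("weak 587:    ", classify(parse_ehlo(SUBMISSION_WEAK)))
    print("hardened 587:", classify(parse_ehlo(SUBMISSION_PRE_TLS),
                                    parse_ehlo(SUBMISSION_POST_TLS)))
    print("port 25 MX:  ", classify(parse_ehlo(MX_PRE_TLS),
                                    parse_ehlo(MX_POST_TLS)))
```
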
From: pedro.arinto at gmail.com (Pedro Arinto) Date: Fri Sep 25 10:37:06 2009 Subject: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> Message-ID: Hi Julian, Sorry, I was mistaken about the system-wide setting. I must have looked in the wrong place. I'll try the new version and report my findings. Thanks for taking the time to look into this. Pedro On Thu, Sep 24, 2009 at 3:49 PM, Julian Field wrote: > Why did you think the "Zip Attachments" feature is a system-wide setting. > The line above the setting clearly says: > # This can also be the filename of a ruleset. > > I will take a look at the filenames problem, but no guarantees I can fix it > easily. > > On 24/09/2009 12:46, Pedro Arinto wrote: > >> Hi Alex, >> >> Unfortunately, since I work in Portugal, it is impossible to avoid using >> non-English characters in filenames. Even if I could somehow tell our users >> to avoid international characters, i cannot control everyone who sends us >> email. >> All platforms I've tested (Mac, Windows & Linux) see the same messed up >> filenames in the zip file. The difference is that in Windows, with most >> unzip packages (like 7-zip), there is an error when unzipping the file. In >> Mac, Linux & Windows with Winzip, the unzip operation is successful, but the >> filenames are garbled. This wouldn't be a big problem if the file extension >> remained the same as the original file, but it also gets messed up. Since >> most of our users are non-technical, this is a big problem for them. >> >> Can the zip feature be enabled selectively with a ruleset ? This would >> partially solve our problems, but as far as I can tell it is a system-wide >> setting. >> >> Thanks, >> >> Pedro >> >> >> On Mon, Sep 21, 2009 at 4:07 PM, Alex Neuman > alex@rtpty.com>> wrote: >> >> I don't know how to fix it, but here's a couple of thoughts: >> >> 1. 
Can you avoid using filenames with non-english characters? It's >> less likely users will have problems that way - specially when >> going cross-platform. >> 2. Are you sure the filenames are messed up? Do all platforms >> (linux, mac, unix) find the same, apparently corrupted filenames? >> How about all unzip programs for Windows? Could be that the >> unzipping program is not UTF aware or something like that. >> 3. (and this is a question for Jules & the Gang) - what does >> MailScanner use for ZIPping? is it some Archive::Zip module call? >> Can it be changed (although it may impose a further performance >> penalty) to an external "zip" program? Something like the internal >> vs. external TNEF issue? >> >> >> >> On Sep 21, 2009, at 9:49 AM, Pedro Arinto wrote: >> >> the filenames get messed up in the resulting ZIP file. Windows >> users are unable to uncompress this files >> >> > Jules 
From stef at aoc-uk.com Fri Sep 25 11:00:48 2009 From: stef at aoc-uk.com (Stef Morrell) Date: Fri Sep 25 11:01:05 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: References: <4AB69429.2060200@ecs.soton.ac.uk> Message-ID: <200909251001.n8PA0vAX007135@safir.blacknight.ie> Hi all, > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Jules Field > Sent: 20 September 2009 21:44 > To: MailScanner mailing list > Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update > > However, the point of this message is to tell you I have updated > http://www.jules.fm/Logbook/files/anti-phishing-v2.html > as the location of the original Google-hosted data file has > moved to SourceForge, and so the address of it has changed. Just a quick note to the list, in case anyone has as ancient a system as mine. The new version of the script passes --no-check-certificates to wget, so you need at least version 1.10 of wget for this to work (latest is 1.12). 1.9.1 and previous are no good. Regards Stef From jvoorhees1 at gmail.com Fri Sep 25 16:42:04 2009 
From: jvoorhees1 at gmail.com (Jose Perez) Date: Fri Sep 25 16:42:12 2009 Subject: Is this possible? Maybe feature request In-Reply-To: References: <4AB761B7.9000405@ecs.soton.ac.uk> Message-ID: On Mon, Sep 21, 2009 at 6:21 AM, Julian Field wrote: > It's not currently possible to auto-insert more than 1 image, sorry. > I haven't got the time to write it for you at the moment, you are the only > person who has ever needed to insert multiple images, so you're not very > high priority, sorry. > > Jules. > > Ok, no problem. I can wait. Thanks anyway for answering my question. Good bye :) From MailScanner at ecs.soton.ac.uk Fri Sep 25 16:44:54 2009 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Sep 25 16:45:23 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: <200909251001.n8PA0vAX007135@safir.blacknight.ie> References: <4AB69429.2060200@ecs.soton.ac.uk> <200909251001.n8PA0vAX007135@safir.blacknight.ie> <4ABCE576.3020408@ecs.soton.ac.uk> Message-ID: On 25/09/2009 11:00, Stef Morrell wrote: > Hi all, > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Jules Field >> Sent: 20 September 2009 21:44 >> To: MailScanner mailing list >> Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update >> >> However, the point of this message is to tell you I have updated >> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >> as the location of the original Google-hosted data file has >> moved to SourceForge, and so the address of it has changed. >> > Just a quick note to the list, in case anyone has as ancient a system as > mine. > > The new version of the script passes --no-check-certificates to wget, so > you need at least version 1.10 of wget for this to work (latest is > 1.12). > > 1.9.1 and previous are no good. > You can try taking out the --no-check-certificates but you might find it won't get the file. Jules From admin at lorodoes.com Fri Sep 25 18:52:06 2009 
From: admin at lorodoes.com (Garrod Alwood) Date: Fri Sep 25 18:52:22 2009 Subject: Dangours content Message-ID: <20090925175206.6C905D68046@plutopapers.com> Can I use the whitelist wildcard (&whitelist) inside of the content.scan.rules file so that everything from the whitelist is allowed to be sent and not scanned? Garrod Alwood IT Consultant From mark at msapiro.net Fri Sep 25 21:29:49 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Fri Sep 25 21:30:00 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> Message-ID: <20090925202949.GA2808@msapiro> On Thu, Sep 24, 2009 at 04:52:53PM +0100, Julian Field wrote: > Please try out 4.78.16 which is available for download at > www.mailscanner.info. > > Hopefully the handling of Unicode and foreign characters sets in > attachment filenames will be a lot better than it was. > > Please let me know what you think. > > I am now approaching a stable release, so please report any and all bugs > as soon as you can. > Hi Jules, What is the status of the filename reporting issue noted at http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html and discussed in the three messages at http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093278.html http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093279.html and http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093285.html I have seen nothing further on this since my reply in the last of these messages. I have just verified the issue still exists in 4.78.16. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Sat Sep 26 12:01:06 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Sep 26 13:01:22 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: <20090925202949.GA2808@msapiro> References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> Message-ID: Mark Sapiro wrote: > On Thu, Sep 24, 2009 at 04:52:53PM +0100, Julian Field wrote: > >> Please try out 4.78.16 which is available for download at >> www.mailscanner.info. >> >> Hopefully the handling of Unicode and foreign characters sets in >> attachment filenames will be a lot better than it was. >> >> Please let me know what you think. >> >> I am now approaching a stable release, so please report any and all bugs >> as soon as you can. >> >> > > > > Hi Jules, > > What is the status of the filename reporting issue noted at > > http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html > > and discussed in the three messages at > > http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093278.html > > http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093279.html > > and > > http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093285.html > > I have seen nothing further on this since my reply in the last of these > messages. I have just verified the issue still exists in 4.78.16 I was unable to reproduce the problem. I tested the code that generates the safe filenames, and it worked just as I expected. If you can send me the raw sendmail queue files of a message that demonstrates the bug, I will take a look. From mike at mlrw.com Sat Sep 26 15:51:37 2009 
From: mike at mlrw.com (Mike Wallace) Date: Sat Sep 26 15:51:48 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: References: <4AB69429.2060200@ecs.soton.ac.uk> Message-ID: <342B7C29-36EA-47F7-93BD-4CBC05B7B8DC@mlrw.com> Jules, I have found an anomaly in the beta with the --lint virus scan results. On a MailScanner box running 4.77.1, when I run MailScanner --lint I get the following for virus checking: MailScanner.conf says "Virus Scanners = clamd" Found these virus scanners installed: clamd = = = ======================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting Clamd::INFECTED:: Eicar-Test-Signature :: ./1/ Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 2 viruses = = = ======================================================================== On a MailScanner box running 4.78.16 I get the following: MailScanner.conf says "Virus Scanners = clamd" Found these virus scanners installed: clamd = = = ======================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com Virus Scanning: Clamd found 1 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 1 viruses = = = ======================================================================== Both boxes were built the same way with the only difference being the version of MailScanner installed. Is this behavior correct? Thanks. 
Mike On Sep 20, 2009, at 4:44 PM, Jules Field wrote: > Firstly, I'm still here, don't worry :-) > Just my day job is really busy at the moment, as we're now in the > run-up to the start of the new academic year, and I have taken on a > load of extra work to ease the strain on the guys who work for me. > > I'm still intending to do a stable release of MailScanner on 1st > October. So if there's anything important I need to know about the > current version, please tell me in a reply to this message (to the > list is fine, just I can then just check 1 thread). > > However, the point of this message is to tell you I have updated > http://www.jules.fm/Logbook/files/anti-phishing-v2.html > as the location of the original Google-hosted data file has moved to > SourceForge, and so the address of it has changed. > > If you don't update the script to the new version, it won't be doing > anything at all for you right now. > > Best regards, > Jules. From MailScanner at ecs.soton.ac.uk Sun Sep 27 19:09:00 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Sun Sep 27 19:09:20 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: <342B7C29-36EA-47F7-93BD-4CBC05B7B8DC@mlrw.com> References: <4AB69429.2060200@ecs.soton.ac.uk> <342B7C29-36EA-47F7-93BD-4CBC05B7B8DC@mlrw.com> <4ABFAA3C.2080607@ecs.soton.ac.uk> Message-ID: On 26/09/2009 15:51, Mike Wallace wrote: > Jules, > > I have found an anomaly in the beta with the --lint virus scan results. > > On a MailScanner box running 4.77.1, when I run MailScanner --lint I > get the following for virus checking: > > MailScanner.conf says "Virus Scanners = clamd" > Found these virus scanners installed: clamd > =========================================================================== > > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > Clamd::INFECTED:: Eicar-Test-Signature :: ./1/ > Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com > Virus Scanning: Clamd found 2 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 2 viruses > =========================================================================== > > > On a MailScanner box running 4.78.16 I get the following: > > MailScanner.conf says "Virus Scanners = clamd" > Found these virus scanners installed: clamd > =========================================================================== > > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com > Virus Scanning: Clamd found 1 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 1 viruses > =========================================================================== > > > > Both boxes were built the same way with the only difference being the > version of MailScanner installed. > > Is this behavior correct? Looks like a bug-fix to me. 
There's only 1 infection in the test message, so it should only report 1 infection. Jules. > > On Sep 20, 2009, at 4:44 PM, Jules Field wrote: > >> Firstly, I'm still here, don't worry :-) >> Just my day job is really busy at the moment, as we're now in the >> run-up to the start of the new academic year, and I have taken on a >> load of extra work to ease the strain on the guys who work for me. >> >> I'm still intending to do a stable release of MailScanner on 1st >> October. So if there's anything important I need to know about the >> current version, please tell me in a reply to this message (to the >> list is fine, just I can then just check 1 thread). >> >> However, the point of this message is to tell you I have updated >> http://www.jules.fm/Logbook/files/anti-phishing-v2.html >> as the location of the original Google-hosted data file has moved to >> SourceForge, and so the address of it has changed. >> >> If you don't update the script to the new version, it won't be doing >> anything at all for you right now. >> >> Best regards, >> Jules. 
Jules From mark at msapiro.net Sun Sep 27 19:21:32 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Sun Sep 27 19:21:43 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> Message-ID: <20090927182132.GA736@msapiro> On Sat, Sep 26, 2009 at 12:01:06PM +0100, Julian Field wrote: > Mark Sapiro wrote: > >On Thu, Sep 24, 2009 at 04:52:53PM +0100, Julian Field wrote: > > > >>Please try out 4.78.16 which is available for download at > >>www.mailscanner.info. > >> > >>Hopefully the handling of Unicode and foreign characters sets in > >>attachment filenames will be a lot better than it was. > >> > >>Please let me know what you think. > >> > >>I am now approaching a stable release, so please report any and all bugs > >>as soon as you can. > >> > >> > > > > > > > >Hi Jules, > > > >What is the status of the filename reporting issue noted at > > > >http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html > > > >and discussed in the three messages at > > > >http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093278.html > > > >http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093279.html > > > >and > > > >http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093285.html > > > >I have seen nothing further on this since my reply in the last of these > >messages. I have just verified the issue still exists in 4.78.16 > I was unable to reproduce the problem. I tested the code that generates > the safe filenames, and it worked just as I expected. > If you can send me the raw sendmail queue files of a message that > demonstrates the bug, I will take a look. I don't use sendmail, so I can't send you sendmail queue files. I can send you postfix files, but that should not be necessary since a message is trivial to create. 
I have attached message.zip which contains message.txt which is a raw message that shows the problem. In this case, there are two attached files "Motion & Order.txt .doc" and "Motion & Order.doc .doc" which are reported by MailScanner as "Motion %26 Order.doc" and "Motion %26 Order-1.doc". This depends on the & in the file name and the exact munging/dropping of the first extension also depends on how many spaces are between the two extensions. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- A non-text attachment was scrubbed... Name: message.zip Type: application/x-zip-compressed Size: 893 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090927/db53fd75/message.bin From mark at msapiro.net Sun Sep 27 19:34:05 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Sun Sep 27 19:52:23 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: Message-ID: Jules Field wrote: > >On 26/09/2009 15:51, Mike Wallace wrote: >> Jules, >> >> I have found an anomaly in the beta with the --lint virus scan results. >> >> On a MailScanner box running 4.77.1, when I run MailScanner --lint I >> get the following for virus checking: >> >> MailScanner.conf says "Virus Scanners = clamd" >> Found these virus scanners installed: clamd >> =========================================================================== >> >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/ >> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 2 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 2 viruses >> =========================================================================== >> >> >> On a MailScanner box running 4.78.16 I get the following: >> >> MailScanner.conf says "Virus Scanners = clamd" >> Found these virus scanners installed: clamd >> =========================================================================== >> >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 1 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 1 viruses >> =========================================================================== >> >> >> >> Both boxes were built the same way with the only difference being the >> version of MailScanner installed. >> >> Is this behavior correct? >Looks like a bug-fix to me. There's only 1 infection in the test >message, so it should only report 1 infection. 
If I am not mistaken, this is normal and expected. The box that reports 2 infections has ClamAV Full Message Scan = yes and the box that reports 1 has ClamAV Full Message Scan = no The full message scan results in two hits - one on the full message and one on the attached file. I know Mike has said in another thread that these settings are the same (yes) on both boxes, but in my experience since well before and including several 4.77.x versions, but maybe not 4.77.1, on Centos 5.0 with ClamAV Full Message Scan = yes, I always get 2 infections reported from MailScanner --lint. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mike at mlrw.com Mon Sep 28 00:10:22 2009 
From: mike at mlrw.com (Mike Wallace) Date: Mon Sep 28 00:10:37 2009 Subject: Anti-Phishing / Spear-Phishing script IMPORTANT update In-Reply-To: References: Message-ID: Mark, Both machines definitely have "ClamAV Full Message Scan = yes", so that is not the case for the difference. To even verify that it had nothing to do with me using includes for my site specific configuration, I took the 4.77 config file and used that on the 4.78 system. The virus scan results were the same, the only complaint being the version in the config file did not match the running version. So I guess Jules fixed a bug that we had never noticed before. Mike From sagarun at gmail.com Mon Sep 28 08:36:37 2009 
From: sagarun at gmail.com (Arun SAG) Date: Mon Sep 28 08:37:07 2009 Subject: Perl-DBI dependency failed Message-ID: Hi, when I tried to install perl-DBD-SQLite which is required for mailscanner using yum, some dependencies were not resolved [root@localhost zer0c00l]# yum install perl-DBD-SQLite Loaded plugins: fastestmirror, priorities [..] --> Running transaction check ---> Package perl-DBD-SQLite.i386 0:1.25-2.el5.rf set to be updated --> Processing Dependency: perl-DBI >= 1.57 for package: perl-DBD-SQLite --> Finished Dependency Resolution perl-DBD-SQLite-1.25-2.el5.rf.i386 from rpmforge has depsolving problems --> Missing Dependency: perl-DBI >= 1.57 is needed by package perl-DBD-SQLite-1.25-2.el5.rf.i386 (rpmforge) Error: Missing Dependency: perl-DBI >= 1.57 is needed by package perl-DBD-SQLite-1.25-2.el5.rf.i386 (rpmforge) So, I tried to remove perl-DBI, but it removes mysql and dovecot with it. What should I do? Can I go ahead and remove perl-DBI, perl-DBI is available in rpmforge repository? Will removing older version perl-DBI break dovecot and mysql? To install mailscanner I followed: http://www.linuxmail.info/how-to-install-mailscanner-centos-5/ Cheers Arun SAG -- A computer is like air conditioning: it becomes useless when you open windows. <-Fighting 4 Freedom-> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090928/265a5829/attachment.html From MailScanner at ecs.soton.ac.uk Mon Sep 28 12:26:58 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Sep 28 12:27:18 2009 Subject: Perl-DBI dependency failed In-Reply-To: References: <4AC09D82.8050409@ecs.soton.ac.uk> Message-ID: Shame you didn't just use my install.sh script. :( This is all documented on the MailScanner website. It would have worked then. :) Jules. From sagarun at gmail.com Mon Sep 28 12:51:59 2009 From: sagarun at gmail.com (Arun SAG) Date: Mon Sep 28 12:52:32 2009 Subject: Perl-DBI dependency failed In-Reply-To: References: <4AC09D82.8050409@ecs.soton.ac.uk> Message-ID: On Mon, Sep 28, 2009 at 4:56 PM, Julian Field wrote: > >Shame you didn't just use my install.sh script. :( > >This is all documented on the MailScanner website. > >It would have worked then. :) > Yeah just tried it works fine :) , I am wondering why mail scanner was not integrated into repository of centos so that i can install it with ease (yum install MailScanner) Thanks -- A computer is like air conditioning: it becomes useless when you open windows. <-Fighting 4 Freedom-> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090928/feaedd1a/attachment.html From J.Ede at birchenallhowden.co.uk Mon Sep 28 14:11:15 2009 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Mon Sep 28 14:11:33 2009 Subject: Perl-DBI dependency failed In-Reply-To: References: <4AC09D82.8050409@ecs.soton.ac.uk> Message-ID: <1213490F1F316842A544A850422BFA960F96CD4B2F@BHLSBS.bhl.local> There is... http://www.fsl.com/index.php/barricademx/mailscanner-repository/mailscanner-production Jason 
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090928/a457420e/attachment.html From lorenzo at argroup.it Mon Sep 28 14:22:31 2009 From: lorenzo at argroup.it (lorenzo santi) Date: Mon Sep 28 14:22:43 2009 Subject: problem with some mail Message-ID: <4AC0B897.2050407@argroup.it> hi, i have a system with postfix + mailscanner i found that some mail in the log ends with: mail postfix/qmgr[31256]: 4F4591D6431: from=, size=227819, nrcpt=1 (queue active) this mail is NOT delivered and seems disappeared. i cant "locate" the message in no queue or other directory. and in mailwatch looks like are normal delivered mail. any suggestion? thanks Lorenzo -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From admin at lorodoes.com Mon Sep 28 23:48:44 2009 From: admin at lorodoes.com (Garrod Alwood) Date: Mon Sep 28 23:49:01 2009 Subject: Debian Packages Message-ID: <6ee4c057ddd079e824725950cf749114.squirrel@www.lorodoes.com> What is the possibility of having the releases in both deb and rpms or is there a way for me to do my own debs? From lists at elasticmind.net Tue Sep 29 13:35:10 2009 
From: lists at elasticmind.net (Mog) Date: Tue Sep 29 13:35:47 2009 Subject: OT - TLS question In-Reply-To: <1213490F1F316842A544A850422BFA960F96CD4AD7@BHLSBS.bhl.local> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> <4ABBBC73.7030906@cnpapers.com> <1213490F1F316842A544A850422BFA960F96CD4AD7@BHLSBS.bhl.local> Message-ID: <4AC1FEFE.2070608@elasticmind.net> Jason Ede wrote: > [snip] > >> That was sort of my original question - should I use TLS at all? >> >> The only harm is that they'll be on someone else's network broadcasting >> their passwords. I think most sites set up a server just for this >> "roaming" network traffic and use TLS as a SmartHost type setup. Our >> manager decided we didn't need that extra hardware. It'd only matter to >> people who had their clients set up to use TLS anyway. I know >> Thunderbird defaults to "use it if they offer it", but not sure how >> most >> other clients do it. >> >> Anyway, thanks for the input. >> >> steve >> > > We moved to TLS as a requirement for all our outgoing email a year or so back using a proper SSL (didn't cost much at all) mainly to stop passwords being broadcast in the clear and to try and reduce the chance of a compromise. It hasn't caused many problems as we didn't enforce TLS for a while and gave our clients plenty of notification of moving to requiring TLS and then chased up those that didn't make the switch before enforcing the requirement. We have the luxury of having all our outgoing email going through different servers from our inbound email which makes life much easier. > > Jason > Personally I think yes, you should definitely provide support for TLS (we do on all our servers). I could be wrong, but I think that once activated it encrypts the remainder of the SMTP session, so both the user's credentials and the content of their mail is encrypted. 
Naturally not everyone will be using TLS when sending you email on port 25, so you probably don't want to be enforcing the use of TLS, but definitely make it available. It's just the same as providing IMAPS and IMAP to cater for people who do and do not use SSL for their IMAP connections. Mog From campbell at cnpapers.com Tue Sep 29 14:54:08 2009 
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Sep 29 14:54:23 2009 Subject: OT - TLS question In-Reply-To: <4AC1FEFE.2070608@elasticmind.net> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> <4ABBBC73.7030906@cnpapers.com> <1213490F1F316842A544A850422BFA960F96CD4AD7@BHLSBS.bhl.local> <4AC1FEFE.2070608@elasticmind.net> Message-ID: <4AC21180.8000604@cnpapers.com> I was under the impression that once I added support for TLS, then it was server-wide, and that most clients were set up as "use TLS if available". It's not going to be a problem for our users, but all those in the wild that send mail and get the pop-up might not know what it's for. I use sendmail, so is there a way to have the server only use it on a particular port and not another? I only want it on port 587, not port 25. Thanks for the reply steve From gary at sgluk.com Tue Sep 29 15:09:25 2009 From: gary at sgluk.com (Gary Pentland) Date: Tue Sep 29 15:09:36 2009 Subject: OT - TLS question In-Reply-To: <4AC21180.8000604@cnpapers.com> References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> <4ABBBC73.7030906@cnpapers.com> <1213490F1F316842A544A850422BFA960F96CD4AD7@BHLSBS.bhl.local> <4AC1FEFE.2070608@elasticmind.net> <4AC21180.8000604@cnpapers.com> Message-ID: That's all configurable (what isn't in sendmail)... Something like this should do it but read the cf documentation and use google! You may need other options so test this carefully with your setup FEATURE(`no_default_msa') DAEMON_OPTIONS(`Name=tls,Port=587, Modifiers=s') DAEMON_OPTIONS(`Name=mta,Port=25') Hope that helps you find out what you need to do Gary From hugh.fraser at arcelormittal.com Tue Sep 29 18:05:15 2009 
From: hugh.fraser at arcelormittal.com (hugh.fraser@arcelormittal.com) Date: Tue Sep 29 18:05:32 2009 Subject: Dangerous content detection with "file" command Message-ID: I have a word document that was mistakenly flagged as "executable". Adding some debugging into the "SweepOther.pm" code revealed that the document contained a Title property of "The Quest of the Self". The linux "file" command used to identify file types returns this property (along with author and others) in its output as follows: Support.doc: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: The Quest of the Self, Author: johndoe, Template: Normal, Last Saved By: JOHN DOE, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Sep 17 09:57:00 2009, Last Saved Time/Date: Thu Sep 17 09:57:00 2009, Number of Pages: 1, Number of Words: 2597, Number of Characters: 14289, Security: 0 MailScanner does a simple regex compare of the output from the "file" command and sees the string "ELF" in it (in the word Self), and flags the file as executable. This will happen with any Word document that contains any matching strings in the title, subject, author, category, comments, or any other property fields. A simple change in the regex used in the CheckFileContentTypes to only capture the "file" command's output up to the first "," does the trick, and I've checked some other files in quarantine to see if it would be a problem. So far, I don't see a problem. The diffs for SweepOther.pm are as follows: 410c410 < $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*(.*)$/; --- > $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*),/; From campbell at cnpapers.com Tue Sep 29 18:12:34 2009 
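Review bot: the replacement pattern on the `>` line ends in a literal `,` after `([^,]*)`, so a `file` result that contains no comma no longer matches at all and that attachment never gets a `$FileTypes` entry, where the old `(.*)$` matched every line. Make the delimiter optional, for example `:\s*([^,]*)` with no trailing `,`, so comma-less descriptions are still recorded. A comment next to the line should also say that the file-type rules now see only the first comma-delimited field, because any rule written against text after the first comma will stop matching.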
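The false positive described in the message above, reproduced as an added example (not MailScanner's code and not part of the original post): the sample `file` lines are constructed, and both `ELF` rule patterns are assumptions about how a file-type rule might be written. It compares matching the whole description, matching only the first comma-delimited field with the comma made optional, and anchoring the rule instead of truncating the description.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the "<dir>/<name>: <description>" shape that the
# two regexes in the post expect. The descriptions imitate file(1) output.
my @file_output = (
    '1/Support.doc: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, '
      . 'Code page: 1252, Title: The Quest of the Self, Author: johndoe',
    '1/tool.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)',
    '1/notes.txt: ASCII text',
);

# Assumed rule: case-insensitive, unanchored match for "ELF", which is the
# behaviour the post describes ("Self" triggers it).
my $loose_rule = qr/ELF/i;

# Assumed alternative rule: "ELF" only as the first word of the description.
my $anchored_rule = qr/^ELF\b/;

# Whole description after "name:" (the original capture in the post).
sub type_full {
    my ($line) = @_;
    return $line =~ /^([^\/]+)\/([^:]+):\s*(.*)$/ ? $3 : undef;
}

# First comma-delimited field only. The comma is not required here, so a
# description without one ("ASCII text") still produces a value.
sub type_first_field {
    my ($line) = @_;
    return $line =~ /^([^\/]+)\/([^:]+):\s*([^,]*)/ ? $3 : undef;
}

sub verdict {
    my ($text, $rule) = @_;
    return (defined $text && $text =~ $rule) ? 'flagged' : 'clean';
}

printf "%-12s %-18s %-18s %-18s\n",
    'file', 'full+loose', 'first-field+loose', 'full+anchored';

for my $line (@file_output) {
    my ($name) = $line =~ /^[^\/]+\/([^:]+):/;
    my $full   = type_full($line);
    my $first  = type_first_field($line);

    # Document metadata (Title, Author, ...) is chosen by whoever wrote the
    # file, so only the leading type description is a reliable signal.
    printf "%-12s %-18s %-18s %-18s\n",
        $name,
        verdict($full,  $loose_rule),
        verdict($first, $loose_rule),
        verdict($full,  $anchored_rule);
}
```

Only the first column flags Support.doc; all three flag the constructed ELF sample, and the plain-text sample stays clean and keeps a recorded type in every case.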
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Sep 29 18:12:53 2009 Subject: OT - TLS question In-Reply-To: References: <4ABBAD9E.8000409@cnpapers.com> <4ABBB23D.4020206@cegep-ste-foy.qc.ca> <4ABBB7C2.6080701@cnpapers.com> <4ABBB9E3.3000100@cegep-ste-foy.qc.ca> <4ABBBC73.7030906@cnpapers.com> <1213490F1F316842A544A850422BFA960F96CD4AD7@BHLSBS.bhl.local> <4AC1FEFE.2070608@elasticmind.net> <4AC21180.8000604@cnpapers.com> Message-ID: <4AC24002.7050300@cnpapers.com> Gary Pentland wrote: > That's all configurable (what isn't in sendmail)... > > Something like this should do it but read the cf documentation and use google! You may need other options so test this carefully with your setup > > FEATURE(`no_default_msa') > DAEMON_OPTIONS(`Name=tls,Port=587, Modifiers=s') > DAEMON_OPTIONS(`Name=mta,Port=25') > > Hope that helps you find out what you need to do > > Gary > Gary, Thanks loads. It seems that I hadn't used the FEATURE(`no_default_msa'). I was able to get both port 25 and port 587 working like I needed it to work. The only problem I ran into was when I used the Modifiers=s (M=s), I couldn't send at all to that port in any MUA configuration. I'm using "Ea" instead and that does both auth and tls for me. I don't understand it, but it works as though 's' were set. Port 25 is clear of both auth and tls and is blocked for relaying through other means. Again, thanks for the heads-up steve From mike at mlrw.com Tue Sep 29 18:21:10 2009 
From: mike at mlrw.com (Mike Wallace) Date: Tue Sep 29 18:21:37 2009 Subject: Help on new install please ? In-Reply-To: References: <29925743.321249141079643.JavaMail.root@office.splatnix.net> <4A757DF9.3010103@ecs.soton.ac.uk> Message-ID: <19DA8256-B16B-4E64-B428-089894438B31@mlrw.com> CentOS 5.3 as part of the mail-servers package installs spamassassin and if you install clamav and clamd from rpmforge, do you need to use your Clam/SA tarball? Thanks. On Aug 2, 2009, at 7:52 AM, Jules Field wrote: > I tend to use SA from my tarball, and ClamAV from http://packages.sw.be/clamav > which is an RPM repository. That way MailScanner gets SA the way it > wants, but you get clamd and stuff too. > > The install.sh for my tarball will ask you if you want to install > ClamAV, just say no and tell it the path to clamscan when it asks > for it. > > On 01/08/2009 16:37, --[ UxBoD ]-- wrote: >> Hi, >> >> Just installing a new mini-itx server with CentOS 5.3. Should I go >> with Julians Clam/SA tarball or use the repo ? >> >> Best Regards, >> >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > From mailscanner_list at phisch.ca Tue Sep 29 21:23:36 2009 
From: mailscanner_list at phisch.ca (Jared) Date: Tue Sep 29 21:23:49 2009 Subject: ClamAV only scanning message headers Message-ID: <4AC26CC8.9070309@phisch.ca> Greetings, MailScanner community, I have been using MailScanner with Postfix and ClamAV for several years now and it has been an extremely effective system for combating spam and malware for my users. I have just refreshed our system to bring the relevant software up to a reasonable rev as well as putting it on much more capable hardware. Everything seems to be working with the exception of my virus scanning. Here's the situation: My "Incoming Work Dir" is set to /tmp (as it's in RAM rather than on disk for speed). As mail comes in, I can see that a MailScanner child creates a subdirectory of /tmp with its PID, and then calls the ClamAV wrapper to scan that directory. My expectation is that MailScanner decodes all MIME parts and decodes Base64 for the AV engine to troll and will leave them in that temporary directory. The problem is that the only file being written out into those directories is the message header - no other MIME parts (or even a plain-text part, for that matter) ever make it into the directory. As a result, ClamAV is unable to detect infections because it will never see them. I have confirmed that ClamAV is able to detect viruses (by using an EICAR test file) when run from the command line and/or the MailScanner wrapper script, and that Clam is only being "fed" files like /tmp/PID/MessageID.header Is there something that I'm missing in my install? Do I have a fundamental misunderstanding of how MailScanner interacts with ClamAV via the wrapper? I have tried running MailScanner in debug mode, but there's really no useful information in there. Any guidance would be very much appreciated! 
Jared #./MailScanner -v Running on SunOS ***** 5.10 Generic_141414-08 sun4v sparc SUNW,SPARC-Enterprise-T5220 This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.56.8 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.60 HTML::Entities 3.61 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 3.07 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.07 MIME::QuotedPrint 5.427 MIME::Tools 0.13 Net::CIDR 1.09 POSIX 1.78 Socket 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 0.17 Convert::TNEF 1.814 DB_File 1.25 DBD::SQLite 1.607 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Inline missing Mail::ClamAV 3.002005 Mail::SpamAssassin 1.999001 Mail::SPF::Query 0.20 Net::CIDR::Lite 1.25 Net::IP 0.65 Net::DNS 0.39 Net::LDAP missing Parse::RecDescent missing SAVI 2.56 Test::Harness 0.92 Test::Simple 1.95 Text::Balanced 1.38 URI From ssilva at sgvwater.com Wed Sep 30 00:51:25 2009 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Sep 30 00:51:59 2009 Subject: ClamAV only scanning message headers In-Reply-To: <4AC26CC8.9070309@phisch.ca> References: <4AC26CC8.9070309@phisch.ca> Message-ID: on 9-29-2009 1:23 PM Jared spake the following: > Greetings, MailScanner community, > > I have been using MailScanner with Postfix and ClamAV for several years > now and it has been an extremely effective system for combating spam and > malware for my users. I have just refreshed our system to bring the > relevant software up to a reasonable rev as well as putting it on much > more capable hardware. > > Everything seems to be working with the exception of my virus scanning. > Here's the situation: > My "Incoming Work Dir" is set to /tmp (as it's in RAM rather than on > disk for speed). As mail comes in, I can see that a MailScanner child > creates a subdirectory of /tmp with its PID, and then calls the ClamAV > wrapper to scan that directory. My expectation is that MailScanner > decodes all MIME parts and decodes Base64 for the AV engine to troll and > will leave them in that temporary directory. > > The problem is that the only file being written out into those > directories is the message header - no other MIME parts (or even a > plain-text part, for that matter) ever make it into the directory. As a > result, ClamAV is unable to detect infections because it will never see > them. > > I have confirmed that ClamAV is able to detect viruses (by using an > EICAR test file) when run from the command line and/or the MailScanner > wrapper script, and that Clam is only being "fed" files like > /tmp/PID/MessageID.header > > Is there something that I'm missing in my install? Do I have a > fundamental misunderstanding of how MailScanner interacts with ClamAV > via the wrapper? I have tried running MailScanner in debug mode, but > there's really no useful information in there. > > Any guidance would be very much appreciated! 
> Read http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips and maybe http://wiki.mailscanner.info/doku.php?id=maq:index#i_don_t_get_output_from_clamav_or_other_anti-virus_what_is_wrong From MailScanner at ecs.soton.ac.uk Wed Sep 30 09:16:57 2009 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Sep 30 09:17:20 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: References: <05E66494-C4A0-437A-BB15-A6FEE2D4809D@rtpty.com> <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> <4AC313F9.4080405@ecs.soton.ac.uk> Message-ID: On 26/09/2009 12:01, Julian Field wrote: > Mark Sapiro wrote: >> On Thu, Sep 24, 2009 at 04:52:53PM +0100, Julian Field wrote: >>> Please try out 4.78.16 which is available for download at >>> www.mailscanner.info. >>> >>> Hopefully the handling of Unicode and foreign characters sets in >>> attachment filenames will be a lot better than it was. >>> >>> Please let me know what you think. >>> >>> I am now approaching a stable release, so please report any and all >>> bugs as soon as you can. >>> >> >> >> >> Hi Jules, >> >> What is the status of the filename reporting issue noted at >> >> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093259.html >> >> >> and discussed in the three messages at >> >> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093278.html >> >> >> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093279.html >> >> >> and >> >> http://lists.mailscanner.info/pipermail/mailscanner/2009-September/093285.html >> >> >> I have seen nothing further on this since my reply in the last of these >> messages. I have just verified the issue still exists in 4.78.16 > I was unable to reproduce the problem. I tested the code that > generates the safe filenames, and it worked just as I expected. > If you can send me the raw sendmail queue files of a message that > demonstrates the bug, I will take a look. 
> I have just re-read the original posting (093259.html) and the report there states that the filename-extension-hiding rule was still triggered, the only problem was with the filename reported in the logs and so on. The filename reported in all output is always the "sanitised" filename, not the original (potentially evil) filename. I have just tried it out with a message with 3 files attached to it: Nasty & horrible.doc .doc Nasty&horrible.doc .doc Nasty&horrible.doc.zip and in all cases it behaves just the way I would expect it to. Other than the filenames reported, what do you actually think is going wrong? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner From mark at msapiro.net Wed Sep 30 16:39:36 2009 
From: mark at msapiro.net (Mark Sapiro) Date: Wed Sep 30 16:39:46 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: References: <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> <4AC313F9.4080405@ecs.soton.ac.uk> Message-ID: <20090930153936.GA1856@msapiro> On Wed, Sep 30, 2009 at 09:16:57AM +0100, Julian Field wrote: > > I have just tried it out with a message with 3 file attached to it: > Nasty & horrible.doc .doc > Nasty&horrible.doc .doc > Nasty&horrible.doc.zip > and in all cases it behaves just the way I would expect it to. > > Other than the filenames reported, what do you actually think is going > wrong? Nothing, but the file name reporting is the problem. If the name contains an ampersand or perhaps other characters that are turned into %nn, in some cases, the 'first extension' will be dropped entirely in the report. For example, in the test mail I sent in the zip file attached to the message archived at the names "Motion & Order.txt .doc" and "Motion & Order.doc .doc" are reported as MailScanner: Attempt to hide real filename extension (Motion %26 Order.doc) leaving the recipient and the mail admin wondering how that name triggered that rule. I don't have any problem with certain characters being escaped as %nn, but I do think that dropping pieces of the name, in particular in some cases entire 'extensions' is a problem. -- Mark Sapiro mark at msapiro net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From MailScanner at ecs.soton.ac.uk Wed Sep 30 17:02:04 2009 
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Sep 30 17:02:23 2009 Subject: Filename reporting issue - was: Filename enconding in auto-zip feature In-Reply-To: <20090930153936.GA1856@msapiro> References: <4ABB86E9.5070802@ecs.soton.ac.uk> <4ABB95D5.3090500@ecs.soton.ac.uk> <20090925202949.GA2808@msapiro> <4ABDF472.2040503@ecs.soton.ac.uk> <4AC313F9.4080405@ecs.soton.ac.uk> <20090930153936.GA1856@msapiro> <4AC380FC.60902@ecs.soton.ac.uk> Message-ID: On 30/09/2009 16:39, Mark Sapiro wrote: > On Wed, Sep 30, 2009 at 09:16:57AM +0100, Julian Field wrote: > >> I have just tried it out with a message with 3 file attached to it: >> Nasty& horrible.doc .doc >> Nasty&horrible.doc .doc >> Nasty&horrible.doc.zip >> and in all cases it behaves just the way I would expect it to. >> >> Other than the filenames reported, what do you actually think is going >> wrong? >> > > Nothing, but the file name reporting is the problem. If the name contains > an ampersand or perhaps other characters that are turned into %nn, in some > cases, the 'first extension' will be dropped entirely in the report. For > example, in the test mail I sent in the zip file attached to the message > archived at > > the names "Motion& Order.txt .doc" and "Motion& Order.doc .doc" are > reported as > > MailScanner: Attempt to hide real filename extension (Motion %26 Order.doc) > > leaving the recipient and the mail admin wondering how that name triggered > that rule. > > I don't have any problem with certain characters being escaped as %nn, > but I do think that dropping pieces of the name, in particular in some > cases entire 'extensions' is a problem. > It all depends on the length of the filename after the last filename extension has been removed. This is truncated at a fixed point. So some other "extensions" may be lost. 
I'm not sure there is any easy way, heuristically, of trimming the filename while leaving *all* the extensions, as it's unknown what is and is not an extension, and what is just a dot in the middle of the text of the "main" bit of the filename. Julian.Field.doc JulianField.docx.doc Julian.Field.docx.doc What's an extension and what isn't? Jules From cfisk at qwicnet.com Wed Sep 30 20:45:30 2009 From: cfisk at qwicnet.com (Christopher Fisk) Date: Wed Sep 30 20:45:53 2009 Subject: Changes to spam.blacklist.rules and spam.whitelist.rules Message-ID: Quick question on these. If I change these files do I need to restart MailScanner? Thanks! Christopher Fisk From Kevin_Miller at ci.juneau.ak.us Wed Sep 30 20:49:36 2009 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Sep 30 20:49:51 2009 Subject: Changes to spam.blacklist.rules and spam.whitelist.rules In-Reply-To: References: Message-ID: <4A09477D575C2C4B86497161427DD94C126BA5C474@city-exchange07> Christopher Fisk wrote: > Quick question on these. If I change these files do I need to > restart MailScanner? You can do a "MailScanner reload" which rereads the config w/o stopping the critter... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ecasarero at gmail.com Wed Sep 30 20:53:57 2009 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Sep 30 20:54:33 2009 Subject: Changes to spam.blacklist.rules and spam.whitelist.rules In-Reply-To: References: Message-ID: <7d9b3cf20909301253o7831938cg8ee1704e3b86b11@mail.gmail.com> 2009/9/30 Christopher Fisk > Quick question on these. If I change these files do I need to restart > MailScanner? > > > Yes or wait MS to restart every 7200 secs (depending on your MailScanner.conf) > > Thanks! > > > Christopher Fisk From cfisk at qwicnet.com Wed Sep 30 21:19:19 2009 
From: cfisk at qwicnet.com (Christopher Fisk) Date: Wed Sep 30 21:19:38 2009 Subject: Changes to spam.blacklist.rules and spam.whitelist.rules In-Reply-To: <4A09477D575C2C4B86497161427DD94C126BA5C474@city-exchange07> Message-ID: > Christopher Fisk wrote: > > Quick question on these. If I change these files do I > need to > > restart MailScanner? > You can do a "MailScanner reload" which rereads the > config w/o stopping the critter... Can I do a killall -HUP MailScanner Safely to force a reload? I don't have an init script setup currently for these systems, and I'm trying to write a script to create the spam.blacklist.rules and spam.whitelist.rules list from a MySQL database. I just tested it and it reloaded fine, but I want to make sure I'm not breaking anything. It would only when I add or remove a whitelist or blacklist entry, a few times a week. Christopher Fisk From admin at lorodoes.com Wed Sep 30 21:44:31 2009 
From: admin at lorodoes.com (Garrod Alwood) Date: Wed Sep 30 21:44:47 2009 Subject: Changes to spam.blacklist.rules and spam.whitelist.rules In-Reply-To: References: Message-ID: <8ed158576b2dd049680fe4dacc2c124a.squirrel@www.lorodoes.com> Whenever I change anything I do a MailScanner restart and that works pretty well. Especially when I need to get a change up really fast. >> Christopher Fisk wrote: >> > Quick question on these. If I change these files do I >> need to >> > restart MailScanner? > >> You can do a "MailScanner reload" which rereads the >> config w/o stopping the critter... > > > Can I do a > > killall -HUP MailScanner > > Safely to force a reload? I don't have an init script setup currently for > these systems, and I'm trying to write a script to create the > spam.blacklist.rules and spam.whitelist.rules list from a MySQL database. > > > I just tested it and it reloaded fine, but I want to make sure I'm not > breaking anything. It would only when I add or remove a whitelist or > blacklist entry, a few times a week. > > > > Christopher Fisk
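
The workflow discussed in this thread (build spam.whitelist.rules or spam.blacklist.rules from database rows, then signal a reload), as an added example that is not part of any poster's message or MailScanner's own code. It assumes the usual ruleset layout of `From: <pattern> yes` lines ending with `FromOrTo: default no`; the sample rows, function names and validation pattern are hypothetical.

```python
import os
import re
import subprocess
import tempfile

# Constructed rows standing in for the MySQL query result (one pattern per row).
SAMPLE_ROWS = ["*@example.com", "192.0.2.25",
               "bad entry\nFrom: default yes", "user@example.org"]

# Assumption: one token per entry (address, domain or IP pattern), no whitespace.
PATTERN_OK = re.compile(r"[A-Za-z0-9*_.+@:/-]{1,255}")


def render_rules(rows, value="yes"):
    """Return (ruleset_text, rejected_rows) for a white- or blacklist ruleset."""
    lines, rejected = ["# Generated file, edit the database instead"], []
    for row in rows:
        pattern = row.strip()
        if PATTERN_OK.fullmatch(pattern):
            lines.append(f"From:\t{pattern}\t{value}")
        else:
            # Whitespace or a newline in a DB field would add or alter a rule.
            rejected.append(row)
    lines.append("FromOrTo:\tdefault\tno")
    return "\n".join(lines) + "\n", rejected


def write_atomic(path, text):
    """Write beside the target, then rename, so a reload never sees half a file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".rules.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
            handle.flush()
            os.fsync(handle.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def update_rules(path, rows, value="yes", reload=False):
    """Rewrite the ruleset only when its content changed; return (changed, rejected)."""
    text, rejected = render_rules(rows, value)
    try:
        with open(path) as handle:
            changed = handle.read() != text
    except FileNotFoundError:
        changed = True
    if changed:
        write_atomic(path, text)
        if reload:
            # The signal asked about in the thread; "MailScanner reload" is the alternative.
            subprocess.run(["killall", "-HUP", "MailScanner"], check=True)
    return changed, rejected
```

Rejected rows are returned rather than written, so the calling job can log them and leave the previous ruleset in place if the count looks wrong.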