From supunr at lankacom.net Thu Apr 1 08:30:15 2010
From: supunr at lankacom.net (Supun Rathnayake)
Date: Thu Apr 1 08:30:34 2010
Subject: Spam-Virus Action ?
Message-ID: <4BB44B87.6060201@lankacom.net>

Dear All,

I believe that the newer MailScanner versions (I found the below text in
MailScanner.conf - version 4.79.11) have the ability to differentiate
between real Virus and Spam-Virus (ClamAV spam signatures) as below.

Is it possible to quarantine these messages straight away rather than
forwarding again for SPAM checking with SpamAssassin etc. so that we save
more CPU and time?

Abstract from MailScanner.conf:

# Some virus scanners now use their signatures to detect spam as well as
# viruses. These "viruses" are called "spam-viruses". When they are found
# the following header will be added to your message before it is passed to
# SpamAssassin, listing all the "spam-viruses" that were found as a comma-
# separated list.
# This can also be the filename of a ruleset.
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

# This defines which virus reports from your virus scanners are really the
# names of "spam-viruses" as described in the "Spam-Virus Header" section
# above. This is a space-separated list of strings which can contain "*"
# wildcards to mean "any string of characters", and which will match the
# whole name of the virus reported by your virus scanner. So for example
# "HTML/*" will match all virus names which start with the string "HTML/".
# The supplied example is suitable for F-Prot6 and the SaneSecurity
# databases for ClamAV. The test is case-sensitive.
# This cannot be a ruleset, it must be a simple value as described.
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*

-- 
With Best Regards,

Supun Rathnayake
Lanka communication Services (Pvt) Ltd.
65C, Dharmapala Mawatha,
Colombo 07.
Sri Lanka.
Tel: +94-11-2437545
http://www.lankacom.net
http://blog.lankacom.net

From prandal at herefordshire.gov.uk Thu Apr 1 10:59:35 2010
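Added example, not part of any message in this archive and not MailScanner code: a sketch of the matching rules the MailScanner.conf comments above describe for "Virus Names Which Are Spam" (space-separated patterns, "*" as the only wildcard, whole-name and case-sensitive match), applied to report lines in the "Clamd::INFECTED::" layout seen in this thread. The sample lines, the function names and the ", " separator used in the header value are assumptions made for illustration.

```python
import re

# Setting copied from the MailScanner.conf excerpt quoted in the message above.
VIRUS_NAMES_WHICH_ARE_SPAM = "Sane*UNOFFICIAL HTML/* *Phish*"

# Report-line layout as it appears in the MailScanner --lint output in this thread.
INFECTED_LINE = re.compile(
    r"^Clamd::INFECTED::\s*(?P<name>\S+)\s*::\s*(?P<path>.+)$"
)

# Constructed sample input. Only the first two signature names occur in the
# thread; the paths and the remaining names are made up for the example.
SAMPLE_REPORT = [
    "Virus and Content Scanning: Starting",
    "Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com",
    "Clamd::INFECTED:: ScamNailer.Phish.ypeXSgbo1s.UNOFFICIAL :: ./2/msg-body.txt",
    "Clamd::INFECTED:: Sanesecurity.Constructed.Example.UNOFFICIAL :: ./3/part.html",
    "Clamd::INFECTED:: html/Constructed.Example :: ./4/page.htm",
    "Clamd::INFECTED:: Constructed.phish.Example :: ./5/note.txt",
]


def compile_patterns(setting):
    """Compile the space-separated setting into regexes.

    Only "*" is a wildcard ("any string of characters"); every other
    character, including ".", "?" and "[", is matched literally, which is
    why a shell-glob matcher would not be equivalent here.
    """
    compiled = []
    for pattern in setting.split():
        literal_parts = [re.escape(part) for part in pattern.split("*")]
        compiled.append(re.compile(".*".join(literal_parts)))
    return compiled


def is_spam_virus(name, patterns):
    """True if a pattern matches the whole name (case-sensitive)."""
    return any(p.fullmatch(name) for p in patterns)


def classify_report(lines, setting=VIRUS_NAMES_WHICH_ARE_SPAM):
    """Split reported signature names into real viruses and spam-viruses."""
    patterns = compile_patterns(setting)
    result = {"virus": [], "spam-virus": []}
    for line in lines:
        match = INFECTED_LINE.match(line.strip())
        if match is None:
            continue  # not an infection report (status or error line)
        name = match["name"]
        kind = "spam-virus" if is_spam_virus(name, patterns) else "virus"
        result[kind].append(name)
    return result


def spam_virus_header(org_name, names):
    """Build the header named by "Spam-Virus Header" for a list of names.

    The config comment says the names are comma-separated; the space after
    each comma is an assumption of this example.
    """
    return "X-%s-MailScanner-SpamVirus-Report: %s" % (org_name, ", ".join(names))


if __name__ == "__main__":
    report = classify_report(SAMPLE_REPORT)
    print(report)
    print(spam_virus_header("example", report["spam-virus"]))
```

The lowercase "html/" and "phish" names stay in the virus list because the test is case-sensitive, and a name such as "NotSane.UNOFFICIAL" does not match "Sane*UNOFFICIAL" because the pattern has to cover the whole name.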
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Apr 1 10:59:50 2010
Subject: ClamAv 0.96 is out
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk>

Hi folks,

ClamAV 0.96 has been released.

Users upgrading from the rpmforge repo will need to edit their
clamd.conf files to get a working clamd (the change is trivial, to set
up the local socket details).

However, once I'd done all that, I got the following in MailScanner
--lint (version 4.80.1)

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Found spam-virus Eicar-Test-Signature in 1 at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 1091
Virus Scanning: Clamd found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================

Any ideas?

It's all working OK apart from this message.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on.
If you are not the intended recipient and have received this e-mail in
error, you are advised that any use, dissemination, forwarding, printing
or copying of this e-mail is strictly prohibited. If you have received
this e-mail in error please contact the sender immediately and destroy
all copies of it.

From prandal at herefordshire.gov.uk Thu Apr 1 11:41:24 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Apr 1 11:41:40 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk>

There's one other thing to check.

I ended up with both main.cld and main.cvd in /var/clamav

There should only be one of these.

To be safe, stop MailScanner, delete both, and run freshclam.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: 01 April 2010 11:00
To: mailscanner@lists.mailscanner.info
Subject: ClamAv 0.96 is out

Hi folks,

ClamAV 0.96 has been released.

Users upgrading from the rpmforge repo will need to edit their
clamd.conf files to get a working clamd (the change is trivial, to set
up the local socket details).

However, once I'd done all that, I got the following in MailScanner
--lint (version 4.80.1)

MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Found spam-virus Eicar-Test-Signature in 1 at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 1091
Virus Scanning: Clamd found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================

Any ideas?

It's all working OK apart from this message.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk
From pascal.maes at elec.ucl.ac.be Thu Apr 1 11:48:49 2010
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Thu Apr 1 11:49:12 2010
Subject: Question about ScamNailer
Message-ID: <61B11C6E-AD7C-4152-9C6A-7A3EA57C7EC1@elec.ucl.ac.be>

Hello,

When I send a message containing an email address, it is rejected for the following reason:

Apr 1 08:46:18 smtp-1 postfix/cleanup[15068]: 57A32E97EF: milter-reject: END-OF-MESSAGE from Ulysse.elec.ucl.ac.be[130.104.236.7]: 5.7.1 ClamAV: Virus ScamNailer.Phish.ypeXSgbo1s.UNOFFICIAL found; from= to= proto=ESMTP helo=


But when I try to find that email address in the files

emails.2010-134[.*]

I don't find anything


Why is my message rejected?


Thanks,
-- 
Pascal

From steveb_clamav at sanesecurity.com Thu Apr 1 12:15:57 2010
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Thu Apr 1 12:16:14 2010
Subject: Question about ScamNailer
In-Reply-To: <61B11C6E-AD7C-4152-9C6A-7A3EA57C7EC1@elec.ucl.ac.be>
References: <61B11C6E-AD7C-4152-9C6A-7A3EA57C7EC1@elec.ucl.ac.be>
Message-ID: <166081091b11052cfcb846884eb2c5fa.squirrel@saturn.dataflame.net>

>
> But when I try to find that email address in the files
>
> Why is my message rejected ?

Hi,

I'd check the database data of scamnailer.ndb, is it up-to-date?

The ScamNailer format is now like this:

ScamNailer.Phish.account_update_team_AT_hotmail.com

I've also typed the virus name into the decoder here, but it's not found:

http://sanesecurity.co.uk/decodesigs.htm

Cheers,

Steve
Sanesecurity

From pascal.maes at elec.ucl.ac.be Thu Apr 1 12:16:39 2010
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Thu Apr 1 12:17:09 2010
Subject: Question about ScamNailer
In-Reply-To: <61B11C6E-AD7C-4152-9C6A-7A3EA57C7EC1@elec.ucl.ac.be>
References: <61B11C6E-AD7C-4152-9C6A-7A3EA57C7EC1@elec.ucl.ac.be>
Message-ID: <46A126B9-6DB2-42AA-B074-AEB612235912@elec.ucl.ac.be>

On 1 Apr 2010, at 12:48, Pascal Maes wrote:

> Hello,
>
> When I send a message containing an email address, it is rejected for the following reason :
>
> Apr 1 08:46:18 smtp-1 postfix/cleanup[15068]: 57A32E97EF: milter-reject: END-OF-MESSAGE from Ulysse.elec.ucl.ac.be[130.104.236.7]: 5.7.1 ClamAV: Virus ScamNailer.Phish.ypeXSgbo1s.UNOFFICIAL found; from= to= proto=ESMTP helo=
>
>
> But when I try to find that email address in the files
>
> emails.2010-134[.*]
>
> I don't find anything
>
>
> Why is my message rejected ?
>
>
> Thanks,
> --
> Pascal
>

Well, it seems that "ScamNailer.Phish.ypeXSgbo1s" is related with the file emails.2010-134.3 which contains > n at gmail.com and all the messages rejected contain an email address ending with that string.

We are using clamav-096rc2

Regards,
-- 
Pascal

From NWL002 at shsu.edu Thu Apr 1 13:58:23 2010
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Thu Apr 1 13:58:34 2010
Subject: RBL Configuration
Message-ID: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>

Where in the MailScanner / Sendmail configuration could a particular RBL be configured? We received a notification that we are heavily utilizing a particular list, but can find no evidence on our edge boxes of it being configured (besides in spam.lists.conf which based on the config file translates the names of the "Spam List" values to the real DNS names of the spam blacklists).

Thanks,
Norman

From bpirie at rma.edu Thu Apr 1 14:03:20 2010
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Apr 1 14:03:40 2010
Subject: RBL Configuration
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>
References: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>
Message-ID: <4BB49998.4070603@rma.edu>

Norman,

"Spam List =" and "Spam Domain List =" are the MailScanner RBL settings.
Also be aware that default Spamassassin settings use multiple RBLs, so
it may be there that you need to make changes. An MTA can also be
configured to query RBLs directly, without MailScanner or Spamassassin's
involvement, but this is usually not the default.

Brendan

On 4/1/2010 8:58 AM, Laskie, Norman wrote:
> Where in the MailScanner / Sendmail configuration could a particular RBL be configured? We received a notification that we are heavily utilizing a particular list, but can find no evidence on our edge boxes of it being configured (besides in spam.lists.conf which based on the config file translates the names of the "Spam List" values to the real DNS names of the spam blacklists).
>
> Thanks,
> Norman
>
>

From ms-list at alexb.ch Thu Apr 1 14:14:05 2010
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Apr 1 14:14:14 2010
Subject: RBL Configuration
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>
References: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>
Message-ID: <4BB49C1D.7050907@alexb.ch>

On 2010-04-01 14:58, Laskie, Norman wrote:
> Where in the MailScanner / Sendmail configuration could a particular RBL be configured? We received a notification that we are heavily utilizing a particular list, but can find no evidence on our edge boxes of it being configured (besides in spam.lists.conf which based on the config file translates the names of the "Spam List" values to the real DNS names of the spam blacklists).

Could also be in Spamassassin

Which RBL warned you?

From maxsec at gmail.com Thu Apr 1 14:20:52 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Apr 1 14:21:02 2010
Subject: RBL Configuration
In-Reply-To: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>
References: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU>
Message-ID:

On 1 April 2010 13:58, Laskie, Norman wrote:

> Where in the MailScanner / Sendmail configuration could a particular RBL be
> configured? We received a notification that we are heavily utilizing a
> particular list, but can find no evidence on our edge boxes of it being
> configured (besides in spam.lists.conf which based on the config file
> translates the names of the "Spam List" values to the real DNS names of the
> spam blacklists).
>
> Thanks,
> Norman
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

More than likely it's SpamAssassin; if you've got the network access it'll
be using RBLs by default.

Check the rbl_tests in the SA rule space (should be wherever sa-update
drops the rules on your system) and give the one that's complaining a zero
score in your mailscanner.cf

-- 
Martin Hepworth
Oxford, UK

From NWL002 at shsu.edu Thu Apr 1 16:44:06 2010
From: NWL002 at shsu.edu (Laskie, Norman)
Date: Thu Apr 1 16:44:21 2010
Subject: RBL Configuration
In-Reply-To: <4BB49C1D.7050907@alexb.ch>
References: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B13@EXMBX.SHSU.EDU> <4BB49C1D.7050907@alexb.ch>
Message-ID: <8FAC1E47484E43469AA28DBF35C955E4BDDEA11B19@EXMBX.SHSU.EDU>

It was spamhaus. I have set the rule values to 0 in spam.assassin.rules.conf.. would this be the correct location?

score RCVD_IN_PBL 0
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0

Thanks again,
Norman

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
Sent: Thursday, April 01, 2010 8:14 AM
To: MailScanner discussion
Subject: Re: RBL Configuration

On 2010-04-01 14:58, Laskie, Norman wrote:
> Where in the MailScanner / Sendmail configuration could a particular RBL be configured? We received a notification that we are heavily utilizing a particular list, but can find no evidence on our edge boxes of it being configured (besides in spam.lists.conf which based on the config file translates the names of the "Spam List" values to the real DNS names of the spam blacklists).

Could also be in Spamassassin

Which RBL warned you?

From mark at msapiro.net Thu Apr 1 18:22:04 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Apr 1 18:22:15 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk>
Message-ID: <4BB4D63C.1050108@msapiro.net>

On 11:59 AM, Randal, Phil wrote:
> There's one other thing to check.
>
> I ended up with both main.cld and main.cvd in /var/clamav

Thanks very much for that hint. See below.

> ClamAV 0.96 has been released.
>
> Users upgrading from the rpmforge repo will need to edit their
> clamd.conf files to get a working clamd (the change is trivial, to set
> up the local socket details ).
>
> However, once I'd done all that, I got the following in MailScanner
> --lint (version 4.80.1)
>
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed:
> Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633

Does clamd drop privileges? If so does the clamd User have sufficient
permissions on /var/spool/MailScanner/incoming? Did you previously
comment out "User clamav" in clamd.conf and forget that change?

My situation was different. I did a yum update from the dag rpms, and
added the necessary LocalSocket to /etc/clamd.conf, and I couldn't start
clamd at all :(

I got:

Starting Clam AntiVirus Daemon: LibClamAV Error: cli_loadinfo: Digital signature not found
LibClamAV Error: Can't load main.info: Malformed database
LibClamAV Error: cli_tgzload: Can't load main.info
LibClamAV Error: Can't load /var/clamav/main.cld: Malformed database
ERROR: Malformed database

After some panic and even trying to remove the rpms and install 0.95.3,
I saw your note and removed /var/clamav/main.cld and updated again from
the new rpms and all is well, so thank you for that hint.

I don't see any problem when running MailScanner --lint.

-- 
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From pascal.maes at elec.ucl.ac.be Thu Apr 1 18:59:07 2010
From: pascal.maes at elec.ucl.ac.be (Pascal Maes)
Date: Thu Apr 1 18:59:20 2010
Subject: Question about ScamNailer
In-Reply-To: <166081091b11052cfcb846884eb2c5fa.squirrel@saturn.dataflame.net>
References: <61B11C6E-AD7C-4152-9C6A-7A3EA57C7EC1@elec.ucl.ac.be> <166081091b11052cfcb846884eb2c5fa.squirrel@saturn.dataflame.net>
Message-ID: <3EEEA037-93F5-4717-9F4B-0097B8FFC708@elec.ucl.ac.be>

On 1 Apr 2010, at 13:15, Steve Basford wrote:

>>
>> But when I try to find that email address in the files
>>
>> Why is my message rejected ?
>
> Hi,
>
> I'd check the database data of scamnailer.ndb, is it up-to-date?
>
> The ScamNailer format is now like this:
>
> ScamNailer.Phish.account_update_team_AT_hotmail.com
>
> I've also typed the virus name into the decoder here, but it's not found:
>
> http://sanesecurity.co.uk/decodesigs.htm
>
> Cheers,
>
> Steve
> Sanesecurity
>

Hello,

We are using the script ClamNailer and we have the version 1.00

This script downloads the emails files from http://www.mailscanner.tv and creates the scamnailer database from clamav.
The script has been modified to include some more addresses.

I think that the problem comes from the file emails.2010-134.3 which contains > n at gmail.com

Regards,
-- 
Pascal

From iulianld at gmail.com Fri Apr 2 09:31:31 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Fri Apr 2 09:31:40 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB4D63C.1050108@msapiro.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net>
Message-ID:

>> Other Checks: Found 1 problems
>> Virus and Content Scanning: Starting
>> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed:
>> Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633
>
>
> Does clamd drop privileges? If so does the clamd User have sufficient
> permissions on /var/spool/MailScanner/incoming? Did you previously
> comment out "User clamav" in clamd.conf and forget that change?
>

Same permission problem. Running on Centos 5.4; MailScanner version
4.79.11; Perl version 5.008008 (5.8.8); clamav/clamd 0.96-1.el5.rf
I have tried with

"Incoming Work Group = clamav"
"Incoming Work Permissions = 0640"

in MailScanner.conf but the error is still there.
I obtained better results modifying clamd.conf

"User root"

I'm not happy with this but at least it is working.
If someone has a better alternative please give me at least a hint.

Iulian L.D.

From marc at marcsnet.com Fri Apr 2 12:22:47 2010
From: marc at marcsnet.com (Marc Lucke)
Date: Fri Apr 2 12:23:05 2010
Subject: Emails Randomly Reaching Destination
In-Reply-To:
References: <001201cac764$e0891e20$a19b5a60$@com> <223f97701003190637p9613a21p55c9a6f1eee3b872@mail.gmail.com> <003701cac773$846c7fb0$8d457f10$@com>
Message-ID: <4BB5D387.6030403@marcsnet.com>

X-mine-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=6.239,
    required 5, BAYES_00 -1.00, DKIMREP 0.00, DKIM_SIGNED -0.10,
    DKIM_VERIFIED -0.50, DOMAINKEY_DOMAIN 1.00,
    HABEAS_ACCREDITED_SOI -4.30, HTML_MESSAGE 0.00,
    MISSING_MIME_HB_SEP 2.12, MSGID_FROM_MTA_HEADER 0.80,
    RCVD_IN_BSP_TRUSTED -4.30, SPF_PASS -1.00)

Huh? Anyone seen this or have any ideas?

From mark at msapiro.net Fri Apr 2 16:40:00 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Fri Apr 2 16:40:11 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net>
Message-ID: <4BB60FD0.8020907@msapiro.net>

On 11:59 AM, Iulian L Dragomir wrote:
>>> Other Checks: Found 1 problems
>>> Virus and Content Scanning: Starting
>>> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed:
>>> Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633
>>
>>
>> Does clamd drop privileges? If so does the clamd User have sufficient
>> permissions on /var/spool/MailScanner/incoming? Did you previously
>> comment out "User clamav" in clamd.conf and forget that change?
>>
>
> Same permission problem. Running on Centos 5.4; MailScanner version
> 4.79.11; Perl version 5.008008 (5.8.8); clamav/clamd 0.96-1.el5.rf
> I have tried with
>
> "Incoming Work Group = clamav"
> "Incoming Work Permissions = 0640"
>
> in MailScanner.conf but the error is still there.


You've set the group to 'clamav' but you haven't given the group write
permission. Try

Incoming Work Permissions = 0660

> I obtained better results modifying clamd.conf
>
> "User root"


This is the same as just removing or commenting "User clamav".

-- 
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan

From iulianld at gmail.com Fri Apr 2 22:03:10 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Fri Apr 2 22:03:19 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB60FD0.8020907@msapiro.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net>
Message-ID:

On Fri, Apr 2, 2010 at 6:40 PM, Mark Sapiro wrote:
> On 11:59 AM, Iulian L Dragomir wrote:
>>>> Other Checks: Found 1 problems
>>>> Virus and Content Scanning: Starting
>>>> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed:
>>>> Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633
>>>
>>>
>>> Does clamd drop privileges? If so does the clamd User have sufficient
>>> permissions on /var/spool/MailScanner/incoming? Did you previously
>>> comment out "User clamav" in clamd.conf and forget that change?
>>>
>>
>> Same permission problem. Running on Centos 5.4; MailScanner version
>> 4.79.11; Perl version 5.008008 (5.8.8); clamav/clamd 0.96-1.el5.rf
>> I have tried with
>>
>> "Incoming Work Group = clamav"
>> "Incoming Work Permissions = 0640"
>>
>> in MailScanner.conf but the error is still there.
>
>
> You've set the group to 'clamav' but you haven't given the group write
> permission. Try
>
> Incoming Work Permissions = 0660
>
>> I obtained better results modifying clamd.conf
>>
>> "User root"
>
>
> This is the same as just removing or commenting "User clamav".
>
> --
> Mark Sapiro                            The highway is for gamblers,
> San Francisco Bay Area, California     better use your sense - B. Dylan
>
>

A repeatable experiment is always a relevant experiment.
For relevant results I reinstalled MailScanner.

These are the steps I followed:

1. uninstall

   apt-get remove mailscanner # yes .. I use apt-get as a substitute for yum from time to time

2. clean up files left behind

   rm -rf /etc/MailScanner
   rm -rf /usr/lib/MailScanner
   rm -rf /var/spool/MailScanner

3. reinstall MS following the steps from
   http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html

4. fix broken packages

   yum remove perl-Storable # at least on Centos 5.4 it seems that perl obsoletes perl-Storable

5. fix distribution specific paths for clam update changing in

   /usr/lib/MailScanner/clamav-autoupdate the line
   $PackageDir = shift || "/usr/local";

   to
   $PackageDir = shift || "/usr";

   and in /etc/virus.scanners.conf the corresponding lines
   clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
   clamd /bin/false /usr/local

   to
   clamav /usr/lib/MailScanner/clamav-wrapper /usr
   clamd /bin/false /usr

6. matching the clamd socket from MailScanner.conf with the clamd
   socket from clamd.conf. In my case I have
   "Clamd Socket = /tmp/clamd.socket" in MailScanner.conf
   and
   "LocalSocket /tmp/clamd.socket" in clamd.conf


Test 1.

Without any other modification I started the daemons and did a
MailScanner --lint. Relevant result:

MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/18084
Virus Scanning: Clamd found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================

Test 2. (suggested solution by MailScanner.conf)

- stop the daemons
- edit the MailScanner.conf
  Incoming Work Group = clamav
  Incoming Work Permissions = 0640
- start the daemons
- MailScanner --lint with the result:

MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintJxQvbT/lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/20855
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================


Test 3 (suggested solution)

- stop the daemons
- edit the MailScanner.conf
  Incoming Work Group = clamav
  Incoming Work Permissions = 0660
- start the daemons
- MailScanner --lint with the result:

MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintmrDiJo/lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/23144
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================

As you can see the error was not fixed :(

Any other suggestions / hints?

Iulian L.D.

From inetadmin at ruraltel.net Fri Apr 2 22:11:19 2010
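Added example, not part of any message in this thread and not MailScanner or ClamAV code: a way to answer the question raised earlier in the thread (does the clamd user have sufficient permissions on the incoming work directory?) by reading the mode bits of each path component instead of repeating --lint runs. The directory tree, the uid and the group ids are constructed stand-ins, and ACLs and SELinux are not modelled.

```python
import os
import stat
import tempfile

NO_SEARCH = "no search (x) permission on directory"
NO_READ = "no read (r) permission"


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to a non-root uid/gids.

    Exactly one class is consulted: owner if the uid owns the object, else
    group if any of the process's groups matches, else other.
    """
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denial(root, relpath, uid, gids):
    """Walk root/relpath and report the first component that refuses access.

    Returns (component, reason) or None if the scanner could reach and read
    the target. 'root' itself is not checked. 'gids' must be the groups the
    scanning process really runs with, not just those listed for the user.
    """
    parts = [p for p in relpath.split("/") if p]
    current = root
    for index, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.lstat(current)
        bits = class_bits(st, uid, gids)
        component = "/".join(parts[: index + 1])
        is_target = index == len(parts) - 1
        if stat.S_ISDIR(st.st_mode) and not bits & 1:
            return (component, NO_SEARCH)
        if is_target and not bits & 4:
            return (component, NO_READ)
    return None


def demo():
    """Evaluate a constructed stand-in for incoming/<pid>/<message file>."""
    results = {}
    target = "incoming/17633/message"
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "incoming", "17633")
        os.makedirs(work)
        message = os.path.join(work, "message")
        with open(message, "w") as handle:
            handle.write("constructed sample\n")
        owner = os.lstat(message)
        scanner_uid = owner.st_uid + 1      # hypothetical scanner uid, not the owner
        in_group = {owner.st_gid}           # scanner shares the work group
        not_in_group = {owner.st_gid + 1}   # scanner lacks the work group
        os.chmod(os.path.join(root, "incoming"), 0o750)
        os.chmod(message, 0o640)
        cases = [
            ("work dir 0700, scanner in group", 0o700, in_group),
            ("work dir 0760, scanner in group", 0o760, in_group),
            ("work dir 0750, scanner in group", 0o750, in_group),
            ("work dir 0750, scanner not in group", 0o750, not_in_group),
        ]
        for label, mode, gids in cases:
            os.chmod(work, mode)
            results[label] = first_denial(root, target, scanner_uid, gids)
        os.chmod(work, 0o700)  # restore so the temporary tree can be removed
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome or "readable")
```

On a real system the same walk would start at / with the path from the --lint error, and with the uid and groups of the running clamd process.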
From: inetadmin at ruraltel.net (Clayton Keller)
Date: Fri Apr 2 22:11:30 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net>
Message-ID: <4BB65D77.2070900@ruraltel.net>

On 4/2/2010 4:03 PM, Iulian L Dragomir wrote:
> On Fri, Apr 2, 2010 at 6:40 PM, Mark Sapiro wrote:
>> On 11:59 AM, Iulian L Dragomir wrote:
>>>>> Other Checks: Found 1 problems
>>>>> Virus and Content Scanning: Starting
>>>>> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed:
>>>>> Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633
>>>>
>>>>
>>>> Does clamd drop privileges? If so does the clamd User have sufficient
>>>> permissions on /var/spool/MailScanner/incoming? Did you previously
>>>> comment out "User clamav" in clamd.conf and forget that change?
>>>>
>>>
>>> Same permission problem. Running on Centos 5.4; MailScanner version
>>> 4.79.11; Perl version 5.008008 (5.8.8); clamav/clamd 0.96-1.el5.rf
>>> I have tried with
>>>
>>> "Incoming Work Group = clamav"
>>> "Incoming Work Permissions = 0640"
>>>
>>> in MailScanner.conf but the error is still there.
>>
>>
>> You've set the group to 'clamav' but you haven't given the group write
>> permission. Try
>>
>> Incoming Work Permissions = 0660
>>
>>> I obtained better results modifying clamd.conf
>>>
>>> "User root"
>>
>>
>> This is the same as just removing or commenting "User clamav".
>>
>> --
>> Mark Sapiro                            The highway is for gamblers,
>> San Francisco Bay Area, California     better use your sense - B. Dylan
>>
>>
>
> A repeatable experiment is always a relevant experiment.
> For relevant results I reinstalled MailScanner.
>
> These are the steps I followed:
>
> 1. uninstall
>
> apt-get remove mailscanner # yes .. I use apt-get as a
> substitute for yum from time to time
>
> 2. clean up files left behind
>
> rm -rf /etc/MailScanner
> rm -rf /usr/lib/MailScanner
> rm -rf /var/spool/MailScanner
>
> 3. reinstall MS following the steps from
> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
>
> 4. fix broken packages
>
> yum remove perl-Storable # at least on Centos 5.4 it seems that
> perl obsoletes perl-Storable
>
> 5. fix distribution specific paths for clam update changing in
>
>
> /usr/lib/MailScanner/clamav-autoupdate the line
> $PackageDir = shift || "/usr/local";
>
> to
> $PackageDir = shift || "/usr";
>
>
> and in /etc/virus.scanners.conf the corresponding lines
> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> clamd /bin/false /usr/local
>
> to
> clamav /usr/lib/MailScanner/clamav-wrapper /usr
> clamd /bin/false /usr
>
> 6. matching the clamd socket from MailScanner.conf with the clamd
> socket from clamd.conf. In my case I have
> "Clamd Socket = /tmp/clamd.socket" in MailScanner.conf
> and
> "LocalSocket /tmp/clamd.socket" in clamd.conf
>
>
> Test 1.
>
> Without any other modification I started the daemons and did a
> MailScanner --lint. Relevant result:
>
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission
> denied. ERROR :: /var/spool/MailScanner/incoming/18084
> Virus Scanning: Clamd found 1 infections
> Virus Scanning: Found 1 viruses
> ===========================================================================
>
> Test 2. (suggested solution by MailScanner.conf)
>
> - stop the daemons
> - edit the MailScanner.conf
> Incoming Work Group = clamav
> Incoming Work Permissions = 0640
> - start the daemons
> - MailScanner --lint with the result:
>
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintJxQvbT/lstat() failed:
> Permission denied. ERROR :: /var/spool/MailScanner/incoming/20855
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
>
>
> Test 3 (suggested solution)
>
> - stop the daemons
> - edit the MailScanner.conf
> Incoming Work Group = clamav
> Incoming Work Permissions = 0660
> - start the daemons
> - MailScanner --lint with the result:
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd
>
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintmrDiJo/lstat() failed:
> Permission denied. ERROR :: /var/spool/MailScanner/incoming/23144
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
>
> As you can see the error was not fixed :(
>
> Any other suggestions / hints?
>
> Iulian L.D.

I have similar issues in the past.
Who's the owner/group of the directory the user clamav is trying to access and scan from?

In your instance: var/spool/MailScanner/incoming/23144

I've had similar issues, not MailScanner related, but had to include the clamav group as a part of that group as well.

For instance you had a mailscanner group that had access to that directory that group would include the clamav group as such:

/etc/group:
...
mailscanner:x:101:clamav

Just a thought...

From ms-list at alexb.ch Fri Apr 2 22:17:45 2010
From: ms-list at alexb.ch (Alex Broens) Date: Fri Apr 2 22:17:56 2010 Subject: ClamAv 0.96 is out In-Reply-To: <4BB65D77.2070900@ruraltel.net> References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> Message-ID: <4BB65EF9.1030705@alexb.ch> On 2010-04-02 23:11, Clayton Keller wrote: > On 4/2/2010 4:03 PM, Iulian L Dragomir wrote: >> On Fri, Apr 2, 2010 at 6:40 PM, Mark Sapiro wrote: >>> On 11:59 AM, Iulian L Dragomir wrote: >>>>>> Other Checks: Found 1 problems >>>>>> Virus and Content Scanning: Starting >>>>>> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintdwYGUC/lstat() failed: >>>>>> Permission denied. ERROR :: /var/spool/MailScanner/incoming/17633 >>>>> >>>>> >>>>> Does clamd drop privileges? If so does the clamd User have sufficient >>>>> permissions on /var/spool/MailScanner/incoming? Did you previously >>>>> comment out "User clamav" in clamd.conf and forget that change? >>>>> >>>> >>>> Same permission problem. Running on Centos 5.4; MailScanner version >>>> 4.79.11; Perl version 5.008008 (5.8.8); calmav/clamd 0.96-1.el5.rf >>>> I have tried with >>>> >>>> "Incoming Work Group = clamav" >>>> "Incoming Work Permissions = 0640" >>>> >>>> in MailScaneer.conf but the error is still there. >>> >>> >>> You've set the group to 'clamav' but you haven't given the group write >>> permission. Try >>> >>> Incoming Work Permissions = 0660 >>> >>>> I obtained better results modifying clamd.conf >>>> >>>> "User root" >>> >>> >>> This is the same as just removing or commenting "User clamav". >>> >>> -- >>> Mark Sapiro The highway is for gamblers, >>> San Francisco Bay Area, California better use your sense - B. Dylan >>> >>> >> >> An repeatable experiment is always a relevant experiment. >> For relevant results i reinstalled MailScanner. >> >> This are the steps i followed: >> >> 1. 
uninstall >> >> apt-get remove mailscanner # yes .. i use apt-get as a >> substitute for yum from time to time >> >> 2. clean up files left behind >> >> rm -rf /etc/MailScanner >> rm -rf /usr/lib/MailScanner >> rm -rf /var/spool/MailScanner >> >> 3. reinstall MS following the steps from >> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html >> >> >> 4. fix broken packages >> >> yum remove perl-Storable # at least on Centos 5.4 it seams that >> perl obsoletes perl-Storable >> >> 5. fix distribution specific paths for clam update changing in >> >> >> /usr/lib/MailScanner/clamav-autoupdate the line >> $PackageDir = shift || "/usr/local"; >> >> to >> $PackageDir = shift || "/usr"; >> >> >> and in /etc/virus.scanners.conf the coresponding lines >> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local >> clamd /bin/false /usr/local >> >> to >> clamav /usr/lib/MailScanner/clamav-wrapper /usr >> clamd /bin/false /usr >> >> 6. matching the clamd socket from MailScanner.conf with the clamd >> socket from clamd.conf. In my case i have >> "Clamd Socket = /tmp/clamd.socket" in MailScanner.conf >> and >> "LocalSocket /tmp/clamd.socket" in clamd.conf >> >> >> Test 1. >> >> without any other modification i start the demons and did a >> MailScanner --lint. Relevant result: >> >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: clamd >> =========================================================================== >> >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission >> denied. ERROR :: /var/spool/MailScanner/incoming/18084 >> Virus Scanning: Clamd found 1 infections >> Virus Scanning: Found 1 viruses >> =========================================================================== >> >> >> Test 2. 
( suggested solution by MailScanner.conf ) >> >> - stop the demons >> - edit the MailScanner.conf >> Incoming Work Group = clamav >> Incoming Work Permissions = 0640 >> - start the demons >> - MailScanner --lint with the result: >> >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: clamd >> =========================================================================== >> >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintJxQvbT/lstat() failed: >> Permission denied. ERROR :: /var/spool/MailScanner/incoming/20855 >> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 2 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 2 viruses >> =========================================================================== >> >> >> >> Test 3 (suggested solution) >> >> - stop the demons >> - edit the MailScanner.conf >> Incoming Work Group = clamav >> Incoming Work Permissions = 0660 >> - start the demons >> - MailScanner --lint with the result: >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: clamd >> >> =========================================================================== >> >> Filename Checks: Windows/DOS Executable (1 eicar.com) >> Other Checks: Found 1 problems >> Virus and Content Scanning: Starting >> Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlintmrDiJo/lstat() failed: >> Permission denied. ERROR :: /var/spool/MailScanner/incoming/23144 >> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com >> Virus Scanning: Clamd found 2 infections >> Infected message 1 came from 10.1.1.1 >> Virus Scanning: Found 2 viruses >> =========================================================================== >> >> >> as you can see the error was not fixed :( >> >> any other suggestions / hints ? >> >> Iulian L.D. 
>
> I have similar issues in the past. Who's the owner/group of the
> directory the user clamav is trying to access and scan from?
>
> In your instance: var/spool/MailScanner/incoming/23144
>
> I've had similar issues, not MailScanner related, but had to include the
> clamav group as a part of that group as well.
>
> For instance you had a mailscanner group that had access to that
> directory that group would include the clamav group as such:
>
> /etc/group:
> ....
> mailscanner:x:101:clamav
>
> Just a thought...
>

often a good option:

clamd.conf

#AllowSupplementaryGroups no
AllowSupplementaryGroups yes

Alex

From iulianld at gmail.com Fri Apr 2 23:00:53 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Fri Apr 2 23:01:02 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB65EF9.1030705@alexb.ch>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch>
Message-ID:

on my test system i have:

/var/spool/Mailscanner contains 2 folders

name        perms       owner  group
=============================
incoming    drwxr-xr-x  root   clamav
quarantine  drwxr-xr-x  root   root

/var/spool/Mailscanner/incoming contains :

name                   perms       owner  group
=============================
22715                  drwxrwx---  root   clamav
22779                  drwxrwx---  root   clamav
22837                  drwxrwx---  root   clamav
22894                  drwxrwx---  root   clamav
22951                  drwxrwx---  root   clamav
Locks                  drwxr-x---  root   root
SpamAssassin-Temp      drwx------  root   root
Processing.db          -rw-------  root   root
SpamAssassin.cache.db  -rw-------  root   root

as such it looks that the clamav group have the necessary rights to access the mailscanner incoming folders (the 22xxx folders )

Also MailScanner is running as root so the suggestion related to

/etc/group:
...
mailscanner:x:101:clamav

is not helping ... i do not even have a user named mailscanner

clamd.conf have the setting for supplementary groups enabled by default. That is one of the things i already verified.

From brian at tyler.com Fri Apr 2 23:00:50 2010
From: brian at tyler.com (Brian Cullins)
Date: Fri Apr 2 23:01:27 2010
Subject: ClamAV Upgrade Issues
Message-ID: <01c401cad2af$f5fdef50$e1f9cdf0$@com>

After upgrading to Spamassassin 3.3.0, it is now broken. MailScanner scans mail and delivers it as if the "Use Spamassassin" pref is set to "No". I have reverted to the older version of SA and even installed the latest beta of MS and it is still broken...any ideas?

Thanks,
Brian Cullins

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From brian at tyler.com Fri Apr 2 23:03:24 2010
From: brian at tyler.com (Brian Cullins)
Date: Fri Apr 2 23:04:02 2010
Subject: ClamAV Upgrade Issues
Message-ID: <01c901cad2b0$521cb2d0$f6561870$@com>

I'm trying to upgrade ClamAV on one of my older machines (FC10) but it errors when it gets to Mail::ClamAV module. It complains that my version is too old:

The clamav version you are using is too old. Please upgrade to at least 0.95.1
make: *** No targets specified and no makefile found. Stop.

It thinks my version is .94 for some reason. I have tried removing clamav using yum and also removed every clamav file I could find. If I install 0.95.1 from an rpm, it seems to install with no problems but Mail::ClamAV will still complain about the version. Any ideas what may cause this?

Thanks,
Brian Cullins

From mikael at syska.dk Fri Apr 2 23:40:18 2010
From: mikael at syska.dk (Mikael Syska)
Date: Fri Apr 2 23:40:31 2010
Subject: ClamAV Upgrade Issues
In-Reply-To: <01c401cad2af$f5fdef50$e1f9cdf0$@com>
References: <01c401cad2af$f5fdef50$e1f9cdf0$@com>
Message-ID:

Hi,

MailScanner --lint
spamassassin --lint
sa-update

and read the mailing list ... maybe there are some ideas what could be wrong.

mvh

On Sat, Apr 3, 2010 at 12:00 AM, Brian Cullins wrote:
> After upgrading to Spamassassin 3.3.0, it is now broken. MailScanner scans
> mail and delivers it as if the "Use Spamassassin" pref is set to "No". I
> have reverted to the older version of SA and even installed the latest beta
> of MS and it is still broken...any ideas?
>
> Thanks,
>
> Brian Cullins
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

From brian at tyler.com Fri Apr 2 23:59:05 2010
From: brian at tyler.com (Brian Cullins)
Date: Fri Apr 2 23:59:37 2010
Subject: ClamAV Upgrade Issues
In-Reply-To: <01c401cad2af$f5fdef50$e1f9cdf0$@com>
References: <01c401cad2af$f5fdef50$e1f9cdf0$@com>
Message-ID: <01e901cad2b8$18795260$496bf720$@com>

ignore this pls...or delete it.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brian Cullins
Sent: Friday, April 02, 2010 5:01 PM
To: mailscanner@lists.mailscanner.info
Subject: ClamAV Upgrade Issues

After upgrading to Spamassassin 3.3.0, it is now broken. MailScanner scans mail and delivers it as if the "Use Spamassassin" pref is set to "No". I have reverted to the older version of SA and even installed the latest beta of MS and it is still broken...any ideas?

Thanks,
Brian Cullins

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From mark at msapiro.net Sat Apr 3 01:07:22 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Apr 3 01:07:36 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch>
Message-ID: <4BB686BA.1000607@msapiro.net>

On 4/2/2010 11:01 PM, Iulian L Dragomir wrote:
> on my test system i have:
>
> /var/spool/Mailscanner contains 2 folders
>
> name perms owner group
> =============================
> incoming drwxr-xr-x root clamav

chmod g+w incoming

> quarantine drwxr-xr-x root root
>
> /var/spool/Mailscanner/incoming contains :
>
> name perms owner group
> =============================
> 22715 drwxrwx--- root clamav
> 22779 drwxrwx--- root clamav
> 22837 drwxrwx--- root clamav
> 22894 drwxrwx--- root clamav
> 22951 drwxrwx--- root clamav
> Locks drwxr-x--- root root
> SpamAssassin-Temp drwx------- root root
> Processing.db -rw------- root root
> SpamAssassin.cache.db -rw------- root root
>
> as such it looks that the clamav group have the necessary rights to
> access the mailscanner incoming folders (the 22xxx folders )

Those 22xxx folders are named for the PIDs of the process that creates them. Each new MailScanner --lint is a new PID which tries to create a new directory, but it can't because the group doesn't have write permission on the directory.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From mark at msapiro.net Sat Apr 3 01:18:33 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Apr 3 01:18:45 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB686BA.1000607@msapiro.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net>
Message-ID: <4BB68959.9060008@msapiro.net>

On 4/2/2010 5:07 PM, Mark Sapiro wrote:
>
> Those 22xxx folders are named for the PIDs of the process that creates
> them. Each new MailScanner --lint is a new PID which tries to create a
> new directory, but it can't because the group doesn't have write
> permission on the directory.

Upon rereading, I see the above is perhaps ambiguous. I meant to say

    Each new MailScanner --lint is a new PID which tries to create a
    new incoming/ppppp directory, but it can't because the group doesn't
    have write permission on the incoming/ directory.

But now I'm not sure if that's a correct explanation since MailScanner should have permission and clamd's pid should be fixed, but still I think the incoming/ directory should be g+w.

--
Mark Sapiro                           The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From iulianld at gmail.com Sat Apr 3 05:05:20 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Sat Apr 3 05:05:29 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB68959.9060008@msapiro.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

On Sat, Apr 3, 2010 at 3:18 AM, Mark Sapiro wrote:
> On 4/2/2010 5:07 PM, Mark Sapiro wrote:
>>
>> Those 22xxx folders are named for the PIDs of the process that creates
>> them. Each new MailScanner --lint is a new PID which tries to create a
>> new directory, but it can't because the group doesn't have write
>> permission on the directory.
>
>
> Upon rereading, I see the above is perhaps ambiguous. I meant to say
>
> Each new MailScanner --lint is a new PID which tries to create a
> new incoming/ppppp directory, but it can't because the group doesn't
> have write permission on the incoming/ directory.
>
> But now I'm not sure if that's a correct explanation since MailScanner
> should have permission and clamd's pid should be fixed, but still I
> think the incoming/ directory should be g+w.
>

I changed the permission of the incoming dir. Now it can be written by the group members. I still have in MailScanner.conf the settings "Incoming Work Group = clamav" and "Incoming Work Permissions = 0660"

name      perms       owner  group
=============================
incoming  drwxrwxr-x  root   clamav

MailScanner --lint continue to produce the undesirable result:

MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlint8Gqn77/lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/13434
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================

Any other suggestions ?

From maillists at conactive.com Sat Apr 3 13:02:20 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 3 13:02:31 2010
Subject: ClamAV Upgrade Issues
In-Reply-To: <01c901cad2b0$521cb2d0$f6561870$@com>
References: <01c901cad2b0$521cb2d0$f6561870$@com>
Message-ID:

Brian Cullins wrote on Fri, 2 Apr 2010 17:03:24 -0500:

> Mail::ClamAV module

Do not use it, AFAIK it's outdated. User clamd. Searching the archive of this list should have revealed that.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Apr 3 13:51:52 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 3 13:52:05 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

Iulian L Dragomir wrote on Sat, 3 Apr 2010 07:05:20 +0300:

> Any other suggestions ?

This is weird. I've just upgraded and thought I would be able to identify the problem quickly and set it. But, alas, there is really nothing so far that is working. I upped the incoming permissions even to 777 and saw no change, I added clamav to the postfix group (and vice versa), I added g+w to the incoming directory itself. No change.

Suggestions on how to get the permissions for the bottom-most working dir? If I knew these that might help to identify the problem. But I'm not able to catch these settings, it's too quick.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Apr 3 14:18:05 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 3 14:18:15 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB68959.9060008@msapiro.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

Mark Sapiro wrote on Fri, 02 Apr 2010 17:18:33 -0700:

> Each new MailScanner --lint is a new PID which tries to create a
> new incoming/ppppp directory, but it can't because the group doesn't
> have write permission on the incoming/ directory.
>
> But now I'm not sure if that's a correct explanation since MailScanner
> should have permission and clamd's pid should be fixed, but still I
> think the incoming/ directory should be g+w.

can I think the point is that it worked before the upgrade, but not after. So, it cannot have something to do with MailScanner not being able to write that directory. It surely can! With the *old* permission settings.

This is clamd having some kind of traversal problem (that's also why Iulian's temporary solution to set it to run as root works). man lstat says you need x permissions for all directories in the path. Everyone has down to incoming. The workdir has if you set to Incoming Work Permissions = 0666 for instance. Now all directories except the topmost can be traversed by anyone.

Conclusion: clamd is either not picking up the clamav group in this context (although it's running as group clamav) or the bottom-most directory gets different permission/group than the dir, such that an x permission for the group or the clamav group is missing.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Sat Apr 3 14:29:16 2010
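The traversal rule cited in the message above (lstat() needs x on every directory in the path) can be checked mechanically. The following is an added example, not code from the thread, MailScanner or ClamAV: it finds the first directory that blocks a given uid and group set. The modes of `incoming` and `23144` are the ones in Iulian's listing; the numeric ids, the mode and group of `MSlintmrDiJo` and the target file name are constructed assumptions, since the thread never captured them.

```python
#!/usr/bin/env python3
"""Find the first directory that stops an identity from lstat()ing a path.

Models classic Unix mode bits only (no ACLs, no SELinux); uid 0 bypasses them.
"""
import os
import stat
from typing import List, NamedTuple, Optional, Set


class Entry(NamedTuple):
    path: str
    mode: int  # st_mode, file-type bits included
    uid: int
    gid: int


def applicable_bits(entry: Entry, uid: int, gids: Set[int]) -> int:
    """Return the single rwx triplet consulted for this identity.

    Exactly one class applies: owner if the uid matches, else group if any
    gid matches, else other. A matching owner never falls back to group.
    """
    if uid == entry.uid:
        return (entry.mode >> 6) & 0o7
    if entry.gid in gids:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def first_blocker(chain: List[Entry], uid: int, gids: Set[int]) -> Optional[Entry]:
    """chain runs from "/" down to the target, which is the last element.

    lstat() needs search (x) permission on every directory above the target
    and no permission on the target itself.
    """
    if uid == 0:
        return None  # root is not subject to the mode-bit check
    for entry in chain[:-1]:
        if not stat.S_ISDIR(entry.mode):
            return entry  # a non-directory in the middle of a path
        if not applicable_bits(entry, uid, gids) & 0o1:
            return entry
    return None


def stat_chain(path: str) -> List[Entry]:
    """Collect Entry tuples for a real path (run as root so every level can be read)."""
    levels = [os.path.abspath(path)]
    while os.path.dirname(levels[-1]) != levels[-1]:
        levels.append(os.path.dirname(levels[-1]))
    chain = []
    for level in reversed(levels):
        st = os.lstat(level)
        chain.append(Entry(level, st.st_mode, st.st_uid, st.st_gid))
    return chain


# --- constructed sample data: none of these numeric ids come from the thread ---
ROOT_ID, CLAMAV_UID, CLAMAV_GID, OTHER_GID = 0, 100, 101, 102
DIR = stat.S_IFDIR
WORK = "/var/spool/MailScanner/incoming/23144"


def sample_chain(lint_mode: int, lint_gid: int) -> List[Entry]:
    """Path to a file inside the --lint subdirectory; its mode/group are parameters."""
    return [
        Entry("/", DIR | 0o755, ROOT_ID, ROOT_ID),
        Entry("/var", DIR | 0o755, ROOT_ID, ROOT_ID),
        Entry("/var/spool", DIR | 0o755, ROOT_ID, ROOT_ID),
        Entry("/var/spool/MailScanner", DIR | 0o755, ROOT_ID, ROOT_ID),
        Entry("/var/spool/MailScanner/incoming", DIR | 0o755, ROOT_ID, CLAMAV_GID),  # listed in thread
        Entry(WORK, DIR | 0o770, ROOT_ID, CLAMAV_GID),                               # listed in thread
        Entry(WORK + "/MSlintmrDiJo", DIR | lint_mode, ROOT_ID, lint_gid),           # assumption
        Entry(WORK + "/MSlintmrDiJo/sample", stat.S_IFREG | 0o660, ROOT_ID, lint_gid),  # constructed name
    ]


if __name__ == "__main__":
    clam = {CLAMAV_GID}
    cases = [
        ("lint dir 0770 root:clamav, clamd as clamav", sample_chain(0o770, CLAMAV_GID), CLAMAV_UID, clam),
        ("lint dir 0700 root:root, clamd as clamav", sample_chain(0o700, ROOT_ID), CLAMAV_UID, clam),
        ("lint dir 0700 root:root, clamd as root", sample_chain(0o700, ROOT_ID), ROOT_ID, {ROOT_ID}),
        ("lint dir 0770 root:other, primary group only", sample_chain(0o770, OTHER_GID), CLAMAV_UID, clam),
        ("lint dir 0770 root:other, with supplementary", sample_chain(0o770, OTHER_GID), CLAMAV_UID, clam | {OTHER_GID}),
    ]
    for label, chain, uid, gids in cases:
        hit = first_blocker(chain, uid, gids)
        verdict = "ok" if hit is None else f"blocked at {hit.path} ({stat.filemode(hit.mode)})"
        print(f"{label}: {verdict}")
```

On a live host, `first_blocker(stat_chain(path), uid, gids)` run as root answers the same question for a real path, using the uid and group list that `id clamav` reports.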
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 3 14:29:27 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

I've come to the preliminary conclusion that this is a problem with --lint only. I'm not seeing any complaints from clamd in warn unless I do a --lint. --lint must be setting ownership/permissions slightly different from the worker code - e.g. it's a bug in the --lint code.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From doc at maddoc.net Sat Apr 3 14:45:19 2010
From: doc at maddoc.net (Doc Schneider)
Date: Sat Apr 3 14:45:30 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID: <4BB7466F.8050307@maddoc.net>

Kai Schaetzl wrote:
> I've come to the preliminary conclusion that this is a problem with --lint
> only. I'm not seeing any complaints from clamd in warn unless I do a
> --lint. --lint must be setting ownership/permissions slightly different
> from the worker code - e.g. it's a bug in the --lint code.
>
> Kai
>

Yeah I've pretty much come to the same conclusion. Something about the MailScanner --lint is not doing the correct permissions.

I've stopped my clamd service and started clamd --debug but it doesn't complain. Go figure. I think the ClamAV team might have changed some return codes with MailScanner is not seeing right. I know there was something on the clamav-users list about freshclam having some return codes changed.

--
-Doc

Lincoln, NE.
http://www.fsl.com/
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From maillists at conactive.com Sat Apr 3 17:21:18 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 3 17:21:29 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB7466F.8050307@maddoc.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net> <4BB7466F.8050307@maddoc.net>
Message-ID:

Doc Schneider wrote on Sat, 03 Apr 2010 08:45:19 -0500:

> I've stopped my clamd service and started clamd --debug but it doesn't
> complain. Go figure. I think the ClamAV team might have changed some
> return codes with MailScanner is not seeing right. I know there was
> something on the clamav-users list about freshclam having some return
> codes changed.

Perhaps this lstat() call is new?

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From doc at maddoc.net Sat Apr 3 17:47:51 2010
From: doc at maddoc.net (Doc Schneider)
Date: Sat Apr 3 17:48:03 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net> <4BB7466F.8050307@maddoc.net>
Message-ID: <4BB77137.3090407@maddoc.net>

Kai Schaetzl wrote:
> Doc Schneider wrote on Sat, 03 Apr 2010 08:45:19 -0500:
>
>> I've stopped my clamd service and started clamd --debug but it doesn't
>> complain. Go figure. I think the ClamAV team might have changed some
>> return codes with MailScanner is not seeing right. I know there was
>> something on the clamav-users list about freshclam having some return
>> codes changed.
>
> Perhaps this lstat() call is new?
>
> Kai
>

Nope lstat has been in there for a long time. Jules may have changed the way it works in the later versions? I spoke to someone using postfix and an older version of MailScanner and they aren't having this issue. I'm running mine using the latest Beta with sendmail and smtpf. I'll try it with the latest stable to be sure it isn't something in the beta code causing this, I doubt it but never hurts to try.

Although I think it is a harmless error and clamd is still scanning.

--
-Doc

Lincoln, NE.
http://www.fsl.com/
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From maillists at conactive.com Sat Apr 3 21:31:20 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 3 21:31:36 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <4BB77137.3090407@maddoc.net>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45429633@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net> <4BB7466F.8050307@maddoc.net> <4BB77137.3090407@maddoc.net>
Message-ID:

Doc Schneider wrote on Sat, 03 Apr 2010 11:47:51 -0500:

> Nope lstat has been in there for a long time. Jules may have changed the
> way it works in the later versions?

I'm talking of lstat() in clamd. It sounds like you think I thought of MS.

> I spoke to someone using postfix and
> an older version of MailScanner and they aren't having this issue.

That is to be expected as MS changed from using a fixed working dir to a dir changing each time some months ago.

> I'll try
> it with the latest stable to be sure it isn't something in the beta code
> causing this, I doubt it but never hurts to try.

I'm using the latest stable. There is something new in clamd and I think that's an additional lstat() call that wasn't there before. Or nobody noticed this harmless error earlier and it only gets attention because of the new clamav. I can't say if I saw it before. I haven't run MS --lint for some time as I don't need to, MS is always working for me -)

Let's wait what Jules has to say next week :-)

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From iulianld at gmail.com Mon Apr 5 11:29:16 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Mon Apr 5 11:29:25 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net> <4BB7466F.8050307@maddoc.net> <4BB77137.3090407@maddoc.net>
Message-ID:

I made one more test.

Test 4

I uninstalled the 0.96 version of clamav / clamd and installed the old one
( 0.95.3-1.el5.rf). I cleaned up the signature folder and set up the local
socket details.

I changed back the permission for the /var/spool/MailScanner/incoming to :

name      perms       owner  group
=============================
incoming  drwxr-xr-x  root   clamav

Also I changed in MailScanner.conf the settings of incoming work dir to:

Incoming Work Group = clamav
Incoming Work Permissions = 0640

The reason is this : for pattern matching reading rights of the PID folders
should be sufficient.

MailScanner --lint is producing now the following results:

...
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
...

It looks to me that the error is clamd version 0.96 related.

Iulian L.D.

From brose at med.wayne.edu Mon Apr 5 16:54:51 2010
From: brose at med.wayne.edu (Rose, Bobby)
Date: Mon Apr 5 16:55:24 2010
Subject: New Mass Mailing Virus making rounds?
Message-ID:

Is anyone aware of a new virus making rounds? The number of rejected smtp
connections on my MXs went thru the roof around 8pm EST Sunday night and
into today. Rejections are due to no PTRs and obvious bogus non-existing
domains in many cases hundreds of random return addresses from the same
sending IP. I googled and such and I'm not coming across any discussions of
some new worm so now I'm curious if any other MailScanner users have seen
this and have any info.

-=B

________________________________
This document may include proprietary and confidential information of Wayne State University Physician Group and may only be read by those person(s) to whom it is addressed. If you have received this e-mail message in error, please notify us immediately. This document may not be reproduced, copied, distributed, published, modified or furnished to third parties, without prior written consent of Wayne State University Physician Group. Thank you.

From uxbod at splatnix.net Mon Apr 5 17:39:03 2010
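An added example, not part of any post in this thread: one way to confirm from MTA logs the pattern described above, many rejected envelope senders with almost no repeated domain coming from a single relay IP. The log lines are constructed in the style of sendmail `check_mail` rejections (an assumed format; adjust the regular expression to your MTA), using the relay and return addresses quoted later in the thread plus a documentation-range address for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: five rejects from the relay quoted in the thread, three
# from a documentation-range IP that keeps using one sender domain, and one
# accepted message that must be ignored.
SAMPLE_LOG = """\
Apr  5 20:01:11 mx1 sendmail[4101]: ruleset=check_mail, arg1=<gyfvzpajoy@2Z4Zn_ti.com>, relay=adsl-99-39-203-126.dsl.chcgil.sbcglobal.net [99.39.203.126], reject=553 5.1.8 <gyfvzpajoy@2Z4Zn_ti.com>... Domain of sender address gyfvzpajoy@2Z4Zn_ti.com does not exist
Apr  5 20:01:12 mx1 sendmail[4102]: ruleset=check_mail, arg1=<shasgpuqc@e05NR_bB.com>, relay=adsl-99-39-203-126.dsl.chcgil.sbcglobal.net [99.39.203.126], reject=553 5.1.8 <shasgpuqc@e05NR_bB.com>... Domain of sender address shasgpuqc@e05NR_bB.com does not exist
Apr  5 20:01:14 mx1 sendmail[4103]: ruleset=check_mail, arg1=<bfdiutkvwg@BkE906Sh.com>, relay=adsl-99-39-203-126.dsl.chcgil.sbcglobal.net [99.39.203.126], reject=553 5.1.8 <bfdiutkvwg@BkE906Sh.com>... Domain of sender address bfdiutkvwg@BkE906Sh.com does not exist
Apr  5 20:01:15 mx1 sendmail[4104]: ruleset=check_mail, arg1=<yyizeckfyn@7oGw8VY.com>, relay=adsl-99-39-203-126.dsl.chcgil.sbcglobal.net [99.39.203.126], reject=553 5.1.8 <yyizeckfyn@7oGw8VY.com>... Domain of sender address yyizeckfyn@7oGw8VY.com does not exist
Apr  5 20:01:17 mx1 sendmail[4105]: ruleset=check_mail, arg1=<vgnnsxdads@3U1HR1T.com>, relay=adsl-99-39-203-126.dsl.chcgil.sbcglobal.net [99.39.203.126], reject=553 5.1.8 <vgnnsxdads@3U1HR1T.com>... Domain of sender address vgnnsxdads@3U1HR1T.com does not exist
Apr  5 20:02:40 mx1 sendmail[4110]: ruleset=check_mail, arg1=<news@list.example.org>, relay=[192.0.2.25], reject=553 5.1.8 <news@list.example.org>... Domain of sender address news@list.example.org does not exist
Apr  5 20:07:41 mx1 sendmail[4133]: ruleset=check_mail, arg1=<news@list.example.org>, relay=[192.0.2.25], reject=553 5.1.8 <news@list.example.org>... Domain of sender address news@list.example.org does not exist
Apr  5 20:12:43 mx1 sendmail[4150]: ruleset=check_mail, arg1=<news@list.example.org>, relay=[192.0.2.25], reject=553 5.1.8 <news@list.example.org>... Domain of sender address news@list.example.org does not exist
Apr  5 20:13:02 mx1 sendmail[4152]: o35KD2aa004152: from=<user@example.net>, size=2210, nrcpts=1, relay=mail.example.net [198.51.100.7]
"""

# Envelope sender, relay IP (with or without a resolved host name), and a reject.
REJECT = re.compile(
    r"arg1=<(?P<sender>[^>]*)>.*?relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?reject="
)


def per_relay(lines):
    """Count rejects and collect distinct sender domains for each relay IP."""
    stats = defaultdict(lambda: {"rejects": 0, "domains": set()})
    for line in lines:
        match = REJECT.search(line)
        if not match:
            continue  # not a sender rejection
        entry = stats[match.group("ip")]
        entry["rejects"] += 1
        sender = match.group("sender")
        if "@" in sender:  # skip the null sender <>
            entry["domains"].add(sender.rsplit("@", 1)[1].lower())
    return stats


def flag_sources(lines, min_rejects=5, min_unique_ratio=0.8):
    """Relays with at least min_rejects rejections whose sender domains are
    almost all different: returns (ip, rejects, distinct_domains), busiest first."""
    flagged = []
    for ip, entry in per_relay(lines).items():
        distinct = len(entry["domains"])
        if entry["rejects"] >= min_rejects and distinct / entry["rejects"] >= min_unique_ratio:
            flagged.append((ip, entry["rejects"], distinct))
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for ip, rejects, distinct in flag_sources(SAMPLE_LOG.splitlines()):
        print("%s: %d rejects, %d distinct sender domains" % (ip, rejects, distinct))
```

The thresholds are illustrative; on a real MX raise `min_rejects` to match the volume seen per sending IP.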
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Apr 5 17:39:28 2010
Subject: New Mass Mailing Virus making rounds?
In-Reply-To:
Message-ID: <32041491.15.1270485543905.JavaMail.root@office.splatnix.net>

Is anyone aware of a new virus making rounds? The number of rejected smtp
connections on my MXs went thru the roof around 8pm EST Sunday night and
into today. Rejections are due to no PTRs and obvious bogus non-existing
domains in many cases hundreds of random return addresses from the same
sending IP. I googled and such and I'm not coming across any discussions of
some new worm so now I'm curious if any other MailScanner users have seen
this and have any info.

-=B

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Have not seen a spike here ... do you have any further details about it ?

--
Thanks, Phil

From brose at med.wayne.edu Mon Apr 5 18:23:39 2010
From: brose at med.wayne.edu (Rose, Bobby)
Date: Mon Apr 5 18:24:00 2010
Subject: New Mass Mailing Virus making rounds?
In-Reply-To: <32041491.15.1270485543905.JavaMail.root@office.splatnix.net>
References: <32041491.15.1270485543905.JavaMail.root@office.splatnix.net>
Message-ID:

Nope since none of the payload is getting thru since the sending hosts
don't have PTRs or the domain of the return address is non-existing.

Here's a very small subset of return addresses involving host
adsl-99-39-203-126.dsl.chcgil.sbcglobal.net [99.39.203.126] that are
clearly randomly generated.

from=gyfvzpajoy@2Z4Zn_ti.com
from=shasgpuqc@e05NR_bB.com
from=bfdiutkvwg@BkE906Sh.com
from=yyizeckfyn@7oGw8VY.com
from=vgnnsxdads@3U1HR1T.com

Other hosts have been

120.69.98.66.l.sta.codetel.net.do [66.98.69.120]
190-37-15-174.dyn.dsl.cantv.net [190.37.15.174]
200-102-26-22.bnut3702.dsl.brasiltelecom.net.br [200.102.26.22]
190.74-184-226.dyn.dsl.cantv.net [190.74.184.226]
adsl89-121-149-63.romtelecom.net [89.121.149.63]

the list goes on...
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]--
Sent: Monday, April 05, 2010 12:39 PM
To: MailScanner discussion
Subject: Re: New Mass Mailing Virus making rounds?

Is anyone aware of a new virus making rounds? The number of rejected smtp
connections on my MXs went thru the roof around 8pm EST Sunday night and
into today. Rejections are due to no PTRs and obvious bogus non-existing
domains in many causes hundreds of random return addresses from the same
sending IP. I googled and such and I'm not coming across any discussions of
some new worm so now I'm curious if any other MailScanner users have seen
this and have any info.

-=B

Have not seen a spike here ... do you have any further details about it ?

--
Thanks, Phil

From ssilva at sgvwater.com Mon Apr 5 19:15:56 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 5 19:16:23 2010
Subject: A quick question before I dig more about spamassassin rule actions and latest stable
Message-ID:

Is any one else having problems with spamassassin rule actions not working,
especially delete or non-store? I just started digging into this, and don't
have much details yet so please no flames about posting configs!

From ssilva at sgvwater.com Mon Apr 5 19:55:35 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 5 19:55:54 2010
Subject: Stopping storage from "SpamAssassin Rule Actions"
In-Reply-To: <809311.86892.qm@web33305.mail.mud.yahoo.com>
References: <809311.86892.qm@web33305.mail.mud.yahoo.com>
Message-ID:

on 3-11-2010 5:49 PM Michael Mansour spake the following:
> Hi Scott,
>
> --- On Fri, 12/3/10, Scott Silva wrote:
>
>> From: Scott Silva
>> Subject: Re: Stopping storage from "SpamAssassin Rule Actions"
>> To: mailscanner@lists.mailscanner.info
>> Received: Friday, 12 March, 2010, 11:49 AM
>> on 3-11-2010 12:58 PM Michael Mansour spake the following:
>>> Hi,
>>>
>>> I have this rule in place:
>>>
>>> SpamAssassin Rule Actions = SpamScore>18=>delete,not-deliver,forward highspam@domain.com
>>>
>>> but I still have those messages with SpamScore > 18 stored in MailWatch.
>>>
>>> What can I do via the "SpamAssassin Rule Actions" setting to make sure those messages are not stored. I've tried "not-store" and "delete" but they're still being stored.
>>>
>>> Thanks.
>>>
>>> Michael.
>>>
>> But not-store is the proper word looking at mine.
>> I have;
>> SpamAssassin Rule Actions = SpamScore>25=>not-store
>> for messages with high scores to keep my quarantine smaller.
>>
>> They still log in mailwatch, but the release tab is gone since the message is not there
>
> I've changed mine back to not-store and will test again. When I had it like that before I still had the "release" button below and the message stored on the MX server, which is why I tried "delete" and it still did the same thing, so thought I'd ask on the list.
>
> I don't mind the message headers and information being stored in MailWatch, I'm just trying to avoid the storage of the (very highspam) mail on the mail servers after they've been analysed and reported.
>
> I quarantine all mail into MailWatch, clean, normal spam, high spam. I've got SA rules in place which bump up the SA score so high scoring spam is now _very_ high scoring spam, and that spam never has false positives so I don't want them stored.
>
> I'll report back later today to see if the "not-stored" option works this time.
>
> Thanks.
>
> Michael.
>

Digging in one of my systems, I see that this is not working for me
either... Started a new thread since this is a month old.
And looking at other systems also.

From jmalone at nrao.edu Mon Apr 5 22:24:50 2010
From: jmalone at nrao.edu (Josh Malone)
Date: Mon Apr 5 22:25:05 2010
Subject: Problem with still deliver silent viruses
Message-ID: <8d531c44d7e9c71b6b4b17ce5435987e@nrao.edu>

Hi,

It seems that as of MailScanner 4.79, still deliver silent viruses = yes
has changed and mailscanner now sends the message without stripping the
infected attachment if a virus scanner actually finds a virus.

What I'm seeing is that, for example, *.exe that doesn't contain a virus
identified by our scanner (sophos) is being stripped out, but if sophos
finds a virus, mailscanner goes through the motions, "quarantines" the file
but then fails to strip the actually infected exe out of the message.

If I completely turn off the virus scanning (Virus Scanning = no) then all
exe files get removed from messages and the stripped message is delivered
to users like I want.

I have confirmed this behaviour on 2 systems, both RedHat Enterprise, one
5.4 and one 5.5.

I really hope not to get bogged down in why we use "still deliver silent
viruses = yes" but we have a 2-layer system and a latter part of our filter
sorts virus-laden mail out of inboxes.

According to this thread:
http://lists.mailscanner.info/pipermail/mailscanner/2010-March/095233.html
it seems like there may have been a specific change responsible for this
new behaviour. Does anybody have any insight on that?

Thanks,

-Josh

--
--------------------------------------------------------
Joshua Malone Systems Administrator
(jmalone@nrao.edu) NRAO Charlottesville
434-296-0263 www.cv.nrao.edu
434-249-5699 (mobile)
BOFH excuse #426:
internet is needed to catch the etherbunny
--------------------------------------------------------

From ssilva at sgvwater.com Tue Apr 6 00:33:25 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 6 00:33:46 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

on 4-3-2010 5:51 AM Kai Schaetzl spake the following:
> Iulian L Dragomir wrote on Sat, 3 Apr 2010 07:05:20 +0300:
>
>> Any other suggestions ?
>
> This is weird. I've just upgraded and thought I would be able to identify
> the problem quickly and set it. But, alas, there is really nothing so far
> that is working.
> I upped the incoming permissions even to 777 and saw no change, I added
> clamav to the postfix group (and vice versa), I added g+w to the incoming
> directory itself. No change.
> Suggestions on how to get the permissions for the bottom-most working dir?
> If I knew these that might help to identify the problem. But I'm not able
> to catch these settings, it's too quick.
>
> Kai
>

I have resolved this on my servers.. A Centos 4 and CentOS 5 server.
Changed incoming work user to clamav and changed incoming work group to
blank... Seems to have cleared all messages and no adverse effects after
running several hours...

From ngoc5593 at yahoo.com Tue Apr 6 06:32:38 2010
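An added example, not part of any post in this thread: a small checker for the question raised above, namely which component of the working-directory path stops the scanner account. lstat() on a file needs search (x) permission on every directory above it, so the script walks the path and reports the first component whose mode bits deny a given user. It assumes plain Unix mode bits only (no ACLs, SELinux or capabilities); the function names are hypothetical, and `/var/spool/MailScanner/incoming` and `clamav` are the path and account mentioned in the thread.

```python
import os
import stat
import sys

READ, SEARCH = 4, 1  # r and x bits inside one permission class (owner/group/other)


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits that apply to uid/gids: owner class first, then group, then other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def first_blocker(path, uid, gids, start=os.sep):
    """Return (component, mode_string, reason) for the first component between
    `start` and `path` that stops `uid` (a member of `gids`), or None.

    Every directory above the target needs search (x), otherwise lstat() on
    anything below it fails with EACCES. The target itself needs read, plus
    search when it is a directory. `start` is assumed to be reachable.
    Only mode bits are evaluated (no ACLs, SELinux or capabilities), symlinks
    are not resolved, and uid 0 is treated as unrestricted.
    """
    if uid == 0:
        return None
    start, path = os.path.abspath(start), os.path.abspath(path)
    rel = os.path.relpath(path, start)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path must be inside start")
    names = [] if rel == os.curdir else rel.split(os.sep)
    current = start
    for index, name in enumerate(names):
        current = os.path.join(current, name)
        try:
            st = os.lstat(current)
        except OSError as exc:
            return (current, "?", "auditing user cannot lstat it: %s" % exc.strerror)
        is_target = index == len(names) - 1
        if not is_target:
            need, reason = SEARCH, "no search (x) permission on this directory"
        elif stat.S_ISDIR(st.st_mode):
            need, reason = READ | SEARCH, "cannot list (needs r and x) this directory"
        else:
            need, reason = READ, "no read (r) permission on this file"
        bits = class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        if (bits & need) != need:
            return (current, stat.filemode(st.st_mode), reason)
    return None


if __name__ == "__main__":
    # Usage with the names from the thread:
    #   python3 this_script.py /var/spool/MailScanner/incoming clamav
    import pwd
    target, user = sys.argv[1], sys.argv[2]
    account = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, account.pw_gid))
    hit = first_blocker(target, account.pw_uid, groups)
    if hit is None:
        print("mode bits allow %s to reach and read %s" % (user, target))
    else:
        print("%s %s: %s" % (hit[1], hit[0], hit[2]))
```

Because the per-batch working directories are short-lived, run it as root against a directory captured while a batch is in progress, or against a copy made with the same owner, group and modes.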
From: ngoc5593 at yahoo.com (le minh ngoc)
Date: Tue Apr 6 06:32:48 2010
Subject: i want to pause receive mail
In-Reply-To: <161b1c931003281202n1d4cd19dr27966e5aaf8136dc@mail.gmail.com>
Message-ID: <66896.23551.qm@web53107.mail.re2.yahoo.com>

Dear all,

I would like to pause receive email from members of forum
please help me, because I receive so many email that I don't have free time
to read them

Brgs!
Le Minh Ngoc.

--- On Sun, 3/28/10, Dave Jones wrote:

From: Dave Jones
Subject: Re: MCP notifications when blocking
To: mailscanner@lists.mailscanner.info
Date: Sunday, March 28, 2010, 3:02 PM

On 25 March 2010 03:27, Michael Mansour wrote:
> Hi,
>
> I have MCP enabled for a couple of domains.
>
> One of them has asked that:
>
> 1. emails "From" their domain that trigger an MCP block, generates a "notice"
>
> 2. that the notice goes to an email address they've provided
>
> Obviously so they can see if the message blocked from them by MCP is valid or not.
>
> I've spent quite some time trying to figure out how to do this but am not sure.
>
> Anyone have any suggestions?
>
> Michael.
>

I have the same issue as Michael. I would like to replace the MCP
functionality with "SpamAssassin Rule Actions" with SA meta rules but
I haven't found a way to send the recipient the report template
%report-dir%/recipient.mcp.report.txt. The users would get confused
with the "notify" spam message and not know it was blocked because of
profanity or racial wording.

I asked this same question last year but didn't get any answers.

Has anyone found a way to do action "notify" to mimic the MCP
"Recipient MCP Report"? If not, maybe this could be an enhancement
request for a new action like "notify-mcp"?

Dave

From uxbod at splatnix.net Tue Apr 6 09:46:03 2010
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Apr 6 09:46:32 2010
Subject: i want to pause receive mail
In-Reply-To: <66896.23551.qm@web53107.mail.re2.yahoo.com>
Message-ID: <7739136.55.1270543563432.JavaMail.root@office.splatnix.net>

Dear all,

I would like to pause receive email form members of forum
please help me, because i receive so many email that i don't have free time
to read them

Brgs!
Le Minh Ngoc.

--- On Sun, 3/28/10, Dave Jones wrote:

From: Dave Jones
Subject: Re: MCP notifications when blocking
To: mailscanner@lists.mailscanner.info
Date: Sunday, March 28, 2010, 3:02 PM

On 25 March 2010 03:27, Michael Mansour < micoots@yahoo.com > wrote:
> Hi,
>
> I have MCP enabled for a couple of domains.
>
> One of them has asked that:
>
> 1. emails "From" their domain that trigger an MCP block, generates a "notice"
>
> 2. that the notice goes to an email address they've provided
>
> Obviously so they can see if the message blocked from them by MCP is valid or not.
>
> I've spent quite some time trying to figure out how to do this but am not sure.
>
> Anyone have any suggestions?
>
> Michael.
>

I have the same issue as Michael. I would like to replace the MCP
functionality with "SpamAssassin Rule Actions" with SA meta rules but
I haven't found a way to send the recipient the report template
%report-dir%/recipient.mcp.report.txt. The users would get confused
with the "notify" spam message and not know it was blocked because of
profanity or racial wording.

I asked this same question last year but didn't get any answers.

Has anyone found a way to do action "notify" to mimic the MCP
"Recipient MCP Report"? If not, maybe this could be an enhancement
request for a new action like "notify-mcp"?

Dave

Are you sure you are asking on the correct mailing-list ?

--
Thanks, Phil

From lhaig at haigmail.com Tue Apr 6 09:57:49 2010
From: lhaig at haigmail.com (Lance Haig)
Date: Tue Apr 6 09:58:10 2010
Subject: CentOS perl issues
Message-ID: <4BBAF78D.2060105@haigmail.com>

Hi,

I am running CentOS 5 with MailScanner 4.78.17

I am trying to run yum update and I get the error below.
Does anyone have suggestions as to how I can get past this?

Thanks

Lance

Transaction Check Error:
  file /usr/share/man/man3/Math::BigRat.3pm.gz from install of perl-Math-BigRat-0.24-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.22-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/bin/prove from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man1/prove.1.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Harness.3pm.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Sys::Syslog.3pm.gz from install of perl-Sys-Syslog-0.27-1.el5.rf.i386 conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Builder.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Builder::Module.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Builder::Tester.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::More.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Simple.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/Test::Tutorial.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
  file /usr/share/man/man3/bigrat.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386

--
This message was scanned by Better Hosted and is believed to be clean.
http://www.betterhosted.com

From alvaro at hostalia.com Tue Apr 6 11:26:59 2010
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Tue Apr 6 11:27:10 2010
Subject: Deliver Cleaned Messages tagged as spam
Message-ID: <4BBB0C73.6090804@hostalia.com>

Hello,

I use "Deliver Cleaned Messages" to notify recipients with the "Deleted
Virus Message Report" when a virus has been deleted. The problem is that if
that message has been detected as spam too, it's delivered with the spam
warning in the subject and the headers saying that it's spam.
Is there any way to avoid it and to add only the "Virus Subject Text"?

Thanks!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From Kevin_Miller at ci.juneau.ak.us Tue Apr 6 17:26:43 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Apr 6 17:26:56 2010
Subject: i want to pause receive mail
In-Reply-To: <66896.23551.qm@web53107.mail.re2.yahoo.com>
References: <161b1c931003281202n1d4cd19dr27966e5aaf8136dc@mail.gmail.com> <66896.23551.qm@web53107.mail.re2.yahoo.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C149F868741@city-exchange07>

Easy. Go to http://lists.mailscanner.info/mailman/listinfo/mailscanner and
scroll down to the bottom of the page to the mailScanner Subscribers
section. Enter your email address in the blank on the line that says "To
unsubscribe from MailScanner, get a password reminder, or change your
subscription options enter your subscription email address:"

It will prompt you for your password that you created when you first
subscribed. After you enter that, it will open a page where you can
unsubscribe, change the delivery of messages to digest (one message a day),
suspend delivery of mail, etc.

Best...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of le minh ngoc
Sent: Monday, April 05, 2010 9:33 PM
To: MailScanner discussion
Subject: i want to pause receive mail

Dear all,

I would like to pause receive email form members of forum
please help me, because i receive so many email that i don't have free time
to read them

Brgs!
Le Minh Ngoc.

From dgottsc at emory.edu Tue Apr 6 21:45:22 2010
From: dgottsc at emory.edu (Gottschalk, David)
Date: Tue Apr 6 21:45:50 2010
Subject: Filename Blocking Issue
Message-ID:

I have a strange issue with filenames being blocked that I have disabled.
It appears that double file extensions are being blocked within .zip files,
but not if they are not in a zip archive.

I've disabled them in the filename.rules.conf with:

# Deny all other double file extensions. This catches any hidden filenames.
#deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$    Found possible filename hiding    Attempt to hide real filename extension

I changed this to allow, but the same issue occurred.

Is this a bug, or am I missing something obvious? I couldn't find anything
regarding this issue on the list.

Here is an example of a message being blocked.

Apr 1 15:08:00 [mail.info] o31J7xJu028562: from=, size=219934, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=SMTP_TLSAUTH, relay=removed
Apr 1 15:08:00 MailScanner: [mail.info] Filename Checks: Found possible filename hiding (o31J7xJu028562 rdf.tex.bak)
Apr 1 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.tex.bak" to /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562
Apr 1 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.zip" to /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562
Apr 1 15:08:01 MailScanner: [mail.info] Message o31J7xJu028562 from removed (removed) to emory.edu is too big for spam checks (220506 > 150000 bytes)

Thanks for any help that can be provided.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).

From micoots at yahoo.com Wed Apr 7 04:17:35 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Wed Apr 7 04:17:45 2010
Subject: CentOS perl issues
In-Reply-To: <4BBAF78D.2060105@haigmail.com>
Message-ID: <162417.35511.qm@web33305.mail.mud.yahoo.com>

Hi,

In your /etc/yum.repos.d/rpmforge.repo file change:

enabled=1

to:

enabled=0

so that RPMforge isn't automatically enabled. Be selective with your perl
modules.

Regards,

Michael.

--- On Tue, 6/4/10, Lance Haig wrote:

> From: Lance Haig
> Subject: CentOS perl issues
> To: "MailScanner discussion"
> Received: Tuesday, 6 April, 2010, 6:57 PM
> Hi,
>
> I am running CentOS 5 with MailScanner 4.78.17
>
> I am trying to run yum update and I get the error below.
> Does anyone have suggestions as to how I can get past this?
>
> Thanks
>
> Lance
>
> Transaction Check Error:
>   file /usr/share/man/man3/Math::BigRat.3pm.gz from install of perl-Math-BigRat-0.24-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.22-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/bin/prove from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man1/prove.1.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Harness.3pm.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Sys::Syslog.3pm.gz from install of perl-Sys-Syslog-0.27-1.el5.rf.i386 conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Builder.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Builder::Module.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Builder::Tester.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::More.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Simple.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/Test::Tutorial.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>   file /usr/share/man/man3/bigrat.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>
> --
> This message was scanned by Better Hosted and is believed to be clean.
> http://www.betterhosted.com

From micoots at yahoo.com Wed Apr 7 04:26:16 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Wed Apr 7 04:26:26 2010
Subject: A quick question before I dig more about spamassassin rule actions and latest stable
In-Reply-To:
Message-ID: <802947.10470.qm@web33306.mail.mud.yahoo.com>

Hi Scott,

--- On Tue, 6/4/10, Scott Silva wrote:

> From: Scott Silva
> Subject: A quick question before I dig more about spamassassin rule actions and latest stable
> To: mailscanner@lists.mailscanner.info
> Received: Tuesday, 6 April, 2010, 4:15 AM
> Is any one else having problems with spamassassin rule actions not working,
> especially delete or non-store? I just started digging into this, and don't
> have much details yet so please no flames about posting configs!

About a month ago I posted various problems I experienced with the
SpamAssassin Rule Actions system just not working as expected.

It seems I'm not alone and I've not really followed up on those problems
since my current rule in MailScanner.conf does the job, but I would rather
make use of a rules file so I can have more rules and more granular control
of the rules.

Unfortunately I haven't been able to get much help from the list here, not
sure where Jules is either as I believe I uncovered some bugs in it and who
else is there to fix these?

Michael.

From mmcintosh at infowall.com Wed Apr 7 04:31:18 2010
From: mmcintosh at infowall.com (Mark McIntosh Infowall)
Date: Wed Apr 7 04:31:50 2010
Subject: CentOS perl issues
In-Reply-To: <162417.35511.qm@web33305.mail.mud.yahoo.com>
References: <162417.35511.qm@web33305.mail.mud.yahoo.com>
Message-ID: <4BBBFC86.5090003@infowall.com>

Michael,

I went through this recently as well when upgrading from centos 5.2 to 5.4 while upgrading MailScanner and clamd. I overwrote my custom postfix install as well as messed up my perl version. There is a bug upstream that causes perl to act badly it is documented if you search on google. I later redid my perl via non rpm centos repositories and all went fine. I agree disable rpmforge and use a different repository possibly the mailscanner repo or Hugo's if it is back up to date. Mine was 64bit versus 32 but I have seen this happen in 32 as well.

Mark McIntosh

Michael Mansour wrote:
> Hi,
>
> In your /etc/yum.repos.d/rpmforge.repo file change:
>
> enabled=1
>
> to:
>
> enabled=0
>
> so that RPMforge isn't automatically enabled. Be selective with your perl modules.
>
> Regards,
>
> Michael.
>
> --- On Tue, 6/4/10, Lance Haig wrote:
>
>> From: Lance Haig
>> Subject: CentOS perl issues
>> To: "MailScanner discussion"
>> Received: Tuesday, 6 April, 2010, 6:57 PM
>> Hi,
>>
>> I am running CentOS 5 with MailScanner 4.78.17
>>
>> I am trying to run yum update and I get the error below.
>> Does anyone have suggestions as to how I can get past this?
>>
>> Thanks
>>
>> Lance
>>
>> Transaction Check Error:
>> file /usr/share/man/man3/Math::BigRat.3pm.gz from install of perl-Math-BigRat-0.24-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.22-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/bin/prove from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man1/prove.1.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Harness.3pm.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Sys::Syslog.3pm.gz from install of perl-Sys-Syslog-0.27-1.el5.rf.i386 conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder::Module.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder::Tester.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::More.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Simple.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Tutorial.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/bigrat.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386

From micoots at yahoo.com Wed Apr 7 04:32:33 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Wed Apr 7 04:32:44 2010
Subject: Stopping storage from "SpamAssassin Rule Actions"
In-Reply-To:
Message-ID: <152968.67836.qm@web33303.mail.mud.yahoo.com>

Hi,

--- On Tue, 6/4/10, Scott Silva wrote:
> From: Scott Silva
> Subject: Re: Stopping storage from "SpamAssassin Rule Actions"
> To: mailscanner@lists.mailscanner.info
> Received: Tuesday, 6 April, 2010, 4:55 AM
> on 3-11-2010 5:49 PM Michael Mansour spake the following:
> > Hi Scott,
> >
> > --- On Fri, 12/3/10, Scott Silva wrote:
> >
> >> From: Scott Silva
> >> Subject: Re: Stopping storage from "SpamAssassin Rule Actions"
> >> To: mailscanner@lists.mailscanner.info
> >> Received: Friday, 12 March, 2010, 11:49 AM
> >> on 3-11-2010 12:58 PM Michael Mansour spake the following:
> >>> Hi,
> >>>
> >>> I have this rule in place:
> >>>
> >>> SpamAssassin Rule Actions = SpamScore>18=>delete,not-deliver,forward highspam@domain.com
> >>>
> >>> but I still have those messages with SpamScore > 18 stored in MailWatch.
> >>>
> >>> What can I do via the "SpamAssassin Rule Actions" setting to make sure those messages are not stored. I've tried "not-store" and "delete" but they're still being stored.
> >>>
> >>> Thanks.
> >>>
> >>> Michael.
> >>
> >> But not-store is the proper word looking at mine.
> >> I have;
> >> SpamAssassin Rule Actions = SpamScore>25=>not-store
> >> for messages with high scores to keep my quarantine smaller.
> >>
> >> They still log in mailwatch, but the release tab is gone since the message is
> >> not there
> >
> > I've changed mine back to not-store and will test again. When I had it like that before I still had the "release" button below and the message stored on the MX server, which is why I tried "delete" and it still did the same thing, so thought I'd ask on the list.
> >
> > I don't mind the message headers and information being stored in MailWatch, I'm just trying to avoid the storage of the (very highspam) mail on the mail servers after they've been analysed and reported.
> >
> > I quarantine all mail into MailWatch, clean, normal spam, high spam. I've got SA rules in place which bump up the SA score so high scoring spam is now _very_ high scoring spam, and that spam never has false positives so I don't want them stored.
> >
> > I'll report back later today to see if the "not-stored" option works this time.
> >
> > Thanks.
> >
> > Michael.
> >
> Digging in one of my systems, I see that this is not working for me either...
> Started a new thread since this is a month old. And looking at other systems also.

Just to report back as I said I would above, the "not-stored" option didn't work. Very high scoring spam still gets stored.

Regards,

Michael.

From craigwhite at azapple.com Wed Apr 7 04:32:33 2010
From: craigwhite at azapple.com (Craig White)
Date: Wed Apr 7 04:32:47 2010
Subject: CentOS perl issues
In-Reply-To: <4BBAF78D.2060105@haigmail.com>
References: <4BBAF78D.2060105@haigmail.com>
Message-ID: <1270611153.7811.39.camel@lin-workstation.azapple.com>

On Tue, 2010-04-06 at 09:57 +0100, Lance Haig wrote:
> Hi,
>
> I am running CentOS 5 with MailScanner 4.78.17
>
> I am trying to run yum update and I get the error below. Does anyone
> have suggestions as to how I can get past this?
>
> Thanks
>
> Lance
>
> Transaction Check Error:
> file /usr/share/man/man3/Math::BigRat.3pm.gz from install of perl-Math-BigRat-0.24-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.22-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/bin/prove from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man1/prove.1.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Harness.3pm.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Sys::Syslog.3pm.gz from install of perl-Sys-Syslog-0.27-1.el5.rf.i386 conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Builder.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Builder::Module.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Builder::Tester.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::More.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Simple.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/Test::Tutorial.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
> file /usr/share/man/man3/bigrat.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
-----

add exclude=perl-* to /etc/yum.repos.d/rpmforge.repo

Craig

From iulianld at gmail.com Wed Apr 7 06:07:39 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Wed Apr 7 06:07:48 2010
Subject: CentOS perl issues
In-Reply-To: <1270611153.7811.39.camel@lin-workstation.azapple.com>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com>
Message-ID:

For one time occurrence use

yum --exclude=package* update

In your case if you want to exclude only those 6 packages :

yum --exclude=perl-bignum --exclude=perl-File-Temp --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog --exclude=perl-Test-Harness --exclude=perl-Test-Simple update

These 6 packages are for now the only packages that have older versions in mailscanner installation compared to the rpmforge repo. In the future this list will not remain constant.

If you want to exclude all perl packages use for one time update

yum --exclude=perl* update

If you need a more permanent solution use Craig's solution or look into yum-protect-packages plug-in or use a more drastic solution (Michael's solution will disable rpmforge altogether). Other solutions are documented in the archive.

For MailScanner updates use "./install.sh reinstall". More info on this subject here

http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html

Iulian L.D.

From J.Ede at birchenallhowden.co.uk Wed Apr 7 09:38:35 2010
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Wed Apr 7 09:39:07 2010
Subject: bayes mysql performance
Message-ID: <1213490F1F316842A544A850422BFA9635C5C718CE@BHLSBS.bhl.local>

For information I finally tracked down the performance problems I was having with using bayes in mysql.

It seems that the inserts were taking an age to run and with multiple parallel inserts (i.e. multiple MS children) then the locks were slowing it down further. Changing the table types of all of the bayes tables from MyISAM to InnoDB using

ALTER TABLE bayes_seen ENGINE = innodb;

and repeating for each table seem to make a massive performance difference.

Jason

From lhaig at haigmail.com Wed Apr 7 15:20:45 2010
From: lhaig at haigmail.com (Lance Haig)
Date: Wed Apr 7 15:21:08 2010
Subject: CentOS perl issues
In-Reply-To: <162417.35511.qm@web33305.mail.mud.yahoo.com>
References: <162417.35511.qm@web33305.mail.mud.yahoo.com>
Message-ID: <4BBC94BD.7000204@haigmail.com>

Thanks Michael,

I will have a look

Lance

On 07/04/2010 04:17, Michael Mansour wrote:
> Hi,
>
> In your /etc/yum.repos.d/rpmforge.repo file change:
>
> enabled=1
>
> to:
>
> enabled=0
>
> so that RPMforge isn't automatically enabled. Be selective with your perl modules.
>
> Regards,
>
> Michael.

From lhaig at haigmail.com Wed Apr 7 15:28:50 2010
From: lhaig at haigmail.com (Lance Haig)
Date: Wed Apr 7 15:29:12 2010
Subject: CentOS perl issues
In-Reply-To:
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com>
Message-ID: <4BBC96A2.6030309@haigmail.com>

This is one of the key reasons I love this list.

Thanks for all the informed help and suggestions

Lance

On 07/04/2010 06:07, Iulian L Dragomir wrote:
> For one time occurrence use
>
> yum --exclude=package* update
>
> In your case if you want to exclude only those 6 packages :
>
> yum --exclude=perl-bignum --exclude=perl-File-Temp --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog --exclude=perl-Test-Harness --exclude=perl-Test-Simple update
>
> These 6 packages are for now the only packages that have older versions
> in mailscanner installation compared to the rpmforge repo. In the
> future this list will not remain constant.
>
> If you want to exclude all perl packages use for one time update
>
> yum --exclude=perl* update
>
> If you need a more permanent solution use Craig's solution or look
> into yum-protect-packages plug-in or use a more drastic solution
> (Michael's solution will disable rpmforge altogether). Other
> solutions are documented in the archive.
>
> For MailScanner updates use "./install.sh reinstall". More info on
> this subject here
>
> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
>
> Iulian L.D.

From lhaig at haigmail.com Wed Apr 7 15:29:46 2010
From: lhaig at haigmail.com (Lance Haig)
Date: Wed Apr 7 15:30:12 2010
Subject: bayes mysql performance
In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C718CE@BHLSBS.bhl.local>
References: <1213490F1F316842A544A850422BFA9635C5C718CE@BHLSBS.bhl.local>
Message-ID: <4BBC96DA.7090601@haigmail.com>

And Just when I am about to cluster my DB backend

Thanks for the great tip.

Lance

On 07/04/2010 09:38, Jason Ede wrote:
>
> For information I finally tracked down the performance problems I was
> having with using bayes in mysql.
>
> It seems that the inserts were taking an age to run and with multiple
> parallel inserts (i.e. multiple MS children) then the locks were
> slowing it down further. Changing the table types of all of the bayes
> tables from MyISAM to InnoDB using
>
> ALTER TABLE bayes_seen ENGINE = innodb;
>
> and repeating for each table seem to make a massive performance
> difference.
>
> Jason

From john at tradoc.fr Wed Apr 7 15:39:25 2010
From: john at tradoc.fr (John Wilcock)
Date: Wed Apr 7 15:39:42 2010
Subject: OT: Julian
Message-ID: <4BBC991D.2000300@tradoc.fr>

I see that Julian hasn't posted to this list since his 10th anniversary message almost a month ago, nor has he replied to a couple of recent offlist messages of mine.

Has anyone here heard from him recently? I do hope his health problems haven't reared their ugly head again...

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From maillists at conactive.com Wed Apr 7 15:44:35 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Apr 7 15:44:49 2010
Subject: CentOS perl issues
In-Reply-To: <4BBBFC86.5090003@infowall.com>
References: <162417.35511.qm@web33305.mail.mud.yahoo.com> <4BBBFC86.5090003@infowall.com>
Message-ID:

Mark McIntosh Infowall wrote on Tue, 06 Apr 2010 23:31:18 -0400:

> There is a bug
> upstream that causes perl to act badly it is documented if you search on
> google.

If you overwrite Perl modules that other modules or Perl itself depend on it is to be expected that you run into problems. This is not a bug. Use modules that have been built for this Perl and all is well.

> I later redid my perl via non rpm centos repositories and all
> went fine. I agree disable rpmforge and use a different repository

Nonsense. The mistake you and Lance and others make is that you install the Perl packages that come with MailScanner. I've told it several times in the past on this list that doing it that way asks for trouble (on any OS with a package system for updates). You do not need a single Perl module from the MS package. All these modules are available from rpmforge and these work fine with MS. So, you simply install them and then you install only the mailscanner*.rpm from within the MS tarball. That's all and also much faster.

> I later redid my perl via non rpm centos repositories and all
> went fine.

I wish you good luck the next time you get a perl update. Doing it that way also eliminates one of the advantages of CentOS. Maybe you should use a different OS.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From uxbod at splatnix.net Wed Apr 7 16:05:57 2010
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Apr 7 16:06:21 2010
Subject: OT: Julian
In-Reply-To: <4BBC991D.2000300@tradoc.fr>
Message-ID: <33304282.128.1270652757989.JavaMail.root@office.splatnix.net>

----- Original Message -----
> I see that Julian hasn't posted to this list since his 10th
> anniversary message almost a month ago, nor has he replied to a couple
> of recent offlist messages of mine.
>
> Has anyone here heard from him recently? I do hope his health problems
> haven't reared their ugly head again...
>
> John.
>
> --
> -- Over 4000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages - www.tradoc.fr

25th March was his last blog update on his website; and by the sounds of it I reckon he is snowed under at work at present. (Though like you I do hope it is nothing else!)

--
Thanks, Phil

From Hostmaster at computerservicecentre.com Wed Apr 7 16:17:51 2010
From: Hostmaster at computerservicecentre.com (Hostmaster)
Date: Wed Apr 7 16:17:54 2010
Subject: OT: Julian
In-Reply-To: <33304282.128.1270652757989.JavaMail.root@office.splatnix.net>
References: <4BBC991D.2000300@tradoc.fr> <33304282.128.1270652757989.JavaMail.root@office.splatnix.net>
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2AE69278@commssrv01.computerservicecentre.com>

-----Original Message-----
25th March was his last blog update on his website; and by the sounds of it I reckon he is snowed under at work at present. (Though like you I do hope it is nothing else!)
--

Please bear in mind that most UK universities are currently on their Easter break, so with a bit of luck he is spending some quality time with family and friends.

--
Richard

From marc at marcsnet.com Wed Apr 7 19:08:40 2010
From: marc at marcsnet.com (Marc Lucke)
Date: Wed Apr 7 19:09:26 2010
Subject: CentOS perl issues
In-Reply-To: <4BBC96A2.6030309@haigmail.com>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com>
Message-ID: <4BBCCA28.6060008@marcsnet.com>

I like to use rpmforge because of updated (from CentOS5 repos) spamassassin and clamav and am quite happy to update manually. With the repo turned off this works:

yum --enablerepo=rpmforge -y install clamav spamassassin

Of course you need to update the perl module with something like

cpan Mail::SpamAssassin && sa-update

There's probably a way to tell yum to update only these packages from rpmforge automatically but I have bothered with that. It does annoy me that the rpmforge and centos repos clash on perl but meh - what can you do and would you bother?

Marc

Lance Haig wrote:
> This is one of the key reason I love this list.
>
> Thanks for all the informed help and suggestions
>
> Lance

From phaleintx at gmail.com Wed Apr 7 20:00:45 2010
From: phaleintx at gmail.com (Phil Hale)
Date: Wed Apr 7 20:05:58 2010
Subject: CentOS perl issues
In-Reply-To: <4BBCCA28.6060008@marcsnet.com>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com> <4BBCCA28.6060008@marcsnet.com>
Message-ID: <1270666845.15782.30.camel@zues>

Hello List,

I'd recommend looking at using the yum Priorities and ProtectBase plugins as described here:

http://wiki.centos.org/PackageManagement/Yum/Priorities
http://wiki.centos.org/PackageManagement/Yum/ProtectBase

CentOS discusses their use with 3rd party repositories on the following page under the heading "3rd Party Repositories"

http://wiki.centos.org/AdditionalResources/Repositories

Basically you set your CentOS repositories to be higher priority than rpmforge or epel and then packages from those repositories will not replace packages found in the base CentOS repositories.

Phil Hale

On Thu, 2010-04-08 at 04:08 +1000, Marc Lucke wrote:
> I like to use rpmforge because of updated (from CentOS5 repos)
> spamassassin and clamav and am quite happy to update manually. With the
> repo turned off this works:
>
> yum --enablerepo=rpmforge -y install clamav spamassassin
>
> Of course you need to update the perl module with something like
>
> cpan Mail::SpamAssassin && sa-update
>
> There's probably a way to tell yum to update only these packages from
> rpmforge automatically but I have bothered with that. It does annoy me
> that the rpmforge and centos repos clash on perl but meh - what can you
> do and would you bother?
>
> Marc

From maillists at conactive.com Wed Apr 7 20:31:34 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Apr 7 20:31:48 2010
Subject: CentOS perl issues
In-Reply-To: <4BBCCA28.6060008@marcsnet.com>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com> <4BBCCA28.6060008@marcsnet.com>
Message-ID:

Marc Lucke wrote on Thu, 08 Apr 2010 04:08:40 +1000:

> Of course you need to update the perl module with something like
>
> cpan Mail::SpamAssassin

no, you don't.

> There's probably a way to tell yum to update only these packages from
> rpmforge

There are rumours that "yum update" is for this ...

> It does annoy me
> that the rpmforge and centos repos clash on perl but meh

There is no clash. I suggest you try to understand how rpm, how yum and how RHEL/CentOS works.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From micoots at yahoo.com Thu Apr 8 06:31:47 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Thu Apr 8 06:31:57 2010
Subject: CentOS perl issues
In-Reply-To:
Message-ID: <828365.44461.qm@web33307.mail.mud.yahoo.com>

Hi,

--- On Wed, 7/4/10, Iulian L Dragomir wrote:

> From: Iulian L Dragomir
> Subject: Re: CentOS perl issues
> To: "MailScanner discussion"
> Received: Wednesday, 7 April, 2010, 3:07 PM
> For one time occurrence use
>
> yum --exclude=package* update
>
> In your case if you want to exclude only those 6 packages :
>
> yum --exclude=perl-bignum --exclude=perl-File-Temp --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog --exclude=perl-Test-Harness --exclude=perl-Test-Simple update
>
> These 6 packages are for now the only packages that have older versions
> in mailscanner installation compared to the rpmforge repo. In the
> future this list will not remain constant.
>
> If you want to exclude all perl packages use for one time update
>
> yum --exclude=perl* update
>
> If you need a more permanent solution use Craig's solution or look
> into yum-protect-packages plug-in or use a more drastic solution
> (Michael's solution will disable rpmforge altogether).

I typically disable all 3rd party repos and pick and choose what I want from them. So if there's certain RPMforge packages I want I simply do:

# yum --enablerepo=rpmforge -y update blah.rpm

This also allows me to list updated packages per repo by enabling what I want and checking against a pre-defined installation list.

Been using this technique for years (before yum plugins were available) and it's worked well, so haven't bothered changing the way I do things.

Regards,

Michael.

> Other solutions are documented in the archive.
>
> For MailScanner updates use "./install.sh reinstall". More info on
> this subject here
>
> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
>
> Iulian L.D.

From jeffrey at nikoletich.com Thu Apr 8 09:16:41 2010
From: jeffrey at nikoletich.com (jeffrey@nikoletich.com)
Date: Thu Apr 8 09:16:53 2010
Subject: Issues with store and store-spam
Message-ID: <380-2201044881641807@M2W111.mail2web.com>

Hello All,

I am having an issue with mailscanner and its quarantine. I currently have mailscanner to store spam and high spam messages in the quarantine and to deliver clean non spam messages to the user.

The issue I am having is that mailscanner seems to be storing clean non spam messages as well. I have checked my configuration and the conf is correct.

It doesn't store every clean message, it seems to be random, so I am kinda lost with this now.

Any help is appreciated.

Thanks in advance,

Jeff N.

From maillists at conactive.com Thu Apr 8 10:31:17 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 8 10:31:31 2010
Subject: Issues with store and store-spam
In-Reply-To: <380-2201044881641807@M2W111.mail2web.com>
References: <380-2201044881641807@M2W111.mail2web.com>
Message-ID:

Jeffrey@nikoletich.com wrote on Thu, 8 Apr 2010 04:16:41 -0400:

> The issue I am having is that mailscanner seems to be storing clean non
> spam messages as well. I have checked my configuration and the conf is
> correct.

And the proof is where?

> It doesn't store every clean message, it seems to be random, so I am kinda
> lost with this now.

Again, where is the proof? I mean, how do you know that and how do you know that the configuration is correct? Obviously it *cannot* be correct.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From marc at marcsnet.com Thu Apr 8 11:09:56 2010
From: marc at marcsnet.com (Marc Lucke)
Date: Thu Apr 8 11:10:12 2010
Subject: CentOS perl issues
In-Reply-To:
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com> <4BBCCA28.6060008@marcsnet.com>
Message-ID: <4BBDAB74.4030106@marcsnet.com>

Thank you Kai for your abrasive and unhelpful response. Very productive.

Kai Schaetzl wrote:
> Marc Lucke wrote on Thu, 08 Apr 2010 04:08:40 +1000:
>
>> Of course you need to update the perl module with something like
>>
>> cpan Mail::SpamAssassin
>
> no, you don't.
>
>> There's probably a way to tell yum to update only these packages from
>> rpmforge
>
> There are rumours that "yum update" is for this ...
>
>> It does annoy me
>> that the rpmforge and centos repos clash on perl but meh
>
> There is no clash. I suggest you try to understand how rpm, how yum and
> how RHEL/CentOS works.
>
> Kai

From alex at rtpty.com Thu Apr 8 11:48:43 2010
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Thu Apr 8 11:49:20 2010
Subject: CentOS perl issues
In-Reply-To: <4BBDAB74.4030106@marcsnet.com>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com> <4BBCCA28.6060008@marcsnet.com> <4BBDAB74.4030106@marcsnet.com>
Message-ID: <1784902539-1270723748-cardhu_decombobulator_blackberry.rim.net-1657107426-@bda942.bisx.prod.on.blackberry>

I don't mean to be rude but no evidence has been provided to support your statements.

One thing that might be happening might be that "clean" messages being stored might be whitelisted messages that really aren't "clean".

But, again, no evidence of a "correct" configuration is provided, so assuming a "correct" configuration is not very helpful or productive on anyone's part either.

I'm not defending or condoning Kai's tone, but simply trying to point out that saying "I believe my configuration is correct so the program is doing something wrong" might also be construed as abrasive, specially from the point of view of someone who might have contributed to the program.

Imagine a teacher saying "I know I told your child how to do this correctly, but he randomly does crazy things". Without proper evidence of the instructions and purported behaviour, the human mind can easily construe it as an ad-hominem attack on the child (which it isn't) instead of a legitimate (albeit incompletely documented) observation.

Please try using pastebin to provide samples of your configuration and samples of both "correctly stored", "correctly not stored", "incorrectly stored" and, if possible, "incorrectly not stored" messages so that by careful examination we might be able to shed some light on the situation. Reading http://bit.ly/howtogethelpwiththat will also save you - and the rest of the list members some time and energy.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
BB PIN: 20EA17C5

-----Original Message-----
From: Marc Lucke
Date: Thu, 08 Apr 2010 20:09:56
To: MailScanner discussion
Subject: Re: CentOS perl issues

From marc at marcsnet.com Thu Apr 8 12:27:58 2010
From: marc at marcsnet.com (Marc Lucke)
Date: Thu Apr 8 12:28:12 2010
Subject: CentOS perl issues
In-Reply-To: <1784902539-1270723748-cardhu_decombobulator_blackberry.rim.net-1657107426-@bda942.bisx.prod.on.blackberry>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com> <4BBCCA28.6060008@marcsnet.com> <4BBDAB74.4030106@marcsnet.com> <1784902539-1270723748-cardhu_decombobulator_blackberry.rim.net-1657107426-@bda942.bisx.prod.on.blackberry>
Message-ID: <4BBDBDBE.2050203@marcsnet.com>

Thank you Alex. I did not intend to be abrasive and I regret if anyone interpreted it that way.

Alex Neuman van der Hans wrote:
> I don't mean to be rude but no evidence has been provided to support your statements.
>
> One thing that might be happening might be that "clean" messages being stored might be whitelisted messages that really aren't "clean".
>
> But, again, no evidence of a "correct" configuration is provided, so assuming a "correct" configuration is not very helpful or productive on anyone's part either.
>
> I'm not defending or condoning Kai's tone, but simply trying to point out that saying "I believe my configuration is correct so the program is doing something wrong" might also be construed as abrasive, specially from the point of view of someone who might have contributed to the program.
>
> Imagine a teacher saying "I know I told your child how to do this correctly, but he randomly does crazy things". Without proper evidence of the instructions and purported behaviour, the human mind can easily construe it as an ad-hominem attack on the child (which it isn't) instead of a legitimate (albeit incompletely documented) observation.
>
> Please try using pastebin to provide samples of your configuration and samples of both "correctly stored", "correctly not stored", "incorrectly stored" and, if possible, "incorrectly not stored" messages so that by careful examination we might be able to shed some light on the situation. Reading http://bit.ly/howtogethelpwiththat will also save you - and the rest of the list members some time and energy.
>
> --
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 832-6725
> BB PIN: 20EA17C5
>
> -----Original Message-----
> From: Marc Lucke
> Date: Thu, 08 Apr 2010 20:09:56
> To: MailScanner discussion
> Subject: Re: CentOS perl issues

From dgottsc at emory.edu Thu Apr 8 14:19:22 2010
From: dgottsc at emory.edu (Gottschalk, David)
Date: Thu Apr 8 14:19:37 2010
Subject: Filename Blocking Issue
In-Reply-To:
References:
Message-ID:

Anyone have an answer to this question? This is a pretty serious problem for me.

Thanks.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David
Sent: Tuesday, April 06, 2010 4:45 PM
To: MailScanner discussion
Subject: Filename Blocking Issue

I have a strange issue with filenames being blocked that I have disabled. It appears that double file extensions are being blocked within .zip files, but not if they are not in a zip archive.

I've disabled them in the filename.rules.conf with:

# Deny all other double file extensions. This catches any hidden filenames.
#deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

I changed this to allow, but the same issue occurred. Is this a bug, or am I missing something obvious? I couldn't find anything regarding this issue on the list.

Here is an example of a message being blocked.

Apr 1 15:08:00 [mail.info] o31J7xJu028562: from=, size=219934, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=SMTP_TLSAUTH, relay=removed
Apr 1 15:08:00 MailScanner: [mail.info] Filename Checks: Found possible filename hiding (o31J7xJu028562 rdf.tex.bak)
Apr 1 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.tex.bak" to /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562
Apr 1 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.zip" to /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562
Apr 1 15:08:01 MailScanner: [mail.info] Message o31J7xJu028562 from removed (removed) to emory.edu is too big for spam checks (220506 > 150000 bytes)

Thanks for any help that can be provided.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

From lnhaig at gmail.com Thu Apr 8 14:21:01 2010
From: lnhaig at gmail.com (Lance.Haig)
Date: Thu Apr 8 14:21:15 2010
Subject: messages killing MAilscanner
Message-ID: <4BBDD83D.3000608@gmail.com>

Hi,

I am running MailScanner 4.79.11 of Mailscanner on Centos

This morning I started seeing a large amount of messages in Mailwatch that show up red and the reason is

MailScanner: killedmailscanner

It seems that MailScanner is being restarted and is not able to deliver the mail.

I also see this now

http://slexy.org/view/s2gJENhAHf

This error is part of the above error and is a bit concerning.

Apr 8 14:27:18 mx1 MailScanner[5071]: File checker failed with real error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 403.

Have you seen this error before?

Any Help is appreciated

Lance

From sandrews at andrewscompanies.com Thu Apr 8 15:54:51 2010
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Apr 8 15:55:00 2010
Subject: OT: sendmail throttling
Message-ID: <1964AAFBC212F742958F9275BF63DBB0E313F2@winchester.andrewscompanies.com>

I see that I can greepause and otherwise limit in sendmail for inbound; but is there any way, globally or by domain, to rate limit outbound email? I've a few domains that if we send too much to, they defer the mail and I'd like to remain under that radar.

Thanks,

Steven R. Andrews, President
Andrews Companies Incorporated
Small Business Information Technology Consultants
sandrews@andrewscompanies.com
Phone: 317.536.1807

"If your only tool is a hammer, every problem looks like a nail."

From roland at inbox4u.de Thu Apr 8 16:37:18 2010
From: roland at inbox4u.de (Ehle, Roland)
Date: Thu Apr 8 16:37:36 2010
Subject: AW: messages killing MAilscanner
In-Reply-To: <4BBDF13D.1090106@gmail.com>
References: <4BBDF13D.1090106@gmail.com>
Message-ID: <421A1DB68F0A9B4984D56913C4DFDE2202B8E525@ts-dc3.ts-webarts.local>

Hi,

you should check your Perl installation. Additionally I suggest to install MailScanner again, this will install all Perl modules too.

Regards,
Roland

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lance.Haig
Sent: Thursday, 8 April 2010 17:08
To: MailScanner discussion
Subject: messages killing MAilscanner

Hi,

I am running MailScanner 4.79.11 of Mailscanner on Centos

This morning I started seeing a large amount of messages in Mailwatch that show up red and the reason is

MailScanner: killedmailscanner

It seems that MailScanner is being restarted and is not able to deliver the mail.

I also see this now

http://slexy.org/view/s2gJENhAHf

This error is part of the above error and is a bit concerning.

Apr 8 14:27:18 mx1 MailScanner[5071]: File checker failed with real error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm line 403.

Have you seen this error before?

Any Help is appreciated

Lance

From maillists at conactive.com Thu Apr 8 19:31:17 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 8 19:31:27 2010
Subject: CentOS perl issues
In-Reply-To: <4BBDAB74.4030106@marcsnet.com>
References: <4BBAF78D.2060105@haigmail.com> <1270611153.7811.39.camel@lin-workstation.azapple.com> <4BBC96A2.6030309@haigmail.com> <4BBCCA28.6060008@marcsnet.com> <4BBDAB74.4030106@marcsnet.com>
Message-ID:

Marc Lucke wrote on Thu, 08 Apr 2010 20:09:56 +1000:

> Thank you Kai for your abrasive and unhelpful response. Very productive.

Your statements were wrong and misleading others. I could have indeed formulated my response a bit nicer. But seeing one bad advice after another and another in this thread was just not good for my temper. And if you would take the content you would see that the answers *are* helpful and well to the point.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Thu Apr 8 19:31:17 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 8 19:31:31 2010
Subject: messages killing MAilscanner
In-Reply-To: <4BBDD83D.3000608@gmail.com>
References: <4BBDD83D.3000608@gmail.com>
Message-ID:

grab the message that creates the problem and pipe it thru the MailScanner debugging mode. If it makes it crash again, there is a chance that the problem is with the message.

As Roland suggests it's a good idea to verify your MS installation first. As you overwrote the existing Perl modules with MS ones and maybe did some other "abusive" things to the Perl stack you may still get an unstable Perl setup with a reinstall, though. e.g. you can't be sure if the problem lies in the unstable Perl stack or somewhere else.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From craigwhite at azapple.com Thu Apr 8 19:45:22 2010
From: craigwhite at azapple.com (Craig White)
Date: Thu Apr 8 19:45:44 2010
Subject: messages killing MAilscanner
In-Reply-To: <4BBDD83D.3000608@gmail.com>
References: <4BBDD83D.3000608@gmail.com>
Message-ID: <1270752322.7811.51.camel@lin-workstation.azapple.com>

On Thu, 2010-04-08 at 14:21 +0100, Lance.Haig wrote:
> Hi,
>
> I am running MailScanner 4.79.11 of Mailscanner on Centos
>
> This morning I started seeing a large amount of messages in Mailwatch
> that show up red and the reason is
>
> MailScanner: killedmailscanner
>
> It seems that MailScanner is being restarted and is not able to
> deliver the mail.
>
> I also see this now
>
> http://slexy.org/view/s2gJENhAHf
>
> This error is part of the above error and is a bit concerning.
>
> Apr 8 14:27:18 mx1 MailScanner[5071]: File checker failed with real
> error: Can't fork at /usr/lib/MailScanner/MailScanner/SweepOther.pm
> line 403.
>
> Have you seen this error before?
>
> Any Help is appreciated
----
I would go back to the directory where you unpacked MailScanner and reinstall...

./install.sh fast reinstall

and that should fix whatever perl package changes occurred

Craig

From maillists at conactive.com Thu Apr 8 20:31:18 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 8 20:31:28 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700:

> Changed
> incoming work user to clamav and changed incoming work group to blank...

Thanks for the suggestion, but this doesn't work for me. I changed to user = clamav and then also removed the group as you did.

The result of that (in both cases) is that the owner of the directory is now postfix and the error already happens in MS.

Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not writable
at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1211

As I said I think there is something wrong about the group ownership or permissions only in the lint code that wasn't a problem before 0.96 but now is. Maybe clamav used ftstat before which doesn't need execute permission.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Thu Apr 8 20:49:19 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Apr 8 20:49:46 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

on 4-8-2010 12:31 PM Kai Schaetzl spake the following:
> Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700:
>
>> Changed
>> incoming work user to clamav and changed incoming work group to blank...
>
> Thanks for the suggestion, but this doesn't work for me. I changed to user
> = clamav and then also removed the group as you did.
>
> The result of that (in both cases) is that the owner of the directory is
> now postfix and the error already happens in MS.
>
> Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not
> writable
> at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1211
>
> As I said I think there is something wrong about the group ownership or
> permissions only in the lint code that wasn't a problem before 0.96 but
> now is. Maybe clamav used ftstat before which doesn't need execute
> permission.
>
> Kai
>
I guess I should have been more specific. I am using sendmail.

Maybe Julian will see this thread when he is free and something will pop in his head.

I am also having some problems with the new spamassassin, but I downgraded, as I don't have time to deal with that right now.

From jeffrey at nikoletich.com Thu Apr 8 22:25:33 2010
From: jeffrey at nikoletich.com (Jeffrey Nikoletich)
Date: Thu Apr 8 22:25:48 2010
Subject: (no subject)
In-Reply-To: <201004081102.o38B0OBW015659@safir.blacknight.ie>
References: <201004081102.o38B0OBW015659@safir.blacknight.ie>
Message-ID: <619229389-1270761932-cardhu_decombobulator_blackberry.rim.net-789613070-@bda602.bisx.prod.on.blackberry>

Kai,

What proof do you need? I can see the clean messages in the quarantine folder. Config is a basic config with nothing special with only deliver for clean messages.

--
Jeffrey Nikoletich

-----Original Message-----
From: mailscanner-request@lists.mailscanner.info
Date: Thu, 8 Apr 2010 12:02:04
To:
Subject: MailScanner Digest, Vol 52, Issue 8

Today's Topics:

1. Re: CentOS perl issues (Lance Haig)
2. Re: CentOS perl issues (Lance Haig)
3. Re: bayes mysql performance (Lance Haig)
4. OT: Julian (John Wilcock)
5. Re: CentOS perl issues (Kai Schaetzl)
6. Re: OT: Julian (--[ UxBoD ]--)
7. RE: OT: Julian (Hostmaster)
8. Re: CentOS perl issues (Marc Lucke)
9. Re: CentOS perl issues (Phil Hale)
10. Re: CentOS perl issues (Kai Schaetzl)
11. Re: CentOS perl issues (Michael Mansour)
12. Issues with store and store-spam (jeffrey@nikoletich.com)
13. Re: Issues with store and store-spam (Kai Schaetzl)
14. Re: CentOS perl issues (Marc Lucke)
15. Re: CentOS perl issues (Alex Neuman van der Hans)

----------------------------------------------------------------------

Message: 1
Date: Wed, 07 Apr 2010 15:20:45 +0100
From: Lance Haig
Subject: Re: CentOS perl issues
To: MailScanner discussion
Message-ID: <4BBC94BD.7000204@haigmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Thanks Michael,

I will have a look

Lance

On 07/04/2010 04:17, Michael Mansour wrote:
> Hi,
>
> In your /etc/yum.repos.d/rpmforge.repo file change:
>
> enabled=1
>
> to:
>
> enabled=0
>
> so that RPMforge isn't automatically enabled. Be selective with your perl modules.
>
> Regards,
>
> Michael.
>
> --- On Tue, 6/4/10, Lance Haig wrote:
>
>> From: Lance Haig
>> Subject: CentOS perl issues
>> To: "MailScanner discussion"
>> Received: Tuesday, 6 April, 2010, 6:57 PM
>> Hi,
>>
>> I am running CentOS 5 with MailScanner 4.78.17
>>
>> I am trying to run yum update and I get the error below.
>> Does anyone have suggestions as to how I can get past this?
>>
>> Thanks
>>
>> Lance
>>
>> Transaction Check Error:
>> file /usr/share/man/man3/Math::BigRat.3pm.gz from install of perl-Math-BigRat-0.24-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/File::Temp.3pm.gz from install of perl-File-Temp-0.22-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/bin/prove from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man1/prove.1.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Harness.3pm.gz from install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Sys::Syslog.3pm.gz from install of perl-Sys-Syslog-0.27-1.el5.rf.i386 conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder::Module.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder::Tester.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::More.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Simple.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/Test::Tutorial.3pm.gz from install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/bigint.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/bignum.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386
>> file /usr/share/man/man3/bigrat.3pm.gz from install of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from package perl-5.8.8-27.el5.i386

--
This message was scanned by Better Hosted and is believed to be clean.
http://www.betterhosted.com

------------------------------

Message: 2
Date: Wed, 07 Apr 2010 15:28:50 +0100
From: Lance Haig
Subject: Re: CentOS perl issues
To: mailscanner@lists.mailscanner.info
Message-ID: <4BBC96A2.6030309@haigmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

This is one of the key reasons I love this list.

Thanks for all the informed help and suggestions

Lance

On 07/04/2010 06:07, Iulian L Dragomir wrote:
> For one time occurrence use
>
> yum --exclude=package* update
>
> In your case if you want to exclude only those 6 packages:
>
> yum --exclude=perl-bignum --exclude=perl-File-Temp --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog --exclude=perl-Test-Harness --exclude=perl-Test-Simple update
>
> These 6 packages are for now the only packages that have older versions
> in mailscanner installation comparing to the rpmforge repo. In the
> future this list will not remain constant.
>
> If you want to exclude all perl packages use for one time update
>
> yum --exclude=perl* update
>
> If you need a more permanent solution use Craig's solution or look in
> to yum-protect-packages plug-in or use a more drastic solution
> (Michael's solution will disable rpmforge all together ) Other
> solutions are documented in the archive.
>
> For MailScanner updates use "./install.sh reinstall". More info on
> this subject here
>
> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
>
> Iulian L.D.

------------------------------

Message: 3
Date: Wed, 07 Apr 2010 15:29:46 +0100
From: Lance Haig
Subject: Re: bayes mysql performance
To: mailscanner@lists.mailscanner.info
Message-ID: <4BBC96DA.7090601@haigmail.com>
Content-Type: text/plain; charset="iso-8859-1"

And Just when I am about to cluster my DB backend

Thanks for the great tip.

Lance

On 07/04/2010 09:38, Jason Ede wrote:
>
> For information I finally tracked down the performance problems I was
> having with using bayes in mysql.
>
> It seems that the inserts were taking an age to run and with multiple
> parallel inserts (i.e. multiple MS children) then the locks were
> slowing it down further. Changing the table types of all of the bayes
> tables from MyISAM to InnoDB using
>
> ALTER TABLE bayes_seen ENGINE = innodb;
>
> and repeating for each table seem to make a massive performance
> difference.
>
> Jason

------------------------------

Message: 4
Date: Wed, 07 Apr 2010 16:39:25 +0200
From: John Wilcock
Subject: OT: Julian
To: MailScanner discussion
Message-ID: <4BBC991D.2000300@tradoc.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I see that Julian hasn't posted to this list since his 10th anniversary message almost a month ago, nor has he replied to a couple of recent offlist messages of mine.

Has anyone here heard from him recently? I do hope his health problems haven't reared their ugly head again...

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

------------------------------

Message: 5
Date: Wed, 07 Apr 2010 16:44:35 +0200
From: Kai Schaetzl
Subject: Re: CentOS perl issues
To: mailscanner@lists.mailscanner.info
Message-ID:
Content-Type: text/plain; charset=iso-8859-1

Mark McIntosh Infowall wrote on Tue, 06 Apr 2010 23:31:18 -0400:

> There is a bug
> upstream that causes perl to act badly it is documented if you search on
> google.

If you overwrite Perl modules that other modules or Perl itself depend on it is to be expected that you run into problems. This is not a bug. Use modules that have been built for this Perl and all is well.

> I later redid my perl via non rpm centos repositories and all
> went fine. I agree disable rpmforge and use a different repository

Nonsense. The mistake you and Lance and others make is that you install the Perl packages that come with MailScanner. I've told it several times in the past on this list that doing it that way asks for trouble (on any OS with a package system for updates). You do not need a single Perl module from the MS package. All these modules are available from rpmforge and these work fine with MS. So, you simply install them and then you install only the mailscanner*.rpm from within the MS tarball. That's all and also much faster.

> I later redid my perl via non rpm centos repositories and all
> went fine.

I wish you good luck the next time you get a perl update. Doing it that way also eliminates one of the advantages of CentOS. Maybe you should use a different OS.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

------------------------------

Message: 6
Date: Wed, 7 Apr 2010 16:05:57 +0100 (BST)
From: "--[ UxBoD ]--" Subject: Re: OT: Julian To: MailScanner discussion Message-ID: <33304282.128.1270652757989.JavaMail.root@office.splatnix.net> Content-Type: text/plain; charset=utf-8 ----- Original Message ----- > I see that Julian hasn't posted to this list since his 10th > anniversary message almost a month ago, nor has he replied to a couple > of recent > offlist messages of mine. > > Has anyone here heard from him recently? I do hope his health problems > haven't reared their ugly head again... > > John. > > -- > -- Over 4000 webcams from ski resorts around the world - > www.snoweye.com > -- Translate your technical documents and web pages - www.tradoc.fr > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 25th March was his last blog update on his website; and by the sounds of it I reckon he is snowed under at work at present. (Though like you I do hope it is nothing else!) -- Thanks, Phil ------------------------------ Message: 7 Date: Wed, 7 Apr 2010 16:17:51 +0100 
From: "Hostmaster" Subject: RE: OT: Julian To: "MailScanner discussion" Message-ID: <3D9C92F3075F5144B46AA2C590F48E2AE69278@commssrv01.computerservicecentre.com> Content-Type: text/plain; charset="utf-8" -----Original Message----- 25th March was his last blog update on his website; and by the sounds of it I reckon he is snowed under at work at present. (Though like you I do hope it is nothing else!) -- Please bear in mind that most UK universities are currently on their Easter break, so with a bit of luck he is spending some quality time with family and friends. -- Richard All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect. This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre. ------------------------------ Message: 8 Date: Thu, 08 Apr 2010 04:08:40 +1000 
From: Marc Lucke Subject: Re: CentOS perl issues To: MailScanner discussion Message-ID: <4BBCCA28.6060008@marcsnet.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed I like to use rpmforge because of updated (from CentOS5 repos) spamassassin and clamav and am quite happy to update manually. With the repo turned off this works: yum --enablerepo=rpmforge -y install clamav spamassassin Of course you need to update the perl module with something like cpan Mail::SpamAssassin && sa-update There's probably a way to tell yum to update only these packages from rpmforge automatically but I have bothered with that. It does annoy me that the rpmforge and centos repos clash on perl but meh - what can you do and would you bother? Marc Lance Haig wrote: > This is one of the key reasons I love this list. > > Thanks for all the informed help and suggestions > > Lance > > On 07/04/2010 06:07, Iulian L Dragomir wrote: >> For one time occurrence use >> >> yum --exclude=package* update >> >> In your case if you want to exclude only those 6 packages: >> >> yum --exclude=perl-bignum --exclude=perl-File-Temp >> --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog >> --exclude=perl-Test-Harness --exclude=perl-Test-Simple update >> >> These 6 packages are for now the only packages that have older versions >> in mailscanner installation compared to the rpmforge repo. In the >> future this list will not remain constant. >> >> If you want to exclude all perl packages use for one time update >> >> yum --exclude=perl* update >> >> If you need a more permanent solution use Craig's solution or look in >> to yum-protect-packages plug-in or use a more drastic solution >> (Michael's solution will disable rpmforge altogether) Other >> solutions are documented in the archive. >> >> For MailScanner updates use "./install.sh reinstall". More info on >> this subject here >> >> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html >> >> >> >> Iulian L.D. 
>> > > > -- > This message was scanned by Better Hosted and is believed to be clean. > http://www.betterhosted.com > ------------------------------ Message: 9 Date: Wed, 07 Apr 2010 14:00:45 -0500 
From: Phil Hale Subject: Re: CentOS perl issues To: MailScanner discussion Message-ID: <1270666845.15782.30.camel@zues> Content-Type: text/plain; charset="UTF-8" Hello List, I'd recommend looking at using the yum Priorities and ProtectBase plugins as described here: http://wiki.centos.org/PackageManagement/Yum/Priorities http://wiki.centos.org/PackageManagement/Yum/ProtectBase CentOS discusses their use with 3rd party repositories on the following page under the heading "3rd Party Repositories" http://wiki.centos.org/AdditionalResources/Repositories Basically you set your CentOS repositories to be higher priority than rpmforge or epel and then packages from those repositories will not replace packages found in the base CentOS repositories. Phil Hale On Thu, 2010-04-08 at 04:08 +1000, Marc Lucke wrote: > I like to use rpmforge because of updated (from CentOS5 repos) > spamassassin and clamav and am quite happy to update manually. With the > repo turned off this works: > > yum --enablerepo=rpmforge -y install clamav spamassassin > > Of course you need to update the perl module with something like > > cpan Mail::SpamAssassin && sa-update > > There's probably a way to tell yum to update only these packages from > rpmforge automatically but I have bothered with that. It does annoy me > that the rpmforge and centos repos clash on perl but meh - what can you > do and would you bother? > > > Marc > > Lance Haig wrote: > > This is one of the key reasons I love this list. 
> > > > Thanks for all the informed help and suggestions > > > > Lance > > > > On 07/04/2010 06:07, Iulian L Dragomir wrote: > >> For one time occurrence use > >> > >> yum --exclude=package* update > >> > >> In your case if you want to exclude only those 6 packages: > >> > >> yum --exclude=perl-bignum --exclude=perl-File-Temp > >> --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog > >> --exclude=perl-Test-Harness --exclude=perl-Test-Simple update > >> > >> These 6 packages are for now the only packages that have older versions > >> in mailscanner installation compared to the rpmforge repo. In the > >> future this list will not remain constant. > >> > >> If you want to exclude all perl packages use for one time update > >> > >> yum --exclude=perl* update > >> > >> If you need a more permanent solution use Craig's solution or look in > >> to yum-protect-packages plug-in or use a more drastic solution > >> (Michael's solution will disable rpmforge altogether) Other > >> solutions are documented in the archive. > >> > >> For MailScanner updates use "./install.sh reinstall". More info on > >> this subject here > >> > >> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html > >> > >> > >> > >> Iulian L.D. > >> > > > > > > -- > > This message was scanned by Better Hosted and is believed to be clean. > > http://www.betterhosted.com > > ------------------------------ Message: 10 Date: Wed, 07 Apr 2010 21:31:34 +0200 
From: Kai Schaetzl Subject: Re: CentOS perl issues To: mailscanner@lists.mailscanner.info Message-ID: Content-Type: text/plain; charset=iso-8859-1 Marc Lucke wrote on Thu, 08 Apr 2010 04:08:40 +1000: > Of course you need to update the perl module with something like > > cpan Mail::SpamAssassin no, you don't. > There's probably a way to tell yum to update only these packages from > rpmforge There are rumours that "yum update" is for this ... > It does annoy me > that the rpmforge and centos repos clash on perl but meh There is no clash. I suggest you try to understand how rpm, how yum and how RHEL/CentOS works. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com ------------------------------ Message: 11 Date: Wed, 7 Apr 2010 22:31:47 -0700 (PDT) From: Michael Mansour Subject: Re: CentOS perl issues To: MailScanner discussion Message-ID: <828365.44461.qm@web33307.mail.mud.yahoo.com> Content-Type: text/plain; charset=iso-8859-1 Hi, --- On Wed, 7/4/10, Iulian L Dragomir wrote: 
> From: Iulian L Dragomir > Subject: Re: CentOS perl issues > To: "MailScanner discussion" > Received: Wednesday, 7 April, 2010, 3:07 PM > For one time occurrence use > > yum --exclude=package* update > > In your case if you want to exclude only those 6 packages: > > yum --exclude=perl-bignum --exclude=perl-File-Temp > --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog > --exclude=perl-Test-Harness --exclude=perl-Test-Simple > update > > These 6 packages are for now the only packages that have > older versions > in mailscanner installation compared to the rpmforge repo. > In the > future this list will not remain constant. > > If you want to exclude all perl packages use for one > time update > > yum --exclude=perl* update > > If you need a more permanent solution use Craig's solution > or look in > to yum-protect-packages plug-in or use a more drastic > solution > (Michael's solution will disable rpmforge altogether) I typically disable all 3rd party repos and pick and choose what I want from them. So if there's certain RPMforge packages I want I simply do: # yum --enablerepo=rpmforge -y update blah.rpm This also allows me to list updated packages per repo by enabling what I want and checking against a pre-defined installation list. Been using this technique for years (before yum plugins were available) and it's worked well, so haven't bothered changing the way I do things. Regards, Michael. > Other > solutions are documented in the archive. > > For MailScanner updates use "./install.sh > reinstall". More info on > this subject here > > http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html > > > Iulian L.D. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! 
> ------------------------------ Message: 12 Date: Thu, 8 Apr 2010 04:16:41 -0400 From: "jeffrey@nikoletich.com" Subject: Issues with store and store-spam To: mailscanner@lists.mailscanner.info Message-ID: <380-2201044881641807@M2W111.mail2web.com> Content-Type: text/plain; charset=iso-8859-1 Hello All, I am having an issue with mailscanner and its quarantine. I currently have mailscanner to store spam and high spam messages in the quarantine and to deliver clean non spam messages to the user. The issue I am having is that mailscanner seems to be storing clean non spam messages as well. I have checked my configuration and the conf is correct. It doesn't store every clean message, it seems to be random, so I am kinda lost with it now. Any help is appreciated. Thanks in advance, Jeff N. -------------------------------------------------------------------- mail2web.com - Enhanced email for the mobile individual based on Microsoft Exchange - http://link.mail2web.com/Personal/EnhancedEmail ------------------------------ Message: 13 Date: Thu, 08 Apr 2010 11:31:17 +0200 From: Kai Schaetzl Subject: Re: Issues with store and store-spam To: mailscanner@lists.mailscanner.info Message-ID: Content-Type: text/plain; charset=iso-8859-1 Jeffrey@nikoletich.com wrote on Thu, 8 Apr 2010 04:16:41 -0400: > The issue I am having is that mailscanner seems to be storing clean non > spam messages as well. I have checked my configuration and the conf is > correct. And the proof is where? > It doesn't store every clean message, it seems to be random, so I am kinda > lost with it now. Again, where is the proof? I mean, how do you know that and how do you know that the configuration is correct? Obviously it *cannot* be correct. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com ------------------------------ Message: 14 Date: Thu, 08 Apr 2010 20:09:56 +1000 
From: Marc Lucke Subject: Re: CentOS perl issues To: MailScanner discussion Message-ID: <4BBDAB74.4030106@marcsnet.com> Content-Type: text/plain; charset="iso-8859-1" Thank you Kai for your abrasive and unhelpful response. Very productive. Kai Schaetzl wrote: > Marc Lucke wrote on Thu, 08 Apr 2010 04:08:40 +1000: > > >> Of course you need to update the perl module with something like >> >> cpan Mail::SpamAssassin >> > > no, you don't. > > >> There's probably a way to tell yum to update only these packages from >> rpmforge >> > > There are rumours that "yum update" is for this ... > > >> It does annoy me >> that the rpmforge and centos repos clash on perl but meh >> > > There is no clash. I suggest you try to understand how rpm, how yum and > how RHEL/CentOS works. > > > Kai > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100408/909819e1/attachment-0001.html ------------------------------ Message: 15 Date: Thu, 8 Apr 2010 10:48:43 +0000 
From: "Alex Neuman van der Hans" Subject: Re: CentOS perl issues To: "MailScanner discussion" Message-ID: <1784902539-1270723748-cardhu_decombobulator_blackberry.rim.net-1657107426-@bda942.bisx.prod.on.blackberry> Content-Type: text/plain I don't mean to be rude but no evidence has been provided to support your statements. One thing that might be happening might be that "clean" messages being stored might be whitelisted messages that really aren't "clean". But, again, no evidence of a "correct" configuration is provided, so assuming a "correct" configuration is not very helpful or productive on anyone's part either. I'm not defending or condoning Kai's tone, but simply trying to point out that saying "I believe my configuration is correct so the program is doing something wrong" might also be construed as abrasive, specially from the point of view of someone who might have contributed to the program. Imagine a teacher saying "I know I told your child how to do this correctly, but he randomly does crazy things". Without proper evidence of the instructions and purported behaviour, the human mind can easily construe it as an ad-hominem attack on the child (which it isn't) instead of a legitimate (albeit incompletely documented) observation. Please try using pastebin to provide samples of your configuration and samples of both "correctly stored", "correctly not stored", "incorrectly stored" and, if possible, "incorrectly not stored" messages so that by careful examination we might be able to shed some light on the situation. Reading http://bit.ly/howtogethelpwiththat will also save you - and the rest of the list members some time and energy. -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 832-6725 BB PIN: 20EA17C5 -----Original Message----- 
From: Marc Lucke Date: Thu, 08 Apr 2010 20:09:56 To: MailScanner discussion Subject: Re: CentOS perl issues -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! ------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read the Wiki (http://wiki.mailscanner.info/). Support MailScanner development - buy the book off the website! End of MailScanner Digest, Vol 52, Issue 8 ****************************************** From alex at rtpty.com Thu Apr 8 22:33:24 2010 From: alex at rtpty.com (Alex Neuman van der Hans) Date: Thu Apr 8 22:33:39 2010 Subject: (no subject) In-Reply-To: <619229389-1270761932-cardhu_decombobulator_blackberry.rim.net-789613070-@bda602.bisx.prod.on.blackberry> References: <201004081102.o38B0OBW015659@safir.blacknight.ie><619229389-1270761932-cardhu_decombobulator_blackberry.rim.net-789613070-@bda602.bisx.prod.on.blackberry> Message-ID: <328460597-1270762406-cardhu_decombobulator_blackberry.rim.net-2020148866-@bda942.bisx.prod.on.blackberry> Perhaps the appropriate log entries would provide a place to start looking. -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 832-6725 BB PIN: 20EA17C5 -----Original Message----- From: "Jeffrey Nikoletich" Date: Thu, 8 Apr 2010 21:25:33 To: Subject: (no subject) Kai, What proof do you need? I can see the clean messages in the quarantine folder. Config is a basic config with nothing special with only deliver for clean messages. -- Jeffrey Nikoletich -----Original Message----- 
From: mailscanner-request@lists.mailscanner.info Date: Thu, 8 Apr 2010 12:02:04 To: Subject: MailScanner Digest, Vol 52, Issue 8 Send MailScanner mailing list submissions to mailscanner@lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request@lists.mailscanner.info You can reach the person managing the list at mailscanner-owner@lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. Re: CentOS perl issues (Lance Haig) 2. Re: CentOS perl issues (Lance Haig) 3. Re: bayes mysql performance (Lance Haig) 4. OT: Julian (John Wilcock) 5. Re: CentOS perl issues (Kai Schaetzl) 6. Re: OT: Julian (--[ UxBoD ]--) 7. RE: OT: Julian (Hostmaster) 8. Re: CentOS perl issues (Marc Lucke) 9. Re: CentOS perl issues (Phil Hale) 10. Re: CentOS perl issues (Kai Schaetzl) 11. Re: CentOS perl issues (Michael Mansour) 12. Issues with store and store-spam (jeffrey@nikoletich.com) 13. Re: Issues with store and store-spam (Kai Schaetzl) 14. Re: CentOS perl issues (Marc Lucke) 15. Re: CentOS perl issues (Alex Neuman van der Hans) ---------------------------------------------------------------------- Message: 1 Date: Wed, 07 Apr 2010 15:20:45 +0100 From: Lance Haig Subject: Re: CentOS perl issues To: MailScanner discussion Message-ID: <4BBC94BD.7000204@haigmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Thanks Michael, I will have a look Lance On 07/04/2010 04:17, Michael Mansour wrote: > Hi, > > In your /etc/yum.repos.d/rpmforge.repo file change: > > enabled=1 > > to: > > enabled=0 > > so that RPMforge isn't automatically enabled. Be selective with your perl modules. > > Regards, > > Michael. > > --- On Tue, 6/4/10, Lance Haig wrote: 
> > >> From: Lance Haig >> Subject: CentOS perl issues >> To: "MailScanner discussion" >> Received: Tuesday, 6 April, 2010, 6:57 PM >> Hi, >> >> I am running CentOS 5 with MailScanner 4.78.17 >> >> I am trying to run yum update and I get the error below. >> Does anyone have suggestions as to how I can get past this? >> >> Thanks >> >> Lance >> >> Transaction Check Error: >> file /usr/share/man/man3/Math::BigRat.3pm.gz from >> install of perl-Math-BigRat-0.24-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/File::Temp.3pm.gz from >> install of perl-File-Temp-0.22-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file /usr/bin/prove from install of >> perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file >> from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man1/prove.1.gz from install of >> perl-Test-Harness-3.21-1.el5.rf.noarch conflicts with file >> from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/Test::Harness.3pm.gz from >> install of perl-Test-Harness-3.21-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/Sys::Syslog.3pm.gz from >> install of perl-Sys-Syslog-0.27-1.el5.rf.i386 conflicts with >> file from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/Test::Builder.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file >> /usr/share/man/man3/Test::Builder::Module.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file >> /usr/share/man/man3/Test::Builder::Tester.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file >> /usr/share/man/man3/Test::Builder::Tester::Color.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package 
perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/Test::More.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/Test::Simple.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/Test::Tutorial.3pm.gz from >> install of perl-Test-Simple-0.94-1.el5.rf.noarch conflicts >> with file from package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/bigint.3pm.gz from install >> of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from >> package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/bignum.3pm.gz from install >> of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from >> package perl-5.8.8-27.el5.i386 >> file /usr/share/man/man3/bigrat.3pm.gz from install >> of perl-bignum-0.23-1.el5.rf.noarch conflicts with file from >> package perl-5.8.8-27.el5.i386 >> >> >> -- >> This message was scanned by Better Hosted and is believed >> to be clean. >> http://www.betterhosted.com >> >> -- MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the >> website! >> > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message was scanned by Better Hosted and is believed to be clean. > Click here to report this message as spam. > http://mx1.betterhosted.com/cgi-bin/learn-msg.cgi?id=972909F82E.A23B2 > > > -- This message was scanned by Better Hosted and is believed to be clean. 
http://www.betterhosted.com ------------------------------ Message: 2 Date: Wed, 07 Apr 2010 15:28:50 +0100 From: Lance Haig Subject: Re: CentOS perl issues To: mailscanner@lists.mailscanner.info Message-ID: <4BBC96A2.6030309@haigmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed This is one of the key reason I love this list. Thanks for all the informed help and suggestions Lance On 07/04/2010 06:07, Iulian L Dragomir wrote: > For one time occurrence use > > yum --exclude=package* update > > In your case if you want to exclude only those 6 packages : > > yum --exclude=perl-bignum --exclude=perl-File-Temp > --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog > --exclude=perl-Test-Harness --exclude=perl-Test-Simple update > > This 6 packages are for now the only packages that have older versions > in mailscanner installation comparing to the rpmforge repo. In the > future this list will not remain constant. > > If you want to exclude all perl packages use for one time update > > yum --exclude=perl* update > > If you need a more permanent solution use Craig's solution or look in > to yum-protect-packages plug-in or use a more drastic solution > (Michael's solution will disable rpmforge all together ) Other > solutions are documented in the archive. > > Fore MailScanner updates use "./install.sh reinstall". More info on > this subject here > > http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html > > > Iulian L.D. > -- This message was scanned by Better Hosted and is believed to be clean. http://www.betterhosted.com ------------------------------ Message: 3 Date: Wed, 07 Apr 2010 15:29:46 +0100 
From: Lance Haig Subject: Re: bayes mysql performance To: mailscanner@lists.mailscanner.info Message-ID: <4BBC96DA.7090601@haigmail.com> Content-Type: text/plain; charset="iso-8859-1" And Just when I am about to cluster my DB backend Thanks for the great tip. Lance On 07/04/2010 09:38, Jason Ede wrote: > > For information I finally tracked down the performance problems I was > having with using bayes in mysql. > > It seems that the inserts were taking an age to run and with multiple > parallel inserts (i.e. multiple MS children) then the locks were > slowing it down further. Changing the table types of all of the bayes > tables from MyISAM to InnoDB using > > ALTER TABLE bayes_seen ENGINE = innodb; > > and repeating for each table seem to make a massive performance > difference. > > Jason > > > -- > This message was scanned by Better Hosted and is believed to be clean. > Click here to report this message as spam > -- This message was scanned by Better Hosted and is believed to be clean. http://www.betterhosted.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100407/a69e8e38/attachment-0001.html ------------------------------ Message: 4 Date: Wed, 07 Apr 2010 16:39:25 +0200 From: John Wilcock Subject: OT: Julian To: MailScanner discussion Message-ID: <4BBC991D.2000300@tradoc.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed I see that Julian hasn't posted to this list since his 10th anniversary message almost a month ago, nor has he replied to a couple of recent offlist messages of mine. Has anyone here heard from him recently? I do hope his health problems haven't reared their ugly head again... John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr ------------------------------ Message: 5 Date: Wed, 07 Apr 2010 16:44:35 +0200 
From: Kai Schaetzl Subject: Re: CentOS perl issues To: mailscanner@lists.mailscanner.info Message-ID: Content-Type: text/plain; charset=iso-8859-1 Mark McIntosh Infowall wrote on Tue, 06 Apr 2010 23:31:18 -0400: > There is a bug > upstream that causes perl to act badly it is documented if you search on > google. If you overwrite Perl modules that other modules or Perl itself depend on it is to be expected that you run into problems. This is not a bug. Use modules that have been built for this Perl and all is well. I later redid my perl via non rpm centos repositories and all > went fine. I agree disable rpmforge and use a different repository Nonsense. The mistake you and Lance and others make is that you install the Perl packages that come with MailScanner. I've told it several times in the past on this list that doing it that way asks for trouble (on any OS with a package system for updates). You do not need a single Perl module from the MS package. All these modules are available from rpmforge and these work fine with MS. So, you simply install them and then you install only the mailscanner*.rpm from within the MS tarball. That's all and also much faster. > I later redid my perl via non rpm centos repositories and all > went fine. I wish you good luck the next time you get a perl update. Doing it that way also eliminates one of the advantages of CentOS. Maybe you should use a different OS. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com ------------------------------ Message: 6 Date: Wed, 7 Apr 2010 16:05:57 +0100 (BST) 
From: "--[ UxBoD ]--" Subject: Re: OT: Julian To: MailScanner discussion Message-ID: <33304282.128.1270652757989.JavaMail.root@office.splatnix.net> Content-Type: text/plain; charset=utf-8 ----- Original Message ----- > I see that Julian hasn't posted to this list since his 10th > anniversary message almost a month ago, nor has he replied to a couple > of recent > offlist messages of mine. > > Has anyone here heard from him recently? I do hope his health problems > haven't reared their ugly head again... > > John. > > -- > -- Over 4000 webcams from ski resorts around the world - > www.snoweye.com > -- Translate your technical documents and web pages - www.tradoc.fr > -- MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 25th March was his last blog update on his website; and by the sounds of it I reckon he is snowed under at work at present. (Though like you I do hope it is nothing else!) -- Thanks, Phil ------------------------------ Message: 7 Date: Wed, 7 Apr 2010 16:17:51 +0100 
From: "Hostmaster"
Subject: RE: OT: Julian
To: "MailScanner discussion"
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2AE69278@commssrv01.computerservicecentre.com>
Content-Type: text/plain; charset="utf-8"

-----Original Message-----

25th March was his last blog update on his website; and by the sounds of it I reckon he is snowed under at work at present. (Though like you I do hope it is nothing else!)

--

Please bear in mind that most UK universities are currently on their Easter break, so with a bit of luck he is spending some quality time with family and friends.

--
Richard

All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect. This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre.

------------------------------

Message: 8
Date: Thu, 08 Apr 2010 04:08:40 +1000
From: Marc Lucke
Subject: Re: CentOS perl issues
To: MailScanner discussion
Message-ID: <4BBCCA28.6060008@marcsnet.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I like to use rpmforge because of updated (from CentOS5 repos) spamassassin and clamav and am quite happy to update manually. With the repo turned off this works:

yum --enablerepo=rpmforge -y install clamav spamassassin

Of course you need to update the perl module with something like

cpan Mail::SpamAssassin && sa-update

There's probably a way to tell yum to update only these packages from rpmforge automatically but I have bothered with that. It does annoy me that the rpmforge and centos repos clash on perl but meh - what can you do and would you bother?

Marc

Lance Haig wrote:
> This is one of the key reason I love this list.
>
> Thanks for all the informed help and suggestions
>
> Lance
>
> On 07/04/2010 06:07, Iulian L Dragomir wrote:
>> For one time occurrence use
>>
>> yum --exclude=package* update
>>
>> In your case if you want to exclude only those 6 packages :
>>
>> yum --exclude=perl-bignum --exclude=perl-File-Temp
>> --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog
>> --exclude=perl-Test-Harness --exclude=perl-Test-Simple update
>>
>> This 6 packages are for now the only packages that have older versions
>> in mailscanner installation comparing to the rpmforge repo. In the
>> future this list will not remain constant.
>>
>> If you want to exclude all perl packages use for one time update
>>
>> yum --exclude=perl* update
>>
>> If you need a more permanent solution use Craig's solution or look in
>> to yum-protect-packages plug-in or use a more drastic solution
>> (Michael's solution will disable rpmforge all together ) Other
>> solutions are documented in the archive.
>>
>> Fore MailScanner updates use "./install.sh reinstall". More info on
>> this subject here
>>
>> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
>>
>>
>>
>> Iulian L.D.
>>
>
>
> --
> This message was scanned by Better Hosted and is believed to be clean.
> http://www.betterhosted.com
>

------------------------------

Message: 9
Date: Wed, 07 Apr 2010 14:00:45 -0500
From: Phil Hale
Subject: Re: CentOS perl issues
To: MailScanner discussion
Message-ID: <1270666845.15782.30.camel@zues>
Content-Type: text/plain; charset="UTF-8"

Hello List,

I'd recommend looking at using the yum Priorities and ProtectBase plugins as described here:

http://wiki.centos.org/PackageManagement/Yum/Priorities
http://wiki.centos.org/PackageManagement/Yum/ProtectBase

CentOS discusses their use with 3rd party repositories on the following page under the heading "3rd Party Repositories"

http://wiki.centos.org/AdditionalResources/Repositories

Basically you set your CentOS repositories to be higher priority than rpmforge or epel and then packages from those repositories will not replace packages found in the base CentOS repositories.

Phil Hale

On Thu, 2010-04-08 at 04:08 +1000, Marc Lucke wrote:
> I like to use rpmforge because of updated (from CentOS5 repos)
> spamassassin and clamav and am quite happy to update manually. With the
> repo turned off this works:
>
> yum --enablerepo=rpmforge -y install clamav spamassassin
>
> Of course you need to update the perl module with something like
>
> cpan Mail::SpamAssassin && sa-update
>
> There's probably a way to tell yum to update only these packages from
> rpmforge automatically but I have bothered with that. It does annoy me
> that the rpmforge and centos repos clash on perl but meh - what can you
> do and would you bother?
>
>
> Marc
>
> Lance Haig wrote:
> > This is one of the key reason I love this list.
> >
> > Thanks for all the informed help and suggestions
> >
> > Lance
> >
> > On 07/04/2010 06:07, Iulian L Dragomir wrote:
> >> For one time occurrence use
> >>
> >> yum --exclude=package* update
> >>
> >> In your case if you want to exclude only those 6 packages :
> >>
> >> yum --exclude=perl-bignum --exclude=perl-File-Temp
> >> --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog
> >> --exclude=perl-Test-Harness --exclude=perl-Test-Simple update
> >>
> >> This 6 packages are for now the only packages that have older versions
> >> in mailscanner installation comparing to the rpmforge repo. In the
> >> future this list will not remain constant.
> >>
> >> If you want to exclude all perl packages use for one time update
> >>
> >> yum --exclude=perl* update
> >>
> >> If you need a more permanent solution use Craig's solution or look in
> >> to yum-protect-packages plug-in or use a more drastic solution
> >> (Michael's solution will disable rpmforge all together ) Other
> >> solutions are documented in the archive.
> >>
> >> Fore MailScanner updates use "./install.sh reinstall". More info on
> >> this subject here
> >>
> >> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
> >>
> >>
> >>
> >> Iulian L.D.
> >>
> >
> >
> > --
> > This message was scanned by Better Hosted and is believed to be clean.
> > http://www.betterhosted.com
> >

------------------------------

Message: 10
Date: Wed, 07 Apr 2010 21:31:34 +0200
From: Kai Schaetzl
Subject: Re: CentOS perl issues
To: mailscanner@lists.mailscanner.info
Message-ID:
Content-Type: text/plain; charset=iso-8859-1

Marc Lucke wrote on Thu, 08 Apr 2010 04:08:40 +1000:

> Of course you need to update the perl module with something like
>
> cpan Mail::SpamAssassin

no, you don't.

> There's probably a way to tell yum to update only these packages from
> rpmforge

There are rumours that "yum update" is for this ...

> It does annoy me
> that the rpmforge and centos repos clash on perl but meh

There is no clash. I suggest you try to understand how rpm, how yum and how RHEL/CentOS works.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

------------------------------

Message: 11
Date: Wed, 7 Apr 2010 22:31:47 -0700 (PDT)
From: Michael Mansour
Subject: Re: CentOS perl issues
To: MailScanner discussion
Message-ID: <828365.44461.qm@web33307.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Hi,

--- On Wed, 7/4/10, Iulian L Dragomir wrote:

> From: Iulian L Dragomir
> Subject: Re: CentOS perl issues
> To: "MailScanner discussion"
> Received: Wednesday, 7 April, 2010, 3:07 PM
> For one time occurrence use
>
> yum --exclude=package* update
>
> In your case if you want to exclude only those 6 packages
> :
>
> yum --exclude=perl-bignum --exclude=perl-File-Temp
> --exclude=perl-Math-BigRat --exclude=perl-Sys-Syslog
> --exclude=perl-Test-Harness --exclude=perl-Test-Simple
> update
>
> This 6 packages are for now the only packages that have
> older versions
> in mailscanner installation comparing to the rpmforge repo.
> In the
> future this list will not remain constant.
>
> If you want to exclude all perl packages use for one
> time update
>
> yum --exclude=perl* update
>
> If you need a more permanent solution use Craig's solution
> or look in
> to yum-protect-packages plug-in or use a more drastic
> solution
> (Michael's solution will disable rpmforge all together )

I typically disable all 3rd party repo's and pick and choose what I want from them. So if there's certain RPMforge packages I want I simply do:

# yum --enablerepo=rpmforge -y update blah.rpm

This also allows me to list updated packages per repo by enabling what I want and checking against a pre-defined installation list.

Been using this technique for years (before yum plugins were available) and it's worked well, so haven't bothered changing the way I do things.

Regards,

Michael.

> Other
> solutions are documented in the archive.
>
> Fore MailScanner updates use "./install.sh
> reinstall". More info on
> this subject here
>
> http://lists.mailscanner.info/pipermail/mailscanner/2009-April/090861.html
>
>
> Iulian L.D.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the
> website!
>

------------------------------

Message: 12
Date: Thu, 8 Apr 2010 04:16:41 -0400
From: "jeffrey@nikoletich.com"
Subject: Issues with store and store-spam
To: mailscanner@lists.mailscanner.info
Message-ID: <380-2201044881641807@M2W111.mail2web.com>
Content-Type: text/plain; charset=iso-8859-1

Hello All,

I am having an issue with mailscanner and its quarantine. I currently have mailscanner to store spam and high spam messages in the quarantine and to deliver clean non spam messages to the user.

The issue I am having is that mailscanner seems to be storing clean non spam messages as well. I have checked my configuration and the conf is correct.

It doesn't store every clean message, it seems to be random, so I am kinda lost with this now.

Any help is appreciated.

Thanks in advance,

Jeff N.

--------------------------------------------------------------------
mail2web.com – Enhanced email for the mobile individual based on Microsoft® Exchange - http://link.mail2web.com/Personal/EnhancedEmail

------------------------------

Message: 13
Date: Thu, 08 Apr 2010 11:31:17 +0200
From: Kai Schaetzl
Subject: Re: Issues with store and store-spam
To: mailscanner@lists.mailscanner.info
Message-ID:
Content-Type: text/plain; charset=iso-8859-1

Jeffrey@nikoletich.com wrote on Thu, 8 Apr 2010 04:16:41 -0400:

> The issues I am having is that mailscanner seems to be storing clean non
> spam messages as well. I have check my configuration and the conf is
> correct.

And the proof is where?

> It doesnt store every clean message, it seems to be random, so I am kinda
> lost with is now.

Again, where is the proof? I mean, how do you know that and how do you know that the configuration is correct? Obviously it *cannot* be correct.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

------------------------------

Message: 14
Date: Thu, 08 Apr 2010 20:09:56 +1000
From: Marc Lucke
Subject: Re: CentOS perl issues
To: MailScanner discussion
Message-ID: <4BBDAB74.4030106@marcsnet.com>
Content-Type: text/plain; charset="iso-8859-1"

Thank you Kai for your abrasive and unhelpful response. Very productive.

Kai Schaetzl wrote:
> Marc Lucke wrote on Thu, 08 Apr 2010 04:08:40 +1000:
>
>
>> Of course you need to update the perl module with something like
>>
>> cpan Mail::SpamAssassin
>>
>
> no, you don't.
>
>
>> There's probably a way to tell yum to update only these packages from
>> rpmforge
>>
>
> There are rumours that "yum update" is for this ...
>
>
>> It does annoy me
>> that the rpmforge and centos repos clash on perl but meh
>>
>
> There is no clash. I suggest you try to understand how rpm, how yum and
> how RHEL/CentOS works.
>
>
> Kai
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100408/909819e1/attachment-0001.html

------------------------------

Message: 15
Date: Thu, 8 Apr 2010 10:48:43 +0000
From: "Alex Neuman van der Hans"
Subject: Re: CentOS perl issues
To: "MailScanner discussion"
Message-ID: <1784902539-1270723748-cardhu_decombobulator_blackberry.rim.net-1657107426-@bda942.bisx.prod.on.blackberry>
Content-Type: text/plain

I don't mean to be rude but no evidence has been provided to support your statements. One thing that might be happening might be that "clean" messages being stored might be whitelisted messages that really aren't "clean". But, again, no evidence of a "correct" configuration is provided, so assuming a "correct" configuration is not very helpful or productive on anyone's part either.

I'm not defending or condoning Kai's tone, but simply trying to point out that saying "I believe my configuration is correct so the program is doing something wrong" might also be construed as abrasive, specially from the point of view of someone who might have contributed to the program.

Imagine a teacher saying "I know I told your child how to do this correctly, but he randomly does crazy things". Without proper evidence of the instructions and purported behaviour, the human mind can easily construe it as an ad-hominem attack on the child (which it isn't) instead of a legitimate (albeit incompletely documented) observation.

Please try using pastebin to provide samples of your configuration and samples of both "correctly stored", "correctly not stored", "incorrectly stored" and, if possible, "incorrectly not stored" messages so that by careful examination we might be able to shed some light on the situation.

Reading http://bit.ly/howtogethelpwiththat will also save you - and the rest of the list members some time and energy.

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
BB PIN: 20EA17C5

-----Original Message-----
From: Marc Lucke
Date: Thu, 08 Apr 2010 20:09:56
To: MailScanner discussion
Subject: Re: CentOS perl issues

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

------------------------------

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read the Wiki (http://wiki.mailscanner.info/).

Support MailScanner development - buy the book off the website!

End of MailScanner Digest, Vol 52, Issue 8
******************************************

From chris at techquility.net Fri Apr 9 02:10:46 2010
From: chris at techquility.net (Chris Barber)
Date: Fri Apr 9 02:11:15 2010
Subject: Clamd error after upgrade to MailScanner 4.79.11-1
In-Reply-To: <328460597-1270762406-cardhu_decombobulator_blackberry.rim.net-2020148866-@bda942.bisx.prod.on.blackberry>
References: <201004081102.o38B0OBW015659@safir.blacknight.ie><619229389-1270761932-cardhu_decombobulator_blackberry.rim.net-789613070-@bda602.bisx.prod.on.blackberry> <328460597-1270762406-cardhu_decombobulator_blackberry.rim.net-2020148866-@bda942.bisx.prod.on.blackberry>
Message-ID: <43F62CA225017044BC84CFAF92B4333B11879F@sbsserver.Techquility.net>

Hi All,

I just upgraded to MailScanner 4.79.11-1

When running MailScanner --lint, I get the following error regarding Clamd:

Virus and Content Scanning: Starting
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./MSlint4IfVq7/lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/4663
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses

I sent a couple of test emails through the system and they were detected properly. Is this anything to worry about?

Thanks!
Chris

From prandal at herefordshire.gov.uk Fri Apr 9 09:39:57 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Apr 9 09:40:16 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net><4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net><4BB68959.9060008@msapiro.net>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429A67@HC-MBX01.herefordshire.gov.uk>

Scott Silva wrote:
> on 4-8-2010 12:31 PM Kai Schaetzl spake the following:
>> Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700:
>>
>>> Changed
>>> incoming work user to clamav and changed incoming work group to
>>> blank...
>>
>> Thanks for the suggestion, but this doesn't work for me. I changed to
>> user = clamav and then also removed the group as you did.
>>
>> The result of that (in both cases) is that the owner of the directory
>> is now postfix and the error already happens in MS.
>>
>> Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not
>> writable at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line
>> 1211
>>
>> As I said I think there is something wrong about the group ownership
>> or permissions only in the lint code that wasn't a problem before
>> 0.96 but now is. Maybe clamav used ftstat before which doesn't need
>> execute permission.
>>
>> Kai
>>
> I guess I should have been more specific. I am using sendmail. Maybe
> Julian will see this thread when he is free and something will pop in
> his head. I am also having some problems with the new spamassassin,
> but I downgraded, as I don't have time to deal with that right now.

It doesn't work for me with sendmail, either.

The only workaround I have which works is to comment out user clamav in /etc/clamd.conf and restart clamd.

I haven't had the time to dig into MailScanner's lint and virus scanning code, alas.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From mmlist at mjmm.org Fri Apr 9 10:06:15 2010
From: mmlist at mjmm.org (Michael Miller)
Date: Fri Apr 9 10:06:44 2010
Subject: MailScanner on Ubuntu 6.06 - Compress::ZLib "with the XS version" error
Message-ID: <4BBEEE07.3070100@mjmm.org>

Hi,

I have done a lab upgrade of one of our MailScanner servers which has run into a snag. The server is Ubuntu 6.06 with some packaged Perl modules and some manually installed modules (please don't ask for the list of which is which!!). The update of MailScanner went through fine, but when trying to start MailScanner I get:

root@host:/opt/MailScanner/bin# ./MailScanner
 is only avaliable with the XS version at /usr/local/share/perl/5.8.7/Compress/Zlib.pm line 9
BEGIN failed--compilation aborted at /usr/local/share/perl/5.8.7/Compress/Zlib.pm line 9.
Compilation failed in require at /opt/MailScanner/lib/MailScanner/SA.pm line 42.
BEGIN failed--compilation aborted at /opt/MailScanner/lib/MailScanner/SA.pm line 42.
Compilation failed in require at ./MailScanner.orig line 110.
BEGIN failed--compilation aborted at ./MailScanner.orig line 110.
root@host:/opt/MailScanner/bin#

I have done some searching for help and have found some various references to this error but not directly related to MailScanner. The common fix appears to be to manually reinstall the Scalar::Util Perl module. However this did not fix the MailScanner problem. Using a test program I found on the Internet reveals that the XS support is indeed present.

Digging further I found that adding the following line to line 38 (just after "require 5.005;") of the MailScanner script resolves the problem:

use Scalar::Util qw(dualvar);

This seems to be related to the BEGIN block which appears to alter the library load/search order.

Not sure if this is useful or not or if anyone else has come across this problem.

Regards,
Mike

From mmlist at mjmm.org Fri Apr 9 10:08:55 2010
From: mmlist at mjmm.org (Michael Miller)
Date: Fri Apr 9 10:09:22 2010
Subject: McAfee uvscan 6.0.0
Message-ID: <4BBEEEA7.8080805@mjmm.org>

Hi

I was wondering if there was a date when we can expect MailScanner to natively support the updated McAfee uvscan anti virus scanner? uvscan v5.3 is now EoL as DATs are no longer being released.

I see a few patches were posted a few months back but they don't appear to have been merged into MailScanner itself. Does anyone have any more recent patches for uvscan 6.0.0?

If there is interest in this, I can set about testing the patches and consolidating the parsing and the updating patches and reposting if they will be useful.

Regards,
Mike

From prandal at herefordshire.gov.uk Fri Apr 9 10:18:40 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Apr 9 10:18:52 2010
Subject: McAfee uvscan 6.0.0
In-Reply-To: <4BBEEEA7.8080805@mjmm.org>
References: <4BBEEEA7.8080805@mjmm.org>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk>

Mike,

When I tested it, the Virusscan V6.0 commandline Linux scanner was so slow at startup to make it unusable in a MailScanner environment, IMHO.

I believe others reported similar slowness.

But good catch, users of older versions of uvscan are no longer supported, and should uninstall (or disable the updater).

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From maillists at conactive.com Fri Apr 9 10:31:17 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Apr 9 10:31:30 2010
Subject: Clamd error after upgrade to MailScanner 4.79.11-1
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B11879F@sbsserver.Techquility.net>
References: <201004081102.o38B0OBW015659@safir.blacknight.ie> <619229389-1270761932-cardhu_decombobulator_blackberry.rim.net-789613070-@bda602.bisx.prod.on.blackberry> <328460597-1270762406-cardhu_decombobulator_blackberry.rim.net-2020148866-@bda942.bisx.prod.on.blackberry> <43F62CA225017044BC84CFAF92B4333B11879F@sbsserver.Techquility.net>
Message-ID:

Chris Barber wrote on Thu, 8 Apr 2010 21:10:46 -0400:

> Is this anything to worry about?

What about reading the list archive?

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From mmlist at mjmm.org Fri Apr 9 11:29:16 2010
From: mmlist at mjmm.org (Michael Miller)
Date: Fri Apr 9 11:29:40 2010
Subject: McAfee uvscan 6.0.0
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk>
References: <4BBEEEA7.8080805@mjmm.org> <76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk>
Message-ID: <4BBF017C.6000308@mjmm.org>

Hi,

I have seen the slow startup time too but have you considered the use of the "--decompress" option. As per McAfee articles:

https://kc.mcafee.com/corporate/index?page=content&id=KB68023
https://kc.mcafee.com/corporate/index?page=content&id=KB67513

My startup times (for --version, so no scanning) have improved as a result:

uvscan 5.3: 3.9s
uvscan 6.0 (without prior --decompress): 14.4s
uvscan 6.0 (with prior --decompress): 3.89s

To me, uvscan 6.0 still seems like a viable scanner as it appears (with using the --decompress after DAT updates) to be no worse than uvscan 5.3.

See below for detailed timings.

user@mailserver:~/uvscan600$ time uvscan --version
Virus Scan for Linux v5.30.0
Copyright (c) 1992-2008 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Jun 16 2008

Scan engine v5.3.00 for Linux.
Virus data file v5937 created Mar 31 2010
Scanning for 604710 viruses, trojans and variants.

real 0m3.913s
user 0m3.100s
sys 0m0.820s

user@mailserver:~/uvscan600$ time ./uvscan --version
McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309
Copyright (C) 2009 McAfee, Inc.
(408) 988-3832 LICENSED COPY - April 08 2010

AV Engine version: 5400.1158 for Linux32.
Dat set version: 5944 created Apr 7 2010
Scanning for 611987 viruses, trojans and variants.

real 0m14.420s
user 0m13.100s
sys 0m1.270s

user@mailserver:~/uvscan600$ time ./uvscan --decompress
McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309
Copyright (C) 2009 McAfee, Inc.
(408) 988-3832 LICENSED COPY - April 08 2010

AV Engine version: 5400.1158 for Linux32.
Dat set version: 5944 created Apr 7 2010
Scanning for 611987 viruses, trojans and variants.

Time: 00:00.00

real 0m22.070s
user 0m18.240s
sys 0m2.240s

user@mailserver:~/uvscan600$ time ./uvscan --version
McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309
Copyright (C) 2009 McAfee, Inc.
(408) 988-3832 LICENSED COPY - April 08 2010

AV Engine version: 5400.1158 for Linux32.
Dat set version: 5944 created Apr 7 2010
Scanning for 611987 viruses, trojans and variants.

real 0m3.891s
user 0m3.190s
sys 0m0.700s
user@mailserver:~/uvscan600$

Randal, Phil wrote:
> Mike,
>
> When I tested it, the Virusscan V6.0 commandline Linux scanner was so
> slow at startup to make it unusable in a MailScanner environment, IMHO.
>
> I believe others reported similar slowness.
>
> But good catch, users of older versions of uvscan are no longer
> supported, and should uninstall (or disable the updater).
>
> Cheers,
>
> Phil

From maillists at conactive.com Fri Apr 9 11:31:17 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Apr 9 11:31:29 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

Scott Silva wrote on Thu, 08 Apr 2010 12:49:19 -0700:

> I guess I should have been more specific. I am using sendmail.

Well, I assume you also have slightly different permission settings for the chain of directories with the incoming path. Or you added postfix or clamav to each other's group or so. One can much around and either stumble upon the right setting or just try a lot and forget this one crucial setting that makes it work ;-)

As it really seems to affect only the linting I won't much around. I had changed all the permission settings to what they were before the clamav update.

> Maybe Julian
> will see this thread when he is free and something will pop in his head. I am
> also having some problems with the new spamassassin, but I downgraded, as I
> don't have time to deal with that right now.

You are not on CentOS, are you? I haven't had any problems with 3.3.0 or 3.3.1. And in general it works better for scoring, there are quite a few new rules that weren't in the rule updates for 3.2.5. I heartily recommend it :-)

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From prandal at herefordshire.gov.uk Fri Apr 9 11:57:28 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Apr 9 11:57:42 2010
Subject: McAfee uvscan 6.0.0
In-Reply-To: <4BBF017C.6000308@mjmm.org>
References: <4BBEEEA7.8080805@mjmm.org><76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk> <4BBF017C.6000308@mjmm.org>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429AA9@HC-MBX01.herefordshire.gov.uk>

Well spotted!

No we need someone to figure out how to parse the output in MailScanner, and change the wrappers / whatever to make sure only V6 or later is used.

Any offers, anyone? I'm not a perl person, alas.

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk
> -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. From mmlist at mjmm.org Fri Apr 9 12:02:33 2010 
From: mmlist at mjmm.org (Michael Miller)
Date: Fri Apr 9 12:03:09 2010
Subject: McAfee uvscan 6.0.0
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45429AA9@HC-MBX01.herefordshire.gov.uk>
References: <4BBEEEA7.8080805@mjmm.org><76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk> <4BBF017C.6000308@mjmm.org> <76415AED4CCF214F80FD9B0DA9A9EE45429AA9@HC-MBX01.herefordshire.gov.uk>
Message-ID: <4BBF0949.4090007@mjmm.org>

Hi,

Well since there doesn't appear to be much "official" movement with this I will take a stab at it over the weekend. If I get something useful I will post back to the list.

The trouble with testing the update scripts is you only get a real test once a day :)

Regards,
Mike

From prandal at herefordshire.gov.uk Fri Apr 9 12:18:59 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Apr 9 12:19:11 2010
Subject: McAfee uvscan 6.0.0
In-Reply-To: <4BBF0949.4090007@mjmm.org>
References: <4BBEEEA7.8080805@mjmm.org><76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk> <4BBF017C.6000308@mjmm.org><76415AED4CCF214F80FD9B0DA9A9EE45429AA9@HC-MBX01.herefordshire.gov.uk> <4BBF0949.4090007@mjmm.org>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429AB4@HC-MBX01.herefordshire.gov.uk>

The amended update script which was posted here worked fine, it's more the MailScanner parsing of the output from uvscan and wrapper scripts which need tweaking.

And a sane way of obsoleting older uvscan versions. Maybe a mcafeev6 line in virus.scanners.conf and a way to autodetect which version and do the right thing?

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From davejones70 at gmail.com Fri Apr 9 13:03:32 2010
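The version autodetection suggested in the message above, as an added example that is not MailScanner's code or any poster's: shell functions that read a `uvscan --version` banner in either layout shown in the thread's timings and accept only 6.x or later, failing closed when the banner is not recognised. The function names are hypothetical, and the banner line breaks are reconstructed from the quoted output.

```shell
#!/bin/sh
# Added example, not MailScanner code. Function names are hypothetical.

# Banners copied from the timings in the thread (line breaks reconstructed).
BANNER_V5='Virus Scan for Linux v5.30.0
Copyright (c) 1992-2008 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Jun 16 2008

Scan engine v5.3.00 for Linux.
Virus data file v5937 created Mar 31 2010
Scanning for 604710 viruses, trojans and variants.'

BANNER_V6='McAfee VirusScan Command Line for Linux32 Version: 6.0.0.309
Copyright (C) 2009 McAfee, Inc.
(408) 988-3832 LICENSED COPY - April 08 2010

AV Engine version: 5400.1158 for Linux32.
Dat set version: 5944 created Apr 7 2010
Scanning for 611987 viruses, trojans and variants.'

# Print the product version found in the banner passed as $1, or nothing.
# 5.x prints "Virus Scan for <platform> v<version>";
# 6.x prints "... VirusScan Command Line for <platform> Version: <version>".
uvscan_product_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*Virus Scan for [A-Za-z0-9]* v\([0-9][0-9.]*\).*/\1/p' \
        -e 's/.*VirusScan Command Line for [A-Za-z0-9]* Version: \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Print the DAT version: "Virus data file v<N>" (5.x) or "Dat set version: <N>" (6.x).
uvscan_dat_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*Virus data file v\([0-9][0-9]*\) created.*/\1/p' \
        -e 's/.*Dat set version: \([0-9][0-9]*\) created.*/\1/p' \
        | head -n 1
}

# Exit status 0 only when the banner is recognised and its major version is
# at least $2 (default 6). Anything unparseable is treated as unsupported.
uvscan_is_supported() {
    min_major=${2:-6}
    version=$(uvscan_product_version "$1")
    [ -n "$version" ] || return 1
    major=${version%%.*}
    [ "$major" -ge "$min_major" ]
}

# One-line verdict a wrapper script could log before deciding whether to scan.
uvscan_describe() {
    version=$(uvscan_product_version "$1")
    dat=$(uvscan_dat_version "$1")
    if [ -z "$version" ] || [ -z "$dat" ]; then
        echo "unknown"
    elif uvscan_is_supported "$1"; then
        echo "supported version=$version dat=$dat"
    else
        echo "unsupported version=$version dat=$dat"
    fi
}

uvscan_describe "$BANNER_V5"
uvscan_describe "$BANNER_V6"
```

In a wrapper the banner would come from the scanner itself, for example `uvscan_describe "$(./uvscan --version 2>&1)"`.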
From: davejones70 at gmail.com (Dave Jones)
Date: Fri Apr 9 13:03:42 2010
Subject: ClamAv 0.96 is out
Message-ID:

>on 4-8-2010 12:31 PM Kai Schaetzl spake the following:
>> Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700:
>>
>>> Changed
>>> incoming work user to clamav and changed incoming work group to blank...
>>
>> Thanks for the suggestion, but this doesn't work for me. I changed to user
>> = clamav and then also removed the group as you did.
>>
>> The result of that (in both cases) is that the owner of the directory is
>> now postfix and the error already happens in MS.
>>
>> Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not
>> writable
>> at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1211
>>
>> As I said I think there is something wrong about the group ownership or
>> permissions only in the lint code that wasn't a problem before 0.96 but
>> now is. Maybe clamav used ftstat before which doesn't need execute
>> permission.
>>
>> Kai
>>
>I guess I should have been more specific. I am using sendmail. Maybe Julian
>will see this thread when he is free and something will pop in his head. I am
>also having some problems with the new spamassassin, but I downgraded, as I
>don't have time to deal with that right now.

We will have to deal with it soon since ClamAV sigs will be disabled for 0.95.3 in less than 6 days on April 15th.

I am using sendmail too and I tried Scott Silva's suggestion with no luck. Permissions were good all the way down the tree to /var/spool/MailScanner/incoming. Something must have changed with the ClamAV code to throw off MailScanner.

Dave

From bonivart at opencsw.org Fri Apr 9 13:20:59 2010
From: bonivart at opencsw.org (Peter Bonivart)
Date: Fri Apr 9 13:21:29 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID:

On Fri, Apr 9, 2010 at 2:03 PM, Dave Jones wrote:
> We will have to deal with it soon since ClamAV sigs will be disabled for
> 0.95.3 in less than 6 days on April 15th.

No, it's versions _older_ than 0.95 that will be disabled:

http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/

--
/peter

From jakari at bithose.com Fri Apr 9 13:44:01 2010
From: jakari at bithose.com (Jameel Akari)
Date: Fri Apr 9 13:44:44 2010
Subject: McAfee uvscan 6.0.0
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk>
References: <4BBEEEA7.8080805@mjmm.org> <76415AED4CCF214F80FD9B0DA9A9EE45429A77@HC-MBX01.herefordshire.gov.uk>
Message-ID:

On Fri, 9 Apr 2010, Randal, Phil wrote:

> Mike,
>
> When I tested it, the Virusscan V6.0 commandline Linux scanner was so
> slow at startup to make it unusable in a MailScanner environment, IMHO.
>
> I believe others reported similar slowness.

Indeed, I tried it a few months ago, and between the speed (lack thereof) and the memory consumption, it's just about useless. Like, 5-10x slower than the already pokey 5.x series.

Unless there's some magic combination of CPU and Linux libraries that make it at least on-par, it's probably not worth implementing at all.

So are there any other commercial AV engines that work especially well with MailScanner? I've tried to use Trend since we have a site license, but the command-line scanner used in the MS scripts doesn't seem to be available anymore. A call into Trend resulted in crickets chirping, and "Yeah we don't really do that... anymore..." as the eventual response.

--
Jameel Akari

From jvoorhees1 at gmail.com Fri Apr 9 14:50:03 2010
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Fri Apr 9 14:50:13 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID:

So, finally there isn't another solution to solve this "lstat() failed: Permission denied" error than?:

1. Running clamd as root
2. Running clamd as the same user MailScanner runs ("Run As User" directive)

I even tried to assign default ACLs to /var/spool/MailScanner/incoming to clamav user as rwx, but the same problem occurs.

In my case the option 2 worked for me, but I do not feel so comfortable running clamd as a user that isn't clamav.

Any other better solution?

From bonivart at opencsw.org Fri Apr 9 15:20:17 2010
From: bonivart at opencsw.org (Peter Bonivart)
Date: Fri Apr 9 15:20:46 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID:

On Fri, Apr 9, 2010 at 3:50 PM, Jason Voorhees wrote:
> In my case the option 2 worked for me, but I do not feel so
> comfortable running clamd as a user that isn't clamav.

Why is there such interest in solving this, even by making your own system less secure?

If I understand the matter correctly, this only affects the lint, not the actual mail processing so this can only be solved properly by Julian. Even the lint works (detecting eicar) even though you get that complaint.

I say, let Julian take a look at it. :-)

--
/peter

From maillists at conactive.com Fri Apr 9 15:31:16 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Apr 9 15:31:30 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID:

Again, it is *only* --lint. You can safely use 0.96 with MS.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From rcooper at dwford.com Fri Apr 9 16:24:08 2010
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Apr 9 16:24:24 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID: <7D5FFDAFCA27434E80D012CE6A14063F@SAHOMELT>

----Original Message----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Voorhees
Sent: Friday, April 09, 2010 9:50 AM
To: MailScanner discussion
Subject: Re: ClamAv 0.96 is out

> So, finally there isn't another solution to solve this "lstat()
> failed: Permission denied" error than?:
>
> 1. Running clamd as root
> 2. Running clamd as the same user MailScanner runs ("Run As User"
> directive)
>
> I even tried to assign default ACLs to
> /var/spool/MailScanner/incoming to clamav user as rwx, but the same
> problem occurs.
>
> In my case the option 2 worked for me, but I do not feel so
> comfortable running clamd as a user that isn't clamav.
>
> Any other better solution?
> --

What happens when you run --lint as root, or are you already running MailScanner --lint as root

Rick

From jvoorhees1 at gmail.com Fri Apr 9 17:18:48 2010
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Fri Apr 9 17:18:56 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <7D5FFDAFCA27434E80D012CE6A14063F@SAHOMELT>
References: <7D5FFDAFCA27434E80D012CE6A14063F@SAHOMELT>
Message-ID:

>
> What happens when you run --lint as root, or are you already running
> MailScanner --lint as root
>
> Rick
>

I always run "MailScanner --lint" as root. But finally I decided to run clamd as clamav, and ignore the error message generated by "--lint" because MailScanner still is able to scan messages through clamd without problems (thanks to Kai's suggestion)

From ssilva at sgvwater.com Fri Apr 9 22:51:36 2010
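For the "lstat() failed: Permission denied" reports discussed above, an added example (not MailScanner or ClamAV code) that walks the directory chain to a spool path and names the first directory whose mode bits deny search permission to a given uid and group list. It assumes GNU stat and does not evaluate ACLs; the function names and the throwaway tree with a 0700 lint directory are constructed for illustration, not a diagnosis of the thread's problem.

```shell
#!/bin/sh
# Added example, not MailScanner or ClamAV code. Assumes GNU coreutils stat.
# Function names are hypothetical; POSIX ACLs are not evaluated.

# dir_allows_search UID "GID GID ..." DIR
# Applies the kernel's class rule: the owner class is used if UID owns DIR,
# otherwise the group class if any GID matches, otherwise "other". Only that
# one class's execute (search) bit counts. Returns 0 when search is allowed.
dir_allows_search() {
    meta=$(stat -c '%u %g %a' "$3") || return 2
    owner=${meta%% *}; meta=${meta#* }
    group=${meta%% *}; mode=$((0${meta#* }))
    if [ "$1" -eq "$owner" ]; then
        return $(( (mode & 0100) == 0 ))
    fi
    for g in $2; do
        if [ "$g" -eq "$group" ]; then
            return $(( (mode & 0010) == 0 ))
        fi
    done
    return $(( (mode & 0001) == 0 ))
}

# first_blocked_dir UID "GIDS" TARGET [START]
# Checks START (default /) and every directory below it on the way to TARGET.
# Prints the first directory the uid cannot search and returns 1, or returns 0.
# Run it as root so the checker itself can stat every level.
first_blocked_dir() {
    uid=$1; gids=$2; target=$3; cur=${4:-}
    [ "$uid" -eq 0 ] && return 0        # root is not bound by mode bits
    rest=${target#"$cur"}
    dir=${cur:-/}
    while :; do
        if [ -d "$dir" ] && ! dir_allows_search "$uid" "$gids" "$dir"; then
            printf '%s\n' "$dir"
            return 1
        fi
        rest=${rest#/}
        [ -n "$rest" ] || return 0
        comp=${rest%%/*}
        rest=${rest#"$comp"}
        cur="$cur/$comp"
        dir=$cur
    done
}

# Constructed sample tree shaped like the paths in the lint output. The 0700
# mode on the MSlint directory is an assumption made for the demonstration.
demo_tree() {
    root=$(mktemp -d) || return 1
    base="$root/spool/MailScanner/incoming"
    mkdir -p "$base/17633/MSlintAAAAAA/1"
    : > "$base/17633/MSlintAAAAAA/1/sample.txt"
    chmod 755 "$root" "$root/spool" "$root/spool/MailScanner"
    chmod 750 "$base" "$base/17633"
    chmod 700 "$base/17633/MSlintAAAAAA"
    printf '%s\n' "$root"
}

if [ "$#" -eq 3 ]; then
    # e.g. sh walk.sh "$(id -u clamav)" "$(id -G clamav)" /var/spool/MailScanner/incoming
    if blocked=$(first_blocked_dir "$1" "$2" "$3"); then
        echo "every directory on the path is searchable"
    else
        echo "search denied at: $blocked"
    fi
else
    # No arguments: run against the constructed tree with a uid that is not
    # the owner but is in the tree's group.
    t=$(demo_tree)
    first_blocked_dir "$(( $(id -u) + 1 ))" "$(stat -c %g "$t")" \
        "$t/spool/MailScanner/incoming/17633/MSlintAAAAAA/1/sample.txt" "$t"
    rm -rf "$t"
fi
```

Group membership alone is not enough when one directory in the chain is 0700: the walk reports that directory even though every level above it grants group search.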
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 9 22:52:00 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net> <4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net> <4BB68959.9060008@msapiro.net>
Message-ID:

on 4-9-2010 3:31 AM Kai Schaetzl spake the following:
> Scott Silva wrote on Thu, 08 Apr 2010 12:49:19 -0700:
>
>> I guess I should have been more specific. I am using sendmail.
>
> Well, I assume you also have slightly different permission settings for the
> chain of directories with the incoming path. Or you added postfix or clamav to
> each other's group or so. One can muck around and either stumble upon the right
> setting or just try a lot and forget this one crucial setting that makes it
> work ;-) As it really seems to affect only the linting I won't muck around. I
> had changed all the permission settings to what they were before the clamav
> update.
>
> Maybe Julian
>> will see this thread when he is free and something will pop in his head. I am
>> also having some problems with the new spamassassin, but I downgraded, as I
>> don't have time to deal with that right now.
>
> You are not on CentOS, are you? I haven't had any problems with 3.3.0 or 3.3.1.
> And in general it works better for scoring, there are quite a few new rules
> that weren't in the rule updates for 3.2.5. I heartily recommend it :-)
>
> Kai
>

I upgraded spamassassin on one of my lower yield servers and sa-updated... Lints fine, but let through a ton of spam... Had to backpedal until I have more time... Maybe I'll try again Monday

From ssilva at sgvwater.com Fri Apr 9 22:54:31 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 9 22:55:15 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID:

on 4-9-2010 7:20 AM Peter Bonivart spake the following:
> On Fri, Apr 9, 2010 at 3:50 PM, Jason Voorhees wrote:
>> In my case the option 2 worked for me, but I do not feel so
>> comfortable running clamd as a user that isn't clamav.
>
> Why is there such interest in solving this, even by making your own
> system less secure?
>
> If I understand the matter correctly, this only affects the lint, not
> the actual mail processing so this can only be solved properly by
> Julian. Even the lint works (detecting eicar) even though you get that
> complaint.
>
> I say, let Julian take a look at it. :-)
>
For me it seems to also affect the full message scan, as it fails there... It
looks at the unpacked files, which is probably good enough...

From doctor at doctor.nl2k.ab.ca Sat Apr 10 04:10:03 2010
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sat Apr 10 04:10:13 2010
Subject: Error using PErl 5.10.1
Message-ID: <20100410031002.GA28570@doctor.nl2k.ab.ca>

Anyone know why I am getting

Starting MailScanner...setrgid() not implemented at /opt/MailScanner/bin/MailScanner line 1529.

??
--
Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
UK Time for a Common Sense change vote Liberal Democrat / Alliance

From lists at elasticmind.net Sat Apr 10 13:57:22 2010
From: lists at elasticmind.net (mog)
Date: Sat Apr 10 13:57:50 2010
Subject: FreeBSD MailScanner port
Message-ID: <4BC075B2.1060308@elasticmind.net>

Hi all,

Just wondering if anyone knows anything regarding the current status of the
FreeBSD MailScanner port? Like are there currently any more taint mode or
other problems that anyone is aware of?

With thanks,
mog

From mikael at syska.dk Sat Apr 10 14:28:25 2010
From: mikael at syska.dk (Mikael Syska)
Date: Sat Apr 10 14:28:38 2010
Subject: FreeBSD MailScanner port
In-Reply-To: <4BC075B2.1060308@elasticmind.net>
References: <4BC075B2.1060308@elasticmind.net>
Message-ID:

Hi,

On Sat, Apr 10, 2010 at 2:57 PM, mog wrote:
> Hi all,
>
> Just wondering if anyone knows anything regarding the current status of the
> FreeBSD MailScanner port? Like are there currently any more taint mode or
> other problems that anyone is aware of?

No

>
> With thanks,
> mog

From mikael at syska.dk Sat Apr 10 15:24:54 2010
From: mikael at syska.dk (Mikael Syska)
Date: Sat Apr 10 15:25:07 2010
Subject: Error using PErl 5.10.1
In-Reply-To: <20100410031002.GA28570@doctor.nl2k.ab.ca>
References: <20100410031002.GA28570@doctor.nl2k.ab.ca>
Message-ID:

Hi,

On Sat, Apr 10, 2010 at 5:10 AM, The Doctor wrote:
> Anyone know why I am getting
>
> Starting MailScanner...setrgid() not implemented at /opt/MailScanner/bin/MailScanner line 1529.

Yes, something is wrong. We need more information ... thanks.

>
> ??

From nick at inticon.net.au Sun Apr 11 07:47:15 2010
From: nick at inticon.net.au (Nick Brown)
Date: Sun Apr 11 07:47:44 2010
Subject: List Caching
Message-ID: <00b901cad942$d4840050$7d8c00f0$@net.au>

Afternoon All,

I am wanting to get some clarification on how Mailscanner handles the
White / Black lists in terms of caching. We have been using the Mailwatch
SQLBlacklist perl script for years without issue however trying to
currently diagnose a problem, can anyone let me know at what point the
white / black lists are loaded?

I always assumed the 'custom function' was run per message, however now
I'm guessing it's per batch. Our issue suggests that it's taking longer
than this. I have asked a colleague to give me some query logging which
should also shed some light on it.

Cheers
Nick.

From J.Ede at birchenallhowden.co.uk Sun Apr 11 14:10:01 2010
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Sun Apr 11 14:10:22 2010
Subject: Watermarking
Message-ID: <1213490F1F316842A544A850422BFA9635C5C71A50@BHLSBS.bhl.local>

Hi,

I really like the watermarking and find it useful and currently have it
set to add 3 points to the SA score. I was wondering if there is an easy
way to get it to appear as a SA rule rather than just adding to the
score? It's easier to explain if it is in a spam report than having to
explain the SA score is 3 points high because of something you can't
see...

I was thinking of a SA rule based on a header that is set if the message
fails watermarking? Then I can turn off the rule in MS itself and just
let SA mark the mail.

Jason

From jonas at vrt.dk Mon Apr 12 08:38:25 2010
From: jonas at vrt.dk (Jonas)
Date: Mon Apr 12 08:38:34 2010
Subject: List Caching
In-Reply-To: <00b901cad942$d4840050$7d8c00f0$@net.au>
References: <00b901cad942$d4840050$7d8c00f0$@net.au>
Message-ID: <09F23668E315FD4597C13D73E5123ADF3F2E0E@SCTSBS.sct.dk>

In the Mailwatch SQLBlackWhiteList.pm one of the first lines you have:

my($refresh_time) = 15; # Time in minutes before lists are refreshed

That would appear to be what you are looking for.

Although I seem to recall it was controlled by the:

Restart Every = 14400

in mailscanner.conf

But I would start by trying to change the first var.

Good luck

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From roland at inbox4u.de Mon Apr 12 11:30:22 2010
From: roland at inbox4u.de (Ehle, Roland)
Date: Mon Apr 12 11:30:36 2010
Subject: AW: Watermarking
In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C71A50@BHLSBS.bhl.local>
References: <1213490F1F316842A544A850422BFA9635C5C71A50@BHLSBS.bhl.local>
Message-ID: <421A1DB68F0A9B4984D56913C4DFDE2202D187D1@ts-dc3.ts-webarts.local>

Jason,

you could set "Treat Invalid Watermarks With No Sender as Spam = nothing"
and then have a custom function dealing with it.

Regards,
Roland

From uxbod at splatnix.net Mon Apr 12 14:54:46 2010
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Apr 12 14:55:00 2010
Subject: Watermarking
In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C71A50@BHLSBS.bhl.local>
Message-ID: <28313417.151.1271080486521.JavaMail.root@office.splatnix.net>

Why would you wish to add 3 points to the score? I thought that
watermarking was to prevent backscatter plus the ability to bypass spam
checks if the email originated from your server. Would you not wish to
reduce the score by 3 points if the watermark was valid; unless I am
missing something?

--
Thanks - Phil

From J.Ede at birchenallhowden.co.uk Mon Apr 12 15:23:51 2010
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Apr 12 15:24:14 2010
Subject: Watermarking
In-Reply-To: <28313417.151.1271080486521.JavaMail.root@office.splatnix.net>
References: <1213490F1F316842A544A850422BFA9635C5C71A50@BHLSBS.bhl.local> <28313417.151.1271080486521.JavaMail.root@office.splatnix.net>
Message-ID: <1213490F1F316842A544A850422BFA9635C5C71A91@BHLSBS.bhl.local>

Currently we don't outright reject emails without a watermark as some of
our users still send email via other means and we don't have a way of
preventing that at the moment. I could exclude their domains from
watermark checking, but until then it's easier to add a few points to the
spam score and let that and the other SA ratings take care of it.

Jason

From ka at pacific.net Mon Apr 12 15:28:34 2010
From: ka at pacific.net (Ken A)
Date: Mon Apr 12 15:28:57 2010
Subject: List Caching
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF3F2E0E@SCTSBS.sct.dk>
References: <00b901cad942$d4840050$7d8c00f0$@net.au> <09F23668E315FD4597C13D73E5123ADF3F2E0E@SCTSBS.sct.dk>
Message-ID: <4BC32E12.7060007@pacific.net>

$refresh_time is a reload rather than a full restart. 'reload' is all
that is needed to reload the white/blacklists. Custom functions are run
on each message, but messages are scanned in batches.

Also, keep in mind that if you are not splitting recipients, so that each
message only has one recipient, you may have some white/blacklist entries
applied to the extra recipients.

Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From uxbod at splatnix.net Mon Apr 12 16:11:40 2010
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Apr 12 16:11:55 2010
Subject: Watermarking
In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C71A91@BHLSBS.bhl.local>
Message-ID: <6407072.162.1271085100834.JavaMail.root@office.splatnix.net>

Jason,

I see where you are coming from now ... Looking at the code I do not
think it would be that difficult to add this in; similar to the way
SaneSecurity sigs etc are handled. Let me perform a bit more research and
will see if I can get a patch together.

Thanks, Phil

From doctor at doctor.nl2k.ab.ca Mon Apr 12 20:08:13 2010
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon Apr 12 20:08:23 2010
Subject: Exim
Message-ID: <20100412190812.GB27222@doctor.nl2k.ab.ca>

Julian mate how are you?

As for the Exim Users, I have 2 configure files and placed
process_log_path, queue_only, queue_only_override, and defer_router
in both. Suddenly mail was not sending.

Did I misread something?
--
Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
UK Time for a Common Sense change vote Liberal Democrat / Alliance

From holger-lists at noefer.org Mon Apr 12 20:34:52 2010
From: holger-lists at noefer.org (Holger Nöfer)
Date: Mon Apr 12 20:35:05 2010
Subject: ClamAv 0.96 is out
Message-ID: <20100412213452.15685j9ck59yp0po@www.noefer.org>

On 09.04.2010 23:54, Scott Silva wrote:
> on 4-9-2010 7:20 AM Peter Bonivart spake the following:
>> On Fri, Apr 9, 2010 at 3:50 PM, Jason Voorhees wrote:
>>> In my case the option 2 worked for me, but I do not feel so
>>> comfortable running clamd as a user that isn't clamav.
>>
>> Why is there such interest in solving this, even by making your own
>> system less secure?
>>
>> If I understand the matter correctly, this only affects the lint, not
>> the actual mail processing so this can only be solved properly by
>> Julian. Even the lint works (detecting eicar) even though you get that
>> complaint.
>>
>> I say, let Julian take a look at it. :-)
>>
> For me it seems to also affect the full message scan, as it fails there... It
> looks at the unpacked files, which is probably good enough...
>

Hi everybody,

the following line in lib/MailScanner/MessageBatch.pm worked for me.

chmod 0770, $MessageDir;

My code looks this way.

# Create and write the header file
# Message number = 1
# Path = irrelevant as we're not actually reading anything
# It's a fake that we simulate ==> 1
my $MessageDir = tempdir( 'MSlintXXXXXX', CLEANUP => 1);
chmod 0770, $MessageDir;

Can somebody please check if I'm right and I did not create
a "security hole".

Regards,
Holger

From maillists at conactive.com Tue Apr 13 16:31:19 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Apr 13 16:31:28 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References:
Message-ID:

Scott Silva wrote on Fri, 09 Apr 2010 14:54:31 -0700:

> For me it seems to also affect the full message scan, as it fails there... It
> looks at the unpacked files, which is probably good enough...

Look in your warn logs. You'll get a warning each time you run --lint
about this. No other warnings. That's a clear sign to me that it affects
only --lint.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Tue Apr 13 16:31:19 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Apr 13 16:31:29 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <20100412213452.15685j9ck59yp0po@www.noefer.org>
References: <20100412213452.15685j9ck59yp0po@www.noefer.org>
Message-ID:

Holger Nöfer wrote on Mon, 12 Apr 2010 21:34:52 +0200:

Thanks for searching for it ;-)

> my $MessageDir = tempdir( 'MSlintXXXXXX', CLEANUP => 1);
> chmod 0770, $MessageDir;
>
> Can somebody please check if I'm right and I did not create
> a "security hole".

That looks like the right location. I don't see a security problem with
this. There should be an option to tell the tempdir function a umask,
though, I guess. This line gets a umask, but I think it's for the file
(written with WriteHeaderFile) and not for tempdir.

my $headerfileumask = $global::MS->{work}->{fileumask};

if it is used by both, that could explain the problem. I don't know what
umask it gets, but it's probably without execution permissions at all as
it is intended for a file.

Oh, I applied the change and I'm still getting the error after a restart.
You must have set some other "higher" permission differently, too.
Anyway, as it happens only in lint I don't mind for now.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From mrm at medicine.wisc.edu Tue Apr 13 18:36:14 2010
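Added example, not MailScanner code and not from any poster in this thread: a Python sketch of the check the permission discussion above calls for, walking the directory chain to find which component denies a scanner account the access it needs on a lint directory. The uid and gid values and the `incoming`/`MSlint` layout are constructed stand-ins, and only classic owner/group/other mode bits are modelled (no ACLs).

```python
"""Find which directory in a chain stops a scanner account (added example)."""
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) the kernel would apply to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7      # owner class
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7      # group class
    return st.st_mode & 7                 # other class


def first_blocker(base, target, uid, gids):
    """Walk base -> target; return (path, reason) for the first directory that
    would stop uid from scanning target, or None if the whole chain is fine.

    Ancestors need search (x). The scanned directory itself needs read and
    search (r-x) so its entries can be listed and lstat()ed."""
    if uid == 0:
        return None                       # root bypasses mode bits
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    rel = os.path.relpath(target, base)
    if rel.startswith(os.pardir):
        raise ValueError("target is not below base")
    chain = [base]
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    for d in chain:
        bits = class_bits(os.stat(d), uid, gids)
        need = 0o5 if d == target else 0o1
        if bits & need != need:
            return d, "needs %o, has %o" % (need, bits)
    return None


def demo():
    """Constructed layout: incoming/ (0750) holding a tempdir-style lint dir."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "incoming")
        os.mkdir(spool)
        os.chmod(spool, 0o750)
        # mkdtemp, like File::Temp's tempdir in the thread, creates mode 0700.
        lint = tempfile.mkdtemp(prefix="MSlint", dir=spool)
        st_spool, st_lint = os.stat(spool), os.stat(lint)
        scanner_uid = st_lint.st_uid + 12345          # hypothetical scanner uid
        shared = {st_spool.st_gid, st_lint.st_gid}    # scanner is in the group
        unrelated = {max(shared) + 12345}             # account with no shared group
        out = {"default_mode": stat.S_IMODE(st_lint.st_mode)}

        before = first_blocker(spool, lint, scanner_uid, shared)
        os.chmod(lint, 0o770)                         # the change proposed above
        after = first_blocker(spool, lint, scanner_uid, shared)
        outsider = first_blocker(spool, lint, scanner_uid, unrelated)

        out["blocked_before"] = (before is not None
                                 and before[0] == os.path.realpath(lint))
        out["blocked_after"] = after is not None
        out["outsider_stopped_at_spool"] = (
            outsider is not None and outsider[0] == os.path.realpath(spool))
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Pointing `first_blocker` at a real spool path with the scanner account's uid and group ids shows which parent directory, if any, still refuses it after the chmod.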
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Apr 13 18:36:34 2010
Subject: Filename Blocking Issue
In-Reply-To:
References:
Message-ID: <4BC4653E0200003E00005C27@gwmail.medicine.wisc.edu>

>>> On 4/8/2010 at 8:19 AM, in message , "Gottschalk, David" wrote:
> Anyone have an answer to this question?
>
> This is a pretty serious problem for me.
>
> Thanks.
>
> David Gottschalk
> UTS Email team
> david.gottschalk@emory.edu
>

I seem to remember something about the capability of having separate
filename rules for archived files. You might want to check into this.

-Mike

From dgottsc at emory.edu Tue Apr 13 19:42:45 2010
From: dgottsc at emory.edu (Gottschalk, David)
Date: Tue Apr 13 19:43:03 2010
Subject: Filename Blocking Issue
In-Reply-To:
References:
Message-ID:

Anyone? I hate to keep spamming the list, but I really could use some
assistance with this.

Thanks.

David Gottschalk
UTS Messaging Team
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David
Sent: Thursday, April 08, 2010 9:19 AM
To: MailScanner discussion
Subject: RE: Filename Blocking Issue

Anyone have an answer to this question?

This is a pretty serious problem for me.

Thanks.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David
Sent: Tuesday, April 06, 2010 4:45 PM
To: MailScanner discussion
Subject: Filename Blocking Issue

I have a strange issue with filenames being blocked that I have disabled.

It appears that double file extensions are being blocked within .zip
files, but not if they are not in a zip archive. I've disabled them in
the filename.rules.conf with:

# Deny all other double file extensions. This catches any hidden filenames.
#deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

I changed this to allow, but the same issue occurred. Is this a bug, or
am I missing something obvious? I couldn't find anything regarding this
issue on the list.

Here is an example of a message being blocked.

Apr 1 15:08:00 [mail.info] o31J7xJu028562: from=, size=219934, class=0, nrcpts=1, msgid=, proto=ESMTP, daemon=SMTP_TLSAUTH, relay=removed
Apr 1 15:08:00 MailScanner: [mail.info] Filename Checks: Found possible filename hiding (o31J7xJu028562 rdf.tex.bak)
Apr 1 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.tex.bak" to /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562
Apr 1 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.zip" to /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562
Apr 1 15:08:01 MailScanner: [mail.info] Message o31J7xJu028562 from removed (removed) to emory.edu is too big for spam checks (220506 > 150000 bytes)

Thanks for any help that can be provided.

David Gottschalk
UTS Email team
david.gottschalk@emory.edu

From dgottsc at emory.edu Tue Apr 13 19:55:14 2010
From: dgottsc at emory.edu (Gottschalk, David)
Date: Tue Apr 13 19:55:32 2010
Subject: Filename Blocking Issue
In-Reply-To: <4BC4653E0200003E00005C27@gwmail.medicine.wisc.edu>
References: <4BC4653E0200003E00005C27@gwmail.medicine.wisc.edu>
Message-ID:

Hmmm, I can't seem to find anything on this after searching. Any ideas
where I would find info on this?

Thanks for the help.

David Gottschalk
UTS Messaging Team
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Masse Sent: Tuesday, April 13, 2010 1:36 PM To: MailScanner discussion Subject: RE: Filename Blocking Issue >>> On 4/8/2010 at 8:19 AM, in message , "Gottschalk, David" wrote: > Anyone have a answer to this question? > > This is a pretty serious problem for me. > > Thanks. > > David Gottschalk > UTS Email team > david.gottschalk@emory.edu > I seem to remember something about the capability of having separate filename rules for archived files. You might want to check into this. -Mike -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments). From ka at pacific.net Tue Apr 13 20:34:00 2010 From: ka at pacific.net (Ken A) Date: Tue Apr 13 20:34:24 2010 Subject: Filename Blocking Issue In-Reply-To: References: Message-ID: <4BC4C728.2020708@pacific.net> See the changelog for version 4.76 Ken On 4/13/2010 1:42 PM, Gottschalk, David wrote: > Anyone? I hate to keep spamming the list, but I really could use some > assistance with this. > > Thanks. > > David Gottschalk UTS Messaging Team david.gottschalk@emory.edu > > > -----Original Message----- 
From: > mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Gottschalk, David Sent: Thursday, April 08, 2010 9:19 AM To: > MailScanner discussion Subject: RE: Filename Blocking Issue > > Anyone have a answer to this question? > > This is a pretty serious problem for me. > > Thanks. > > David Gottschalk UTS Email team david.gottschalk@emory.edu > > > -----Original Message----- 
From: > mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Gottschalk, David Sent: Tuesday, April 06, 2010 4:45 PM To: > MailScanner discussion Subject: Filename Blocking Issue > > I have a strange issue with filenames being blocked that I have > disabled. > > It appears that double file extensions are being blocked within .zip > files, but not if they are not in a zip archive. I've disabled them > in the filename.rules.conf with: > > # Deny all other double file extensions. This catches any hidden > filenames. #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found > possible filename hiding Attempt to hide > real filename extension > > I changed this to allow, but the same issue occurred. Is this a bug, > or am I missing something obvious? I couldn't find anything regarding > this issue on the list. > > Here is a example of a message being blocked. > > Apr 1 15:08:00 [mail.info] o31J7xJu028562: from=, > size=219934, class=0, nrcpts=1, msgid=, proto=ESMTP, > daemon=SMTP_TLSAUTH, relay=removed Apr 1 15:08:00 MailScanner: > [mail.info] Filename Checks: Found possible filename hiding > (o31J7xJu028562 rdf.tex.bak) Apr 1 15:08:01 MailScanner: > [mail.notice] Saved infected "rdf.tex.bak" to > /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562 Apr 1 > 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.zip" to > /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562 Apr 1 > 15:08:01 MailScanner: [mail.info] Message o31J7xJu028562 from removed > (removed) to emory.edu is too big for spam checks (220506> 150000 > bytes) > > Thanks for any help that can be provided. > > David Gottschalk UTS Email team david.gottschalk@emory.edu > > > > This e-mail message (including any attachments) is for the sole use > of the intended recipient(s) and may contain confidential and > privileged information. 
If the reader of this message is not the > intended recipient, you are hereby notified that any dissemination, > distribution or copying of this message (including any attachments) > is strictly prohibited. > > If you have received this message in error, please contact the sender > by reply e-mail message and destroy all copies of the original > message (including attachments). -- Ken Anderson Pacific Internet - http://www.pacific.net From dgottsc at emory.edu Tue Apr 13 21:07:10 2010 From: dgottsc at emory.edu (Gottschalk, David) Date: Tue Apr 13 21:07:26 2010 Subject: Filename Blocking Issue In-Reply-To: <4BC4C728.2020708@pacific.net> References: <4BC4C728.2020708@pacific.net> Message-ID: Found it. Thanks for pointing me in the right direction. For those not aware: 12/5/2009 New in Version 4.76.25-1 ================================== * New Features and Improvements * 1 Added the ability to have totally different filename and filetype checks for files which are attachments and files which are members of attached archives. You even get to define what you consider to be an archive and what is not. New Configuration options in MailScanner.conf are Archives Are = Archives: Allow Filenames = Archives: Deny Filenames = Archives: Filename Rules = Archives: Allow Filetypes = Archives: Allow File MIME Types = Archives: Deny Filetypes = Archives: Deny File MIME Types = Archives: Filetype Rules = David Gottschalk UTS Messaging Team david.gottschalk@emory.edu -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
Sent: Tuesday, April 13, 2010 3:34 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Filename Blocking Issue

See the changelog for version 4.76

Ken

On 4/13/2010 1:42 PM, Gottschalk, David wrote:
> Anyone? I hate to keep spamming the list, but I really could use some
> assistance with this.
>
> Thanks.
>
> David Gottschalk UTS Messaging Team david.gottschalk@emory.edu
>
>
> -----Original Message----- From:
> mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Gottschalk, David Sent: Thursday, April 08, 2010 9:19 AM To:
> MailScanner discussion Subject: RE: Filename Blocking Issue
>
> Anyone have an answer to this question?
>
> This is a pretty serious problem for me.
>
> Thanks.
>
> David Gottschalk UTS Email team david.gottschalk@emory.edu
>
>
> -----Original Message----- From:
> mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Gottschalk, David Sent: Tuesday, April 06, 2010 4:45 PM To:
> MailScanner discussion Subject: Filename Blocking Issue
>
> I have a strange issue with filenames being blocked that I have
> disabled.
>
> It appears that double file extensions are being blocked within .zip
> files, but not if they are not in a zip archive. I've disabled them
> in the filename.rules.conf with:
>
> # Deny all other double file extensions. This catches any hidden
> filenames. #deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found
> possible filename hiding Attempt to hide
> real filename extension
>
> I changed this to allow, but the same issue occurred. Is this a bug,
> or am I missing something obvious? I couldn't find anything regarding
> this issue on the list.
>
> Here is an example of a message being blocked.
>
> Apr 1 15:08:00 [mail.info] o31J7xJu028562: from=,
> size=219934, class=0, nrcpts=1, msgid=, proto=ESMTP,
> daemon=SMTP_TLSAUTH, relay=removed Apr 1 15:08:00 MailScanner:
> [mail.info] Filename Checks: Found possible filename hiding
> (o31J7xJu028562 rdf.tex.bak) Apr 1 15:08:01 MailScanner:
> [mail.notice] Saved infected "rdf.tex.bak" to
> /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562 Apr 1
> 15:08:01 MailScanner: [mail.notice] Saved infected "rdf.zip" to
> /mailscanner/MailScanner/quarantine/20100401/o31J7xJu028562 Apr 1
> 15:08:01 MailScanner: [mail.info] Message o31J7xJu028562 from removed
> (removed) to emory.edu is too big for spam checks (220506> 150000
> bytes)
>
> Thanks for any help that can be provided.
>
> David Gottschalk UTS Email team david.gottschalk@emory.edu
>
>
>
> This e-mail message (including any attachments) is for the sole use
> of the intended recipient(s) and may contain confidential and
> privileged information.
If the reader of this message is not the
> intended recipient, you are hereby notified that any dissemination,
> distribution or copying of this message (including any attachments)
> is strictly prohibited.
>
> If you have received this message in error, please contact the sender
> by reply e-mail message and destroy all copies of the original
> message (including attachments).

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From Jeff.Mills at sydneytech.com.au Wed Apr 14 04:13:11 2010
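Added example, not part of the original thread and not MailScanner's own code: a small Python model of the "Filename Blocking Issue" above, showing why commenting out the double-extension rule for attachments does not change the verdict for a member of a zip archive once archive members have their own ruleset. It assumes tab-separated rule fields, first-match-wins evaluation, case-insensitive matching and allow-by-default; the ruleset variable names are hypothetical.

```python
"""Model of separate filename rulesets for attachments and archive members.

Illustration only, not MailScanner code. Assumptions: rule fields are
tab-separated (action, regex, log text, user text), the first matching rule
wins, matching is case-insensitive, and a name matching no rule is allowed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    regex: re.Pattern    # compiled filename pattern
    log_text: str        # text written to the log on a match


# The double-extension rule quoted in the thread, as one tab-separated line.
DOUBLE_EXT_RULE = "\t".join([
    "deny",
    r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
    "Attempt to hide real filename extension",
])

# Constructed rulesets (hypothetical names). The rule is commented out in the
# attachment ruleset only; the archive-member ruleset still carries it.
ATTACHMENT_RULES = "# Deny all other double file extensions.\n#" + DOUBLE_EXT_RULE + "\n"
ARCHIVE_RULES = "# Deny all other double file extensions.\n" + DOUBLE_EXT_RULE + "\n"
ARCHIVE_RULES_FIXED = ATTACHMENT_RULES  # rule disabled for archive members too


def parse_rules(text: str) -> List[Rule]:
    """Parse rules, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 3 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(fields[0], re.compile(fields[1], re.IGNORECASE), fields[2]))
    return rules


def check(filename: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return (action, log text) of the first matching rule, else allow."""
    for rule in rules:
        if rule.regex.search(filename):
            return rule.action, rule.log_text
    return "allow", None


def scan(attachment: str, members: List[str],
         attachment_rules: List[Rule], archive_rules: List[Rule]):
    """Check the attachment name and each archive member against its own ruleset."""
    results = [(attachment, *check(attachment, attachment_rules))]
    results += [(name, *check(name, archive_rules)) for name in members]
    return results


if __name__ == "__main__":
    att = parse_rules(ATTACHMENT_RULES)
    # File names taken from the log lines in the thread.
    for label, arc_text in (("as posted", ARCHIVE_RULES), ("member rule disabled", ARCHIVE_RULES_FIXED)):
        print(label)
        for name, action, log_text in scan("rdf.zip", ["rdf.tex.bak"], att, parse_rules(arc_text)):
            print(f"  {name:12s} {action:5s} {log_text or ''}")
```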
From: Jeff.Mills at sydneytech.com.au (Jeff Mills)
Date: Wed Apr 14 04:13:26 2010
Subject: MailScanner: compressing attachments when set to no
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50DF2ED0D20@SERVER01.sts.local>

I have an issue where MailScanner seems to be hanging at compressing attachments, even though I have that option set to no in the config file.

When I run mailscanner in debug mode, I see many of these messages, then nothing:

max message size is '100000'

If I also debug spamassassin, this is the last of the messages in debug:

13:05:20 Apr 14 13:05:20.322 [23549] dbg: timing: total 16334 ms - read_scoreonly_config: 0.79 (0.0%), init: 11 (0.1%), parse: 3 (0.0%), extract_message_metadata: 22 (0.1%), get_uri_detail_list: 3 (0.0%), tests_pri_0: 4 (0.0%), compile_gen: 0.93 (0.0%)

If I do ps ax I see the following:

ps ax |grep -i mailscanner
23034 ? Ss 0:00 /bin/sh -c /opt/MailScanner/bin/check_mailscanner 1> /dev/null 2> /dev/null
23035 ? S 0:00 /bin/sh /opt/MailScanner/bin/check_mailscanner
23049 ? S 0:02 MailScanner: compressing attachments
23446 pts/1 S+ 0:04 MailScanner: compressing attachments

Zip Attachments = no

Any ideas?

From vincent at zijnemail.nl Wed Apr 14 12:35:25 2010
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Wed Apr 14 12:35:38 2010
Subject: Auto reply to clean email for a certain domain?
Message-ID: <4BC5A87D.3000002@zijnemail.nl>

Skipped content of type multipart/alternative

From alex at rtpty.com Wed Apr 14 14:10:23 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Apr 14 14:10:40 2010
Subject: Auto reply to clean email for a certain domain?
In-Reply-To: <4BC5A87D.3000002@zijnemail.nl>
References: <4BC5A87D.3000002@zijnemail.nl>
Message-ID: <465F6BA8-7C62-4A95-BAD5-A59B1522DE76@rtpty.com>

Not a good idea. A better idea would be to issue a 4xx temporary error at your MTA so that the sender can decide to queue it and notify the sender itself, or bounce it with your message so the sender knows that the message must be resent.

If it were done the way you mention, someone could send 1,000,000 messages "from" Vincent Verhagen and "to:" any one of your recipients, and you'd get 1,000,000 bounces saying "retry later".

Worse yet, someone could set "from:" and "to:" the same user @ your servers and fill your hard drive with a "clean" message.

On Apr 14, 2010, at 6:35 AM, Vincent Verhagen wrote:

> Would it be possible (and if so, how?) to have MailScanner notify the sender of clean mail for a certain domain with a pre-defined message, saying that it has been received but will not be read for a while?
> Thanks in advance!

From vincent at zijnemail.nl Wed Apr 14 14:59:26 2010
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Wed Apr 14 14:59:41 2010
Subject: Auto reply to clean email for a certain domain?
In-Reply-To: <465F6BA8-7C62-4A95-BAD5-A59B1522DE76@rtpty.com>
References: <4BC5A87D.3000002@zijnemail.nl> <465F6BA8-7C62-4A95-BAD5-A59B1522DE76@rtpty.com>
Message-ID: <4BC5CA3E.2040802@zijnemail.nl>

You're right. I'll try and convince the marketing guys and selectively defer mail for the domain under maintenance with a 450 or the like.

The other way would be to create a custom function with a sort of vacation responder, I guess. Wouldn't like to go there.

On 14-4-2010 15:10, Alex Neuman wrote:
> Not a good idea. A better idea would be to issue a 4xx temporary error at your MTA so that the sender can decide to queue it and notify the sender itself, or bounce it with your message so the sender knows that the message must be resent.
>
> If it were done the way you mention, someone could send 1,000,000 messages "from" Vincent Verhagen and "to:" any one of your recipients, and you'd get 1,000,000 bounces saying "retry later".
>
> Worse yet, someone could set "from:" and "to:" the same user @ your servers and fill your hard drive with a "clean" message.
>
> On Apr 14, 2010, at 6:35 AM, Vincent Verhagen wrote:
>
>
>> Would it be possible (and if so, how?) to have MailScanner notify the sender of clean mail for a certain domain with a pre-defined message, saying that it has been received but will not be read for a while?
>> Thanks in advance!
>>
>

From jancarel.putter at gmail.com Wed Apr 14 18:18:38 2010
From: jancarel.putter at gmail.com (JC Putter)
Date: Wed Apr 14 18:18:46 2010
Subject: MailScanner Quarantine Release Mail
Message-ID:

Hi,

I'd like to know if it is possible to automate the process of releasing mail from the quarantine by providing a release link inside the spam notification message sent from mailscanner to release emails from quarantine?

From mmlist at mjmm.org Thu Apr 15 10:50:41 2010
From: mmlist at mjmm.org (Michael Miller) Date: Thu Apr 15 10:51:10 2010 Subject: McAfee uvscan 6.0.0 - patches provided In-Reply-To: <4BBEEEA7.8080805@mjmm.org> References: <4BBEEEA7.8080805@mjmm.org> Message-ID: <4BC6E171.1000902@mjmm.org> Hi, Attached are a set of patches to add support for the McAfee uvscan v6.0.0 command line scanner. The v5 and v4 versions of uvscan are no longer receiving updates from McAfee and should be viewed as retired. During the testing Phil and I noticed that uvscan sometimes outputs "... Found " or "... Found: " when a virus is found - please be sure to test, at a minimum, with an eicar signature to ensure your copy of uvscan v6 is parsed correctly. I have updated the following files: etc/virus.scanners.conf lib/MailScanner/SweepViruses.pm lib/mcafee-autoupdate lib/mcafee-wrapper I have added the following files: lib/mcafee6-autoupdate lib/mcafee6-wrapper (Note that mcafee-autoupdate and mcafee6-autoupdate are identical, so after patching mcafee-autoupdate, you need to copy the resulting file to mcafee6-autoupdate) Thanks to Phil Randal for testing and troubleshooting my initial versions! If the patches don't come through correctly, please let me know and I can send as attachments. Regards, Mike Patches against MailScanner-4.79.11-1 below: ######################################################################### # diff -u etc/virus.scanners.conf.47911 etc/virus.scanners.conf --- etc/virus.scanners.conf.47911 2010-04-11 00:14:02.000000000 +0100 +++ etc/virus.scanners.conf 2010-04-15 10:36:18.000000000 +0100 
@@ -37,6 +37,7 @@ kaspersky /opt/MailScanner/lib/kaspersky-wrapper /opt/AVP kavdaemonclient /opt/MailScanner/lib/kavdaemonclient-wrapper /usr/local mcafee /opt/MailScanner/lib/mcafee-wrapper /usr/local/uvscan +mcafee6 /opt/MailScanner/lib/mcafee6-wrapper /usr/local/uvscan # Now updated to handle nod32 2.01 and upwards #nod32-1.99 /opt/MailScanner/lib/nod32-wrapper /usr/local/nod32 nod32-1.99 /opt/MailScanner/lib/nod32-wrapper /usr/sbin # diff -u lib/MailScanner/SweepViruses.pm.47911 lib/MailScanner/SweepViruses.pm --- lib/MailScanner/SweepViruses.pm.47911 2010-04-10 23:26:06.000000000 +0100 +++ lib/MailScanner/SweepViruses.pm 2010-04-13 16:14:52.000000000 +0100 @@ -127,6 +127,18 @@ SupportScanning => $S_SUPPORTED, SupportDisinfect => $S_SUPPORTED, }, + mcafee6 => { + Name => 'McAfee6', + Lock => 'mcafee6Busy.lock', + CommonOptions => '--recursive --ignore-links --analyze --mime ' . + '--secure --noboot', + DisinfectOptions => '--clean', + ScanOptions => '', + InitParser => \&InitMcAfee6Parser, + ProcessOutput => \&ProcessMcAfee6Output, + SupportScanning => $S_SUPPORTED, + SupportDisinfect => $S_SUPPORTED, + }, command => { Name => 'Command', Lock => 'commandBusy.lock', @@ -1379,6 +1391,11 @@ $currentline = ''; } +# Initialise any state variables the McAfee6 output parser uses +sub InitMcAfee6Parser { + ; +} + # Initialise any state variables the Command (CSAV) output parser uses sub InitCommandParser { ; @@ -1837,7 +1854,7 @@ $logout = $report; $logout =~ s/%/%%/g; $logout =~ s/\s{20,}/ /g; - # note: '$dot' does not become '.' + # note: '$dot' does not become '.', but blank for rootdir ($dot, $id, $part, @rest) = split(/\//, $lastline); my $notype = substr($part,1); $logout =~ s/\Q$part\E/$notype/; 
@@ -1858,6 +1875,64 @@ return 1; } +sub ProcessMcAfee6Output { + my($line, $infections, $types, $BaseDir, $Name) = @_; + + my($report, $dot, $id, $part, @rest); + my($logout); + my($filename, $virusname); + + chomp $line; + + #MailScanner::Log::InfoLog("McAfee6 said \"$line\""); + + # Should we worry about any warnings/errors? + return 0 unless $line =~ /Found/; + + # McAfee prints the whole path including + # ./message/part so make it the same + # eg: /var/spool/MailScanner/incoming/4118/./o3B07pUD004176/eicar.com + # + # strip off leading BaseDir + $line =~ s/^$BaseDir//; + # and then remaining /. (which may be removed in future as per v5 uvscan) + $line =~ s/^\/\.//; + # and put the leading . back in place + $line =~ s/^/\./; + + $filename = $line; + $filename =~ s/ \.\.\. Found.*$//; + + #get the virus name - not used currently + #$virusname = $line; + #$virusname =~ s/^.* \.\.\. Found.?//; + + $report = $line; + $logout = $line; + $logout =~ s/%/%%/g; + $logout =~ s/\s{20,}/ /g; + # note: '$dot' does become '.' + ($dot, $id, $part, @rest) = split(/\//, $filename); + my $notype = substr($part,1); + $logout =~ s/\Q$part\E/$notype/; + $report =~ s/\Q$part\E/$notype/; + $report =~ s/ \.\.\. Found/ Found/; + MailScanner::Log::InfoLog($logout); + + $report = $Name . ': ' . $report if $Name; + + # Infections found in the header must be handled specially here + if ($id =~ /\.(?:header|message)/) { + # The attachment name is "" ==> infection is whole messsage + $part = ""; + # Correct the message id by deleting all from .header onwards + $id =~ s/\.(?:header|message).*$//; + } + $infections->{"$id"}{"$part"} .= $report . 
"\n"; + $types->{"$id"}{"$part"} .= "v"; + return 1; +} + # This next function originally contributed in its entirety by # "Richard Brookhuis" # ######################################################################### # diff -u lib/mcafee-autoupdate.47911 lib/mcafee-autoupdate --- lib/mcafee-autoupdate.47911 2010-04-10 20:02:56.000000000 +0100 +++ lib/mcafee-autoupdate 2010-04-15 10:19:51.000000000 +0100 @@ -2,7 +2,15 @@ # # Update the McAfee data files. # +# As at 2010/04/10 the mcafee6-autoupdate and mcafee6-autoupdate scripts +# are identical. The logic to differentiate between versions is built in +# to the script to enable only one version of the script to be maintained. +# +# based on: +# # $Cambridge: hermes/conf/build/bin/uvscan-update,v 1.52 2004/08/18 19:12:02 fanf2 Exp $ +# and patch from: +# http://lists.mailscanner.info/pipermail/mailscanner/2009-November/094019.html # $PREFIX is the directory where the uvscan binary is (NOT a symlink to # the binary), which is where it looks for its dat files. You may run 
@@ -17,13 +25,36 @@ # the subdirectory via a current link. The current link is updated # without locking on the assumption that this is sufficiently unlikely # to cause a problem. +# + +# As of Apr 2010, McAfee is no longer publishing V1 DATs, and is only +# publishing V2 DATs: +# +# https://kc.mcafee.com/corporate/index?page=content&id=KB60404 +# https://kc.mcafee.com/corporate/index?page=content&id=KB60772 +# +# Version 6 of McAfee VirusScan Command Line Scanner for Unix uses V2 DATs. +# Version 5, which uses V1 DATs, is EoL and no longer receives DAT updates. +# +# If this script detects taht we are running VirusScan CLI version 6, we +# extract the DATs from the V2 DAT zip archive (avvdat-XXXX.zip). +# Otherwise, we log an error about EoL scanner and no available updates. +# +# As V1 DATs are no longer published, support for them has been removed +# from this update script. # defaults OPTS="-d" PREFIX=/opt/uvscan -FTPDIR=http://download.nai.com/products/datfiles/4.x/nai +FTPDIR=http://update.nai.com/products/commonupdater RETRIES=1 INTERVAL=300 +CLIVERSION=6 + +wgetverbosity="--no-verbose" +tarverbosity="" +unzipverbosity="-q" +unzipopts="-o" # handle the command line usage () { @@ -61,7 +92,7 @@ ;; /*) PREFIX=$arg ;; - http:) ftp_proxy=$arg + http://*) ftp_proxy=$arg http_proxy=$arg export ftp_proxy export http_proxy 
@@ -90,20 +121,32 @@ option v VERBOSE case $FORCE in yes) VERBOSE=yes + wgetverbosity="" + tarverbosity="v" + unzipverbosity="" esac -# look for binaries and libraris in plausible places +# look for binaries and libraries in plausible places PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin # this is only necessary for broken setups LD_LIBRARY_PATH=$PREFIX export PATH LD_LIBRARY_PATH +#setup sane umask, just in case... +umask 022 + # where this script finds things DATDIR=$PREFIX/datfiles -DATFILES="clean.dat extra.dat internet.dat names.dat scan.dat" + +# These are for CLI v6+: +# Note that runtime.dat is not distributed; it is generated by uvscan the +# first time it runs (including with "uvscan --version"). +DATFILES6="avvclean.dat avvnames.dat avvscan.dat runtime.dat extra.dat" + LINKNAME=current LINKREL=datfiles/$LINKNAME + # wrapper functions for echo etc. timestamp () { case $TIME in @@ -143,7 +186,11 @@ say PREFIX=$PREFIX # check directory setup is correct -for link in $LINKREL $DATFILES +# At this point we do not know whether this is a CLI version 6 or version 5 +# installation, and more particularly what the filenames for the DAT files +# are. +#for link in $LINKREL $DATFILES +for link in $LINKREL do if ! is -h $PREFIX/$link then 
@@ -181,12 +228,59 @@ run rm -f $out $err } +#this parses an ini file for the occurence of a value in the specified section +#parseini INIFILE SECTION ITEM +parseini () { + myINIFILE="$1" + mySECTION="$2" + myITEM="$3" + if [ ! -s "${myINIFILE}" ] + then + echo "UNKNOWN" + return 1 + fi + + myINSEC="no" + while read line + do + #just incase input is in DOS format... (Is the case for avvdat.ini) + line="`echo $line|sed 's/\r//'`" + + if [ "${line}" = "[${mySECTION}]" ] + then + myINSEC="yes" + continue + fi + if [ "`echo ${line}|cut -c1`" = "[" ] + then + myINSEC="no" + continue + fi + [ "${myINSEC}" = "yes" ] || continue + if [ "`echo ${line}|cut -d= -f1`" = "${myITEM}" ] + then + echo "`echo ${line}|sed 's/^'"${myITEM}="'//'`" + return 0 + fi + done < ${myINIFILE} + echo "UNKNOWN" + return 1 +} + # work out latest dat version try=$RETRIES while : -do getver "wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/update.ini" update.ini "DATVersion=" - VERSION=$VER - case $VERSION in +do + rm -f avvdat.ini + if is $? != 0 + then + say "Error deleting avvdat.init... update may not be successful." + fi + + run wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/avvdat.ini + NEWVER=`parseini avvdat.ini AVV-ZIP DATVersion` +say New version is $NEWVER + case $NEWVER in UNKNOWN) if ! try=`expr $try - 1` then break 
@@ -201,40 +295,75 @@ done # work out installed dat version -getver "uvscan --version" version.err "Virus data file v" +# CLI v5 is EoL so no point in checking for it first, +# as no one should still be using it +getver "uvscan --version" version.err "Dat set version: " +if is $VER = UNKNOWN +then + # Might be CLI pre-v6: + getver "uvscan --version" version.err "Virus data file v" + if is $VER != UNKNOWN + then + VERBOSE=yes + say "uvscan earlier than v6 found. No DATs available. ABORTING." + say "Please upgrade uvscan to at least v6.0.0" + if is $VER != 5937 + then + say "" + say "You are not running the last released v1 DAT." + say "Please manually upgrade to DAT v5937 if possible." + fi + run exit 1 + fi +fi PREVIOUS=$VER case $FORCE in yes) say Forced update from $PREVIOUS PREVIOUS=0000 ;; -*) if is $VERSION -eq $PREVIOUS - then say Already have $VERSION +*) if is $NEWVER -eq $PREVIOUS + then say Already have $NEWVER run exit 0 fi esac +# select appropriate archive name and DAT filenames +# if this is CLI v6, we use V2 DAT archive +if is $CLIVERSION = 6 +then + DISTARC=avvdat-$NEWVER.zip + DATFILES="$DATFILES6" +else + say "Fatal Error. Unsupported CLI version found..." 
+ exit 1 +fi + VERBOSE=yes +# We are performing an update, so be chatty (as opposed to explicitly +# verbose as requested) +CHATTY=yes + say Installed dat file is $PREVIOUS -say Latest dat file is $VERSION +say Latest dat file is $NEWVER -if is $VERSION = UNKNOWN +if is $NEWVER = UNKNOWN then say Problem with McAfee datfile update from $FTPDIR run exit 1 -elif is $VERSION -lt $PREVIOUS +elif is $NEWVER -lt $PREVIOUS then say Remote version $VERSION older than installed version $PREVIOUS run exit 1 -elif is -d $VERSION -then say Cleaning away $VERSION directory - run rm -rf $VERSION +elif is -d $NEWVER +then say Cleaning away $NEWVER directory + run rm -rf $NEWVER fi retry () { echo "$OUT" say Fetch or test failed -- removing bad McAfee data files run cd $DATDIR - run rm -rf $VERSION + run rm -rf $NEWVER if ! try=`expr $try - 1` then say Giving up run exit 1 @@ -248,19 +377,25 @@ while : do # fetch and extract dat files - TARFILE=dat-$VERSION.tar - run mkdir $VERSION - run cd $VERSION + run mkdir $NEWVER + run cd $NEWVER run chmod 700 . - if ! run wget --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE + if ! run wget $wgetverbosity --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$DISTARC then retry fi - run tar xvf $TARFILE + if is ! $CLIVERSION 6 + then + run tar x${tarverbosity}f $DISTARC + else + run unzip $unzipverbosity $unzipopts $DISTARC + fi run chmod 644 * run chmod 755 . # verify the contents - CMD="uvscan --version --dat ." + # this will create runtime.dat too + # we use --decompress to speed up future runs... + CMD="uvscan --version --dat . --decompress" say "> $CMD" if ! OUT=`$CMD 2>&1` then retry 
@@ -280,21 +415,19 @@ s/^/# /;/@MM/s/$/ <--/' readme.txt esac # remove some crap -run rm -f *.diz *.exe *.ini *.lst *.tar *.txt +run rm -f *.diz *.exe *.ini *.lst *.tar *.txt *.zip -# do remaining part of initial setup -case $INIT in -yes) for file in $DATFILES - do - run rm -f $PREFIX/$file - run ln -s $LINKREL/$file $PREFIX/$file - done -esac +# Make sure symlinks are in place +for file in $DATFILES +do + run rm -f $PREFIX/$file + run ln -s $LINKREL/$file $PREFIX/$file +done # update the current version link run cd $DATDIR -run ln -s $VERSION $VERSION/$LINKNAME -run mv $VERSION/$LINKNAME . +run ln -s $NEWVER $NEWVER/$LINKNAME +run mv $NEWVER/$LINKNAME . # maybe delete old dat files case $DELETE in ############################################################################## # diff -u lib/mcafee-wrapper.47911 lib/mcafee-wrapper --- lib/mcafee-wrapper.47911 2010-04-15 10:33:07.000000000 +0100 +++ lib/mcafee-wrapper 2010-04-10 23:23:36.000000000 +0100 @@ -33,6 +33,7 @@ # Then tweaked for heron by JKF again # Then tweaked for McAfee by JKF # Modified (badly!) by SEP398 to work with the update script +# Modified by MJMM to exclude uvscan v6 (different output parsing required) PackageDir=$1 shift 
@@ -43,7 +44,14 @@ export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then - [ -x ${PackageDir}/$prog ] && exit 0 + + #first check if the excutable exists... + [ -x ${PackageDir}/$prog ] || exit 1 + + #second check if it is pre-v6 (using different output string) + ${PackageDir}/$prog --version | grep "Virus data file v" > /dev/null + [ $? = 0 ] && exit 0 + exit 1 fi ##################################################################################### New file: lib/mcafee6-wrapper # cat lib/mcafee6-wrapper #!/bin/sh # MailScanner - SMTP E-Mail Virus Scanner # Copyright (C) 2001 Julian Field # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # The author, Julian Field, can be contacted by email at # Jules@JulianField.net # or by paper mail at # Julian Field # Dept of Electronics & Computer Science # University of Southampton # Southampton # SO17 1BJ # United Kingdom # # JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH # Modified for solaris by CJG # Then tweaked for heron by JKF again # Then tweaked for McAfee by JKF # Modified (badly!) 
by SEP398 to work with the update script # # MJMM Copied as mcafee6-wrapper for handle uvscan v6.0+ # MJMM Updated to detect v6 (different output parsing required) PackageDir=$1 shift prog=uvscan # `basename $0` datDIR=$PackageDir LD_LIBRARY_PATH=$PackageDir export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then #first check if the excutable exists... [ -x ${PackageDir}/$prog ] || exit 1 #second check if it is v6 (using different output string) ${PackageDir}/$prog --version | grep "Dat set version: " > /dev/null [ $? = 0 ] && exit 0 exit 1 fi if [ -f ${PackageDir}/datfiles/current/extra.dat ]; then exec ${PackageDir}/$prog -d $datDIR --extra ${PackageDir}/datfiles/current/extra.dat "$@" else if [ -f ${PackageDir}/extra.dat ]; then exec ${PackageDir}/$prog -d $datDIR --extra ${PackageDir}/extra.dat "$@" fi exec ${PackageDir}/$prog -d $datDIR "$@" fi Michael Miller wrote: > Hi > > I was wondering if there was a date when we can expect MailScanner to > natively support the updated McAfee uvscan anti virus scanner? uvscan > v5.3 is now EoL as DATs are no longer being released. > > I see a few patches were posted a few months back but they don't appear > to have been merged into MailScanner itself. Does anyone have any more > recent patches for uvscan 6.0.0? > > If there is interest in this, I can set about testing the patches and > consolidating the parsing and the updating patches and reposting if they > will be useful. > > Regards, > Mike > > From maillists at conactive.com Thu Apr 15 11:31:18 2010 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Apr 15 11:31:29 2010 Subject: MailScanner Quarantine Release Mail In-Reply-To: References: Message-ID: Yes. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From prandal at herefordshire.gov.uk Thu Apr 15 11:31:11 2010 
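Review bot: in ProcessMcAfee6Output (lib/MailScanner/SweepViruses.pm, hunk @@ -1858,6 +1875,64 @@ of Michael Miller's patch) the guard `return 0 unless $line =~ /Found/;` accepts any output line that contains the string, including one where it only appears in a scanned file's path, and that path is then recorded as an infection. The filename is later cut at ` \.\.\. Found`, so the guard should use the same anchor, e.g. `return 0 unless $line =~ / \.\.\. Found/;`. In the same function `$line =~ s/^$BaseDir//;` interpolates the directory as a regex; `s/^\Q$BaseDir\E//` would match it literally, as the `\Q$part\E` substitutions further down already do.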
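Review bot: NEWVER in lib/mcafee-autoupdate (hunk @@ -181,12 +228,59 @@) is taken unchecked from avvdat.ini, which is fetched from an http:// FTPDIR, and the later hunks use it unquoted in `run rm -rf $NEWVER`, `run mkdir $NEWVER` and `run cd $NEWVER`. Please reject any value that is not all digits immediately after the parseini call (treat it as UNKNOWN) and quote the variable where it is used as a path. Two smaller points in the same hunk: the `say New version is $NEWVER` line has lost its indentation, and the error message names avvdat.init instead of avvdat.ini.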
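Review bot: the `elif is $NEWVER -lt $PREVIOUS` branch in lib/mcafee-autoupdate (hunk @@ -201,40 +295,75 @@) still prints `Remote version $VERSION older than installed version $PREVIOUS`, but the earlier hunk removes the `VERSION=$VER` assignment, so the message will show an empty version. It should print $NEWVER like the other renamed lines. The hard-coded `5937` in the `is $VER != 5937` test would also be easier to maintain as a named variable with a comment saying it is the last v1 DAT.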
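Review bot: `if is ! $CLIVERSION 6` in lib/mcafee-autoupdate (hunk @@ -248,19 +377,25 @@) is not a valid comparison if `is` hands its arguments to test, as the other calls such as `is $CLIVERSION = 6` suggest; it should read `if is $CLIVERSION != 6`. The tar branch it guards is unreachable anyway, because the previous hunk exits when CLIVERSION is not 6, so it can be dropped together with tarverbosity. Also note that the archive is downloaded over http and unpacked with `unzip -o` before any check; the only validation is the later `uvscan --version --dat .` run, so an integrity check on the zip before extraction would be worth adding.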
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Apr 15 11:31:34 2010
Subject: McAfee uvscan 6.0.0 - patches provided
In-Reply-To: <4BC6E171.1000902@mjmm.org>
References: <4BBEEEA7.8080805@mjmm.org> <4BC6E171.1000902@mjmm.org>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45429EE1@HC-MBX01.herefordshire.gov.uk>

Thanks very much for your good work producing these patches, Michael.

MailWatch 1.0.4 / 1.0.5 users may need to update some files for that to work with mcafee6.

I've attached a .zip file of the MailWatch files I've changed for MailWatch. Changed files are:

functions.php
mcafee.awk
mcafee_status.php
rep_viruses.php

Please diff these against your working copies and make the appropriate changes.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Miller Sent: 15 April 2010 10:51 To: mailscanner@lists.mailscanner.info Subject: Re: McAfee uvscan 6.0.0 - patches provided Hi, Attached are a set of patches to add support for the McAfee uvscan v6.0.0 command line scanner. The v5 and v4 versions of uvscan are no longer receiving updates from McAfee and should be viewed as retired. During the testing Phil and I noticed that uvscan sometimes outputs "... Found " or "... Found: " when a virus is found - please be sure to test, at a minimum, with an eicar signature to ensure your copy of uvscan v6 is parsed correctly. I have updated the following files: etc/virus.scanners.conf lib/MailScanner/SweepViruses.pm lib/mcafee-autoupdate lib/mcafee-wrapper I have added the following files: lib/mcafee6-autoupdate lib/mcafee6-wrapper (Note that mcafee-autoupdate and mcafee6-autoupdate are identical, so after patching mcafee-autoupdate, you need to copy the resulting file to mcafee6-autoupdate) Thanks to Phil Randal for testing and troubleshooting my initial versions! If the patches don't come through correctly, please let me know and I can send as attachments. Regards, Mike Patches against MailScanner-4.79.11-1 below: ######################################################################## # # diff -u etc/virus.scanners.conf.47911 etc/virus.scanners.conf --- etc/virus.scanners.conf.47911 2010-04-11 00:14:02.000000000 +0100 +++ etc/virus.scanners.conf 2010-04-15 10:36:18.000000000 +0100 
@@ -37,6 +37,7 @@ kaspersky /opt/MailScanner/lib/kaspersky-wrapper /opt/AVP kavdaemonclient /opt/MailScanner/lib/kavdaemonclient-wrapper /usr/local mcafee /opt/MailScanner/lib/mcafee-wrapper /usr/local/uvscan +mcafee6 /opt/MailScanner/lib/mcafee6-wrapper /usr/local/uvscan # Now updated to handle nod32 2.01 and upwards #nod32-1.99 /opt/MailScanner/lib/nod32-wrapper /usr/local/nod32 nod32-1.99 /opt/MailScanner/lib/nod32-wrapper /usr/sbin # diff -u lib/MailScanner/SweepViruses.pm.47911 lib/MailScanner/SweepViruses.pm --- lib/MailScanner/SweepViruses.pm.47911 2010-04-10 23:26:06.000000000 +0100 +++ lib/MailScanner/SweepViruses.pm 2010-04-13 16:14:52.000000000 +0100 @@ -127,6 +127,18 @@ SupportScanning => $S_SUPPORTED, SupportDisinfect => $S_SUPPORTED, }, + mcafee6 => { + Name => 'McAfee6', + Lock => 'mcafee6Busy.lock', + CommonOptions => '--recursive --ignore-links --analyze --mime ' . + '--secure --noboot', + DisinfectOptions => '--clean', + ScanOptions => '', + InitParser => \&InitMcAfee6Parser, + ProcessOutput => \&ProcessMcAfee6Output, + SupportScanning => $S_SUPPORTED, + SupportDisinfect => $S_SUPPORTED, + }, command => { Name => 'Command', Lock => 'commandBusy.lock', @@ -1379,6 +1391,11 @@ $currentline = ''; } +# Initialise any state variables the McAfee6 output parser uses sub +InitMcAfee6Parser { + ; +} + # Initialise any state variables the Command (CSAV) output parser uses sub InitCommandParser { ; @@ -1837,7 +1854,7 @@ $logout = $report; $logout =~ s/%/%%/g; $logout =~ s/\s{20,}/ /g; - # note: '$dot' does not become '.' + # note: '$dot' does not become '.', but blank for rootdir ($dot, $id, $part, @rest) = split(/\//, $lastline); my $notype = substr($part,1); $logout =~ s/\Q$part\E/$notype/; 
@@ -1858,6 +1875,64 @@ return 1; } +sub ProcessMcAfee6Output { + my($line, $infections, $types, $BaseDir, $Name) = @_; + + my($report, $dot, $id, $part, @rest); my($logout); my($filename, + $virusname); + + chomp $line; + + #MailScanner::Log::InfoLog("McAfee6 said \"$line\""); + + # Should we worry about any warnings/errors? + return 0 unless $line =~ /Found/; + + # McAfee prints the whole path including # ./message/part so make it + the same # eg: + /var/spool/MailScanner/incoming/4118/./o3B07pUD004176/eicar.com + # + # strip off leading BaseDir + $line =~ s/^$BaseDir//; + # and then remaining /. (which may be removed in future as per v5 + uvscan) $line =~ s/^\/\.//; # and put the leading . back in place + $line =~ s/^/\./; + + $filename = $line; + $filename =~ s/ \.\.\. Found.*$//; + + #get the virus name - not used currently #$virusname = $line; + #$virusname =~ s/^.* \.\.\. Found.?//; + + $report = $line; + $logout = $line; + $logout =~ s/%/%%/g; + $logout =~ s/\s{20,}/ /g; + # note: '$dot' does become '.' + ($dot, $id, $part, @rest) = split(/\//, $filename); my $notype = + substr($part,1); $logout =~ s/\Q$part\E/$notype/; $report =~ + s/\Q$part\E/$notype/; $report =~ s/ \.\.\. Found/ Found/; + MailScanner::Log::InfoLog($logout); + + $report = $Name . ': ' . $report if $Name; + + # Infections found in the header must be handled specially here + if ($id =~ /\.(?:header|message)/) { + # The attachment name is "" ==> infection is whole messsage + $part = ""; + # Correct the message id by deleting all from .header onwards + $id =~ s/\.(?:header|message).*$//; + } + $infections->{"$id"}{"$part"} .= $report . 
"\n"; + $types->{"$id"}{"$part"} .= "v"; + return 1; +} + # This next function originally contributed in its entirety by # "Richard Brookhuis" # ######################################################################## # # diff -u lib/mcafee-autoupdate.47911 lib/mcafee-autoupdate --- lib/mcafee-autoupdate.47911 2010-04-10 20:02:56.000000000 +0100 +++ lib/mcafee-autoupdate 2010-04-15 10:19:51.000000000 +0100 @@ -2,7 +2,15 @@ # # Update the McAfee data files. # +# As at 2010/04/10 the mcafee6-autoupdate and mcafee6-autoupdate +scripts # are identical. The logic to differentiate between versions is +built in # to the script to enable only one version of the script to be maintained. +# +# based on: +# # $Cambridge: hermes/conf/build/bin/uvscan-update,v 1.52 2004/08/18 19:12:02 fanf2 Exp $ +# and patch from: +# http://lists.mailscanner.info/pipermail/mailscanner/2009-November/094019 .html # $PREFIX is the directory where the uvscan binary is (NOT a symlink to # the binary), which is where it looks for its dat files. You may run 
@@ -17,13 +25,36 @@ # the subdirectory via a current link. The current link is updated # without locking on the assumption that this is sufficiently unlikely # to cause a problem. +# + +# As of Apr 2010, McAfee is no longer publishing V1 DATs, and is only # +publishing V2 DATs: +# +# https://kc.mcafee.com/corporate/index?page=content&id=KB60404 +# https://kc.mcafee.com/corporate/index?page=content&id=KB60772 +# +# Version 6 of McAfee VirusScan Command Line Scanner for Unix uses V2 DATs. +# Version 5, which uses V1 DATs, is EoL and no longer receives DAT updates. +# +# If this script detects taht we are running VirusScan CLI version 6, +we # extract the DATs from the V2 DAT zip archive (avvdat-XXXX.zip). +# Otherwise, we log an error about EoL scanner and no available updates. +# +# As V1 DATs are no longer published, support for them has been removed +# from this update script. # defaults OPTS="-d" PREFIX=/opt/uvscan -FTPDIR=http://download.nai.com/products/datfiles/4.x/nai +FTPDIR=http://update.nai.com/products/commonupdater RETRIES=1 INTERVAL=300 +CLIVERSION=6 + +wgetverbosity="--no-verbose" +tarverbosity="" +unzipverbosity="-q" +unzipopts="-o" # handle the command line usage () { @@ -61,7 +92,7 @@ ;; /*) PREFIX=$arg ;; - http:) ftp_proxy=$arg + http://*) ftp_proxy=$arg http_proxy=$arg export ftp_proxy export http_proxy 
@@ -90,20 +121,32 @@ option v VERBOSE case $FORCE in yes) VERBOSE=yes + wgetverbosity="" + tarverbosity="v" + unzipverbosity="" esac -# look for binaries and libraris in plausible places +# look for binaries and libraries in plausible places PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin # this is only necessary for broken setups LD_LIBRARY_PATH=$PREFIX export PATH LD_LIBRARY_PATH +#setup sane umask, just in case... +umask 022 + # where this script finds things DATDIR=$PREFIX/datfiles -DATFILES="clean.dat extra.dat internet.dat names.dat scan.dat" + +# These are for CLI v6+: +# Note that runtime.dat is not distributed; it is generated by uvscan +the # first time it runs (including with "uvscan --version"). +DATFILES6="avvclean.dat avvnames.dat avvscan.dat runtime.dat extra.dat" + LINKNAME=current LINKREL=datfiles/$LINKNAME + # wrapper functions for echo etc. timestamp () { case $TIME in @@ -143,7 +186,11 @@ say PREFIX=$PREFIX # check directory setup is correct -for link in $LINKREL $DATFILES +# At this point we do not know whether this is a CLI version 6 or +version 5 # installation, and more particularly what the filenames for +the DAT files # are. +#for link in $LINKREL $DATFILES +for link in $LINKREL do if ! is -h $PREFIX/$link then 
@@ -181,12 +228,59 @@ run rm -f $out $err } +#this parses an ini file for the occurence of a value in the specified section +#parseini INIFILE SECTION ITEM +parseini () { + myINIFILE="$1" + mySECTION="$2" + myITEM="$3" + if [ ! -s "${myINIFILE}" ] + then + echo "UNKNOWN" + return 1 + fi + + myINSEC="no" + while read line + do + #just incase input is in DOS format... (Is the case for avvdat.ini) + line="`echo $line|sed 's/\r//'`" + + if [ "${line}" = "[${mySECTION}]" ] + then + myINSEC="yes" + continue + fi + if [ "`echo ${line}|cut -c1`" = "[" ] + then + myINSEC="no" + continue + fi + [ "${myINSEC}" = "yes" ] || continue + if [ "`echo ${line}|cut -d= -f1`" = "${myITEM}" ] + then + echo "`echo ${line}|sed 's/^'"${myITEM}="'//'`" + return 0 + fi + done < ${myINIFILE} + echo "UNKNOWN" + return 1 +} + # work out latest dat version try=$RETRIES while : -do getver "wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/update.ini" update.ini "DATVersion=" - VERSION=$VER - case $VERSION in +do + rm -f avvdat.ini + if is $? != 0 + then + say "Error deleting avvdat.init... update may not be successful." + fi + + run wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/avvdat.ini + NEWVER=`parseini avvdat.ini AVV-ZIP DATVersion` say New version +is $NEWVER + case $NEWVER in UNKNOWN) if ! try=`expr $try - 1` then break 
@@ -201,40 +295,75 @@ done # work out installed dat version -getver "uvscan --version" version.err "Virus data file v" +# CLI v5 is EoL so no point in checking for it first, # as no one +should still be using it getver "uvscan --version" version.err "Dat set +version: " +if is $VER = UNKNOWN +then + # Might be CLI pre-v6: + getver "uvscan --version" version.err "Virus data file v" + if is $VER != UNKNOWN + then + VERBOSE=yes + say "uvscan earlier than v6 found. No DATs available. ABORTING." + say "Please upgrade uvscan to at least v6.0.0" + if is $VER != 5937 + then + say "" + say "You are not running the last released v1 DAT." + say "Please manually upgrade to DAT v5937 if possible." + fi + run exit 1 + fi +fi PREVIOUS=$VER case $FORCE in yes) say Forced update from $PREVIOUS PREVIOUS=0000 ;; -*) if is $VERSION -eq $PREVIOUS - then say Already have $VERSION +*) if is $NEWVER -eq $PREVIOUS + then say Already have $NEWVER run exit 0 fi esac +# select appropriate archive name and DAT filenames # if this is CLI +v6, we use V2 DAT archive if is $CLIVERSION = 6 then + DISTARC=avvdat-$NEWVER.zip + DATFILES="$DATFILES6" +else + say "Fatal Error. Unsupported CLI version found..." 
+ exit 1 +fi + VERBOSE=yes +# We are performing an update, so be chatty (as opposed to explicitly # +verbose as requested) CHATTY=yes + say Installed dat file is $PREVIOUS -say Latest dat file is $VERSION +say Latest dat file is $NEWVER -if is $VERSION = UNKNOWN +if is $NEWVER = UNKNOWN then say Problem with McAfee datfile update from $FTPDIR run exit 1 -elif is $VERSION -lt $PREVIOUS +elif is $NEWVER -lt $PREVIOUS then say Remote version $VERSION older than installed version $PREVIOUS run exit 1 -elif is -d $VERSION -then say Cleaning away $VERSION directory - run rm -rf $VERSION +elif is -d $NEWVER +then say Cleaning away $NEWVER directory + run rm -rf $NEWVER fi retry () { echo "$OUT" say Fetch or test failed -- removing bad McAfee data files run cd $DATDIR - run rm -rf $VERSION + run rm -rf $NEWVER if ! try=`expr $try - 1` then say Giving up run exit 1 @@ -248,19 +377,25 @@ while : do # fetch and extract dat files - TARFILE=dat-$VERSION.tar - run mkdir $VERSION - run cd $VERSION + run mkdir $NEWVER + run cd $NEWVER run chmod 700 . - if ! run wget --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE + if ! run wget $wgetverbosity --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$DISTARC then retry fi - run tar xvf $TARFILE + if is ! $CLIVERSION 6 + then + run tar x${tarverbosity}f $DISTARC + else + run unzip $unzipverbosity $unzipopts $DISTARC + fi run chmod 644 * run chmod 755 . # verify the contents - CMD="uvscan --version --dat ." + # this will create runtime.dat too + # we use --decompress to speed up future runs... + CMD="uvscan --version --dat . --decompress" say "> $CMD" if ! OUT=`$CMD 2>&1` then retry 
@@ -280,21 +415,19 @@ s/^/# /;/@MM/s/$/ <--/' readme.txt esac # remove some crap -run rm -f *.diz *.exe *.ini *.lst *.tar *.txt +run rm -f *.diz *.exe *.ini *.lst *.tar *.txt *.zip -# do remaining part of initial setup -case $INIT in -yes) for file in $DATFILES - do - run rm -f $PREFIX/$file - run ln -s $LINKREL/$file $PREFIX/$file - done -esac +# Make sure symlinks are in place +for file in $DATFILES +do + run rm -f $PREFIX/$file + run ln -s $LINKREL/$file $PREFIX/$file done # update the current version link run cd $DATDIR -run ln -s $VERSION $VERSION/$LINKNAME -run mv $VERSION/$LINKNAME . +run ln -s $NEWVER $NEWVER/$LINKNAME +run mv $NEWVER/$LINKNAME . # maybe delete old dat files case $DELETE in ######################################################################## ###### # diff -u lib/mcafee-wrapper.47911 lib/mcafee-wrapper --- lib/mcafee-wrapper.47911 2010-04-15 10:33:07.000000000 +0100 +++ lib/mcafee-wrapper 2010-04-10 23:23:36.000000000 +0100 @@ -33,6 +33,7 @@ # Then tweaked for heron by JKF again # Then tweaked for McAfee by JKF # Modified (badly!) by SEP398 to work with the update script +# Modified by MJMM to exclude uvscan v6 (different output parsing +required) PackageDir=$1 shift 
@@ -43,7 +44,14 @@ export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then - [ -x ${PackageDir}/$prog ] && exit 0 + + #first check if the excutable exists... + [ -x ${PackageDir}/$prog ] || exit 1 + + #second check if it is pre-v6 (using different output string) + ${PackageDir}/$prog --version | grep "Virus data file v" > /dev/null + [ $? = 0 ] && exit 0 + exit 1 fi ######################################################################## ############# New file: lib/mcafee6-wrapper # cat lib/mcafee6-wrapper #!/bin/sh # MailScanner - SMTP E-Mail Virus Scanner # Copyright (C) 2001 Julian Field # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # The author, Julian Field, can be contacted by email at # Jules@JulianField.net # or by paper mail at # Julian Field # Dept of Electronics & Computer Science # University of Southampton # Southampton # SO17 1BJ # United Kingdom # # JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH # Modified for solaris by CJG # Then tweaked for heron by JKF again # Then tweaked for McAfee by JKF # Modified (badly!) 
by SEP398 to work with the update script # # MJMM Copied as mcafee6-wrapper for handle uvscan v6.0+ # MJMM Updated to detect v6 (different output parsing required) PackageDir=$1 shift prog=uvscan # `basename $0` datDIR=$PackageDir LD_LIBRARY_PATH=$PackageDir export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then #first check if the excutable exists... [ -x ${PackageDir}/$prog ] || exit 1 #second check if it is v6 (using different output string) ${PackageDir}/$prog --version | grep "Dat set version: " > /dev/null [ $? = 0 ] && exit 0 exit 1 fi if [ -f ${PackageDir}/datfiles/current/extra.dat ]; then exec ${PackageDir}/$prog -d $datDIR --extra ${PackageDir}/datfiles/current/extra.dat "$@" else if [ -f ${PackageDir}/extra.dat ]; then exec ${PackageDir}/$prog -d $datDIR --extra ${PackageDir}/extra.dat "$@" fi exec ${PackageDir}/$prog -d $datDIR "$@" fi Michael Miller wrote: > Hi > > I was wondering if there was a date when we can expect MailScanner to > natively support the updated McAfee uvscan anti virus scanner? uvscan > v5.3 is now EoL as DATs are no longer being released. > > I see a few patches were posted a few months back but they don't > appear to have been merged into MailScanner itself. Does anyone have > any more recent patches for uvscan 6.0.0? > > If there is interest in this, I can set about testing the patches and > consolidating the parsing and the updating patches and reposting if > they will be useful. > > Regards, > Mike > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. 
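Review bot: In ProcessMcAfee6Output (lib/MailScanner/SweepViruses.pm, hunk @@ -1858,6 +1875,64 @@) the line "$line =~ s/^$BaseDir//;" interpolates the spool directory as a regular expression, so any metacharacter in the path is interpreted instead of matched literally; write it as s/^\Q$BaseDir\E//, the way the function already quotes \Q$part\E. The guard "return 0 unless $line =~ /Found/;" is also looser than the " \.\.\. Found" pattern used to cut out the filename: an output line that contains "Found" only inside an attachment name still falls through and is recorded in $infections, so the guard should test for the full " ... Found" marker as well.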
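Review bot: The header comment added in hunk @@ -2,7 +2,15 @@ of lib/mcafee-autoupdate names the same script twice ("the mcafee6-autoupdate and mcafee6-autoupdate scripts are identical"), so it does not say which two files are meant to be kept in sync. Name both files explicitly, and say which one is the master copy if only one is to be maintained.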
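Review bot: The comment added in hunk @@ -17,13 +25,36 @@ of lib/mcafee-autoupdate says the script detects VirusScan CLI version 6, but "CLIVERSION=6" is set here as a fixed default and nothing in the visible hunks assigns it from the "uvscan --version" output, so the later branches that test it for any other value can never run. Either set CLIVERSION from the getver result or drop the variable together with the dead branches. "taht" in the same comment is a typo.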
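Review bot: The download loop in hunk @@ -181,12 +228,59 @@ of lib/mcafee-autoupdate fetches avvdat.ini over the plain-http $FTPDIR and reads only DATVersion from the AVV-ZIP section, and the archive named from that value is later unpacked without any integrity check. If that section also carries a size or checksum for the archive, read it with the same parseini call and compare it before unpacking; as written, the update path trusts whatever answers on that URL. Smaller points: the error text says "avvdat.init", and parseini expands ${line} unquoted in its echo calls, which collapses whitespace and lets the shell glob any * in a value.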
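Review bot: In hunk @@ -201,40 +295,75 @@ of lib/mcafee-autoupdate the unchanged line "then say Remote version $VERSION older than installed version $PREVIOUS" still prints $VERSION, which this patch no longer sets (the earlier "VERSION=$VER" assignment is removed in favour of NEWVER), so the message comes out with an empty version. Change it to $NEWVER like the surrounding tests.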
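Review bot: The test "if is ! $CLIVERSION 6" in hunk @@ -248,19 +377,25 @@ of lib/mcafee-autoupdate has no comparison operator, unlike "if is $CLIVERSION = 6" earlier in the patch, so the choice between tar and unzip does not rest on a well-formed test. Use "is $CLIVERSION != 6", or remove the tar branch altogether, since the script already exits for any CLI version other than 6.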
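Review bot: The symlink loop in hunk @@ -280,21 +415,19 @@ of lib/mcafee-autoupdate now runs on every update instead of only on init, and for v6 $DATFILES includes extra.dat, so "run rm -f $PREFIX/$file" deletes a site-supplied extra.dat in the uvscan directory each time and replaces it with a link into datfiles/current. Nothing in the visible hunks places an extra.dat in the new version directory, so that link can dangle, and the fallback to ${PackageDir}/extra.dat in mcafee6-wrapper then never matches. Skip extra.dat in this loop, or only relink a file when the new directory actually contains it.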
-------------- next part -------------- A non-text attachment was scrubbed... Name: MailWatch.zip Type: application/x-zip-compressed Size: 22374 bytes Desc: MailWatch.zip Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100415/7152544f/MailWatch-0001.bin From jancarel.putter at gmail.com Thu Apr 15 13:04:50 2010 From: jancarel.putter at gmail.com (JC Putter) Date: Thu Apr 15 13:04:58 2010 Subject: MailScanner Quarantine Release Mail In-Reply-To: References: Message-ID: Kai, will you be able to point me in a direction of an example? I am not much of a developer... On Thu, Apr 15, 2010 at 12:31 PM, Kai Schaetzl wrote: > Yes. > > Kai > > -- > Get your web at Conactive Internet Services: http://www.conactive.com From campbell at cnpapers.com Thu Apr 15 18:01:54 2010
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 15 18:02:19 2010 Subject: OT: difficulty with moving server Message-ID: <4BC74682.1050402@cnpapers.com> I'm trying to move one of our servers behind one firewall to another. I can't figure out what might be cached that prevents a smooth move. The mailserver is running a caching dns server, but the public IP for the mailserver is being moved to the new firewall, so I don't think it's DNS causing the problem. It appears that when I have the machine moved, after stopping MS (along with sendmail), the firewall accepts a telnet on port 25 to another domain, but either the firewall or sendmail doesn't receive or accept the returning packet. I get nothing in my firewall logs for denials. Any arp tables are flushed that are in front of the mailserver and firewall. I do believe I discovered that sendmail retains routing information to its default gateway. A check on the firewalls indicates the proper public IPs have been removed or installed. Mail travels into the server from the public lan and is sent and received behind the firewall. It just won't leave through the firewall to the public network. Does anyone know of anything I might be overlooking from the mailserver's point of view that might be cached and hanging around? A reboot didn't solve anything for me, and I have similar mailservers behind the new firewall with the same set of firewall rules. Thanks for any ideas and sorry for the OT. Steve Campbell From ecasarero at gmail.com Thu Apr 15 18:26:30 2010
From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Apr 15 18:27:05 2010 Subject: OT: difficulty with moving server In-Reply-To: <4BC74682.1050402@cnpapers.com> References: <4BC74682.1050402@cnpapers.com> Message-ID: 2010/4/15 Steve Campbell > I'm trying to move one of our servers behind one firewall to another. I > can't figure out what might be cached that prevents a smooth move. The > mailserver is running a caching dns server, but the public IP for the > mailserver is being moved to the new firewall, so I don't think it's DNS > causing the problem. > > It appears that when I have the machine moved, after stopping MS (along > with sendmail), the firewall accepts a telnet on port 25 to another domain, > but either the firewall or sendmail doesn't receive or accept the returning > packet. I get nothing in my firewall logs for denials. Any arp tables are > flushed that are in front of the mailserver and firewall. I do believe I > discovered that sendmail retains routing information to its default > gateway. A check on the firewalls indicates the proper public IPs have been > removed or installed. Mail travels into the server from the public lan and > is sent and received behind the firewall. It just won't leave through the > firewall to the public network. > > Does anyone know of anything I might be overlooking from the mailserver's > point of view that might be cached and hanging around? A reboot didn't solve > anything for me, and I have similar mailservers behind the new firewall with > the same set of firewall rules. > > Thanks for any ideas and sorry for the OT. > > Steve Campbell > I don't want to sound obvious, but did you change the default gateway? From dcmwai at pl.jaring.my Thu Apr 15 19:00:08 2010
From: dcmwai at pl.jaring.my (Chan Min Wai) Date: Thu Apr 15 19:00:17 2010 Subject: Gentoo Security Bugs on MailScanner Message-ID: Hello all, There seems to be a security bug in the installation of Mailscanner and thus caused the case. http://bugs.gentoo.org/show_bug.cgi?id=253657 Does anyone know what is wrong with it? Thank You From lstewart at superb.net Thu Apr 15 19:13:15 2010 From: lstewart at superb.net (Landon Stewart) Date: Thu Apr 15 19:13:25 2010 Subject: OT: difficulty with moving server In-Reply-To: References: <4BC74682.1050402@cnpapers.com> Message-ID: > > I don't want to sound obvious, but did you change the default gateway? > > And while on the server can you do nslookups using all the servers in /etc/resolv.conf? With mailscanner running - What happens if you telnet to localhost 25 *and* 25 while logged into the actual mailscanner server itself? What does "lsof -Pni tcp:25" look like? Anything interesting? And last but not least what do the logs say? Anything useful? -- Landon Stewart SuperbHosting.Net by Superb Internet Corp. Toll Free (US/Canada): 888-354-6128 x 4199 Direct: 206-438-5879 Web hosting and more "Ahead of the Rest": http://www.superbhosting.net From alex at rtpty.com Thu Apr 15 19:13:38 2010
From: alex at rtpty.com (Alex Neuman) Date: Thu Apr 15 19:13:48 2010 Subject: Gentoo Security Bugs on MailScanner In-Reply-To: References: Message-ID: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> It's all in the page you provide. Can you also provide a fix, or suggestions on how to fix it? On Apr 15, 2010, at 1:00 PM, Chan Min Wai wrote: > Hello all, > > There seems to be a security bug in the installation of Mailscanner > and thus caused the case. > > http://bugs.gentoo.org/show_bug.cgi?id=253657 > > Does anyone know what is wrong with it? > > Thank You From campbell at cnpapers.com Thu Apr 15 19:23:22 2010
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 15 19:24:13 2010 Subject: OT: difficulty with moving server In-Reply-To: References: <4BC74682.1050402@cnpapers.com> Message-ID: <4BC7599A.80304@cnpapers.com> Yep, I did. Obvious is usually where the problem lies. The problem is solved. It was an ancient switch that had an ancient ARP table that wasn't even supposed to be caching arp. Thanks for the help. steve Eduardo Casarero wrote: > > > 2010/4/15 Steve Campbell > > > I'm trying to move one of our servers behind one firewall to > another. I can't figure out what might be cached that prevents a > smooth move. The mailserver is running a caching dns server, but > the public IP for the mailserver is being moved to the new > firewall, so I don't think it's DNS causing the problem. > > It appears that when I have the machine moved, after stopping MS > (along with sendmail), the firewall accepts a telnet on port 25 to > another domain, but either the firewall or sendmail doesn't > receive or accept the returning packet. I get nothing in my > firewall logs for denials. Any arp tables are flushed that are in > front of the mailserver and firewall. I do believe I discovered > that sendmail retains routing information to its default gateway. > A check on the firewalls indicates the proper public IPs have been > removed or installed. Mail travels into the server from the public > lan and is sent and received behind the firewall. It just won't > leave through the firewall to the public network. > > Does anyone know of anything I might be overlooking from the > mailserver's point of view that might be cached and hanging > around? A reboot didn't solve anything for me, and I have similar > mailservers behind the new firewall with the same set of firewall > rules. > > Thanks for any ideas and sorry for the OT. > > Steve Campbell > > > I don't want to sound obvious, but did you change the default gateway? > > > From campbell at cnpapers.com Thu Apr 15 19:31:20 2010
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 15 19:32:10 2010 Subject: OT: difficulty with moving server In-Reply-To: References: <4BC74682.1050402@cnpapers.com> Message-ID: <4BC75B78.2020109@cnpapers.com> Problem solved. See my last post. I was able to do DNS lookups. Telnet wouldn't allow me to go outside. Turns out, the return from servers being sent an SMTP connect was being routed to the old firewall due to ancient ARP tables. The switch wasn't supposed to be doing anything arp-wise, and the address for the switch didn't even belong to us anymore. All the logs from the firewall indicated acceptance. Maillogs indicated timeouts. So I wasn't sure a connection was leaving the firewall or not. It was leaving, it just wasn't getting the return handshake. Thanks for all the pointers and help. We've never, ever had to flush this switch before and I've been here for decades. steve Landon Stewart wrote: > > I don't want to sound obvious, but did you change the default gateway? > > And while on the server can you do nslookups using all the servers in > /etc/resolv.conf? > > With mailscanner running - What happens if you telnet to localhost 25 > /and/ 25 while logged into the actual mailscanner server > itself? > > What does "lsof -Pni tcp:25" look like? Anything interesting? > > And last but not least what do the logs say? Anything useful? > > -- > Landon Stewart > > SuperbHosting.Net by Superb Internet Corp. > Toll Free (US/Canada): 888-354-6128 x 4199 > Direct: 206-438-5879 > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net From maillists at conactive.com Thu Apr 15 23:32:11 2010
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Apr 15 23:32:21 2010 Subject: Gentoo Security Bugs on MailScanner In-Reply-To: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> References: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> Message-ID: Alex Neuman wrote on Thu, 15 Apr 2010 13:13:38 -0500: > It's all in the page you provide Not really. Stefan Behte doesn't reveal details. It might be helpful if he would ... I don't see why using /tmp is so problematic. I see other stuff like the clamd socket there as well. Also, more than half of the code that you get displayed with his example is commented out and other parts are perhaps out of use either. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Apr 15 23:32:10 2010 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Apr 15 23:32:23 2010 Subject: MailScanner Quarantine Release Mail In-Reply-To: References: Message-ID: JC Putter wrote on Thu, 15 Apr 2010 14:04:50 +0200: > will you be able to point me in a direction of an example? i am not much of > a developer... Install Mailwatch. It includes functionality to send quarantine release mails. AFAIR you have to still login before you can release. But you can easily rewrite that bit to a uniquely hashed link that will release without login. Maybe someone on the mailwatch list has already done this and provides code. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From J.Ede at birchenallhowden.co.uk Fri Apr 16 12:57:38 2010 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Apr 16 12:58:15 2010 Subject: Watermarking In-Reply-To: <6407072.162.1271085100834.JavaMail.root@office.splatnix.net> References: <1213490F1F316842A544A850422BFA9635C5C71A91@BHLSBS.bhl.local> <6407072.162.1271085100834.JavaMail.root@office.splatnix.net> Message-ID: <1213490F1F316842A544A850422BFA9635C5C71C2B@BHLSBS.bhl.local> 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]-- Sent: 12 April 2010 16:12 To: MailScanner discussion Subject: Re: Watermarking 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]-- Sent: 12 April 2010 14:55 To: MailScanner discussion Subject: Re: Watermarking Hi, I really like the watermarking and find it useful and currently have it set to add 3 points to the SA score. I was wondering if there is an easy way to get it to appear as a SA rule rather than just adding to the score? It's easier to explain if it is in a spam report than having to explain the SA score is 3 points high because of something you can't see... I was thinking of a SA rule based on a header that is set if the message fails watermarking? Then I can turn off the rule in MS itself and just let SA mark the mail. Jason Why would you wish to add 3 points to the score? I thought that watermarking was to prevent backscatter plus the ability to bypass spam checks if the email originated from your server. Would you not wish to reduce the score by 3 points if the watermark was valid; unless I am missing something? -- Thanks - Phil Currently we don't outright reject emails without a watermark as some of our users still send email via other means and we don't have a way of preventing that at the moment. I could exclude their domains from watermark checking, but until then it's easier to add a few points to the spam score and let that and the other SA ratings take care of it. Jason Jason, I see where you are coming from now ... Looking at the code I do not think it would be that difficult to add this in; similar to the way SaneSecurity sigs etc are handled. Let me perform a bit more research and will see if I can get a patch together. Thanks, Phil I can see the code where it checks and I can see how I can amend the code to take the option of "header" instead of spam score etc, but how do I add a header to the header array?
From bryan.guest at bmts.com Fri Apr 16 19:32:35 2010 From: bryan.guest at bmts.com (Bryan Guest - Test Scarlett) Date: Fri Apr 16 19:54:45 2010 Subject: Determining what modules MS is loading Message-ID: <01a401cadd93$34cc3690$0b01010a@DGPTBH91> Hi: I have two mail gateways (Sunfire V240 w 4Gb RAM) running MailScanner. Both are running the same version (not the most recent) of Mailscanner and the ClamAV-Sa package. Both are RHEL ES4, with the same package install and patch levels (I think). On one, the resident RAM size of Mailscanner is 76M. On the other, the resident RAM size of Mailscanner is 156M. Can someone kindly assist me in determining what Perl modules or other libraries are being loaded by MailScanner so I can determine why there is such a large size discrepancy? The second box was swapping itself off to death, because I was allowing too many child processes and using up more than available RAM. Any information that can help me track down modules or functions that are loading different between the boxes would be appreciated. Thanks in advance, Bryan From alex at rtpty.com Fri Apr 16 20:46:00 2010
From: alex at rtpty.com (Alex Neuman) Date: Fri Apr 16 20:46:19 2010 Subject: Gentoo Security Bugs on MailScanner In-Reply-To: References: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> Message-ID: <917F654A-638D-42E0-A41C-BCB252684D99@rtpty.com> What I meant to convey is that all the non-details of this (to me) non-issue are in the non-helpful page. The non-useful non-question the original poster asked was just an apple tossed in an Eris-like fashion into the middle of an otherwise healthy support mailing list. On Apr 15, 2010, at 5:32 PM, Kai Schaetzl wrote: > Alex Neuman wrote on Thu, 15 Apr 2010 13:13:38 -0500: > >> It's all in the page you provide > > Not really. Stefan Behte doesn't reveal details. It might be helpful if he > would ... From maillists at conactive.com Fri Apr 16 22:31:17 2010 From: maillists at conactive.com (Kai Schaetzl) Date: Fri Apr 16 22:31:31 2010 Subject: Determining what modules MS is loading In-Reply-To: <01a401cadd93$34cc3690$0b01010a@DGPTBH91> References: <01a401cadd93$34cc3690$0b01010a@DGPTBH91> Message-ID: Bryan Guest - Test Scarlett wrote on Fri, 16 Apr 2010 14:32:35 -0400: > On one, the resident RAM size of Mailscanner is 76M. On the other, the > resident RAM size of Mailscanner is 156M. Well, my first guess would be that these machines carry different SA rules. The second that they carry quite different Bayes DBs. It is unlikely that the difference is in MS itself, it's basically doing the same and needing the same everywhere. > not the most recent You are not saying which, so I assume they are rather old? When were they left like they are now? Do yourself a favor and upgrade. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From maxsec at gmail.com Sun Apr 18 23:55:36 2010
From: maxsec at gmail.com (Martin Hepworth) Date: Sun Apr 18 23:55:45 2010 Subject: FreeBSD MailScanner port In-Reply-To: References: <4BC075B2.1060308@elasticmind.net> Message-ID: Just use the generic Unix installer - works fine. On 10 April 2010 14:28, Mikael Syska wrote: > Hi, > > On Sat, Apr 10, 2010 at 2:57 PM, mog wrote: > > Hi all, > > > > Just wondering if anyone knows anything regarding the current status of > the > > FreeBSD MailScanner port? Like are there currently any more taint mode or > > other problems that anyone is aware of? > > No > > > > > With thanks, > > mog -- Martin Hepworth Oxford, UK From herlenrosa at yahoo.co.in Mon Apr 19 09:12:56 2010
From: herlenrosa at yahoo.co.in (Anselmo Rosa)
Date: Mon Apr 19 09:13:07 2010
Subject: Mail getting queued up in mqueue.in and not getting delivered
Message-ID: <320755.75551.qm@web8407.mail.in.yahoo.com>

I have MailScanner 4.68, spamassassin 3.2 and sendmail 3.2 razor/pyzor installed. All was working fine for 1 & 1/2 years until I changed my ISP/DNS servers lately. The mails are getting queued up in mailqueue.in and not getting delivered, even local mails. I have to stop mailscanner and start only sendmail, then incoming mail gets delivered with a lot of spam. I don't remember changing any setup. Please help me to get things right.

From maillists at conactive.com Mon Apr 19 10:31:19 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Apr 19 10:31:32 2010
Subject: Mail getting queued up in mqueue.in and not getting delivered
In-Reply-To: <320755.75551.qm@web8407.mail.in.yahoo.com>
References: <320755.75551.qm@web8407.mail.in.yahoo.com>
Message-ID:

Remove all RBL checks in SA and MS and then check what's wrong with your or your ISP's DNS. With that MS/SA version it's also time for an upgrade.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Apr 19 11:31:17 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Apr 19 11:31:30 2010
Subject: Gentoo Security Bugs on MailScanner
In-Reply-To: <917F654A-638D-42E0-A41C-BCB252684D99@rtpty.com>
References: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> <917F654A-638D-42E0-A41C-BCB252684D99@rtpty.com>
Message-ID:

Ah, ok, that didn't "convey" to here ;-)

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From Kay.Irmer at VPIsystems.com Mon Apr 19 11:22:18 2010
From: Kay.Irmer at VPIsystems.com (Kay Irmer)
Date: Mon Apr 19 11:35:12 2010
Subject: McAfee uvscan 6.0.0 - patches provided
References: <4BBEEEA7.8080805@mjmm.org> <4BC6E171.1000902@mjmm.org>
Message-ID:

Michael Miller mjmm.org> writes:

Mike,

Could you please provide me the Patch as zip or tar. THANKS!!!

etc/virus.scanners.conf
lib/MailScanner/SweepViruses.pm
lib/mcafee-autoupdate
lib/mcafee-wrapper
lib/mcafee6-autoupdate
lib/mcafee6-wrapper

Regards,
Kay

From john at tradoc.fr Mon Apr 19 12:12:39 2010
From: john at tradoc.fr (John Wilcock)
Date: Mon Apr 19 12:12:54 2010
Subject: Gentoo Security Bugs on MailScanner
In-Reply-To:
References: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com>
Message-ID: <4BCC3AA7.6080706@tradoc.fr>

On 16/04/2010 00:32, Kai Schaetzl wrote:

> Alex Neuman wrote on Thu, 15 Apr 2010 13:13:38 -0500:
>
>> It's all in the page you provide
>
> Not really. Stefan Behte doesn't reveal details. It might be helpful if he
> would ... I don't see why using /tmp is so problematic. I see other stuff
> like the clamd socket there as well. Also, more than half of the code that
> you get displayed with his example is commented out and other parts are
> perhaps out of use either.

/tmp is generally world-writeable, so any unprivileged local user can create symlinks there pointing at system files or whatever. Processes that may run with elevated privs creating files in /tmp with predetermined or predictable filenames is therefore theoretically a bad idea, as malevolent local users could thereby overwrite important system files.

For example, any local user could hose a MailScanner box with a simple ln -s /etc/passwd /tmp/ClamAV.update.log ; just wait until clamav-autoupdate runs...

Of course, on most mail servers there won't be any unprivileged interactive local users anyway, so it's pretty much a non-issue.

Still, there aren't many MS files concerned though, only a few of the antivirus wrapper and autoupdate scripts, and I'm surprised Julian hasn't fixed them already. I wrote to him offlist recently after a gentoo admin masked the MailScanner ebuild and threatened to remove it from the gentoo tree, but have not had a reply.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From noel.butler at ausics.net Tue Apr 20 00:10:12 2010
From: noel.butler at ausics.net (Noel Butler)
Date: Tue Apr 20 00:10:31 2010
Subject: Gentoo Security Bugs on MailScanner
In-Reply-To: <4BCC3AA7.6080706@tradoc.fr>
References: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> <4BCC3AA7.6080706@tradoc.fr>
Message-ID: <1271718613.7597.24.camel@tardis>

Skipped content of type multipart/alternative

From john at tradoc.fr Tue Apr 20 07:37:10 2010
From: john at tradoc.fr (John Wilcock)
Date: Tue Apr 20 07:37:26 2010
Subject: Gentoo Security Bugs on MailScanner
In-Reply-To: <1271718613.7597.24.camel@tardis>
References: <75D92B30-A830-488A-BEB4-53E7513F33E5@rtpty.com> <4BCC3AA7.6080706@tradoc.fr> <1271718613.7597.24.camel@tardis>
Message-ID: <4BCD4B96.3070505@tradoc.fr>

On 20/04/2010 01:10, Noel Butler wrote:

> root@dev:/tmp# rm /tmp/ClamAV.update.log
> root@dev:/tmp# ln -s /etc/passwd /tmp/ClamAV.update.log
>
> < gave my login a shell, su'd to me, and cat of ClavAV.update.log
> verifies a non priv user can view the contents as one expects, but is
> useless since it's not a shadow file>

Well, in attempting to explain these so-called symlink vulnerabilities, I chose /etc/passwd as a well-known system file, though I'm well aware that on many recent systems it isn't what counts. But the same principle could of course be used to malevolently overwrite whatever important system file you want.

> using antiquated versions is one way where Julian may not give high
> priority into looking into such things when he returns.

Despite the title of the gentoo bug referred to, the gentoo tree now contains (unless the removal threat has been carried out) an ebuild for MailScanner 4.79.11, the latest stable version, which still contains some symlink vulnerabilities.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From bryan.guest at bmts.com Tue Apr 20 16:41:09 2010
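The predictable-name problem John Wilcock describes in the "Gentoo Security Bugs on MailScanner" messages above, next to two hardened ways of writing the same log. This is an added example, not part of the list archive and not MailScanner's own code; the function names and sandbox layout are hypothetical, and a throwaway directory stands in for /tmp so no real system file is involved.

```shell
#!/bin/sh
# Added example (not MailScanner code). Every path lives in a throwaway sandbox.

# Pattern discussed in the thread: a fixed file name in a directory that other
# local users can write to. ">>" follows whatever link already sits at that name.
write_predictable() {    # $1 = shared directory, $2 = log text
    echo "$2" >> "$1/ClamAV.update.log"
}

# Hardened form A: keep the fixed name but refuse to reuse it.
# With noclobber (set -C), ">" fails when the name already resolves to an
# existing regular file, so a link planted at that name is not written through.
write_exclusive() {      # $1 = full path, $2 = log text
    ( set -C; echo "$2" > "$1" ) 2>/dev/null
}

# Hardened form B: a private directory with an unpredictable name.
# mktemp -d creates the directory atomically with mode 0700 and never reuses
# an existing name, so no other local user can plant anything inside it.
write_private() {        # $1 = parent directory, $2 = log text; prints the log path
    dir=$(mktemp -d "$1/clamav-update.XXXXXX") || return 1
    echo "$2" > "$dir/update.log" || return 1
    printf '%s\n' "$dir/update.log"
}

# Run all three against a constructed sandbox and report what happened.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"                                # stands in for /tmp
    echo "original contents" > "$sandbox/important.conf"   # stands in for a system file
    # Precondition from the thread: a link already sits at the predictable name.
    ln -s "$sandbox/important.conf" "$sandbox/shared/ClamAV.update.log"

    write_predictable "$sandbox/shared" "update finished"
    if grep -q "update finished" "$sandbox/important.conf"; then
        r1="predictable=wrote-through-link"
    else
        r1="predictable=contained"
    fi

    echo "original contents" > "$sandbox/important.conf"   # reset the stand-in file
    if write_exclusive "$sandbox/shared/ClamAV.update.log" "update finished" ||
       grep -q "update finished" "$sandbox/important.conf"; then
        r2="exclusive=wrote-through-link"
    else
        r2="exclusive=refused"
    fi

    log=$(write_private "$sandbox/shared" "update finished")
    if [ -f "$log" ] && [ ! -L "$log" ] &&
       ! grep -q "update finished" "$sandbox/important.conf"; then
        r3="private=separate-file"
    else
        r3="private=failed"
    fi

    rm -rf "$sandbox"
    echo "$r1 $r2 $r3"
}

demo
```

Form A only guards against names that resolve to an existing regular file, so form B is the more robust of the two. For a log that has to persist between runs, a directory that only the updating user can write to plays the same role as the private directory here.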
From: bryan.guest at bmts.com (Bryan Guest)
Date: Tue Apr 20 16:41:25 2010
Subject: reducing memory used by Mailscanner
Message-ID: <00e301cae09f$eccadc60$0b01010a@DGPTBH91>

Hi:

This is a follow up to a previous post about the resident size of MailScanner.

I have added a new incoming MailScanner blade to my setup. It's a Sun X2200 with 4Gb of RAM. My previous two blades are Sun V20Z machines also with 4Gb of RAM. All Machines are running Redhat ESv4.

I am running the latest Mailscanner and ClamAV-SA package on the new machine. The resident size of MailScanner is 170Meg on the new machine. (It's 76M on the best running machine).

I am interested in how I can pare down the resident memory size used by MailScanner or improve performance/reduce load average.

My fundamental problem is that even though the two V20Z's are running the same older version of MS (4.56.8), one runs hotter (higher load average) than the other. And the newer X2200 machine runs hotter still.

IE: the one V20Z is at load average 0.5. The second is at 1.32. The X2200 with the latest MS is at 3.57. Note that these are in round-robin rotation behind an L4 switch.

I have adjusted the number of processes as best I can to avoid swapping out based on the resident size of MS. But randomly it seems the load average will shoot up on the second V20Z or the X2200. And by shoot up, I mean that it goes over 25 (~30-50 sometimes) and sendmail stops accepting mail.

Can anyone assist me in shedding any light on why one blade of two identical boxes runs hotter, and why a newer machine running the latest MailScanner runs even higher.

Alternately I would be supremely receptive to tips on how to bring down the load on these servers. Note, I am running the log and spool partitions with noatime, and syslog with - on the logs.

For clarification, we are not using SpamAssassin or the Bayes functionality on these blades. We employ MailScanner strictly for policy enforcement and virus scanning and use an external spam filter.

If I install a fresh Mailscanner install, and the ClamAV/SA package but halt the install before it compiles SA, will this reduce the resident size of MailScanner?

All the best regards to everyone, and thanks in advance,
Bryan

From ecasarero at gmail.com Tue Apr 20 16:49:41 2010
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue Apr 20 16:50:17 2010
Subject: reducing memory used by Mailscanner
In-Reply-To: <00e301cae09f$eccadc60$0b01010a@DGPTBH91>
References: <00e301cae09f$eccadc60$0b01010a@DGPTBH91>
Message-ID:

2010/4/20 Bryan Guest

> Hi:
>
> This is a follow up to a previous post about the resident size of
> MailScanner.
>
> I have added a new incoming MailScanner blade to my setup. It's a Sun
> X2200 with 4Gb of RAM. My previous two blades are Sun V20Z machines also
> with 4Gb of RAM. All Machines are running Redhat ESv4.
>
> I am running the latest Mailscanner and ClamAV-SA package on the new
> machine. The resident size of MailScanner is 170Meg on the new machine.
> (It's 76M on the best running machine).
>
> I am interested in how I can pare down the resident memory size used by
> MailScanner or improve performance/reduce load average.
>
> My fundamental problem is that even though the two V20Z's are running the
> same older version of MS (4.56.8), one runs hotter (higher load average)
> than the other. And the newer X2200 machine runs hotter still.
>
> IE: the one V20Z is at load average 0.5. The second is at 1.32. The
> X2200 with the latest MS is at 3.57. Note that these are in round-robin
> rotation behind an L4 switch.
>
> I have adjusted the number of processes as best I can to avoid swapping out
> based on the resident size of MS. But randomly it seems the load average
> will shoot up on the second V20Z or the X2200. And by shoot up, I mean that
> it goes over 25 (~30-50 sometimes) and sendmail stops accepting mail.
>
> Can anyone assist me in shedding any light on why one blade of two
> identical boxes runs hotter, and why a newer machine running the latest
> MailScanner runs even higher.
>
> Alternately I would be supremely receptive to tips on how to bring down the
> load on these servers. Note, I am running the log and spool partitions with
> noatime, and syslog with - on the logs.
>
> For clarification, we are not using SpamAssassin or the Bayes functionality
> on these blades. We employ MailScanner strictly for policy enforcement and
> virus scanning and use an external spam filter.
>
> If I install a fresh Mailscanner install, and the ClamAV/SA package but
> halt the install before it compiles SA, will this reduce the resident size
> of MailScanner?
>
> All the best regards to everyone, and thanks in advance,
> Bryan
>
>

How do you use clamav? We use clamd and it reduces the memory usage of the mailscanner children a lot (and it's also faster).

From mikej at rogers.com Tue Apr 20 19:31:56 2010
From: mikej at rogers.com (Mike Jakubik)
Date: Tue Apr 20 19:31:52 2010
Subject: FreeBSD MailScanner port
In-Reply-To:
References: <4BC075B2.1060308@elasticmind.net>
Message-ID: <42841ef6e4e0146ad7d28a00c4eb6a9f.squirrel@wettoast.dyndns.org>

On Sun, April 18, 2010 6:55 pm, Martin Hepworth wrote:

> Just use the generic Unix installer - works fine.

So does the port.

From maxsec at gmail.com Wed Apr 21 00:58:12 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Apr 21 01:06:14 2010
Subject: reducing memory used by Mailscanner
In-Reply-To: <00e301cae09f$eccadc60$0b01010a@DGPTBH91>
References: <00e301cae09f$eccadc60$0b01010a@DGPTBH91>
Message-ID:

Bryan

Don't get hung up on load av - that's just a measure of how many processes are waiting for resource (cpu/memory/disk etc) and not necessarily an indication of 'slowness'. I've seen machines with load av well over 100 and running very nicely thank you.

You can turn off the spamassassin checks in mailscanner.conf.

Also near identical machines will need different numbers for batch size and children size. Also make sure you read the wiki on performance tuning etc.

Martin

On 20 April 2010 16:41, Bryan Guest wrote:

> Hi:
>
> This is a follow up to a previous post about the resident size of
> MailScanner.
>
> I have added a new incoming MailScanner blade to my setup. It's a Sun
> X2200 with 4Gb of RAM. My previous two blades are Sun V20Z machines also
> with 4Gb of RAM. All Machines are running Redhat ESv4.
>
> I am running the latest Mailscanner and ClamAV-SA package on the new
> machine. The resident size of MailScanner is 170Meg on the new machine.
> (It's 76M on the best running machine).
>
> I am interested in how I can pare down the resident memory size used by
> MailScanner or improve performance/reduce load average.
>
> My fundamental problem is that even though the two V20Z's are running the
> same older version of MS (4.56.8), one runs hotter (higher load average)
> than the other. And the newer X2200 machine runs hotter still.
>
> IE: the one V20Z is at load average 0.5. The second is at 1.32. The
> X2200 with the latest MS is at 3.57. Note that these are in round-robin
> rotation behind an L4 switch.
>
> I have adjusted the number of processes as best I can to avoid swapping out
> based on the resident size of MS. But randomly it seems the load average
> will shoot up on the second V20Z or the X2200. And by shoot up, I mean that
> it goes over 25 (~30-50 sometimes) and sendmail stops accepting mail.
>
> Can anyone assist me in shedding any light on why one blade of two
> identical boxes runs hotter, and why a newer machine running the latest
> MailScanner runs even higher.
>
> Alternately I would be supremely receptive to tips on how to bring down the
> load on these servers. Note, I am running the log and spool partitions with
> noatime, and syslog with - on the logs.
>
> For clarification, we are not using SpamAssassin or the Bayes functionality
> on these blades. We employ MailScanner strictly for policy enforcement and
> virus scanning and use an external spam filter.
>
> If I install a fresh Mailscanner install, and the ClamAV/SA package but
> halt the install before it compiles SA, will this reduce the resident size
> of MailScanner?
>
> All the best regards to everyone, and thanks in advance,
> Bryan

--
Martin Hepworth
Oxford, UK

From ram at netcore.co.in Wed Apr 21 08:35:58 2010
From: ram at netcore.co.in (ram) Date: Wed Apr 21 08:36:14 2010 Subject: child processes just "waiting for messages" Message-ID: <1271835358.5923.36.camel@darkstar.netcore.co.in> On one of my Centos(5.2) servers MailScanner(4.70.7) processes sporadically stop pickup of hold mails automatically in the incoming until I reload my MTA is Postfix If I do a "ps -auxw | grep MailScanner" I can see all the processes just like this -- - MailScanner: waiting for messages The exact same configuration works on all other servers , why does this server behave strangely. How do I debug this ? Thanks Ram From maillists at conactive.com Wed Apr 21 10:31:15 2010 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Apr 21 10:31:24 2010 Subject: child processes just "waiting for messages" In-Reply-To: <1271835358.5923.36.camel@darkstar.netcore.co.in> References: <1271835358.5923.36.camel@darkstar.netcore.co.in> Message-ID: Ram wrote on Wed, 21 Apr 2010 13:05:58 +0530: > The exact same configuration works on all other servers , why does this > server behave strangely. How do I debug this ? with MailScanner --debug You want to go to the latest stable as well. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From prandal at herefordshire.gov.uk Wed Apr 21 10:45:39 2010 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Apr 21 10:45:56 2010 Subject: McAfee uvscan 6.0.0 - patches provided In-Reply-To: <4BC6E171.1000902@mjmm.org> References: <4BBEEEA7.8080805@mjmm.org> <4BC6E171.1000902@mjmm.org> Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE4542A425@HC-MBX01.herefordshire.gov.uk> There was one minor bug which resulted in incomplete reporting of some phishing emails, e.g. Report: McAfee6: ./o3GA2bRn018830.message with no virus name included. A patch which fixes it follows: [root@mx0 ~]# diff -Naur SweepViruses.pm.old SweepViruses.pm --- SweepViruses.pm.old 2010-04-16 14:09:50.000000000 +0100 +++ SweepViruses.pm 2010-04-16 14:33:59.000000000 +0100 
@@ -1913,6 +1913,15 @@ $logout =~ s/\s{20,}/ /g; # note: '$dot' does become '.' ($dot, $id, $part, @rest) = split(/\//, $filename); + + # Infections found in the header must be handled specially here if + ($id =~ /\.(?:header|message)/) { + # The attachment name is "" ==> infection is whole messsage + $part = ""; + # Correct the message id by deleting all from .header onwards + $id =~ s/\.(?:header|message).*$//; } + my $notype = substr($part,1); $logout =~ s/\Q$part\E/$notype/; $report =~ s/\Q$part\E/$notype/; @@ -1921,13 +1930,6 @@ $report = $Name . ': ' . $report if $Name; - # Infections found in the header must be handled specially here - if ($id =~ /\.(?:header|message)/) { - # The attachment name is "" ==> infection is whole messsage - $part = ""; - # Correct the message id by deleting all from .header onwards - $id =~ s/\.(?:header|message).*$//; - } $infections->{"$id"}{"$part"} .= $report . "\n"; $types->{"$id"}{"$part"} .= "v"; return 1; Cheers, Phil -- Phil Randal | Networks Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- 
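Review bot: In the first hunk of the SweepViruses.pm.old to SweepViruses.pm diff above (@@ -1913,6 +1913,15 @@), the relocated header/message block sets `$part = "";` immediately before `my $notype = substr($part,1);` and the two `s/\Q$part\E/$notype/` substitutions. For whole-message infections that means `substr` is called with an offset past the end of an empty string (it returns undef and warns), and both substitutions run with an empty pattern, which Perl treats as "reuse the last successfully matched regex" rather than "match nothing", so what ends up in `$logout` and `$report` depends on whichever earlier match happened to succeed. Suggest running those three lines only when `$part` is defined and non-empty, and adding a comment saying why the block has to sit above them. The moved comment also carries the typo "messsage".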
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Miller Sent: 15 April 2010 10:51 To: mailscanner@lists.mailscanner.info Subject: Re: McAfee uvscan 6.0.0 - patches provided Hi, Attached are a set of patches to add support for the McAfee uvscan v6.0.0 command line scanner. The v5 and v4 versions of uvscan are no longer receiving updates from McAfee and should be viewed as retired. During the testing Phil and I noticed that uvscan sometimes outputs "... Found " or "... Found: " when a virus is found - please be sure to test, at a minimum, with an eicar signature to ensure your copy of uvscan v6 is parsed correctly. I have updated the following files: etc/virus.scanners.conf lib/MailScanner/SweepViruses.pm lib/mcafee-autoupdate lib/mcafee-wrapper I have added the following files: lib/mcafee6-autoupdate lib/mcafee6-wrapper (Note that mcafee-autoupdate and mcafee6-autoupdate are identical, so after patching mcafee-autoupdate, you need to copy the resulting file to mcafee6-autoupdate) Thanks to Phil Randal for testing and troubleshooting my initial versions! If the patches don't come through correctly, please let me know and I can send as attachments. Regards, Mike Patches against MailScanner-4.79.11-1 below: ######################################################################## # # diff -u etc/virus.scanners.conf.47911 etc/virus.scanners.conf --- etc/virus.scanners.conf.47911 2010-04-11 00:14:02.000000000 +0100 +++ etc/virus.scanners.conf 2010-04-15 10:36:18.000000000 +0100 
@@ -37,6 +37,7 @@ kaspersky /opt/MailScanner/lib/kaspersky-wrapper /opt/AVP kavdaemonclient /opt/MailScanner/lib/kavdaemonclient-wrapper /usr/local mcafee /opt/MailScanner/lib/mcafee-wrapper /usr/local/uvscan +mcafee6 /opt/MailScanner/lib/mcafee6-wrapper /usr/local/uvscan # Now updated to handle nod32 2.01 and upwards #nod32-1.99 /opt/MailScanner/lib/nod32-wrapper /usr/local/nod32 nod32-1.99 /opt/MailScanner/lib/nod32-wrapper /usr/sbin # diff -u lib/MailScanner/SweepViruses.pm.47911 lib/MailScanner/SweepViruses.pm --- lib/MailScanner/SweepViruses.pm.47911 2010-04-10 23:26:06.000000000 +0100 +++ lib/MailScanner/SweepViruses.pm 2010-04-13 16:14:52.000000000 +0100 @@ -127,6 +127,18 @@ SupportScanning => $S_SUPPORTED, SupportDisinfect => $S_SUPPORTED, }, + mcafee6 => { + Name => 'McAfee6', + Lock => 'mcafee6Busy.lock', + CommonOptions => '--recursive --ignore-links --analyze --mime ' . + '--secure --noboot', + DisinfectOptions => '--clean', + ScanOptions => '', + InitParser => \&InitMcAfee6Parser, + ProcessOutput => \&ProcessMcAfee6Output, + SupportScanning => $S_SUPPORTED, + SupportDisinfect => $S_SUPPORTED, + }, command => { Name => 'Command', Lock => 'commandBusy.lock', @@ -1379,6 +1391,11 @@ $currentline = ''; } +# Initialise any state variables the McAfee6 output parser uses sub +InitMcAfee6Parser { + ; +} + # Initialise any state variables the Command (CSAV) output parser uses sub InitCommandParser { ; @@ -1837,7 +1854,7 @@ $logout = $report; $logout =~ s/%/%%/g; $logout =~ s/\s{20,}/ /g; - # note: '$dot' does not become '.' + # note: '$dot' does not become '.', but blank for rootdir ($dot, $id, $part, @rest) = split(/\//, $lastline); my $notype = substr($part,1); $logout =~ s/\Q$part\E/$notype/; 
@@ -1858,6 +1875,64 @@ return 1; } +sub ProcessMcAfee6Output { + my($line, $infections, $types, $BaseDir, $Name) = @_; + + my($report, $dot, $id, $part, @rest); my($logout); my($filename, + $virusname); + + chomp $line; + + #MailScanner::Log::InfoLog("McAfee6 said \"$line\""); + + # Should we worry about any warnings/errors? + return 0 unless $line =~ /Found/; + + # McAfee prints the whole path including # ./message/part so make it + the same # eg: + /var/spool/MailScanner/incoming/4118/./o3B07pUD004176/eicar.com + # + # strip off leading BaseDir + $line =~ s/^$BaseDir//; + # and then remaining /. (which may be removed in future as per v5 + uvscan) $line =~ s/^\/\.//; # and put the leading . back in place + $line =~ s/^/\./; + + $filename = $line; + $filename =~ s/ \.\.\. Found.*$//; + + #get the virus name - not used currently #$virusname = $line; + #$virusname =~ s/^.* \.\.\. Found.?//; + + $report = $line; + $logout = $line; + $logout =~ s/%/%%/g; + $logout =~ s/\s{20,}/ /g; + # note: '$dot' does become '.' + ($dot, $id, $part, @rest) = split(/\//, $filename); my $notype = + substr($part,1); $logout =~ s/\Q$part\E/$notype/; $report =~ + s/\Q$part\E/$notype/; $report =~ s/ \.\.\. Found/ Found/; + MailScanner::Log::InfoLog($logout); + + $report = $Name . ': ' . $report if $Name; + + # Infections found in the header must be handled specially here + if ($id =~ /\.(?:header|message)/) { + # The attachment name is "" ==> infection is whole messsage + $part = ""; + # Correct the message id by deleting all from .header onwards + $id =~ s/\.(?:header|message).*$//; + } + $infections->{"$id"}{"$part"} .= $report . 
"\n"; + $types->{"$id"}{"$part"} .= "v"; + return 1; +} + # This next function originally contributed in its entirety by # "Richard Brookhuis" # ######################################################################## # # diff -u lib/mcafee-autoupdate.47911 lib/mcafee-autoupdate --- lib/mcafee-autoupdate.47911 2010-04-10 20:02:56.000000000 +0100 +++ lib/mcafee-autoupdate 2010-04-15 10:19:51.000000000 +0100 @@ -2,7 +2,15 @@ # # Update the McAfee data files. # +# As at 2010/04/10 the mcafee6-autoupdate and mcafee6-autoupdate +scripts # are identical. The logic to differentiate between versions is +built in # to the script to enable only one version of the script to be maintained. +# +# based on: +# # $Cambridge: hermes/conf/build/bin/uvscan-update,v 1.52 2004/08/18 19:12:02 fanf2 Exp $ +# and patch from: +# http://lists.mailscanner.info/pipermail/mailscanner/2009-November/094019 .html # $PREFIX is the directory where the uvscan binary is (NOT a symlink to # the binary), which is where it looks for its dat files. You may run 
@@ -17,13 +25,36 @@ # the subdirectory via a current link. The current link is updated # without locking on the assumption that this is sufficiently unlikely # to cause a problem. +# + +# As of Apr 2010, McAfee is no longer publishing V1 DATs, and is only # +publishing V2 DATs: +# +# https://kc.mcafee.com/corporate/index?page=content&id=KB60404 +# https://kc.mcafee.com/corporate/index?page=content&id=KB60772 +# +# Version 6 of McAfee VirusScan Command Line Scanner for Unix uses V2 DATs. +# Version 5, which uses V1 DATs, is EoL and no longer receives DAT updates. +# +# If this script detects taht we are running VirusScan CLI version 6, +we # extract the DATs from the V2 DAT zip archive (avvdat-XXXX.zip). +# Otherwise, we log an error about EoL scanner and no available updates. +# +# As V1 DATs are no longer published, support for them has been removed +# from this update script. # defaults OPTS="-d" PREFIX=/opt/uvscan -FTPDIR=http://download.nai.com/products/datfiles/4.x/nai +FTPDIR=http://update.nai.com/products/commonupdater RETRIES=1 INTERVAL=300 +CLIVERSION=6 + +wgetverbosity="--no-verbose" +tarverbosity="" +unzipverbosity="-q" +unzipopts="-o" # handle the command line usage () { @@ -61,7 +92,7 @@ ;; /*) PREFIX=$arg ;; - http:) ftp_proxy=$arg + http://*) ftp_proxy=$arg http_proxy=$arg export ftp_proxy export http_proxy 
@@ -90,20 +121,32 @@ option v VERBOSE case $FORCE in yes) VERBOSE=yes + wgetverbosity="" + tarverbosity="v" + unzipverbosity="" esac -# look for binaries and libraris in plausible places +# look for binaries and libraries in plausible places PATH=$PREFIX:/usr/local/bin:/usr/bin:/bin # this is only necessary for broken setups LD_LIBRARY_PATH=$PREFIX export PATH LD_LIBRARY_PATH +#setup sane umask, just in case... +umask 022 + # where this script finds things DATDIR=$PREFIX/datfiles -DATFILES="clean.dat extra.dat internet.dat names.dat scan.dat" + +# These are for CLI v6+: +# Note that runtime.dat is not distributed; it is generated by uvscan +the # first time it runs (including with "uvscan --version"). +DATFILES6="avvclean.dat avvnames.dat avvscan.dat runtime.dat extra.dat" + LINKNAME=current LINKREL=datfiles/$LINKNAME + # wrapper functions for echo etc. timestamp () { case $TIME in @@ -143,7 +186,11 @@ say PREFIX=$PREFIX # check directory setup is correct -for link in $LINKREL $DATFILES +# At this point we do not know whether this is a CLI version 6 or +version 5 # installation, and more particularly what the filenames for +the DAT files # are. +#for link in $LINKREL $DATFILES +for link in $LINKREL do if ! is -h $PREFIX/$link then 
@@ -181,12 +228,59 @@ run rm -f $out $err } +#this parses an ini file for the occurence of a value in the specified section +#parseini INIFILE SECTION ITEM +parseini () { + myINIFILE="$1" + mySECTION="$2" + myITEM="$3" + if [ ! -s "${myINIFILE}" ] + then + echo "UNKNOWN" + return 1 + fi + + myINSEC="no" + while read line + do + #just incase input is in DOS format... (Is the case for avvdat.ini) + line="`echo $line|sed 's/\r//'`" + + if [ "${line}" = "[${mySECTION}]" ] + then + myINSEC="yes" + continue + fi + if [ "`echo ${line}|cut -c1`" = "[" ] + then + myINSEC="no" + continue + fi + [ "${myINSEC}" = "yes" ] || continue + if [ "`echo ${line}|cut -d= -f1`" = "${myITEM}" ] + then + echo "`echo ${line}|sed 's/^'"${myITEM}="'//'`" + return 0 + fi + done < ${myINIFILE} + echo "UNKNOWN" + return 1 +} + # work out latest dat version try=$RETRIES while : -do getver "wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/update.ini" update.ini "DATVersion=" - VERSION=$VER - case $VERSION in +do + rm -f avvdat.ini + if is $? != 0 + then + say "Error deleting avvdat.init... update may not be successful." + fi + + run wget --tries=$try --waitretry=$INTERVAL --passive-ftp $FTPDIR/avvdat.ini + NEWVER=`parseini avvdat.ini AVV-ZIP DATVersion` say New version +is $NEWVER + case $NEWVER in UNKNOWN) if ! try=`expr $try - 1` then break 
@@ -201,40 +295,75 @@ done # work out installed dat version -getver "uvscan --version" version.err "Virus data file v" +# CLI v5 is EoL so no point in checking for it first, # as no one +should still be using it getver "uvscan --version" version.err "Dat set +version: " +if is $VER = UNKNOWN +then + # Might be CLI pre-v6: + getver "uvscan --version" version.err "Virus data file v" + if is $VER != UNKNOWN + then + VERBOSE=yes + say "uvscan earlier than v6 found. No DATs available. ABORTING." + say "Please upgrade uvscan to at least v6.0.0" + if is $VER != 5937 + then + say "" + say "You are not running the last released v1 DAT." + say "Please manually upgrade to DAT v5937 if possible." + fi + run exit 1 + fi +fi PREVIOUS=$VER case $FORCE in yes) say Forced update from $PREVIOUS PREVIOUS=0000 ;; -*) if is $VERSION -eq $PREVIOUS - then say Already have $VERSION +*) if is $NEWVER -eq $PREVIOUS + then say Already have $NEWVER run exit 0 fi esac +# select appropriate archive name and DAT filenames # if this is CLI +v6, we use V2 DAT archive if is $CLIVERSION = 6 then + DISTARC=avvdat-$NEWVER.zip + DATFILES="$DATFILES6" +else + say "Fatal Error. Unsupported CLI version found..." 
+ exit 1 +fi + VERBOSE=yes +# We are performing an update, so be chatty (as opposed to explicitly # +verbose as requested) CHATTY=yes + say Installed dat file is $PREVIOUS -say Latest dat file is $VERSION +say Latest dat file is $NEWVER -if is $VERSION = UNKNOWN +if is $NEWVER = UNKNOWN then say Problem with McAfee datfile update from $FTPDIR run exit 1 -elif is $VERSION -lt $PREVIOUS +elif is $NEWVER -lt $PREVIOUS then say Remote version $VERSION older than installed version $PREVIOUS run exit 1 -elif is -d $VERSION -then say Cleaning away $VERSION directory - run rm -rf $VERSION +elif is -d $NEWVER +then say Cleaning away $NEWVER directory + run rm -rf $NEWVER fi retry () { echo "$OUT" say Fetch or test failed -- removing bad McAfee data files run cd $DATDIR - run rm -rf $VERSION + run rm -rf $NEWVER if ! try=`expr $try - 1` then say Giving up run exit 1 @@ -248,19 +377,25 @@ while : do # fetch and extract dat files - TARFILE=dat-$VERSION.tar - run mkdir $VERSION - run cd $VERSION + run mkdir $NEWVER + run cd $NEWVER run chmod 700 . - if ! run wget --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$TARFILE + if ! run wget $wgetverbosity --tries=$try --waitretry=$INTERVAL --passive-ftp --progress=dot:mega $FTPDIR/$DISTARC then retry fi - run tar xvf $TARFILE + if is ! $CLIVERSION 6 + then + run tar x${tarverbosity}f $DISTARC + else + run unzip $unzipverbosity $unzipopts $DISTARC + fi run chmod 644 * run chmod 755 . # verify the contents - CMD="uvscan --version --dat ." + # this will create runtime.dat too + # we use --decompress to speed up future runs... + CMD="uvscan --version --dat . --decompress" say "> $CMD" if ! OUT=`$CMD 2>&1` then retry 
@@ -280,21 +415,19 @@ s/^/# /;/@MM/s/$/ <--/' readme.txt esac # remove some crap -run rm -f *.diz *.exe *.ini *.lst *.tar *.txt +run rm -f *.diz *.exe *.ini *.lst *.tar *.txt *.zip -# do remaining part of initial setup -case $INIT in -yes) for file in $DATFILES - do - run rm -f $PREFIX/$file - run ln -s $LINKREL/$file $PREFIX/$file - done -esac +# Make sure symlinks are in place +for file in $DATFILES +do + run rm -f $PREFIX/$file + run ln -s $LINKREL/$file $PREFIX/$file done # update the current version link run cd $DATDIR -run ln -s $VERSION $VERSION/$LINKNAME -run mv $VERSION/$LINKNAME . +run ln -s $NEWVER $NEWVER/$LINKNAME +run mv $NEWVER/$LINKNAME . # maybe delete old dat files case $DELETE in ######################################################################## ###### # diff -u lib/mcafee-wrapper.47911 lib/mcafee-wrapper --- lib/mcafee-wrapper.47911 2010-04-15 10:33:07.000000000 +0100 +++ lib/mcafee-wrapper 2010-04-10 23:23:36.000000000 +0100 @@ -33,6 +33,7 @@ # Then tweaked for heron by JKF again # Then tweaked for McAfee by JKF # Modified (badly!) by SEP398 to work with the update script +# Modified by MJMM to exclude uvscan v6 (different output parsing +required) PackageDir=$1 shift 
@@ -43,7 +44,14 @@ export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then - [ -x ${PackageDir}/$prog ] && exit 0 + + #first check if the excutable exists... + [ -x ${PackageDir}/$prog ] || exit 1 + + #second check if it is pre-v6 (using different output string) + ${PackageDir}/$prog --version | grep "Virus data file v" > /dev/null + [ $? = 0 ] && exit 0 + exit 1 fi ######################################################################## ############# New file: lib/mcafee6-wrapper # cat lib/mcafee6-wrapper #!/bin/sh # MailScanner - SMTP E-Mail Virus Scanner # Copyright (C) 2001 Julian Field # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # The author, Julian Field, can be contacted by email at # Jules@JulianField.net # or by paper mail at # Julian Field # Dept of Electronics & Computer Science # University of Southampton # Southampton # SO17 1BJ # United Kingdom # # JKF Wrapper Sophos programs with the correct LD_LIBRARY_PATH # Modified for solaris by CJG # Then tweaked for heron by JKF again # Then tweaked for McAfee by JKF # Modified (badly!) 
by SEP398 to work with the update script # # MJMM Copied as mcafee6-wrapper for handle uvscan v6.0+ # MJMM Updated to detect v6 (different output parsing required) PackageDir=$1 shift prog=uvscan # `basename $0` datDIR=$PackageDir LD_LIBRARY_PATH=$PackageDir export LD_LIBRARY_PATH if [ "x$1" = "x-IsItInstalled" ]; then #first check if the excutable exists... [ -x ${PackageDir}/$prog ] || exit 1 #second check if it is v6 (using different output string) ${PackageDir}/$prog --version | grep "Dat set version: " > /dev/null [ $? = 0 ] && exit 0 exit 1 fi if [ -f ${PackageDir}/datfiles/current/extra.dat ]; then exec ${PackageDir}/$prog -d $datDIR --extra ${PackageDir}/datfiles/current/extra.dat "$@" else if [ -f ${PackageDir}/extra.dat ]; then exec ${PackageDir}/$prog -d $datDIR --extra ${PackageDir}/extra.dat "$@" fi exec ${PackageDir}/$prog -d $datDIR "$@" fi Michael Miller wrote: > Hi > > I was wondering if there was a date when we can expect MailScanner to > natively support the updated McAfee uvscan anti virus scanner? uvscan > v5.3 is now EoL as DATs are no longer being released. > > I see a few patches were posted a few months back but they don't > appear to have been merged into MailScanner itself. Does anyone have > any more recent patches for uvscan 6.0.0? > > If there is interest in this, I can set about testing the patches and > consolidating the parsing and the updating patches and reposting if > they will be useful. > > Regards, > Mike > > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. 
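Review bot: In the `@@ -201,40 +295,75 @@` hunk the unchanged line `then say Remote version $VERSION older than installed version $PREVIOUS` still expands `$VERSION`, while the comparison directly above it and every other use in the hunk were switched to `$NEWVER`. Unless `$VERSION` is still assigned elsewhere, the message will print an empty version, so change it to `$NEWVER`. The new `else` branch after `if is $CLIVERSION = 6` also calls a bare `exit 1` where the rest of the script uses `run exit 1`.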
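Review bot: In the `@@ -248,19 +377,25 @@` hunk, `if is ! $CLIVERSION 6` has no comparison operator between `$CLIVERSION` and `6` (compare `if is $CLIVERSION = 6` in the previous hunk), so the choice between `tar` and `unzip` does not test what it appears to. Write it as `if is $CLIVERSION != 6`, or drop the `tar` branch, since the previous hunk already exits for any CLI version other than 6. Separately, the archive fetched with `wget ... --passive-ftp` is unpacked and accepted on the strength of `uvscan --version --dat .` alone; comparing a size or checksum before `unzip`, if the vendor publishes one, would catch a truncated or altered download before its contents are extracted.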
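Review bot: In the `@@ -280,21 +415,19 @@` hunk the symlink loop now runs on every update instead of only under `INIT`, and `run rm -f $PREFIX/$file` followed by `run ln -s` leaves a window in which `$PREFIX/$file` does not exist, so a scan that starts in that window will not find that DAT file. Use the pattern the script already applies to the current-version link a few lines further down: create the link under a temporary name and `mv` it over the old one. `$PREFIX/$file` is also unquoted in both commands.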
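Review bot: In the `-IsItInstalled` hunk of lib/mcafee-wrapper (`@@ -43,7 +44,14 @@`), `${PackageDir}/$prog` is unquoted in both the `-x` test and the `--version` call although `PackageDir` comes straight from `$1`; quote it as `"${PackageDir}/$prog"`. The probe now executes uvscan on every check and only grep's stdout is discarded, so anything uvscan writes to stderr reaches the caller; add `2>/dev/null` to the uvscan call if that is not wanted. The comment typo `excutable` is repeated in the new lib/mcafee6-wrapper.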
This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. From bttterceira at net.sapo.pt Wed Apr 21 13:13:07 2010 From: bttterceira at net.sapo.pt (Ludgero Parreira) Date: Wed Apr 21 14:14:00 2010 Subject: Sanesecurity Message-ID: Hi, I'm getting spam even when clamd triggers a sanesecurity rule: X--MailScanner-From: rachitic@mmorpguides.com X--MailScanner-SpamScore: 6 X--MailScanner-SpamCheck: not spam, SpamAssassin (score=6.977, required 7, BAYES_99 4.00, RCVD_IN_PBL 2.00, RCVD_IN_SORBS_DUL 0.88, RDNS_NONE 0.10) X--MailScanner-SpamVirus-Report: Sanesecurity.Junk.22048.UNOFFICIALSanesecurity.Junk.22048.UNOFFICIAL X--MailScanner: Found to be clean This email should have been removed ? I'm missing something ? Regards Ludgero Parreira From m.anderlini at database.it Wed Apr 21 14:36:42 2010 
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Apr 21 14:37:12 2010
Subject: [OT] How to avoid Backscatter in Sendmail
Message-ID:

I beg your pardon for this OT, but I'm desperate, my system is blacklisted by Backscatterer.org and I'm trying to configure it to avoid backscatter.
I'm following what is suggested here:
http://elqui.dcsc.utfsm.cl/util/email/backscatter.html

I'm using sendmail-8.13.1-3.3.el4. on a CentOS release 4.8.
I configured my access file to reject unknown recipients but my system still sends an email instead of rejecting it at the initial SMTP transaction.

I would be very grateful for any kind of help anyone could give me.

Best regards

This is my sendmail.mc

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`confCW_FILE', `/etc/mail/sendmail.cw')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confBAD_RCPT_THROTTLE',`2')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`enhdnsbl', `bl.spamcop.net', `"553 rejected - see http://spamcop.net/bl.shtml?"$&{client_addr}', `')dnl
FEATURE(`enhdnsbl', `cbl.abuseat.org', `"553 rejected - see http://cbl.abuseat.org/lookup.cgi?"$&{client_addr}', `')dnl
FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"553 rejected - see http://www.spamhaus.org/query/bl?"$&{client_addr}', `')dnl
FEATURE(`enhdnsbl', `clients.blocked.rbl', `"553 rejected - see http://www.database.it/bl.asp?"$&{client_addr}', `')dnl
FEATURE(`enhdnsbl', `hosts.blocked.rbl', `"553 rejected - see http://www.database.itt/bl.asp?"$&{client_addr}', `')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwlocalhost.localdomain

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

--
Message checked by the Database Informatica antivirus service

From J.Ede at birchenallhowden.co.uk Wed Apr 21 14:43:33 2010
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Wed Apr 21 14:44:21 2010
Subject: [OT] How to avoid Backscatter in Sendmail
In-Reply-To:
References:
Message-ID: <1213490F1F316842A544A850422BFA9635C5C71DF0@BHLSBS.bhl.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini > Sent: 21 April 2010 14:37 > To: mailscanner@lists.mailscanner.info > Subject: [OT] How to avoid Backscatter in Sendmail > > I beg your pardon but for this OT but I'm desperate, my system is > blacklisted by Backscatterer.org and I'm trying to configure it to > avoid > backscatter. > I'm following what suggest here: > http://elqui.dcsc.utfsm.cl/util/email/backscatter.html > > I'm using sendmail-8.13.1-3.3.el4. on a CentOS release 4.8. > I configured my access file to reject unknown recipients but my system > still > sends an email instead of rejecting it at smtp initial transaction. > > I would be very grateful for any kind of help anyone could give me. > > Best regards > > > This is my sendmail.mc > > divert(-1) > dnl This is the sendmail macro config file. If you make changes to this > file, > dnl you need the sendmail-cf rpm installed and then have to generate a > dnl new /etc/sendmail.cf by running the following command: > dnl > dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf > dnl > include(`/usr/share/sendmail-cf/m4/cf.m4') > VERSIONID(`linux setup for Red Hat Linux')dnl > OSTYPE(`linux') > define(`confDEF_USER_ID',``8:12'')dnl > undefine(`UUCP_RELAY')dnl > undefine(`BITNET_RELAY')dnl > define(`confTO_CONNECT', `1m')dnl > define(`confTRY_NULL_MX_LIST',true)dnl > define(`confDONT_PROBE_INTERFACES',true)dnl > define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl > define(`ALIAS_FILE', `/etc/aliases')dnl > define(`confCW_FILE', `/etc/mail/sendmail.cw')dnl > dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl > define(`UUCP_MAILER_MAX', `2000000')dnl > define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl > define(`confPRIVACY_FLAGS', > `authwarnings,novrfy,noexpn,restrictqrun')dnl > define(`confAUTH_OPTIONS', `A')dnl > TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl > define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 
LOGIN PLAIN')dnl > define(`confBAD_RCPT_THROTTLE',`2')dnl > dnl define(`confTO_QUEUEWARN', `4h')dnl > dnl define(`confTO_QUEUERETURN', `5d')dnl > dnl define(`confQUEUE_LA', `12')dnl > dnl define(`confREFUSE_LA', `18')dnl > dnl FEATURE(delay_checks)dnl > FEATURE(`no_default_msa',`dnl')dnl > FEATURE(`smrsh',`/usr/sbin/smrsh')dnl > FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl > FEATURE(redirect)dnl > FEATURE(always_add_domain)dnl > FEATURE(use_cw_file)dnl > FEATURE(use_ct_file)dnl > FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl > FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl > FEATURE(`blacklist_recipients')dnl > FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl > FEATURE(`enhdnsbl', `bl.spamcop.net', `"553 rejected - see > http://spamcop.net/bl.shtml?"$&{client_addr}', `')dnl > FEATURE(`enhdnsbl', `cbl.abuseat.org', `"553 rejected - see > http://cbl.abuseat.org/lookup.cgi?"$&{client_addr}', `')dnl > FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"553 rejected - see > http://www.spamhaus.org/query/bl?"$&{client_addr}', `')dnl > FEATURE(`enhdnsbl', `clients.blocked.rbl', `"553 rejected - see > http://www.database.it/bl.asp?"$&{client_addr}', `')dnl > FEATURE(`enhdnsbl', `hosts.blocked.rbl', `"553 rejected - see > http://www.database.itt/bl.asp?"$&{client_addr}', `')dnl > EXPOSED_USER(`root')dnl > dnl This changes sendmail to only listen on the loopback device > 127.0.0.1 > dnl and not on any other network devices. Comment this out if you want > dnl to accept email over the network. > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') > dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires > dnl a kernel patch > dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6') > dnl We strongly recommend to comment this one out if you want to > protect > dnl yourself from spam. However, the laptop and users on computers that > do > dnl not have 24x7 DNS do need this. 
> dnl FEATURE(`accept_unresolvable_domains')dnl
> FEATURE(`relay_based_on_MX')dnl
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> Cwlocalhost.localdomain
>
>

Is your destination server an exchange server by any chance? If so then which version?

Jason

From elec.arun at gmail.com Wed Apr 21 14:47:01 2010
From: elec.arun at gmail.com (arun gupta)
Date: Wed Apr 21 14:47:10 2010
Subject: regarding "WARNING: Ignoring deprecated option --unzip"
In-Reply-To:
References:
Message-ID:

Hi,

I am using MailScanner-4.69 with clamav-0.94, when I installed clamav-0.96 I found following error

WARNING: Ignoring deprecated option --unzip
WARNING: Ignoring deprecated option --jar
WARNING: Ignoring deprecated option --tar
WARNING: Ignoring deprecated option --tgz
WARNING: Ignoring deprecated option --deb

When I googled this error I found the suggestion to upgrade the MailScanner, but I do not want to upgrade the MailScanner, in future there will be problem with this error, because right now I am sending the email and it is delivering, please suggest

--
With Regards,
Arun Kumar Gupta
System Administrator
C-DAC Pune

From m.anderlini at database.it Wed Apr 21 14:50:11 2010
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Apr 21 14:50:43 2010
Subject: R: [OT] How to avoid Backscatter in Sendmail
In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C71DF0@BHLSBS.bhl.local>
References: <1213490F1F316842A544A850422BFA9635C5C71DF0@BHLSBS.bhl.local>
Message-ID: <8EAA9F0DE2D04A9A8AE511080D3A3EFF@dbdomain.database.it>

No, my system is a Linux Centos with sendmail

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Jason Ede
Sent: 21/04/2010 15:44
To: MailScanner discussion
Subject: RE: [OT] How to avoid Backscatter in Sendmail

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Marcello Anderlini
> Sent: 21 April 2010 14:37
> To: mailscanner@lists.mailscanner.info
> Subject: [OT] How to avoid Backscatter in Sendmail
>
> I beg your pardon but for this OT but I'm desperate, my system is
> blacklisted by Backscatterer.org and I'm trying to configure it to
> avoid backscatter.
> I'm following what suggest here:
> http://elqui.dcsc.utfsm.cl/util/email/backscatter.html
>
> I'm using sendmail-8.13.1-3.3.el4. on a CentOS release 4.8.
> I configured my access file to reject unknown recipients but my system
> still sends an email instead of rejecting it at smtp initial
> transaction.
>
[omitted]

Is your destination server an exchange server by any chance? If so then which version?

Jason

--
Message checked by the Database Informatica antivirus service

From prandal at herefordshire.gov.uk Wed Apr 21 15:06:16 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Apr 21 15:06:35 2010
Subject: regarding "WARNING: Ignoring deprecated option --unzip"
In-Reply-To:
References:
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE4542A4B2@HC-MBX01.herefordshire.gov.uk>

You have a choice. Use a recent MailScanner, or don't. If you don't, it won't work. Simple, your choice.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of arun gupta
Sent: 21 April 2010 14:47
To: mailscanner@lists.mailscanner.info
Subject: regarding "WARNING: Ignoring deprecated option --unzip"

Hi,

I am using MailScanner-4.69 with clamav-0.94, when I installed clamav-0.96 I found following error

WARNING: Ignoring deprecated option --unzip
WARNING: Ignoring deprecated option --jar
WARNING: Ignoring deprecated option --tar
WARNING: Ignoring deprecated option --tgz
WARNING: Ignoring deprecated option --deb

When I googling this error I found the suggestion upgrade the MailScanner. but i do not want to upgrade the MailScanner, in future there will be problem with this error, because right now i am sending the email and it is delivering, please suggest

--
With Regards,
Arun Kumar Gupta
System Administrator
C-DAC Pune

From steve.freegard at fsl.com Wed Apr 21 15:08:17 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Apr 21 15:08:34 2010
Subject: R: [OT] How to avoid Backscatter in Sendmail
In-Reply-To: <8EAA9F0DE2D04A9A8AE511080D3A3EFF@dbdomain.database.it>
References: <1213490F1F316842A544A850422BFA9635C5C71DF0@BHLSBS.bhl.local> <8EAA9F0DE2D04A9A8AE511080D3A3EFF@dbdomain.database.it>
Message-ID: <4BCF06D1.3070905@fsl.com>

On 21/04/10 14:50, Marcello Anderlini wrote:
> No my system is a Linux Centos with sendmail

If the mailboxes are for local UNIX users then generating backscatter for unknown users is impossible unless you are using something like Cyrus (which requires a plug-in to verify users).

I've just checked and unless I'm missing something:

smf@smf-laptop:~$ host -t MX database.it
database.it mail is handled by 10 netra2.database.it.
smf@smf-laptop:~$ host netra2.database.it
netra2.database.it has address 83.216.185.70
smf@smf-laptop:~$ host 70.185.216.83.ips.backscatterer.org
Host 70.185.216.83.ips.backscatterer.org not found: 3(NXDOMAIN)

^^^ Shows that you are not listed

Also I checked:

smf@smf-laptop:~$ telnet netra2.database.it 25
Trying 83.216.185.70...
Connected to netra2.database.it (83.216.185.70).
Escape character is '^]'.
220 netra.database.it ESMTP Sendmail 8.13.1/8.13.1; Wed, 21 Apr 2010 16:07:36 +0200
EHLO foo
250-netra.database.it Hello 74-93-209-150-WashingtonDC.hfc.comcastbusiness.net [74.93.209.150], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM:<>
250 2.1.0 <>... Sender ok
RCPT TO:
550 5.1.1 ... User unknown
QUIT
221 2.0.0 netra.database.it closing connection
Connection closed by foreign host.

^^^ Shows that you are correctly rejecting unknown users at the SMTP stage.

So I can't see any problems at all.

Regards,
Steve.

From alvaro at hostalia.com Wed Apr 21 15:11:59 2010
From: alvaro at hostalia.com (=?ISO-8859-15?Q?Alvaro_Mar=EDn?=) Date: Wed Apr 21 15:12:08 2010 Subject: Sanesecurity In-Reply-To: References: Message-ID: <4BCF07AF.3060906@hostalia.com> Hi, On 21/04/10 14:13, Ludgero Parreira wrote: > Hi, > > I'm getting spam even when clamd triggers a sanesecurity rule: > > X--MailScanner-From: rachitic@mmorpguides.com > X--MailScanner-SpamScore: 6 > X--MailScanner-SpamCheck: not spam, SpamAssassin (score=6.977, required > 7, BAYES_99 4.00, RCVD_IN_PBL 2.00, RCVD_IN_SORBS_DUL 0.88, RDNS_NONE 0.10) > X--MailScanner-SpamVirus-Report: > Sanesecurity.Junk.22048.UNOFFICIALSanesecurity.Junk.22048.UNOFFICIAL > X--MailScanner: Found to be clean > > This email should have been removed ? > I'm missing something ? If you have on MailScanner.conf something like "UNOFFICIAL" defined on: Virus Names Which Are Spam all viruses from Sanesecurity will be treated as "spam viruses" so you need a SA rule to assign points to them. If you want to treat them as real viruses, remove that "UNOFFICIAL" string. http://www.mailscanner.info/ChangeLog 3 New feature to allow detection of "spam-viruses" which are items of spam that are reported by your virus scanner. You can set 2 new configuration options: Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* The names of the "spam-viruses" found are those viruses reported by your virus scanners which match any of the strings given in "Virus Names Which Are Spam". These "spam-virus" names are added to the header set by "Spam-Virus Header". You can then write a SpamAssassin rule in spam.assassin.prefs.conf which gives a score for the presence or contents of this header. I supply an example rule which adds a score of 3 if the header exists. Feel free to re-write and extend that rule! It will not work unless you customise it. 
You could even write a "SpamAssassin Rule Action"

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From prandal at herefordshire.gov.uk Wed Apr 21 15:24:11 2010
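The spam-virus handling described in Alvaro Marín's reply above, modelled in Python as an added example; it is not MailScanner's code and not from any poster on the list. The pattern list, the score of 3 and the required score of 7 are taken from the thread; the function names, the `has_sa_rule` flag and the order of decisions are assumptions made for illustration.

```python
import re

# Values quoted in this thread (MailScanner.conf excerpt, ChangeLog entry,
# and the X--MailScanner-SpamCheck header in the original question).
VIRUS_NAMES_WHICH_ARE_SPAM = "Sane*UNOFFICIAL HTML/* *Phish*"
SPAMVIRUS_RULE_SCORE = 3.0   # ChangeLog: example rule "adds a score of 3"
REQUIRED_SCORE = 7.0         # "required 7" in the quoted SpamCheck header


def compile_patterns(setting):
    """Compile the space-separated setting into case-sensitive regexes.

    Only "*" is a wildcard ("any string of characters"); every other
    character is literal. The caller must use fullmatch(), because a
    pattern has to match the whole reported name.
    """
    compiled = []
    for pattern in setting.split():
        body = ".*".join(re.escape(part) for part in pattern.split("*"))
        compiled.append(re.compile(body, re.DOTALL))
    return compiled


def split_reports(names, patterns):
    """Partition scanner-reported names into (spam_viruses, real_viruses)."""
    spam, real = [], []
    for name in names:
        if any(p.fullmatch(name) for p in patterns):
            spam.append(name)
        else:
            real.append(name)
    return spam, real


def disposition(names, sa_score, has_sa_rule,
                setting=VIRUS_NAMES_WHICH_ARE_SPAM):
    """Model the outcome for one message.

    names       -- names reported by the virus scanner for this message
    sa_score    -- SpamAssassin score before any spam-virus rule
    has_sa_rule -- True if a SpamAssassin rule scores the spam-virus header
                   (assumed here to add SPAMVIRUS_RULE_SCORE on presence)

    Returns (verdict, spam_virus_header_value, final_score).
    """
    spam, real = split_reports(names, compile_patterns(setting))
    header_value = ",".join(spam)          # comma-separated, as in the conf text
    if real:
        # Assumption: any name that is not a spam-virus gets normal
        # virus handling, regardless of the spam score.
        return "virus", header_value, sa_score
    score = sa_score
    if spam and has_sa_rule:
        score += SPAMVIRUS_RULE_SCORE
    verdict = "spam" if score >= REQUIRED_SCORE else "clean"
    return verdict, header_value, score


if __name__ == "__main__":
    # Constructed input based on the headers quoted in the question.
    junk = ["Sanesecurity.Junk.22048.UNOFFICIAL"]
    print("no SA rule:   ", disposition(junk, 6.977, False))
    print("with SA rule: ", disposition(junk, 6.977, True))
    print("pattern removed:",
          disposition(junk, 6.977, True, setting="HTML/* *Phish*"))
```

The first case reproduces the message in the question: the signature is only recorded in the header and the score stays under the threshold, so the message is delivered as clean.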
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Apr 21 15:24:29 2010
Subject: regarding "WARNING: Ignoring deprecated option --unzip"
In-Reply-To:
References:
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE4542A4BE@HC-MBX01.herefordshire.gov.uk>

From the Changelog:

12/1/2009 New in Version 4.74.16-1
==================================
* New Features and Improvements *
1 Patch added to ClamAV & SpamAssassin easy-to-install package to make Mail::ClamAV Perl module handle ClamAV 0.94 correctly. Thanks to Steve Barber for telling me about this fix.

1/11/2008 New in Version 4.72.5-1
=================================
* New Features and Improvements *
1 Added support for ClamAV 0.94. Note that this has necessitated removal of complete support for earlier versions of ClamAV as the command-line settings are incompatible. So only use this version if you have upgraded to the latest ClamAV 0.94.

So you needed a later version of MailScanner anyway to run even ClamAV 0.94.

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of arun gupta
Sent: 21 April 2010 14:47
To: mailscanner@lists.mailscanner.info
Subject: regarding "WARNING: Ignoring deprecated option --unzip"

Hi,

I am using MailScanner-4.69 with clamav-0.94, when I installed clamav-0.96 I found following error

WARNING: Ignoring deprecated option --unzip
WARNING: Ignoring deprecated option --jar
WARNING: Ignoring deprecated option --tar
WARNING: Ignoring deprecated option --tgz
WARNING: Ignoring deprecated option --deb

When I googling this error I found the suggestion upgrade the MailScanner. but i do not want to upgrade the MailScanner, in future there will be problem with this error, because right now i am sending the email and it is delivering, please suggest

--
With Regards,
Arun Kumar Gupta
System Administrator
C-DAC Pune

From ka at pacific.net Wed Apr 21 15:45:05 2010
From: ka at pacific.net (Ken A)
Date: Wed Apr 21 15:45:39 2010
Subject: [OT] How to avoid Backscatter in Sendmail
In-Reply-To:
References:
Message-ID: <4BCF0F71.100@pacific.net>

disable relay_based_on_MX

Ken

On 4/21/2010 8:36 AM, Marcello Anderlini wrote:
> I beg your pardon but for this OT but I'm desperate, my system is
> blacklisted by Backscatterer.org and I'm trying to configure it to avoid
> backscatter.
> I'm following what suggest here:
> http://elqui.dcsc.utfsm.cl/util/email/backscatter.html
>
> I'm using sendmail-8.13.1-3.3.el4. on a CentOS release 4.8.
> I configured my access file to reject unknown recipients but my system still
> sends an email instead of rejecting it at smtp initial transaction.
>
> I would be very grateful for any kind of help anyone could give me.
>
> Best regards
>
>
> This is my sendmail.mc
>
> divert(-1)
> dnl This is the sendmail macro config file. If you make changes to this file,
> dnl you need the sendmail-cf rpm installed and then have to generate a
> dnl new /etc/sendmail.cf by running the following command:
> dnl
> dnl m4 /etc/mail/sendmail.mc> /etc/sendmail.cf
> dnl
> include(`/usr/share/sendmail-cf/m4/cf.m4')
> VERSIONID(`linux setup for Red Hat Linux')dnl
> OSTYPE(`linux')
> define(`confDEF_USER_ID',``8:12'')dnl
> undefine(`UUCP_RELAY')dnl
> undefine(`BITNET_RELAY')dnl
> define(`confTO_CONNECT', `1m')dnl
> define(`confTRY_NULL_MX_LIST',true)dnl
> define(`confDONT_PROBE_INTERFACES',true)dnl
> define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
> define(`ALIAS_FILE', `/etc/aliases')dnl
> define(`confCW_FILE', `/etc/mail/sendmail.cw')dnl
> dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
> define(`UUCP_MAILER_MAX', `2000000')dnl
> define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
> define(`confAUTH_OPTIONS', `A')dnl
> TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confBAD_RCPT_THROTTLE',`2')dnl
> dnl define(`confTO_QUEUEWARN', `4h')dnl
> dnl define(`confTO_QUEUERETURN', `5d')dnl
> dnl define(`confQUEUE_LA', `12')dnl
> dnl define(`confREFUSE_LA', `18')dnl
> dnl FEATURE(delay_checks)dnl
> FEATURE(`no_default_msa',`dnl')dnl
> FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
> FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
> FEATURE(redirect)dnl
> FEATURE(always_add_domain)dnl
> FEATURE(use_cw_file)dnl
> FEATURE(use_ct_file)dnl
> FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
> FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl
> FEATURE(`blacklist_recipients')dnl
> FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
> FEATURE(`enhdnsbl', `bl.spamcop.net', `"553 rejected - see http://spamcop.net/bl.shtml?"$&{client_addr}', `')dnl
> FEATURE(`enhdnsbl', `cbl.abuseat.org', `"553 rejected - see http://cbl.abuseat.org/lookup.cgi?"$&{client_addr}', `')dnl
> FEATURE(`enhdnsbl', `sbl-xbl.spamhaus.org', `"553 rejected - see http://www.spamhaus.org/query/bl?"$&{client_addr}', `')dnl
> FEATURE(`enhdnsbl', `clients.blocked.rbl', `"553 rejected - see http://www.database.it/bl.asp?"$&{client_addr}', `')dnl
> FEATURE(`enhdnsbl', `hosts.blocked.rbl', `"553 rejected - see http://www.database.itt/bl.asp?"$&{client_addr}', `')dnl
> EXPOSED_USER(`root')dnl
> dnl This changes sendmail to only listen on the loopback device 127.0.0.1
> dnl and not on any other network devices. Comment this out if you want
> dnl to accept email over the network.
> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
> dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
> dnl a kernel patch
> dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
> dnl We strongly recommend to comment this one out if you want to protect
> dnl yourself from spam. However, the laptop and users on computers that do
> dnl not have 24x7 DNS do need this.
> dnl FEATURE(`accept_unresolvable_domains')dnl
> FEATURE(`relay_based_on_MX')dnl
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> Cwlocalhost.localdomain
>
>
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
>

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net

From brucel at eece.maine.edu Wed Apr 21 15:51:47 2010
From: brucel at eece.maine.edu (Bruce R. Littlefield)
Date: Wed Apr 21 15:52:07 2010
Subject: Dangerous content detection with "file" command
Message-ID: <4BCF1103.7050605@eece.maine.edu>

> From: arcelormittal.com>
> Subject: Dangerous content detection with "file" command
> Newsgroups: gmane.mail.virus.mailscanner
> Date: 2009-09-29 17:05:15 GMT (29 weeks, 21 hours and 37 minutes ago)
>
> I have a word document that was mistakenly flagged as "executable".
> Adding some debugging into the "SweepOther.pm" code revealed that the
> document contained a Title property of "The Quest of the Self". The
> linux "file" command used to identify file types returns this property
> (along with author and others) in its output as follows:
>
> Support.doc: CDF V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Title: The Quest of the Self, Author: johndoe, Template: Normal, Last Saved By: JOHN DOE, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Sep 17 09:57:00 2009, Last Saved Time/Date: Thu Sep 17 09:57:00 2009, Number of Pages: 1, Number of Words: 2597, Number of Characters: 14289, Security: 0
>
> MailScanner does a simple regex compare of the output from the "file"
> command and sees the string "ELF" in it (in the word Self), and flags
> the file as executable. This will happen with any Word document that
> contains any matching strings in the title, subject, author, category,
> comments, or any other property fields.
>
> A simple change in the regex used in the CheckFileContentTypes to only
> capture the "file" command's output up to the first "," does the trick,
> and I've checked some other files in quarantine to see if it would be a
> problem. So far, I don't see a problem.
> > The diffs for SweepOther.pm are as follows: > > 410c410 > < $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*(.*)$/; > --- >> $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*),/; > > -- > MailScanner mailing list > mailscanner lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Did this ever get addressed? I checked the latest Beta and SweepOther.pm still has the earlier code. I ran into the same problem on a Fedora 11 server running MailScanner 4.79.11-1 RPM with sendmail, spamassassin, and clamd. I found this change to be quite beneficial. Is it in the queue? -Bruce -- Bruce R. Littlefield Systems Manager/Lecturer Tel: (207) 581-2238 Electrical and Computer Engineering Fax: (207) 581-4531 University of Maine brucel@eece.maine.edu 210 Barrows Hall http://www.eece.maine.edu Orono, Maine 04469-5708 "Mastering MATLAB 7" (ISBN 0-13-143018-1) http://www.eece.maine.edu/mm mm@eece.maine.edu From m.anderlini at database.it Wed Apr 21 15:53:05 2010 
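Review bot: the replacement pattern for line 410 of SweepOther.pm ends in a literal "," after the ([^,]*) group, so output from "file" that contains no comma at all (a bare type string with nothing after it) no longer matches and $FileTypes{$1}{$2} is left unset for that attachment, instead of simply being recorded without trailing properties. Drop the trailing comma from the pattern, or make it optional, so comma-free output is still captured. Cutting at the first comma also means that anything "file" prints after that point is no longer visible to the file-type rules, so any rule that relied on text later in the description should be re-checked against the truncated string before this goes in.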
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Apr 21 15:53:37 2010
Subject: R: R: [OT] How to avoid Backscatter in Sendmail
In-Reply-To: <4BCF06D1.3070905@fsl.com>
References: <1213490F1F316842A544A850422BFA9635C5C71DF0@BHLSBS.bhl.local><8EAA9F0DE2D04A9A8AE511080D3A3EFF@dbdomain.database.it> <4BCF06D1.3070905@fsl.com>
Message-ID:

Thank you for your time and help but the ip which has problem is
83.216.185.66.
I configured my access file but instead of refusing the email at smtp
connection the system still sends an email of NDR.

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Steve Freegard
Sent: 21/04/2010 16:08
To: MailScanner discussion
Subject: Re: R: [OT] How to avoid Backscatter in Sendmail

On 21/04/10 14:50, Marcello Anderlini wrote:
> No my system is a Linux Centos with sendmail

If the mailboxes are for local UNIX users then generating backscatter for
unknown users is impossible unless you are using something like Cyrus
(which requires a plug-in to verify users).

I've just checked and unless I'm missing something:

smf@smf-laptop:~$ host -t MX database.it
database.it mail is handled by 10 netra2.database.it.
smf@smf-laptop:~$ host netra2.database.it
netra2.database.it has address 83.216.185.70
smf@smf-laptop:~$ host 70.185.216.83.ips.backscatterer.org
Host 70.185.216.83.ips.backscatterer.org not found: 3(NXDOMAIN)

^^^ Shows that you are not listed

Also I checked:

smf@smf-laptop:~$ telnet netra2.database.it 25
Trying 83.216.185.70...
Connected to netra2.database.it (83.216.185.70).
Escape character is '^]'.
220 netra.database.it ESMTP Sendmail 8.13.1/8.13.1; Wed, 21 Apr 2010 16:07:36 +0200
EHLO foo
250-netra.database.it Hello 74-93-209-150-WashingtonDC.hfc.comcastbusiness.net [74.93.209.150], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
MAIL FROM:<>
250 2.1.0 <>... Sender ok
RCPT TO:
550 5.1.1 ... User unknown
QUIT
221 2.0.0 netra.database.it closing connection
Connection closed by foreign host.

^^^ Shows that you are correctly rejecting unknown users at the SMTP stage.

So I can't see any problems at all.

Regards,
Steve.

-- 
Message checked by the Database Informatica antivirus service

From robertof at dmtserv.com Wed Apr 21 15:59:46 2010
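The two checks Steve Freegard runs by hand in the message quoted above (the reversed-octet lookup in the ips.backscatterer.org zone and the RCPT TO probe with a null sender) can be scripted as follows. This is an added example, not code from the thread or from MailScanner; the two sample sessions, the example.com names, the 192.0.2.10 address and all function names are constructed for illustration.

```python
"""Added example: is an MX listed, and does it reject unknown users at RCPT?"""
import ipaddress
import re
import socket

SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}
REPLY_LINE = re.compile(r"^(\d{3})([ -])")


def dnsbl_query_name(ip, zone="ips.backscatterer.org"):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone="ips.backscatterer.org", resolve=socket.gethostbyname):
    """A DNSBL answers with an A record for listed hosts and NXDOMAIN otherwise.

    gaierror also covers resolver outages, so treat False as "no listing
    seen" and repeat the query before relying on it.
    """
    try:
        resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return True


def command_replies(transcript):
    """Pair each SMTP command in a captured session with its final reply code.

    Multi-line replies ("250-...") are skipped until the closing "250 ..."
    line; telnet chatter and the 220 greeting are ignored.
    """
    pairs, pending = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = REPLY_LINE.match(line)
        if reply:
            if reply.group(2) == " " and pending is not None:
                pairs.append((pending, int(reply.group(1))))
                pending = None
            continue
        if line.split()[0].upper() in SMTP_VERBS:
            pending = line
    return pairs


def rcpt_verdicts(transcript):
    """Classify the server's answer to every RCPT TO in the session."""
    verdicts = []
    for command, code in command_replies(transcript):
        if not command.upper().startswith("RCPT"):
            continue
        recipient = command.split(":", 1)[1].strip() if ":" in command else ""
        if 500 <= code <= 599:
            verdict = "rejected-at-smtp"   # sender's MTA keeps the failure
        elif 400 <= code <= 499:
            verdict = "deferred"
        else:
            verdict = "accepted"           # a later bounce goes to the envelope sender
        verdicts.append((recipient, code, verdict))
    return verdicts


def backscatter_prone(transcript):
    """True if a probe for a mailbox known not to exist was accepted."""
    return any(verdict == "accepted" for _, _, verdict in rcpt_verdicts(transcript))


# Constructed sample sessions (not captured from any real host).
REJECTING_SESSION = """
Trying 192.0.2.10...
Connected to mx.example.com (192.0.2.10).
Escape character is '^]'.
220 mx.example.com ESMTP Sendmail 8.13.1/8.13.1
EHLO foo
250-mx.example.com Hello probe.example.net, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250 HELP
MAIL FROM:<>
250 2.1.0 <>... Sender ok
RCPT TO:<nosuchuser@example.com>
550 5.1.1 <nosuchuser@example.com>... User unknown
QUIT
221 2.0.0 mx.example.com closing connection
"""

ACCEPTING_SESSION = """
220 mx.example.com ESMTP
HELO foo
250 mx.example.com
MAIL FROM:<>
250 2.1.0 <>... Sender ok
RCPT TO:<nosuchuser@example.com>
250 2.1.5 <nosuchuser@example.com>... Recipient ok
QUIT
221 2.0.0 mx.example.com closing connection
"""

if __name__ == "__main__":
    print(dnsbl_query_name("83.216.185.70"))
    print(rcpt_verdicts(REJECTING_SESSION), backscatter_prone(REJECTING_SESSION))
    print(rcpt_verdicts(ACCEPTING_SESSION), backscatter_prone(ACCEPTING_SESSION))
```

A server that answers 250 to the probe has to report the failure later with a bounce to whatever envelope sender the message carried, which is the behaviour the blacklist in this thread lists hosts for.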
From: robertof at dmtserv.com (Roberto Fulgado)
Date: Wed Apr 21 16:00:00 2010
Subject: 'not spam (whitelisted)' in the headers
Message-ID: <4BCF12E2.8040509@dmtserv.com>

Hi there,

I have noticed some email messages that are definitely spams but for
some reason are being tagged as whitelisted. Here is the MailScanner
report that appears on the header on one of those emails:

not spam (whitelisted), SpamAssassin (not cached, score=11.131,
required 6, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00,
RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
RAZOR2_CHECK 0.50, RCVD_IN_PBL 0.91, RDNS_DYNAMIC 0.10, URIBL_BLACK
1.96)

I know that the sender's email and/or its domain is not present in
/etc/MailScanner/rules/spam.whitelist/rules file.

Thanks in advance,
Roberto

-- 
The problem with any unwritten law is that you don't know where to go
to erase it.
-- Glaser and Way

-- 
Message clean

From bryan.guest at bmts.com Wed Apr 21 16:13:23 2010
From: bryan.guest at bmts.com (Bryan Guest)
Date: Wed Apr 21 16:13:52 2010
Subject: reducing memory used by Mailscanner (Eduardo Casarero)
Message-ID: <015e01cae165$3e909650$0b01010a@DGPTBH91>

>How do you use clamav? we use clamd and reduces a lot the memory usage of
>mailscanner childs. (and it's also faster)

We are using the clamav-sa package from the mailscanner site. So it sets us
up to use ClamAVmodule which I thought was supposed to be fastest?

If I use this package, how do I convert to clamd? I mean, I can find the
option in MailScanner.conf, but what I am asking is does the Clamav-sa
package actually install a functional clamd?

Bryan

From m.anderlini at database.it Wed Apr 21 16:15:03 2010
From: m.anderlini at database.it (Marcello Anderlini)
Date: Wed Apr 21 16:15:29 2010
Subject: R: [OT] How to avoid Backscatter in Sendmail
In-Reply-To: <4BCF0F71.100@pacific.net>
References: <4BCF0F71.100@pacific.net>
Message-ID:

This is a production server with a lot of virtual users and virtual domains,
I'm afraid that if I disable relay_based_on_MX the system could stop
processing all email.
Could I just disable relay_based_on_MX or do I have to add some other feature
to allow relay for virtual domains and users?

Thanks again

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Ken A
Sent: 21/04/2010 16:45
To: mailscanner@lists.mailscanner.info
Subject: Re: [OT] How to avoid Backscatter in Sendmail

disable relay_based_on_MX

Ken

On 4/21/2010 8:36 AM, Marcello Anderlini wrote:
> I beg your pardon but for this OT but I'm desperate, my system is
> blacklisted by Backscatterer.org and I'm trying to configure it to
> avoid backscatter.
> I'm following what suggest here:
> http://elqui.dcsc.utfsm.cl/util/email/backscatter.html
>
> I'm using sendmail-8.13.1-3.3.el4. on a CentOS release 4.8.
> I configured my access file to reject unknown recipients but my system
> still sends an email instead of rejecting it at smtp initial transaction.
>
> I would be very grateful for any kind of help anyone could give me.
>
> Best regards
>
>
> This is my sendmail.mc
> [omitted]
>
>
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
>

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net

From ecasarero at gmail.com Wed Apr 21 16:25:33 2010
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Wed Apr 21 16:26:06 2010
Subject: reducing memory used by Mailscanner (Eduardo Casarero)
In-Reply-To: <015e01cae165$3e909650$0b01010a@DGPTBH91>
References: <015e01cae165$3e909650$0b01010a@DGPTBH91>
Message-ID:

2010/4/21 Bryan Guest

> How do you use clamav? we use clamd and reduces a lot the memory usage of
>> mailscanner childs. (and it's also faster)
>>
>
> We are using the clamav-sa package from the mailscanner site. So it sets
> us up to use ClamAVmodule which I thought was supposed to be fastest?
>
> If I use this package, how do I convert to clamd? I mean, I can find the
> option in MailScanner.conf, but what I am asking is does the Clamav-sa
> package actually install a functional clamd?
>
> Bryan
>

We just install spamassassin-clamav package from mailscanner site and then
you only have to run the daemon

/usr/local/sbin/clamd --config-file=/usr/local/etc/clamd.conf

You only have to verify that in /usr/local/etc/clamd.conf the value
"LocalSocket" matches the one in MailScanner.conf and "clamd" is selected as AV.

From Denis.Beauchemin at USherbrooke.ca Wed Apr 21 16:34:49 2010
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Apr 21 16:35:06 2010
Subject: 'not spam (whitelisted)' in the headers
In-Reply-To: <4BCF12E2.8040509@dmtserv.com>
References: <4BCF12E2.8040509@dmtserv.com>
Message-ID: <4BCF1B19.7080908@USherbrooke.ca>

On 2010-04-21 10:59, Roberto Fulgado wrote:
> Hi there,
>
> I have noticed some email messages that are definitely spams but for
> some reason are being tagged as whitelisted. Here is the MailScanner
> report that appears on the header on one of those emails:
>
> not spam (whitelisted), SpamAssassin (not cached, score=11.131,
> required 6, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00,
> RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> RAZOR2_CHECK 0.50, RCVD_IN_PBL 0.91, RDNS_DYNAMIC 0.10, URIBL_BLACK
> 1.96)
>
> I know that the sender's email and/or its domain is not present in
> /etc/MailScanner/rules/spam.whitelist/rules file.
>
> Thanks in advance,
> Roberto
>
>
>

Roberto,

Check if you have a spam.blacklist.rule file. If you do and the action
is "no" then it means to whitelist the entry. We use both files here.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From Kevin_Miller at ci.juneau.ak.us Wed Apr 21 17:56:05 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Apr 21 17:56:16 2010
Subject: [OT] How to avoid Backscatter in Sendmail
In-Reply-To:
References:
Message-ID: <4A09477D575C2C4B86497161427DD94C14A6C8661C@city-exchange07>

Marcello Anderlini wrote:
> I beg your pardon but for this OT but I'm desperate, my system is
> blacklisted by Backscatterer.org and I'm trying to configure it to
> avoid backscatter.
> I'm following what suggest here:
> http://elqui.dcsc.utfsm.cl/util/email/backscatter.html
>
> I'm using sendmail-8.13.1-3.3.el4. on a CentOS release 4.8.
> I configured my access file to reject unknown recipients but my
> system still sends an email instead of rejecting it at smtp initial
> transaction.
>
> I would be very grateful for any kind of help anyone could give me.

Your backscatter may not be coming from you. It's quite likely that your
users have been 'joe-jobbed' and some other mail server is bouncing spam.
Since the From: field is forged with your domain, it could look like it
came from you to a mail admin that's new to the game.

Couple of obvious things - did you remake the /etc/sendmail.cf file? The m4
command to do so is given at the top of the sendmail.mc you posted.

Also, did you remember to hash your access file? That's bitten me once or
twice before: I edited /etc/access then forgot to do
'makemap hash access < access' afterwards.

Another thing you could look into if you're not already using it is SPF. It
helps cut down on a lot of forged email.

Finally, if your sendmail server is just a relay pointing to an internal
server, look into smf-sav or milter-ahead.

HTH...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From Kevin_Miller at ci.juneau.ak.us Wed Apr 21 18:25:42 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Apr 21 18:25:53 2010
Subject: [OT] How to avoid Backscatter in Sendmail
In-Reply-To:
References: <4BCF0F71.100@pacific.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C14A6C8661D@city-exchange07>

Marcello Anderlini wrote:
> This is a production server with a lot of virtual users and virtual
> domains, I'm afraid that if I disable relay_based_on_MX the system
> could stop processing all email. Could I just disable
> relay_based_on_MX or do I have to add some other feature to allow relay
> for virtual domains and users?

You don't have to disable relay - just specify the domains/ip ranges that
are allowed to relay. Some examples from my access file:

#cyberspammer.com       ERROR:"550 We don't accept mail from spammers"
#sendmail.org           OK
#192.168                RELAY

You may also want to add appropriate entries in your mailertable and
relay-domains files listing the domains for which you relay mail, i.e.,
internal systems not visible to the outside which your gateway will relay
to. (Assuming that matches your setup.)

Don't forget to hash mailertable if used...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From pedro.se at gmail.com Wed Apr 21 19:08:10 2010
From: pedro.se at gmail.com (Pedro Silva)
Date: Wed Apr 21 19:08:20 2010
Subject: How to
Message-ID:

Hello to the entire list,

I need your help..

I have installed centos 5.3 + sendmail + Mailscanner + clamav +
spamassassin, MailScanner problem that catalogs the email as spam and
sent to quarantine. How I can retrieve the message?

In the Most Frequently Asked Questions (MAQ) in the mailscanner site, displays
the following information to retrieve a quarantined message:

1. Navigate to the directory of the offending message
2. Copy the qf- and df- file pair into the outgoing queue (usually
   /var/spool/mqueue)
3. Run mailq to make sure you've put your files into the correct
   directory (your outgoing queue)
4. If you see your message listed it's time to tell sendmail to
   recheck the outgoing queue and send any messages that are there
   by typing sendmail -q

Example in my system:

cd /var/spool/MailScanner/quarantine/20100421/o3LDqW6Q015351

The step 2, not found qf and df files, only the following files:
dashitem.ICO message sv-ln20090127.dotm

So, how I can send that mail is in quarantine without having qf and df
files?

Thank you.
-- 
Pedro

From Denis.Beauchemin at USherbrooke.ca Wed Apr 21 19:24:13 2010
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Apr 21 19:24:30 2010
Subject: How to
In-Reply-To:
References:
Message-ID: <4BCF42CD.3030005@USherbrooke.ca>

On 2010-04-21 14:08, Pedro Silva wrote:
> Hello to the entire list,
>
> I need your help..
>
>
>
> I have installed centos 5.3 + sendmail + Mailscanner + clamav +
> spamassassin, MailScanner problem that catalogs the email as spam and
> sent to quarantine. How I can retrieve the message?
>
> In the Most Frequently Asked Questions (MAQ)
> in the mailscanner site, displays
> the following information to retrieve a quarantined message:
>
> 1.
> Navigate to the directory of the offending message
> 2.
> Copy the qf- and df- file pair into the outgoing queue (usually
> |/var/spool/mqueue|)
> 3.
> Run |mailq| to make sure you've put your files into the correct
> directory (your outgoing queue)
> 4.
> If you see your message listed it's time to tell sendmail to
> recheck the outgoing queue and send any messages that are there
> by typing |sendmail -q|
>
> Example in my system:
>
> cd /var/spool/MailScanner/quarantine/20100421/o3LDqW6Q015351
>
> The step 2, not found qf and df files, only the following files:
> dashitem.ICO message sv-ln20090127.dotm
>
> So, how I can send that mail is in quarantine without having qf and df
> files?
>
>
>
> Thank you.
> --
> Pedro
>

Pedro,

You need to set the following in MailScanner.conf:

Quarantine Whole Messages As Queue Files = yes

Denis
PS: don't forget to reload MS.

-- 
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From pedro.se at gmail.com Wed Apr 21 20:59:27 2010
From: pedro.se at gmail.com (Pedro Silva)
Date: Wed Apr 21 20:59:36 2010
Subject: How to
In-Reply-To: <4BCF42CD.3030005@USherbrooke.ca>
References: <4BCF42CD.3030005@USherbrooke.ca>
Message-ID:

Thanks,

The new messages are arriving in quarantine with df and qf.
But I can retrieve a message that the previous system, which saves files
separately.

How I can recover these?

Thanks

-- 
Pedro

From bryan.guest at bmts.com Wed Apr 21 21:00:51 2010
From: bryan.guest at bmts.com (Bryan Guest)
Date: Wed Apr 21 21:01:16 2010
Subject: [OT] How to avoid Backscatter in Sendmail
Message-ID: <023c01cae18d$63268e70$0b01010a@DGPTBH91>

Hello

As mentioned you could try milter-ahead or smfsav, run as a milter from
sendmail to drop the connection prior to the DATA command in the SMTP
transaction.

One note, apparently the same self appointed police at backscatterer.org
also blacklist you for attempting to cut down on spam by using sender
callouts. So if you use smfsav, disable SAV or you will just get
blacklisted again.

Bryan

From robertof at dmtserv.com Wed Apr 21 22:16:32 2010
From: robertof at dmtserv.com (Roberto Fulgado)
Date: Wed Apr 21 22:16:46 2010
Subject: 'not spam (whitelisted)' in the headers
Message-ID: <4BCF6B30.7030103@dmtserv.com>

On 2010-04-21 10:59, Roberto Fulgado wrote:
> > Hi there,
> >
> > I have noticed some email messages that are definitely spams but for
> > some reason are being tagged as whitelisted. Here is the MailScanner
> > report that appears on the header on one of those emails:
> >
> > not spam (whitelisted), SpamAssassin (not cached, score=11.131,
> > required 6, BAYES_99 3.50, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00,
> > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> > RAZOR2_CHECK 0.50, RCVD_IN_PBL 0.91, RDNS_DYNAMIC 0.10, URIBL_BLACK
> > 1.96)
> >
> > I know that the sender's email and/or its domain is not present in
> > /etc/MailScanner/rules/spam.whitelist/rules file.
> >
> > Thanks in advance,
> > Roberto
> >
> >
> >
> Roberto,
>
> Check if you have a spam.blacklist.rule file. If you do and the action
> is "no" then it means to whitelist the entry. We use both files here.
>
>Denis
>    _
>   °v°   Denis Beauchemin, analyst
>  /(_)\  Université de Sherbrooke, S.T.I.
>   ^ ^   T: 819.821.8000x62252 F: 819.821.8045

Denis

That probably was the case so I edited the last line of
spam.blacklist.rules file:

FromOrTo: default no

to

FromOrTo: default yes

Thank you very much,
Roberto

Personally, I don't often talk about social good because when I hear
other people talk about social good, that's when I reach for my
revolver.
-- Eric Raymond

-- 
Message clean

From dave.list at pixelhammer.com Thu Apr 22 00:51:23 2010
From: dave.list at pixelhammer.com (DAve) Date: Thu Apr 22 00:51:55 2010 Subject: OT: Goodbye and hosting wanted Message-ID: <4BCF8F7B.4000501@pixelhammer.com> All, I will be unsubscribed to a lot of mail lists this week as my position has been closed. I am uncertain I want to continue with IT. I know some of you from as far back as my Userland Frontier and HyperCard days. I want to thank everyone for their help and assistance over the past 15 years. (Yes this is going out to several lists). I will need to move my hosted domain, email, and DNS this week. I am sure I could continue to host it with my employer but I would rather not. I don't need much, less than a dozen email accounts, simple PHP or perl, and DNS. My wife would like to start a LiveJournal or something like it for her work here if a host can be found that supports that, http://flickr.com/catchoftheday (Feel free to offer to purchase something ;^). Now that I am unemployed, inexpensive would be nice. I am open to suggestions for hosting services. Today, my wife and I are going to play hooky and do nothing. Again, thanks everyone. DAve -- "Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Adams http://appleseedinfo.org From alex at rtpty.com Thu Apr 22 03:08:28 2010 
From: alex at rtpty.com (Alex Neuman) Date: Thu Apr 22 03:08:45 2010 Subject: OT: Goodbye and hosting wanted In-Reply-To: <4BCF8F7B.4000501@pixelhammer.com> References: <4BCF8F7B.4000501@pixelhammer.com> Message-ID: <2B094207-5516-4AF3-9877-4C739D1BB4C3@rtpty.com> You could move your e-mail to Google Mail (free for less than 50 users I think). DNS can be done with FreeDNS for example. Website hosting would be something else that someone might have suggestions for. On Apr 21, 2010, at 6:51 PM, DAve wrote: > All, > > I will be unsubscribed to a lot of mail lists this week as my position > has been closed. I am uncertain I want to continue with IT. > > I know some of you from as far back as my Userland Frontier and > HyperCard days. I want to thank everyone for their help and assistance > over the past 15 years. (Yes this is going out to several lists). > > I will need to move my hosted domain, email, and DNS this week. I am > sure I could continue to host it with my employer but I would rather > not. I don't need much, less than a dozen email accounts, simple PHP or > perl, and DNS. My wife would like to start a LiveJournal or something > like it for her work here if a host can be found that supports that, > http://flickr.com/catchoftheday (Feel free to offer to purchase > something ;^). Now that I am unemployed, inexpensive would be nice. I am > open to suggestions for hosting services. > > Today, my wife and I are going to play hooky and do nothing. Again, > thanks everyone. > > DAve > -- > "Posterity, you will know how much it cost the present generation to > preserve your freedom. I hope you will make good use of it. If you > do not, I shall repent in heaven that ever I took half the pains to > preserve it." 
John Adams
>
> http://appleseedinfo.org

From wick at bobwickline.com Thu Apr 22 03:20:34 2010
From: wick at bobwickline.com (Bob Wickline)
Date: Thu Apr 22 03:20:43 2010
Subject: OT: Goodbye and hosting wanted
Message-ID: <4bcfb271.9e2be50a.3eb7.41bf@mx.google.com>

+1 I have several domains on free Google mail and it has been working great.
I would highly recommend it.

Sent from my HTC

-----Original Message-----
From: Alex Neuman Sent: Wednesday, April 21, 2010 21:08 To: MailScanner discussion Subject: Re: OT: Goodbye and hosting wanted You could move your e-mail to Google Mail (free for less than 50 users I think). DNS can be done with FreeDNS for example. Website hosting would be something else that someone might have suggestions for. On Apr 21, 2010, at 6:51 PM, DAve wrote: > All, > > I will be unsubscribed to a lot of mail lists this week as my position > has been closed. I am uncertain I want to continue with IT. > > I know some of you from as far back as my Userland Frontier and > HyperCard days. I want to thank everyone for their help and assistance > over the past 15 years. (Yes this is going out to several lists). > > I will need to move my hosted domain, email, and DNS this week. I am > sure I could continue to host it with my employer but I would rather > not. I don't need much, less than a dozen email accounts, simple PHP or > perl, and DNS. My wife would like to start a LiveJournal or something > like it for her work here if a host can be found that supports that, > http://flickr.com/catchoftheday (Feel free to offer to purchase > something ;^). Now that I am unemployed, inexpensive would be nice. I am > open to suggestions for hosting services. > > Today, my wife and I are going to play hooky and do nothing. Again, > thanks everyone. > > DAve > -- > "Posterity, you will know how much it cost the present generation to > preserve your freedom. I hope you will make good use of it. If you > do not, I shall repent in heaven that ever I took half the pains to > preserve it." John Adams > > http://appleseedinfo.org > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From rob at poeweb.com Thu Apr 22 03:22:35 2010
From: rob at poeweb.com (Rob Poe)
Date: Thu Apr 22 03:22:53 2010
Subject: Weird Archiving Need
Message-ID: <4BCFB2EB.6050300@poeweb.com>

I have a client who gets email from a certain domain name (in this
case we'll call the sending domain valuedclient.com). They want **
ANY ** email that comes in from that domain to be forwarded to a
certain distribution group (in this case, they're using sendmail
aliases file to define the group).

Could I set up the email archiving, then do a rule such as

From: @valuedclient.com sendmailalias
FromOrTo: default

Would that work out?

From jpete at iinet.net.au Thu Apr 22 06:01:20 2010
From: jpete at iinet.net.au (Pete Russell)
Date: Thu Apr 22 06:02:18 2010
Subject: Move addresses from To to Bcc?
Message-ID: <4BCFD820.6090405@iinet.net.au>

It's possible this is an MTA question and not an MS question?

Every day we see staff send email to customers and students in massive
lists. Everyone the message is addressed to is listed in the To: field.
Would it make sense to have a test for more than x entries in the To:
field so move all of the addresses to Bcc: ?

If this did make sense would it be very difficult?

justathought
Pete

From peter at farrows.org Thu Apr 22 08:19:05 2010
From: peter at farrows.org (Peter Farrow)
Date: Thu Apr 22 08:16:30 2010
Subject: Weird Archiving Need
In-Reply-To: <4BCFB2EB.6050300@poeweb.com>
References: <4BCFB2EB.6050300@poeweb.com>
Message-ID: <4BCFF869.50308@farrows.org>

On 22/04/2010 03:22, Rob Poe wrote:
> I have a client who gets email from a certain domain name (in this
> case we'll call the sending domain valuedclient.com). They want **
> ANY ** email that comes in from that domain to be forwarded to a
> certain distribution group (in this case, they're using sendmail
> aliases file to define the group).
>
> Could I set up the email archiving, then do a rule such as
>
> From: @valuedclient.com sendmailalias
> FromOrTo: default
>
> Would that work out?

If you are using sendmail:

Either:
Install the sendmail milter sm-archive, this will allow you to branch
the email to any subsequent email address you like.

Alternatively, add the domain to the mailscanner's local-host-names
in /etc/mail/

and add an entry in the virtusertable that says:

@valuedclient.com otheraddress@somewhereelse.com

once mailscanner has finished its stuff, it will then forward it to the
"other address"

Regards

Pete

From maillists at conactive.com Thu Apr 22 08:31:18 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 22 08:31:28 2010
Subject: Move addresses from To to Bcc?
In-Reply-To: <4BCFD820.6090405@iinet.net.au>
References: <4BCFD820.6090405@iinet.net.au>
Message-ID:

Pete Russell wrote on Thu, 22 Apr 2010 15:01:20 +1000:

> Would it make sense to have a test for more than x entries in the To:
> field so move all of the addresses to Bcc: ?

Technically spoken, not "move to bcc", but: remove from to (or cc)! The bcc is not a header field, it does not exist. It's a notice to the client to send to all these addresses, but don't put them in any header destination field.

I "love" my relatives or friends put me in the cc, send me a joke or picture I do not want, anyway, and spread my private email address to lots of unknown people and thereby to the spammers. It's really hard to educate them. So, I think it makes sense to sanitize such mails. But this is not functionality built-in in MS.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From rob at poeweb.com Thu Apr 22 08:59:40 2010
From: rob at poeweb.com (Rob Poe)
Date: Thu Apr 22 08:59:57 2010
Subject: Weird Archiving Need
In-Reply-To: <4BCFF869.50308@farrows.org>
References: <4BCFB2EB.6050300@poeweb.com> <4BCFF869.50308@farrows.org>
Message-ID: <4BD001EC.70906@poeweb.com>

On 4/22/2010 2:19 AM, Peter Farrow wrote:
>
> On 22/04/2010 03:22, Rob Poe wrote:
>> I have a client who gets email from a certain domain name (in this
>> case we'll call the sending domain valuedclient.com). They want **
>> ANY ** email that comes in from that domain to be forwarded to a
>> certain distribution group (in this case, they're using sendmail
>> aliases file to define the group).
>>
>> Could I set up the email archiving, then do a rule such as
>>
>> From: @valuedclient.com sendmailalias
>> FromOrTo: default
>>
>> Would that work out?
> If you are using sendmail:
>
> Either:
> Install the sendmail milter sm-archive, this will allow you to branch
> the email to any subsequent email address you like.
>
> Alternatively, add the domain to the mailscanner's local-host-names
> in /etc/mail/
>
> and add an entry in the virtusertable that says:
>
> @valuedclient.com otheraddress@somewhereelse.com
>
> once mailscanner has finished its stuff, it will then forward it to the
> "other address"
>
> Regards
>
> Pete

Would the archive rule not work properly then?

From jethro.binks at strath.ac.uk Thu Apr 22 09:14:07 2010
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Thu Apr 22 09:14:16 2010
Subject: Move addresses from To to Bcc?
In-Reply-To: <4BCFD820.6090405@iinet.net.au>
References: <4BCFD820.6090405@iinet.net.au>
Message-ID:

On Thu, 22 Apr 2010, Pete Russell wrote:

> It's possible this is an MTA question and not an MS question?

I'd say it's an MTA issue really.

> Every day we see staff send email to customers and students in massive
> lists. Everyone the message is addressed to is listed in the To: field.
> Would it make sense to have a test for more than x entries in the To:
> field so move all of the addresses to Bcc: ?
>
> If this did make sense would it be very difficult?

Here's what I say to my users when overuse of To:/Cc: occurs:

"
Hi,

It is poor practice to send a message to a large number of recipients listed in the To: or Cc: field, as you have done with a recent message. As well as damaging privacy by exposing everyone's email address to everyone else, it is difficult to read, and can cause problems with some mail clients, for example, they fail to complete downloading the message and keep trying to do so over and over again.

If you wish to send out a message to a large number of people, then a better way to do so would be to address the message to yourself or some other primary recipient in the To: header, and place all the other recipients in the Bcc: (blind carbon copy) header. That way each recipient doesn't get to see the full list of recipients in headers as received, and it prevents the related problems. You may need to alter the configuration of your mail client to make the Bcc: header available for completion: contact the Helpdesk for advice.

Can you please ensure that you use this method in future. We could enforce this at the mail servers, but we would prefer people to do so voluntarily.

If mailing a specific large group is something you are likely to do regularly, then the best option would be to request the establishment of a properly managed mailing list.
"

It doesn't really make sense to "move" recipients from the To: header to the Bcc: header. To the email system, they are all just recipients. What goes in those headers is cosmetic only, and need bear no relation to the actual message recipients (but ordinary mail clients usually "do the right thing" behind the scenes).

In your MTA, you could refuse to accept messages where the To:/Cc: headers are "too large", for some value. Alternatively you could accept the message and then just wipe the contents of the To:/Cc: headers (or replace with something syntactically valid like:

To: many recipients:;

However, generally I would advise against automatic tinkering with message contents. Choose carrots rather than sticks: after user education, maybe penalise messages that don't conform (maybe you could hold them on the queue for manual evaluation and then give the sender some more education, before releasing them. Repeated delays will annoy them, but they will learn how to avoid them eventually. Make the delays longer for repeated offenders!). If the carrot doesn't work over time, use your stick and refuse to accept them!

But what you can get away with depends on your userbase, and what you can technically do depends on your MTA.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From maillists at conactive.com Thu Apr 22 09:31:15 2010
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 22 09:31:29 2010
Subject: reducing memory used by Mailscanner (Eduardo Casarero)
In-Reply-To: <015e01cae165$3e909650$0b01010a@DGPTBH91>
References: <015e01cae165$3e909650$0b01010a@DGPTBH91>
Message-ID:

Bryan Guest wrote on Wed, 21 Apr 2010 11:13:23 -0400:

> If I use this package, how do I convert to clamd? I mean, I can find the
> option in MailScanner.conf, but what I am asking is does the Clamav-sa
> package actually install a functional clamd?

Remove that package. Then install clamav from the rpmforge repo. That should be working on your Red Hat system as well. If you do not want to use SA (which I don't understand, but alas), there's no point to install it. After this you may need to set the clamd socket to the same that MS uses. Then start the clamd service. That's all.

As for your basic problem. You are using different software versions. That *can* make a difference. Also, using 32bit/64bit makes a difference. The only thing you said about the system is ESv4. That's not much. Isn't that bound to reach EOL soon, anyway?

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com

From jpete at iinet.net.au Thu Apr 22 10:57:43 2010
From: jpete at iinet.net.au (Pete Russell)
Date: Thu Apr 22 10:57:58 2010
Subject: Move addresses from To to Bcc?
In-Reply-To:
References: <4BCFD820.6090405@iinet.net.au>
Message-ID: <4BD01D97.1070600@iinet.net.au>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100422/7519a66d/attachment.html

From uxbod at splatnix.net Thu Apr 22 14:11:16 2010
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Thu Apr 22 14:11:39 2010
Subject: OT: Goodbye and hosting wanted
In-Reply-To: <4BCF8F7B.4000501@pixelhammer.com>
Message-ID: <28522930.284.1271941876523.JavaMail.root@office.splatnix.net>

----- Original Message -----
> All,
>
> I will be unsubscribed to a lot of mail lists this week as my position
> has been closed. I am uncertain I want to continue with IT.
>
> I know some of you from as far back as my Userland Frontier and
> HyperCard days. I want to thank everyone for their help and assistance
> over the past 15 years. (Yes this is going out to several lists).
>
> I will need to move my hosted domain, email, and DNS this week. I am
> sure I could continue to host it with my employer but I would rather
> not. I don't need much, less than a dozen email accounts, simple PHP
> or perl, and DNS. My wife would like to start a LiveJournal or
> something like it for her work here if a host can be found that
> supports that,
> http://flickr.com/catchoftheday (Feel free to offer to purchase
> something ;^). Now that I am unemployed, inexpensive would be nice. I
> am open to suggestions for hosting services.
>
> Today, my wife and I are going to play hooky and do nothing. Again,
> thanks everyone.
>

DAve,

Sorry to hear about the job! Do wish you all the best and if can help in anyway please drop me a line.

--
Thanks, Phil

From MailScanner at ecs.soton.ac.uk Thu Apr 22 14:31:46 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 22 14:31:59 2010
Subject: OT: Goodbye and hosting wanted
In-Reply-To: <4bcfb271.9e2be50a.3eb7.41bf@mx.google.com>
References: <4bcfb271.9e2be50a.3eb7.41bf@mx.google.com> <4BD04FC2.9050905@ecs.soton.ac.uk>
Message-ID:

I have to recommend Blacknight (www.blacknight.com). They host all of my services, including MailScanner, and the tech support is absolutely fantastic, even on a Sunday morning! They are cheap too, I recommend them to everyone.

Best wishes for the future!

Jules.

P.S. As a few other people may notice, I am alive still. Need to get back to the docs though, I have a sinking feeling something is badly wrong.

On 22/04/2010 03:20, Bob Wickline wrote:
> +1
>
> I have several domains on free Google mail and it has been working great. I would highly recommend it.
>
> Sent from my HTC
>
> -----Original Message-----
> From: Alex Neuman
> Sent: Wednesday, April 21, 2010 21:08
> To: MailScanner discussion
> Subject: Re: OT: Goodbye and hosting wanted
>
> You could move your e-mail to Google Mail (free for less than 50 users I think). DNS can be done with FreeDNS for example.
>
> Website hosting would be something else that someone might have suggestions for.
>
> On Apr 21, 2010, at 6:51 PM, DAve wrote:
>
>
>> All,
>>
>> I will be unsubscribed to a lot of mail lists this week as my position
>> has been closed. I am uncertain I want to continue with IT.
>>
>> I know some of you from as far back as my Userland Frontier and
>> HyperCard days. I want to thank everyone for their help and assistance
>> over the past 15 years. (Yes this is going out to several lists).
>>
>> I will need to move my hosted domain, email, and DNS this week. I am
>> sure I could continue to host it with my employer but I would rather
>> not. I don't need much, less than a dozen email accounts, simple PHP or
>> perl, and DNS. My wife would like to start a LiveJournal or something
>> like it for her work here if a host can be found that supports that,
>> http://flickr.com/catchoftheday (Feel free to offer to purchase
>> something ;^). Now that I am unemployed, inexpensive would be nice. I am
>> open to suggestions for hosting services.
>>
>> Today, my wife and I are going to play hooky and do nothing. Again,
>> thanks everyone.
>>
>> DAve
>> --
>> "Posterity, you will know how much it cost the present generation to
>> preserve your freedom. I hope you will make good use of it. If you
>> do not, I shall repent in heaven that ever I took half the pains to
>> preserve it." John Adams
>>
>> http://appleseedinfo.org
>>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Apr 22 14:36:03 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 22 14:36:16 2010
Subject: OT: Julian
In-Reply-To: <4BBC991D.2000300@tradoc.fr>
References: <4BBC991D.2000300@tradoc.fr> <4BD050C3.1040600@ecs.soton.ac.uk>
Message-ID:

I'm still here folks. Just haven't been around for a long time. Work has been very busy and I'm starting to get a sinking feeling about my health position; something is wrong, just don't know what yet. I need to summon up the courage to go back to the docs and let them start prodding and poking again :-(

Anything important or urgent, send to MailScanner@ecs.soton.ac.uk and I'll try to monitor that as much as I can.

What's all this stuff about ClamAV 0.96? I just upgraded my RHEL4 development server to it, did a "service clamd restart" and it's working fine with the latest code. If someone can mail me a short summary of the problem and proposed workarounds, I'll take a look a.s.a.p.

Best regards,
Jules.

On 07/04/2010 15:39, John Wilcock wrote:
> I see that Julian hasn't posted to this list since his 10th
> anniversary message almost a month ago, nor has he replied to a couple
> of recent offlist messages of mine.
>
> Has anyone here heard from him recently? I do hope his health problems
> haven't reared their ugly head again...
>
> John.
>

Jules

From ka at pacific.net Thu Apr 22 15:07:16 2010
From: ka at pacific.net (Ken A)
Date: Thu Apr 22 15:07:52 2010
Subject: OT: Julian
In-Reply-To:
References: <4BBC991D.2000300@tradoc.fr> <4BD050C3.1040600@ecs.soton.ac.uk>
Message-ID: <4BD05814.5010509@pacific.net>

Julian,

You have been missed around here, but your health comes first. Do take care of yourself! You are in my prayers, and thanks as always for MailScanner!

Ken
Pacific.Net

On 4/22/2010 8:36 AM, Julian Field wrote:
> I'm still here folks. Just haven't been around for a long time. Work has
> been very busy and I'm starting to get a sinking feeling about my health
> position; something is wrong, just don't know what yet. I need to summon
> up the courage to go back to the docs and let them start prodding and
> poking again :-(
>
> Anything important or urgent, send to MailScanner@ecs.soton.ac.uk and
> I'll try to monitor that as much as I can.
>
> What's all this stuff about ClamAV 0.96? I just upgraded my RHEL4
> development server to it, did a "service clamd restart" and it's working
> fine with the latest code. If someone can mail me a short summary of the
> problem and proposed workarounds, I'll take a look a.s.a.p.
>
> Best regards,
> Jules.
>
> On 07/04/2010 15:39, John Wilcock wrote:
>> I see that Julian hasn't posted to this list since his 10th
>> anniversary message almost a month ago, nor has he replied to a couple
>> of recent offlist messages of mine.
>>
>> Has anyone here heard from him recently? I do hope his health problems
>> haven't reared their ugly head again...
>>
>> John.
>>
>
> Jules
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From MailScanner at ecs.soton.ac.uk Thu Apr 22 15:20:42 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 22 15:21:00 2010
Subject: ClamAv 0.96 is out
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45429A67@HC-MBX01.herefordshire.gov.uk>
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net><4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net><4BB68959.9060008@msapiro.net> <76415AED4CCF214F80FD9B0DA9A9EE45429A67@HC-MBX01.herefordshire.gov.uk> <4BD05B3A.703@ecs.soton.ac.uk>
Message-ID:

Look in /usr/lib/MailScanner/MessageBatch.pm
In there around line 1212 or so you will find a line that looks like this:
    my $MessageDir = tempdir( 'MSlintXXXXXX', CLEANUP => 1);
Change this to read
    my $MessageDir = tempdir( 'MSlintXXXXXX', TMPDIR => 1, CLEANUP => 1);
and "MailScanner --lint" will work properly again.
I was just putting a temporary directory (which I don't use but which needs to be there for the code to work) in the wrong place.

Jules.

On 09/04/2010 09:39, Randal, Phil wrote:
> Scott Silva wrote:
>
>> on 4-8-2010 12:31 PM Kai Schaetzl spake the following:
>>
>>> Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700:
>>>
>>>
>>>> Changed
>>>> incoming work user to clamav and changed incoming work group to
>>>> blank...
>>>>
>>> Thanks for the suggestion, but this doesn't work for me. I changed to
>>> user = clamav and then also removed the group as you did.
>>>
>>> The result of that (in both cases) is that the owner of the directory
>>> is now postfix and the error already happens in MS.
>>>
>>> Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not
>>> writable at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line
>>> 1211
>>>
>>> As I said I think there is something wrong about the group ownership
>>> or permissions only in the lint code that wasn't a problem before
>>> 0.96 but now is. Maybe clamav used ftstat before which doesn't need
>>> execute permission.
>>>
>>> Kai
>>>
>>>
>> I guess I should have been more specific. I am using sendmail. Maybe
>> Julian will see this thread when he is free and something will pop in
>> his head. I am also having some problems with the new spamassassin,
>> but I downgraded, as I don't have time to deal with that right now.
>>
> It doesn't work for me with sendmail, either.
>
> The only workaround I have which works is to comment out
>
> user clamav
>
> in /etc/clamd.conf and restart clamd.
>
> I haven't had the time to dig into MailScanner's lint and virus scanning
> code, alas.
>
> Cheers,
>
> Phil
>

Jules

From neilw at dcdata.co.za Thu Apr 22 15:28:35 2010
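What the one-line tempdir() change in Julian Field's message above does, as an added example (not MailScanner's own code): given only a template, File::Temp's tempdir() creates the directory relative to the current directory, which in the --lint output earlier in this thread was the incoming work directory where clamd reported the lstat() failure; TMPDIR => 1 places it under the system temp directory instead. The `incomingXXXXXX` stand-in directory, the helper name `untraversable_dirs` and its group/other search-bit heuristic are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: where File::Temp::tempdir() creates a template-only
# directory, and what TMPDIR => 1 changes. Not taken from MailScanner.
use strict;
use warnings;
use Cwd qw(abs_path getcwd);
use File::Find;
use File::Temp qw(tempdir);

# Return the directories below $tree that have neither the group nor the
# other search (x) bit set. A scanner daemon running under a different
# account cannot lstat() anything inside such a directory. (Heuristic chosen
# for this example; it does not look at ownership or group membership.)
sub untraversable_dirs {
    my ($tree) = @_;
    my @hits;
    find(
        sub {
            return if $File::Find::name eq $tree;   # skip the root itself
            return unless -d $_;
            my $mode = (stat _)[2] & 07777;         # reuse the -d stat
            push @hits, $File::Find::name unless $mode & 0011;
        },
        $tree
    );
    return sort @hits;
}

sub octal_mode { return sprintf '%04o', (stat $_[0])[2] & 07777 }

my $start = getcwd();

# Hypothetical stand-in for the per-run incoming work directory that is
# handed to the virus scanner; made world-searchable like a shared spool.
my $scan_tree = abs_path(tempdir('incomingXXXXXX', TMPDIR => 1, CLEANUP => 1));
chmod 0755, $scan_tree or die "chmod $scan_tree: $!";
chdir $scan_tree       or die "chdir $scan_tree: $!";

# Original call: template only. The directory is created relative to the
# current directory, i.e. inside the tree that is about to be scanned.
my $old = abs_path(tempdir('MSlintXXXXXX', CLEANUP => 1));

# Changed call: TMPDIR => 1 creates it under File::Spec->tmpdir instead.
my $new = abs_path(tempdir('MSlintXXXXXX', TMPDIR => 1, CLEANUP => 1));

for my $case (['template only', $old], ['TMPDIR => 1', $new]) {
    my ($label, $dir) = @$case;
    my $inside = index($dir, "$scan_tree/") == 0 ? 'yes' : 'no';
    printf "%-13s %s mode=%s inside-scan-tree=%s\n",
        $label, $dir, octal_mode($dir), $inside;
}

# tempdir() creates its directories owner-only, so the template-only one is
# the entry a scanner running as another user would trip over.
print "flagged in scan tree: $_\n" for untraversable_dirs($scan_tree);

# Leave the temporary tree before File::Temp's exit-time cleanup runs.
chdir $start or die "chdir $start: $!";
```

Only the template-only directory is reported as inside the scan tree and flagged; the TMPDIR => 1 directory never appears under it.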
From: neilw at dcdata.co.za (Neil Wilson)
Date: Thu Apr 22 15:28:58 2010
Subject: Recommended hardware spec 20000 users
Message-ID: <4BD05D13.30409@dcdata.co.za>

Hi guys,

I need some advice please,

What are your recommendations for hardware for a server that does Spam scanning with SA, Clamav scanning, running postfix under Centos 5.4 and logs in mysql and then forwards the emails on to an Exchange server for +-20000 users?

The emails theoretically have some basic spam scanning done before they get to the Linux server however there will still be a large amount of junk email to get rid of before passing it on to Exchange.

There is currently a dual proc dual core Xeon server with 512MB of RAM running amavisd, clamd and postfix handling the email at the moment, but this is very outdated and lacking functionality so it needs to be upgraded asap.

Would the current server handle the load with just a large RAM upgrade, EG: 4-8Gigs?

Any advice will be appreciated.

Thanks.

Regards.

Neil Wilson.

From prandal at herefordshire.gov.uk Thu Apr 22 15:36:23 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Apr 22 15:36:39 2010
Subject: ClamAv 0.96 is out
In-Reply-To:
References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net><4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net><4BB68959.9060008@msapiro.net> <76415AED4CCF214F80FD9B0DA9A9EE45429A67@HC-MBX01.herefordshire.gov.uk><4BD05B3A.703@ecs.soton.ac.uk>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE455DC73E@HC-MBX01.herefordshire.gov.uk>

That fixes it.

You're a star, Julian.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From prandal at herefordshire.gov.uk Thu Apr 22 15:51:24 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Apr 22 15:51:41 2010
Subject: Recommended hardware spec 20000 users
In-Reply-To: <4BD05D13.30409@dcdata.co.za>
References: <4BD05D13.30409@dcdata.co.za>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE455DC741@HC-MBX01.herefordshire.gov.uk>

It all depends on email volumes, and whether you blacklist at the MTA level (e.g zen.spamhaus.org). Any idea of those numbers?

We're using two Dell 2950 quad-core, 4GB RAM, CentOS 5.4 x64, sendmail, with zen blocking 80% to 90% of incoming connections.

5 to 8 million emails per month, in total, 700,000 or getting through to MailScanner/spamassassin.

Virus scanning using clamd 0.96 and McAfee uvscan 6.0.0.

Load average under 3, CPU utilisation under 50%.

Cheers,

Phil

From MailScanner at ecs.soton.ac.uk Thu Apr 22 15:53:05 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 22 15:53:26 2010
Subject: Release 4.80.3 is out
References: <4BD062D1.4050402@ecs.soton.ac.uk>
Message-ID:

I have released version 4.80.3.

This fixes the "MailScanner --lint" problems and adds support for McAfee 6.

Many thanks to all of you for your hard work on this, you know who you are :-)

Cheers,

Jules

From Amelein at dantumadiel.eu Thu Apr 22 16:02:11 2010
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Thu Apr 22 16:02:28 2010
Subject: Betr.: Recommended hardware spec 20000 users
In-Reply-To: <4BD05D13.30409@dcdata.co.za>
References: <4BD05D13.30409@dcdata.co.za>
Message-ID: <4BD081130200008E0001429D@10.1.0.206>

>>> On 22-4-2010 at 4:28, Neil Wilson wrote:
> Hi guys,
>
> I need some advice please,
>
> What are your recommendations for hardware for a server that does Spam
> scanning with SA, Clamav scanning, running postfix under Centos 5.4 and
> logs in mysql and then forwards the emails on to an Exchange server for
> +-20000 users?

It's not as much about the number of users but more about the actual e-mail volume .. if every user gets about 100 e-mails per day average you're talking 2.000.000 e-mails per day which is just over 20 per second.

Your biggest concern will probably be disk IO and not RAM, although your server will probably love you if you put 4Gb in. (Don't forget that it needs to be 64bit for 8gb ram, aka OS re-install if its already installed)

One plus for more ram is that in theory you could use a ramdisk for temporary files, this should speed things up considerably and I *think* there is actually something like that mentioned in one of the MS wiki/faq's

A good thing to keep in mind is greylisting, if this server is actually on the internet side directly which I'm somewhat doubting as you said there is already some basic spam scanning done. Greylisting cut my e-mail volume that actually gets into MS by 4.

- Arjan

From thomasl at mtl.mit.edu Thu Apr 22 16:28:41 2010
From: thomasl at mtl.mit.edu (Thomas Lohman)
Date: Thu Apr 22 16:29:00 2010
Subject: 'not spam (whitelisted)' in the headers
In-Reply-To: <4BCF6B30.7030103@dmtserv.com>
References: <4BCF6B30.7030103@dmtserv.com>
Message-ID: <4BD06B29.1000300@mtl.mit.edu>

> Denis
>
> That probably was the case so I edited the last line of
> spam.blacklist.rules file:
>
> FromOrTo: default no
> to
> FromOrTo: default yes
>
> Thank you very much,
> Roberto

Roberto, unless I'm missing something on how you're using this file, if you change the last line to "default yes" then Mailscanner is going to mark all mail as blacklisted since that is telling it that that is the default.

cheers,

--tom

From prandal at herefordshire.gov.uk Thu Apr 22 16:31:15 2010
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Apr 22 16:31:31 2010 Subject: Release 4.80.3 is out In-Reply-To: References: <4BD062D1.4050402@ecs.soton.ac.uk> Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE455DC756@HC-MBX01.herefordshire.gov.uk> Fabulous, Jules! I've given it a visual once-over and it looks good. Just waiting for some real-world malware to get caught. Cheers, Phil -- Phil Randal | Networks Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 22 April 2010 15:53 To: MailScanner discussion Subject: Release 4.80.3 is out I have released version 4.80.3. This fixes the "MailScanner --lint" problems and adds support for McAfee 6. Many thanks to all of you for your hard work on this, you know who you are :-) Cheers, Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Thu Apr 22 17:12:12 2010 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Apr 22 17:12:31 2010 Subject: Dangerous content detection with "file" command In-Reply-To: <4BCF1103.7050605@eece.maine.edu> References: <4BCF1103.7050605@eece.maine.edu> <4BD0755C.4050208@ecs.soton.ac.uk> Message-ID: On 21/04/2010 15:51, Bruce R. Littlefield wrote: >> >> The diffs for SweepOther.pm are as follows: >> >> 410c410 >> < $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*(.*)$/; >> --- >>> $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*),/; >> > Did this ever get addressed? I checked the latest Beta and > SweepOther.pm still has the earlier code. I ran into the same problem > on a Fedora 11 server running MailScanner 4.79.11-1 RPM with sendmail, > spamassassin, and clamd. I found this change to be quite beneficial. > Is it in the queue? That patch won't work if there is *not* a comma in the output of the "file" command. What I would recommend you try instead is this: $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*)/; Please try that and get back to me to let me know if it works. For now, please email me at mailscanner@ecs.soton.ac.uk rather than post to the list. If my suggested fix works, I'll release a new beta containing it. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajos1 at onion.demon.co.uk Thu Apr 22 18:27:32 2010 
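Review bot: the replacement pattern at line 410 ends in a literal comma (`([^,]*),/`), so a line of "file" output whose description contains no comma no longer matches at all and $FileTypes{$1}{$2} is never assigned, whereas the old `(.*)$` always captured the rest of the line. Dropping the final comma, as in `/^([^\/]+)\/([^:]+):\s*([^,]*)/`, keeps the truncation at the first comma and still matches comma-free descriptions. The change also narrows the stored value to the text before the first comma, so a comment at this line saying so would help anyone whose checks depend on the later part of the description.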
From: ajos1 at onion.demon.co.uk (ajos1 at onion) Date: Thu Apr 22 17:27:44 2010 Subject: Which Virus Checkers do people recommend?? Message-ID: - With all the hassles of the older McAfee system doing a runner... I am looking at what other virus checkers can be used instead... Do people have recommendations on which ones they do/would use... and some form of order of preference if there is more than one choice. Thanks in advance-o, Ajos1 From prandal at herefordshire.gov.uk Thu Apr 22 17:35:28 2010 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Apr 22 17:35:51 2010 Subject: Which Virus Checkers do people recommend?? In-Reply-To: References: Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE455DC779@HC-MBX01.herefordshire.gov.uk> McAfee uvscan 6 works fine with the latest MailScanner beta. My preferred option is ClamAv (clamd version) with SaneSecurity and other additional patterns. It's very rare for McAfee to catch something which ClamAV doesn't. Cheers, Phil -- Phil Randal | Networks Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: prandal@herefordshire.gov.uk From Kevin_Miller at ci.juneau.ak.us Thu Apr 22 18:46:50 2010 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Apr 22 18:47:05 2010 Subject: Which Virus Checkers do people recommend?? In-Reply-To: References: Message-ID: <4A09477D575C2C4B86497161427DD94C14A6C86627@city-exchange07> ajos1 at onion wrote: > - > > With all the hassles of the older McAfee system doing a runner... I > am looking at what other virus checkers can be used instead... > > Do people have recommendations on which ones they do/would use... and > some form of order of preference if there is more than one choice. > > Thanks in advance-o, I've used clamav and f-secure for several years on my MailScanner boxes, which forward to Exchange running Trend Micro. The Exchange antivirus agent is extremely bored... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907) 586-4500 From uxbod at splatnix.net Thu Apr 22 20:00:30 2010 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Apr 22 20:00:46 2010 Subject: Which Virus Checkers do people recommend?? In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE455DC779@HC-MBX01.herefordshire.gov.uk> Message-ID: <30685853.314.1271962830564.JavaMail.root@office.splatnix.net> ----- Original Message ----- > McAfee uvscan 6 works fine with the latest MailScanner beta. > > My preferred option is ClamAv (clamd version) with SaneSecurity and > other additional patterns. > > It's very rare for McAfee to catch something which ClamAV doesn't. > > Cheers, > > Phil > -- Phil Randal | Networks Engineer > NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's > Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ajos1 > at onion > Sent: 22 April 2010 18:28 > To: mailscanner@lists.mailscanner.info > Cc: ajos1@onion.demon.co.uk > Subject: Which Virus Checkers do people recommend?? > > - > > With all the hassles of the older McAfee system doing a runner... I am > looking at what other virus checkers can be used instead... > > Do people have recommendations on which ones they do/would use... and > some form of order of preference if there is more than one choice. > > Thanks in advance-o, > > Ajos1 > Thumbs up for Phil's recommendations. I run three AV scanners and probably 1% gets past ClamAV with SaneSecurity sigs (set as primary scanner). -- Thanks, Phil From ssilva at sgvwater.com Thu Apr 22 20:04:31 2010 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Apr 22 20:04:50 2010 Subject: [OT] How to avoid Backscatter in Sendmail In-Reply-To: <023c01cae18d$63268e70$0b01010a@DGPTBH91> References: <023c01cae18d$63268e70$0b01010a@DGPTBH91> Message-ID: on 4-21-2010 1:00 PM Bryan Guest spake the following: > Hello > > As mentioned you could try milter-ahead or smfsav, run as a milter from > sendmail to drop the connection prior to the DATA command in the SMTP > transaction. > > One note, apparently the same self appointed police at backscatterer.org > also blacklist you for attempting to cut down on spam by using sender > callouts. So if you use smfsav, disable SAV or you will just get > blacklisted again. > > Bryan Sender callouts are just another form of backscatter. From ajos1 at onion.demon.co.uk Thu Apr 22 21:27:39 2010 
From: ajos1 at onion.demon.co.uk (ajos1 at onion) Date: Thu Apr 22 20:27:49 2010 Subject: Thank You! Message-ID: - Thank you so much!! The day I decide I need to sort out the Virus Checkers and try some of the patches... I see this lovely message! Much time saved. Thank you! ------ 22/04/2010 New in Version 4.80.3-1 ================================== * New Features and Improvements * 1 Upgraded AVG support to AVG version 8. Support no longer guaranteed for older versions. 2 Installers no longer over-write mailscanner.cf in SpamAssassin directory if the file or link exists. 3 Added support for McAfee version 6. Use the virus scanner name "mcafee6" to get this support. Many thanks to Phil Randal and Michael Miller for all their hard work on this. ------ From Denis.Beauchemin at USherbrooke.ca Thu Apr 22 20:39:21 2010 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Apr 22 20:39:43 2010 Subject: 'not spam (whitelisted)' in the headers In-Reply-To: <4BD06B29.1000300@mtl.mit.edu> References: <4BCF6B30.7030103@dmtserv.com> <4BD06B29.1000300@mtl.mit.edu> Message-ID: <4BD0A5E9.7030500@USherbrooke.ca> On 2010-04-22 11:28, Thomas Lohman wrote: >> Denis >> >> That probably was the case so I edited the last line of >> spam.blacklist.rules file: >> >> FromOrTo: default no >> to >> FromOrTo: default yes >> >> Thank you very much, >> Roberto > > Roberto, unless I'm missing something on how you're using this file, > if you change the last line to "default yes" then Mailscanner is going > to mark all mail as blacklisted since that is telling it that that is > the default. > > cheers, > > > --tom Tom is probably right! We have: Fromorto default no in that file. Denis -- _ °v° Denis Beauchemin, analyst /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From maxsec at gmail.com Thu Apr 22 23:59:04 2010 
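The effect of the "default yes" edit discussed in the spam.blacklist.rules exchange above can be checked with a small model of ruleset evaluation. This is an added example, not MailScanner's code and not something posted in the thread; it assumes a simplified evaluator (glob patterns on addresses only, the first matching rule wins, the default applies when nothing matches, a missing default counts as "no"), and the rulesets and addresses are constructed.

```python
"""Simplified model of a MailScanner-style blacklist ruleset (assumption, not MailScanner code)."""
from fnmatch import fnmatchcase

DIRECTIONS = {"from", "to", "fromorto"}

# Constructed sample rulesets: identical except for the value on the last line.
ORIGINAL = """\
# spam.blacklist.rules (constructed sample)
From:      *@bulk-sender.example   yes
FromOrTo:  default                 no
"""
EDITED = """\
# spam.blacklist.rules (constructed sample)
From:      *@bulk-sender.example   yes
FromOrTo:  default                 yes
"""

# Constructed traffic: (envelope sender, [recipients]).
MESSAGES = [
    ("offers@bulk-sender.example", ["alice@corp.example"]),
    ("bob@partner.example", ["alice@corp.example"]),
    ("carol@corp.example", ["dave@customer.example"]),
]


def parse_ruleset(text):
    """Return (rules, default); each rule is (direction, pattern, value)."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        # Accept both "FromOrTo:" and "Fromorto", the two spellings seen in the thread.
        direction = parts[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"unsupported direction in this model: {raw!r}")
        pattern, value = parts[1].lower(), parts[2].lower()
        if pattern == "default":
            default = value
        else:
            rules.append((direction, pattern, value))
    return rules, default


def is_blacklisted(rules, default, sender, recipients):
    """First matching rule decides; otherwise the default does."""
    sender = sender.lower()
    recipients = [r.lower() for r in recipients]
    for direction, pattern, value in rules:
        hit_from = fnmatchcase(sender, pattern)
        hit_to = any(fnmatchcase(r, pattern) for r in recipients)
        if ((direction == "from" and hit_from)
                or (direction == "to" and hit_to)
                or (direction == "fromorto" and (hit_from or hit_to))):
            return value == "yes"
    return default == "yes"


def blacklisted_senders(ruleset_text, messages):
    """Senders of the messages this ruleset would mark as blacklisted."""
    rules, default = parse_ruleset(ruleset_text)
    return [s for s, rcpts in messages if is_blacklisted(rules, default, s, rcpts)]


def lint_blacklist(ruleset_text):
    """Flag a blacklist whose fall-through value is 'yes'."""
    _, default = parse_ruleset(ruleset_text)
    if default == "yes":
        return ["default is 'yes': every message not matched by an earlier rule is blacklisted"]
    return []


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("edited", EDITED)):
        print(name, blacklisted_senders(text, MESSAGES), lint_blacklist(text))
```

Running the lint over a blacklist file before reloading MailScanner catches this kind of edit before any mail is affected.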
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Apr 22 23:59:13 2010 Subject: Recommended hardware spec 20000 users In-Reply-To: <4BD05D13.30409@dcdata.co.za> References: <4BD05D13.30409@dcdata.co.za> Message-ID: running modern hardware you shouldn't have any problem - it's more a matter of memory and tuning. We'd normally recommend 4GB (the more the better) as SA is quite heavy on RAM these days. depends on the volume (number and amount) of emails per day. you can do a lot to keep the volume down by dropping unknown recipients (see the wiki for MTA how-to's) and also splitting the email into individual recipient emails (again see the wiki). I'd also suggest looking at the performance tuning sections of the wiki anyway. martin On 22 April 2010 15:28, Neil Wilson wrote: > Hi guys, > > I need some advice please, > > What are your recommendations for hardware for a server that does Spam > scanning with SA, Clamav scanning, running postfix under Centos 5.4 and logs > in mysql and then forwards the emails on to an Exchange server for +-20000 > users? > > The emails theoretically have some basic spam scanning done before they get > to the Linux server however there will still be a large amount of junk email > to get rid of before passing it on to Exchange. > > There is currently a dual proc dual core Xeon server with 512MB of RAM > running amavisd, clamd and postfix handling the email at the moment, but > this is very outdated and lacking functionality so it needs to be upgraded > asap. > > Would the current server handle the load with just a large RAM upgrade, EG: > 4-8Gigs? > > Any advice will be appreciated. > > Thanks. > > Regards. > > Neil Wilson. 
-- Martin Hepworth Oxford, UK From seven at seven.dorksville.net Fri Apr 23 01:15:18 2010 From: seven at seven.dorksville.net (Anthony Giggins) Date: Fri Apr 23 01:15:36 2010 Subject: Move addresses from To to Bcc? In-Reply-To: <4BD01D97.1070600@iinet.net.au> References: <4BCFD820.6090405@iinet.net.au> <4BD01D97.1070600@iinet.net.au> Message-ID: <62481.125.168.254.15.1271981718.squirrel@seven.dorksville.net> > Thanks. Yeah we already do that but it's just not important enough for > most users, they just want to send email :)
>
> I will look at a script the MTA can use.
If you write a script for this I'm actually after a script to do the opposite in qmail ie. rewrite BCC to TO as we have a Ticketing Systems which breaks when emails are BCC'd to it. Cheers, Anthony From mailscanner at pdscc.com Fri Apr 23 06:20:14 2010 From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Fri Apr 23 06:20:29 2010 Subject: resent/requene archived messages in mbox format Message-ID: <20100423052014.E86401FB001@sinclaire.sibble.net> Hmm, client just advised that the exchange server behind mailscanner had its transport database crash losing a bunch of mail from 1630 yesterday until noon today so he needs me to resend all the messages that were archived by mailscanner during the period in question. Specifically inbound messages to users, but not outbound emails System is CentOS 4.7 with MS 4.76.25 with postfix in single queue configuration. All emails in and outbound are archived to an mbox formatted file

incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Archive Mail = /var/spool/MailScanner/archive/company-archive
Missing Mail Archive Is = directory

This results in 1 file per day company-archive.2010-04-21-2300-01.txt due to this script

#!/bin/sh
# Rotate the MailScanner mbox archive into a dated copy.
###DATE=/bin/date "+%Y-%m-%d-%H:%M:%S"
DATE=`/bin/date "+%Y-%m-%d-%H%M-%S.txt"`
cd /var/spool/MailScanner/archive
# Stop MailScanner so nothing is appended while the file is copied.
/etc/init.d/MailScanner stop
/bin/sleep 15
/bin/cp company-archive company-archive.$DATE
/bin/mv company-archive company-archive.old
# Recreate an empty archive owned by postfix, then restart.
/bin/touch company-archive
/bin/chown postfix company-archive
/bin/chgrp postfix company-archive
/etc/init.d/MailScanner start

what's the best way to extract the mbox into 1 email per file and then dump that back into postfix for resending to all the recipients? 
I came across this script when googling http://lists.mailscanner.info/pipermail/mailscanner/2004-June/036054.html and this info http://lists.mailscanner.info/pipermail/mailscanner/2005-October/054143.html Also this thread http://lists.mailscanner.info/pipermail/mailscanner/2006-May/060934.html But none are quite what I need Any suggestions? Is this even easily doable based on settings above? -- Harondel J. Sibble Sibble Computer Consulting Creating Solutions for the small and medium business computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice) From m.anderlini at database.it Fri Apr 23 08:34:42 2010 From: m.anderlini at database.it (Marcello Anderlini) Date: Fri Apr 23 08:34:59 2010 Subject: R: [OT] How to avoid Backscatter in Sendmail In-Reply-To: References: <023c01cae18d$63268e70$0b01010a@DGPTBH91> Message-ID: <4B5F7DFBDF0F45CD96B17274771A5FD5@dbdomain.database.it> Hi, I think I've finally found my problem. It seems it was due to relay_based_on_MX configuration. Thanks a lot to all for help :-) Best regards Dr. Marcello Anderlini m.anderlini@database.it --------------------------------------------- Database Informatica S.r.l. Microsoft Certified Partner Tel. +39059775070 Fax. +39059779545 http://www.database.it --------------------------------------------- -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: 22/04/2010 21:05 To: mailscanner@lists.mailscanner.info Subject: Re: [OT] How to avoid Backscatter in Sendmail on 4-21-2010 1:00 PM Bryan Guest spake the following: > Hello > > As mentioned you could try milter-ahead or smfsav, run as a milter > from sendmail to drop the connection prior to the DATA command in the > SMTP transaction. > > One note, apparently the same self appointed police at > backscatterer.org also blacklist you for attempting to cut down on > spam by using sender callouts. 
So if you use smfsav, disable SAV or > you will just get blacklisted again. > > Bryan Sender callouts are just another form of backscatter. -- Message checked by the Database Informatica antivirus service From e.mink at remote.nl Fri Apr 23 09:30:58 2010 From: e.mink at remote.nl (Eric Mink) Date: Fri Apr 23 09:31:31 2010 Subject: [OT] How to avoid Backscatter in Sendmail References: <023c01cae18d$63268e70$0b01010a@DGPTBH91> <4B5F7DFBDF0F45CD96B17274771A5FD5@dbdomain.database.it> Message-ID: Adding a SPF record to your dns zone will do the trick http://old.openspf.org/wizard.html?mydomain=&x=35&y=9 Kind regards, Eric Mink Remote IT - Services Pascalweg 1, Postbus 256 8000 AG Zwolle Telephone: 038 - 428 44 44 Fax: 038 - 428 44 40 From MailScanner at ecs.soton.ac.uk Fri Apr 23 10:26:13 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 23 10:26:23 2010 Subject: How to In-Reply-To: References: <4BCF42CD.3030005@USherbrooke.ca> <4BD167B5.3020007@ecs.soton.ac.uk> Message-ID: If you want to just deliver the message, something like sendmail -i -oem -t < message-filename-here should deliver it for you. 
On 21/04/2010 20:59, Pedro Silva wrote: > Thanks, > > The new messages are arriving in quarantine with df and qf. > > But I can retrieve a message that the previous system, which saves > files separately. How I can recover these? > > > Thanks > -- > Pedro > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajos1 at onion.demon.co.uk Fri Apr 23 13:42:47 2010 From: ajos1 at onion.demon.co.uk (ajos1 at onion) Date: Fri Apr 23 12:42:56 2010 Subject: Which Virus Checkers do people recommend?? Message-ID: >> >> It's very rare for McAfee to catch something which ClamAV doesn't. >> This is quite interesting... With Dat files that were not more than 4 weeks old... I did some tests last night... which I will stick on here later... Of the 44 files (some infected / some not)... ============================================= McAfee - vlp4530l - Got 5 virus... McAfee - vscl-l32-6.0.0-l - Got 12 virus... The McAfee 6 was much faster... And... It looks like the Clam system has been picking up more than the vlp4530l system. From brucel at eece.maine.edu Fri Apr 23 18:52:00 2010 From: brucel at eece.maine.edu (Bruce R. 
Littlefield) Date: Fri Apr 23 18:52:21 2010 Subject: MailScanner Digest, Vol 52, Issue 24 In-Reply-To: <201004230744.o3N7iWD7011796@safir.blacknight.ie> References: <201004230744.o3N7iWD7011796@safir.blacknight.ie> Message-ID: <4BD1DE40.8000004@eece.maine.edu> On 04/23/2010 03:44 AM, mailscanner-request@lists.mailscanner.info wrote: > Message: 13 > Date: Thu, 22 Apr 2010 17:12:12 +0100 > From: Julian Field > Subject: Re: Dangerous content detection with "file" command > To: MailScanner discussion > Message-ID: > > > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > > > On 21/04/2010 15:51, Bruce R. Littlefield wrote: >>> >> >>> >> The diffs for SweepOther.pm are as follows: >>> >> >>> >> 410c410 >>> >> < $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*(.*)$/; >>> >> --- >>>> >>> $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*),/; >>> >> >> > Did this ever get addressed? I checked the latest Beta and >> > SweepOther.pm still has the earlier code. I ran into the same problem >> > on a Fedora 11 server running MailScanner 4.79.11-1 RPM with sendmail, >> > spamassassin, and clamd. I found this change to be quite beneficial. >> > Is it in the queue? > That patch won't work if there is *not* a comma in the output of the > "file" command. > What I would recommend you try instead is this: > $FileTypes{$1}{$2} = $3 if /^([^\/]+)\/([^:]+):\s*([^,]*)/; > > Please try that and get back to me to let me know if it works. > For now, please email me at mailscanner@ecs.soton.ac.uk rather than post > to the list. > If my suggested fix works, I'll release a new beta containing it. > > Jules > Jules: The new code worked correctly on the test cases I had here. It looks like it is just the ticket. Thanks. -Bruce Bruce R. 
Littlefield Systems Manager/Lecturer Tel: (207) 581-2238 Electrical and Computer Engineering Fax: (207) 581-4531 University of Maine brucel@eece.maine.edu 210 Barrows Hall http://www.eece.maine.edu Orono, Maine 04469-5708 "Mastering MATLAB 7" (ISBN 0-13-143018-1) http://www.eece.maine.edu/mm mm@eece.maine.edu From Augustine_Velasco at kgi.edu Fri Apr 23 19:41:47 2010 From: Augustine_Velasco at kgi.edu (Augustine Velasco) Date: Fri Apr 23 19:45:59 2010 Subject: Barricade MX Plus Allow Filename Message-ID: <8A1FFD89E2A2024EB50FB14B6F6FDC7D015D97DA@hermes.kgi.edu> Hello, We've just had Barricade MX Plus installed for our domain (upgraded from Mailscanner). No manual to read, but I was wondering if anyone is familiar enough with the GUI to explain a simple procedure. How do I add a filename exception, so that my Blackberry users can send ETP.DAT files through, to their carrier's network. I know the procedure is done via SETUP > DOMAINS > CONFIG > ATTACHMENTS > ALLOW FILENAMES > EXCEPTIONS. Just not sure about all of the values needed for the pop-up window that shows the ruleset. Thanks in advance, Augustine Velasco Windows Systems Administrator MCITP, MCSA Keck Graduate Institute Voice: 909-607-9291 Fax: 909-607-8598 www.kgi.edu -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve at fsl.com Fri Apr 23 20:18:12 2010 From: steve at fsl.com (Stephen Swaney) Date: Fri Apr 23 20:18:23 2010 Subject: Barricade MX Plus Allow Filename In-Reply-To: <8A1FFD89E2A2024EB50FB14B6F6FDC7D015D97DA@hermes.kgi.edu> References: <8A1FFD89E2A2024EB50FB14B6F6FDC7D015D97DA@hermes.kgi.edu> Message-ID: On Apr 23, 2010, at 2:41 PM, Augustine Velasco wrote: > > Hello, > > We've just had Barricade MX Plus installed for our domain (upgraded from Mailscanner). No manual to read, but I was wondering if anyone is familiar enough with the GUI to explain a simple procedure. How do I add a filename exception, so that my Blackberry users can send ETP.DAT files through, to their carrier's network. I know the procedure is done via SETUP > DOMAINS > CONFIG > ATTACHMENTS > ALLOW FILENAMES > EXCEPTIONS. Just not sure about all of the values needed for the pop-up window that shows the ruleset. > > Thanks in advance, > > Augustine Velasco > Windows Systems Administrator > MCITP, MCSA > Keck Graduate Institute > Voice: 909-607-9291 > Fax: 909-607-8598 > www.kgi.edu Augustine, Please refer all BarricadeMX plus support questions to support@fsl.com. BarricadeMX plus uses a Postgres Database and a web interface for all configuration information. The users on the Mailscanner list are not familiar with either and would not be able to assist. Best regards, Steve -- Steve Swaney steve@fsl.com www.fsl.com The most accurate and cost effective anti-spam solutions available > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
From noel.butler at ausics.net Mon Apr 26 01:13:24 2010 From: noel.butler at ausics.net (Noel Butler) Date: Mon Apr 26 01:13:43 2010 Subject: MailScanner under openvz Message-ID: <1272240804.7560.30.camel@tardis> Greetings, Has anyone had any issues with this configuration? I have installed MailScanner on many servers, personal, my employers, and private clients over the years, must be totalling into hundreds having used it since 2002, even on virtual stuff like xen and vmware, but I've never had the displeasure of doing one under an openvz container, that said, this is my first hands on with openvz (no, I don't control of the vps server hardware but I have faith in the company that does as they have been doing this for a couple years, so I trust the container and master host are properly setup). I know even an old pro like myself can make a mistake, so I duplicated the setup on a spare dev box, and it works fine, but on that vps, not a hope in hell... There are no errors in any lint/debug for MS or SA, forcing a confiscated rootkit, gets found by clamav and dealt with correctly, so I'm ruling out anti virus as well. Using base config of 5 children, It repeatedly restarts, it will process mail in the process though, there are again, no indications as to why it is restarting continuously. So I dropped the kids to "2" and it starts, all good as it should. 26227 ? Ss 0:00 MailScanner: master waiting for children, sleeping 26232 ? S 0:02 MailScanner: waiting for messages 28345 ? S 0:02 MailScanner: waiting for messages Except.. (yep there's always an "except")... Often, a child grabs the batch, then, the other kid grabs it, processing it twice, resulting in the recipient getting two copies of the message. and.. 
then, if it restarts itself as per the restart timeout value, they end up like this, trying to start a child, even though it already has restarted itself and both of its kids (and we don't ever see 26227 return to master state.) 16328 ? S 0:02 MailScanner: waiting for messages 18049 ? S 0:02 MailScanner: waiting for messages 26227 ? Ss 0:00 MailScanner: starting child This is a centos 5.4 system. MailScanner was installed from source not an ancient rpm or whatever. CPU: 8 Intel(R) Xeon(R) CPU E5450 @ 3.00GHz at 123MHz Memory: 512 MB Machine: x86_64 Release: Linux 2.6.18-028stab068.3 So, has anyone run into any problems like this with openvz? Cheers (thanks to Julian if he approves this post) (direct replies accepted) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100426/2413785d/attachment.html From seven at seven.dorksville.net Mon Apr 26 06:11:57 2010 From: seven at seven.dorksville.net (Anthony Giggins) Date: Mon Apr 26 06:11:48 2010 Subject: MailScanner under openvz In-Reply-To: <1272240804.7560.30.camel@tardis> References: <1272240804.7560.30.camel@tardis> Message-ID: <003301cae4fe$ffc69170$ff53b450$@dorksville.net> Check your /proc/userbeancounters odds are it exceeding one or some of them. Cheers, Anthony From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Noel Butler Sent: Monday, 26 April 2010 10:13 AM To: MailScanner discussion Subject: MailScanner under openvz Greetings, Has anyone had any issues with this configuration? 
I have installed MailScanner on many servers, personal, my employers, and private clients over the years, must be totalling into hundreds having used it since 2002, even on virtual stuff like xen and vmware, but I've never had the displeasure of doing one under an openvz container, that said, this is my first hands on with openvz (no, I don't control of the vps server hardware but I have faith in the company that does as they have been doing this for a couple years, so I trust the container and master host are properly setup). I know even an old pro like myself can make a mistake, so I duplicated the setup on a spare dev box, and it works fine, but on that vps, not a hope in hell... There are no errors in any lint/debug for MS or SA, forcing a confiscated rootkit, gets found by clamav and dealt with correctly, so I'm ruling out anti virus as well. Using base config of 5 children, It repeatedly restarts, it will process mail in the process though, there are again, no indications as to why it is restarting continuously. So I dropped the kids to "2" and it starts, all good as it should. 26227 ? Ss 0:00 MailScanner: master waiting for children, sleeping 26232 ? S 0:02 MailScanner: waiting for messages 28345 ? S 0:02 MailScanner: waiting for messages Except.. (yep there's always an "except")... Often, a child grabs the batch, then, the other kid grabs it, processing it twice, resulting in the recipient getting two copies of the message. and.. then, if it restarts itself as per the restart timeout value, they end up like this, trying to start a child, even though it already has restarted itself and both of its kids (and we don't ever see 26227 return to master state.) 16328 ? S 0:02 MailScanner: waiting for messages 18049 ? S 0:02 MailScanner: waiting for messages 26227 ? Ss 0:00 MailScanner: starting child This is a centos 5.4 system. MailScanner was installed from source not an ancient rpm or whatever. 
CPU: 8 Intel(R) Xeon(R) CPU E5450 @ 3.00GHz at 123MHz Memory: 512 MB Machine: x86_64 Release: Linux 2.6.18-028stab068.3 So, has anyone run into any problems like this with openvz? Cheers (thanks to Julian if he approves this post) (direct replies accepted) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100426/9a4177d4/attachment.html From noel.butler at ausics.net Mon Apr 26 06:54:40 2010 From: noel.butler at ausics.net (Noel Butler) Date: Mon Apr 26 06:55:01 2010 Subject: MailScanner under openvz In-Reply-To: <003301cae4fe$ffc69170$ff53b450$@dorksville.net> References: <1272240804.7560.30.camel@tardis> <003301cae4fe$ffc69170$ff53b450$@dorksville.net> Message-ID: <1272261280.7557.6.camel@tardis> Hi Anthony, As far as I can tell, it isn't coming close to any exceeds. Thanks anyway. On Mon, 2010-04-26 at 15:11 +1000, Anthony Giggins wrote: > Check your /proc/userbeancounters odds are it exceeding one or some of > them. > > > > Cheers, > > > > Anthony > > > > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Noel > Butler > Sent: Monday, 26 April 2010 10:13 AM > To: MailScanner discussion > Subject: MailScanner under openvz > > > > > > Greetings, > > Has anyone had any issues with this configuration? > > I have installed MailScanner on many servers, personal, my employers, > and private clients over the years, must be totalling into hundreds > having used it since 2002, even on virtual stuff like xen and vmware, > but I've never had the displeasure of doing one under an openvz > container, that said, this is my first hands on with openvz (no, I > don't control of the vps server hardware but I have faith in the > company that does as they have been doing this for a couple years, so > I trust the container and master host are properly setup). 
> > I know even an old pro like myself can make a mistake, so I duplicated > the setup on a spare dev box, and it works fine, but on that vps, not > a hope in hell... > > There are no errors in any lint/debug for MS or SA, forcing a > confiscated rootkit, gets found by clamav and dealt with correctly, so > I'm ruling out anti virus as well. > > Using base config of 5 children, It repeatedly restarts, it will > process mail in the process though, there are again, no indications as > to why it is restarting continuously. > > > So I dropped the kids to "2" and it starts, all good as it should. > > 26227 ? Ss 0:00 MailScanner: master waiting for children, > sleeping > 26232 ? S 0:02 MailScanner: waiting for messages > 28345 ? S 0:02 MailScanner: waiting for messages > > Except.. (yep there's always an "except")... > Often, a child grabs the batch, then, the other kid grabs it, > processing it twice, resulting in the recipient getting two copies of > the message. > > and.. then, if it restarts itself as per the restart timeout value, > they end up like this, trying to start a child, even though it already > has restarted itself and both of its kids (and we don't ever see 26227 > return to master state.) > 16328 ? S 0:02 MailScanner: waiting for messages > 18049 ? S 0:02 MailScanner: waiting for messages > 26227 ? Ss 0:00 MailScanner: starting child > > > This is a centos 5.4 system. MailScanner was installed from source > not an ancient rpm or whatever. > > CPU: 8 Intel(R) Xeon(R) CPU E5450 @ 3.00GHz at 123MHz > Memory: 512 MB > Machine: x86_64 > Release: Linux 2.6.18-028stab068.3 > > > So, has anyone run into any problems like this with openvz? > > Cheers > (thanks to Julian if he approves this post) > (direct replies accepted) > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100426/90fa2cb6/attachment.html From MailScanner at ecs.soton.ac.uk Mon Apr 26 08:46:59 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 26 08:47:11 2010 Subject: MailScanner under openvz In-Reply-To: <1272240804.7560.30.camel@tardis> References: <1272240804.7560.30.camel@tardis> <4BD544F3.9030208@ecs.soton.ac.uk> Message-ID: On 26/04/2010 01:13, Noel Butler wrote: > Greetings, > > Has anyone had any issues with this configuration? > > I have installed MailScanner on many servers, personal, my employers, > and private clients over the years, must be totalling into hundreds > having used it since 2002, even on virtual stuff like xen and vmware, > but I've never had the displeasure of doing one under an openvz > container, that said, this is my first hands on with openvz (no, I > don't control of the vps server hardware but I have faith in the > company that does as they have been doing this for a couple years, so > I trust the container and master host are properly setup). > > I know even an old pro like myself can make a mistake, so I duplicated > the setup on a spare dev box, and it works fine, but on that vps, not > a hope in hell... > > There are no errors in any lint/debug for MS or SA, forcing a > confiscated rootkit, gets found by clamav and dealt with correctly, so > I'm ruling out anti virus as well. > > Using base config of 5 children, It repeatedly restarts, it will > process mail in the process though, there are again, no indications as > to why it is restarting continuously. > > > So I dropped the kids to "2" and it starts, all good as it should. > > 26227 ? Ss 0:00 MailScanner: master waiting for children, > sleeping > 26232 ? S 0:02 MailScanner: waiting for messages > 28345 ? S 0:02 MailScanner: waiting for messages > > Except.. (yep there's always an "except")... 
> Often, a child grabs the batch, then, the other kid grabs it, > processing it twice, resulting in the recipient getting two copies of > the message. That's a locking fault. > > and.. then, if it restarts itself as per the restart timeout value, > they end up like this, trying to start a child, even though it already > has restarted itself and both of its kids (and we don't ever see 26227 > return to master state.) > 16328 ? S 0:02 MailScanner: waiting for messages > 18049 ? S 0:02 MailScanner: waiting for messages > 26227 ? Ss 0:00 MailScanner: starting child What happens if you put a message or two into mqueue.in and then "MailScanner --debug" ? Does that produce any errors or warnings? And what does your maillog say about the whole process? Any give-aways there? > > > This is a centos 5.4 system. MailScanner was installed from source > not an ancient rpm or whatever. > > CPU: 8 Intel(R) Xeon(R) CPU E5450 @ 3.00GHz at 123MHz > Memory: 512 MB > Machine: x86_64 > Release: Linux 2.6.18-028stab068.3 > > > So, has anyone run into any problems like this with openvz? > > Cheers > (thanks to Julian if he approves this post) > (direct replies accepted) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
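The locking-fault diagnosis in the reply above can be checked directly on the filesystem that holds the queue. The following is an added example, not MailScanner code and not from the thread: a Python probe in which one process holds an exclusive lock and a second process must be refused it, for both flock and POSIX (fcntl) locks. The names `probe_lock` and `probe_directory` and the directory argument are assumptions made for this sketch.

```python
import errno
import fcntl
import os
import sys
import tempfile

# Lock styles to probe. "posix" matches the "Using locktype = posix" line in
# the --lint output quoted on this page; "flock" is the other common style.
LOCKERS = {
    "flock": fcntl.flock,
    "posix": fcntl.lockf,
}

# errno values that mean "somebody else already holds the lock".
REFUSED = (errno.EAGAIN, errno.EACCES, errno.EWOULDBLOCK)


def _second_process_verdict(path, locker):
    """Child side: open the file afresh and request the lock without blocking.

    Exit code 0 = refused (locking works), 1 = granted (lock is not
    exclusive), 2 = the open or lock call failed for some other reason.
    """
    try:
        fd = os.open(path, os.O_RDWR)
    except OSError:
        os._exit(2)
    try:
        locker(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        os._exit(0 if exc.errno in REFUSED else 2)
    os._exit(1)


def probe_lock(directory, style):
    """Return 'exclusive', 'not-exclusive' or 'unsupported' for one lock style."""
    locker = LOCKERS[style]
    fd, path = tempfile.mkstemp(prefix="lockprobe.", dir=directory)
    try:
        try:
            # First process (this one) takes the lock and keeps it.
            locker(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:
            return "unsupported"
        pid = os.fork()
        if pid == 0:
            _second_process_verdict(path, locker)  # never returns
        _, status = os.waitpid(pid, 0)
        code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else 2
        return {0: "exclusive", 1: "not-exclusive"}.get(code, "unsupported")
    finally:
        os.close(fd)
        os.unlink(path)


def probe_directory(directory):
    """Probe every known lock style in `directory` and return the verdicts."""
    return {style: probe_lock(directory, style) for style in LOCKERS}


if __name__ == "__main__":
    # Pass the directory to test, e.g. the one holding the incoming queue.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for style, verdict in probe_directory(target).items():
        print(f"{target}: {style} lock is {verdict}")
```

Run it as the user MailScanner runs as, against the directory that holds the incoming queue. A `not-exclusive` or `unsupported` verdict for the lock style in use is consistent with two children picking up the same batch.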
From mwen at f-i-ts.net Mon Apr 26 12:50:35 2010 From: mwen at f-i-ts.net (Markus Wennrich) Date: Mon Apr 26 12:50:46 2010 Subject: Filetype/Filename Rules: strip attachment AND forward original mail to third address Message-ID: <4BD57E0B.4030304@f-i-ts.net> Hi # Syntax is allow/deny/deny+delete/email-addresses, then regular expression, # then log text, then user report text. # # The "email-addresses" can be a space or comma-separated list of email # addresses. If the rule hits, the message will be sent to these address(es) # instead of the original recipients. Is it possible, to deny a attachment (and have the mail sent to the original recipient without the attachment) AND have the original mail (with the attachment included) forwarded to another email-address? For example: 1) mail to user@domain.com with "fun.exe" attached comes in 2) mail is sent to user@domain.com, but "fun.exe" has been replaced by "stored.filename.message.txt" 3) a copy of the original mail with fun.exe included is forwarded to security-admins@example.com "clean" mails should not be forwarded Is something like this possible? Thanks in advance, Markus From sandrews at andrewscompanies.com Mon Apr 26 13:25:13 2010 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Mon Apr 26 13:25:23 2010 Subject: ClamAv 0.96 is out In-Reply-To: References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net><4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net><4BB68959.9060008@msapiro.net> <76415AED4CCF214F80FD9B0DA9A9EE45429A67@HC-MBX01.herefordshire.gov.uk><4BD05B3A.703@ecs.soton.ac.uk> Message-ID: <1964AAFBC212F742958F9275BF63DBB0E315D5@winchester.andrewscompanies.com> Has this been rolled into the latest easy install package? 
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, April 22, 2010 10:21 AM To: MailScanner discussion Subject: Re: ClamAv 0.96 is out Look in /usr/lib/MailScanner/MessageBatch.pm In there around line 1212 or so you will find a line that looks like this: my $MessageDir = tempdir( 'MSlintXXXXXX', CLEANUP => 1); Change this to read my $MessageDir = tempdir( 'MSlintXXXXXX', TMPDIR => 1, CLEANUP => 1); and "MailScanner --lint" will work properly again. I was just putting a temporary directory (which I don't use but which needs to be there for the code to work) in the wrong place. Jules. On 09/04/2010 09:39, Randal, Phil wrote: > Scott Silva wrote: > >> on 4-8-2010 12:31 PM Kai Schaetzl spake the following: >> >>> Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700: >>> >>> >>>> Changed >>>> incoming work user to clamav and changed incoming work group to >>>> blank... >>>> >>> Thanks for the suggestion, but this doesn't work for me. I changed to >>> user = clamav and then also removed the group as you did. >>> >>> The result of that (in both cases) is that the owner of the directory >>> is now postfix and the error already happens in MS. >>> >>> Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not >>> writable at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line >>> 1211 >>> >>> As I said I think there is something wrong about the group ownership >>> or permissions only in the lint code that wasn't a problem before >>> 0.96 but now is. Maybe clamav used ftstat before which doesn't need >>> execute permission. >>> >>> Kai >>> >>> >> I guess I should have been more specific. I am using sendmail. Maybe >> Julian will see this thread when he is free and something will pop in >> his head. I am also having some problems with the new spamassassin, >> but I downgraded, as I don't have time to deal with that right now. 
>> > It doesn't work for me with sendmail, either. > > The only workaround I have which works is to comment out > > user clamav > > in /etc/clamd.conf and restart clamd. > > I haven't had the time to dig into MailScanner's lint and virus scanning > code, alas. > > Cheers, > > Phil > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Apr 26 14:44:28 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 26 14:44:46 2010 Subject: ClamAv 0.96 is out In-Reply-To: <1964AAFBC212F742958F9275BF63DBB0E315D5@winchester.andrewscompanies.com> References: <76415AED4CCF214F80FD9B0DA9A9EE45429622@HC-MBX01.herefordshire.gov.uk> <4BB4D63C.1050108@msapiro.net> <4BB60FD0.8020907@msapiro.net> <4BB65D77.2070900@ruraltel.net><4BB65EF9.1030705@alexb.ch> <4BB686BA.1000607@msapiro.net><4BB68959.9060008@msapiro.net> <76415AED4CCF214F80FD9B0DA9A9EE45429A67@HC-MBX01.herefordshire.gov.uk><4BD05B3A.703@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB0E315D5@winchester.andrewscompanies.com> <4BD598BC.2010904@ecs.soton.ac.uk> Message-ID: It has now :-) On 26/04/2010 13:25, Steven Andrews wrote: > Has this been rolled into the latest easy install package? 
> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Thursday, April 22, 2010 10:21 AM > To: MailScanner discussion > Subject: Re: ClamAv 0.96 is out > > Look in /usr/lib/MailScanner/MessageBatch.pm > > In there around line 1212 or so you will find a line that looks like > this: > my $MessageDir = tempdir( 'MSlintXXXXXX', CLEANUP => 1); > > Change this to read > my $MessageDir = tempdir( 'MSlintXXXXXX', TMPDIR => 1, CLEANUP => 1); > > and "MailScanner --lint" will work properly again. I was just putting a > temporary directory (which I don't use but which needs to be there for > the code to work) in the wrong place. > > Jules. > > On 09/04/2010 09:39, Randal, Phil wrote: > >> Scott Silva wrote: >> >> >>> on 4-8-2010 12:31 PM Kai Schaetzl spake the following: >>> >>> >>>> Scott Silva wrote on Mon, 05 Apr 2010 16:33:25 -0700: >>>> >>>> >>>> >>>>> Changed >>>>> incoming work user to clamav and changed incoming work group to >>>>> blank... >>>>> >>>>> >>>> Thanks for the suggestion, but this doesn't work for me. I changed >>>> > to > >>>> user = clamav and then also removed the group as you did. >>>> >>>> The result of that (in both cases) is that the owner of the >>>> > directory > >>>> is now postfix and the error already happens in MS. >>>> >>>> Error in tempdir() using MSlintXXXXXX: Parent directory (.) is not >>>> writable at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line >>>> 1211 >>>> >>>> As I said I think there is something wrong about the group ownership >>>> or permissions only in the lint code that wasn't a problem before >>>> 0.96 but now is. Maybe clamav used ftstat before which doesn't need >>>> execute permission. >>>> >>>> Kai >>>> >>>> >>>> >>> I guess I should have been more specific. I am using sendmail. Maybe >>> Julian will see this thread when he is free and something will pop in >>> his head. 
I am also having some problems with the new spamassassin, >>> but I downgraded, as I don't have time to deal with that right now. >>> >>> >> It doesn't work for me with sendmail, either. >> >> The only workaround I have which works is to comment out >> >> user clamav >> >> in /etc/clamd.conf and restart clamd. >> >> I haven't had the time to dig into MailScanner's lint and virus >> > scanning > >> code, alas. >> >> Cheers, >> >> Phil >> >> >> > Jules > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From noel.butler at ausics.net Tue Apr 27 00:36:41 2010 From: noel.butler at ausics.net (Noel Butler) Date: Tue Apr 27 00:37:05 2010 Subject: MailScanner under openvz In-Reply-To: References: <1272240804.7560.30.camel@tardis> <4BD544F3.9030208@ecs.soton.ac.uk> Message-ID: <1272325001.8722.13.camel@tardis> On Mon, 2010-04-26 at 08:46 +0100, Julian Field wrote: > > > > So I dropped the kids to "2" and it starts, all good as it should. > > > > 26227 ? Ss 0:00 MailScanner: master waiting for children, > > sleeping > > 26232 ? S 0:02 MailScanner: waiting for messages > > 28345 ? S 0:02 MailScanner: waiting for messages > > > > Except.. (yep there's always an "except")... > > Often, a child grabs the batch, then, the other kid grabs it, > > processing it twice, resulting in the recipient getting two copies of > > the message. > That's a locking fault. > > That's what I thought but all perms seem correct. > > and.. 
then, if it restarts itself as per the restart timeout value, > > they end up like this, trying to start a child, even though it already > > has restarted itself and both of its kids (and we don't ever see 26227 > > return to master state.) > > 16328 ? S 0:02 MailScanner: waiting for messages > > 18049 ? S 0:02 MailScanner: waiting for messages > > 26227 ? Ss 0:00 MailScanner: starting child > What happens if you put a message or two into mqueue.in and then > "MailScanner --debug" ? > Does that produce any errors or warnings? Using postfix, but have run debug about 20 times in past week with single and multiple batches, and every time normal. > And what does your maillog say about the whole process? Any give-aways > there? > Not a thing, that's just it, it gives nothing away, all looks normal. I have asked their host provider to see if it is exceeding any limits but going by what Anthony suggested I look at, it doesn't appear to be going near exceeding anything. Cheers From nick at inticon.net.au Tue Apr 27 01:09:49 2010 From: nick at inticon.net.au (Nick Brown) Date: Tue Apr 27 01:10:16 2010 Subject: MailScanner under openvz In-Reply-To: <1272325001.8722.13.camel@tardis> References: <1272240804.7560.30.camel@tardis> <4BD544F3.9030208@ecs.soton.ac.uk> <1272325001.8722.13.camel@tardis> Message-ID: <019601cae59d$f3edbaf0$dbc930d0$@net.au> On Mon, 2010-04-26 at 08:46 +0100, Julian Field wrote: > > So I dropped the kids to "2" and it starts, all good as it should. > > 26227 ? Ss 0:00 MailScanner: master waiting for children, > sleeping > 26232 ? S 0:02 MailScanner: waiting for messages > 28345 ? S 0:02 MailScanner: waiting for messages > > Except.. (yep there's always an "except")... 
> Often, a child grabs the batch, then, the other kid grabs it, > processing it twice, resulting in the recipient getting two copies of > the message. That's a locking fault. > That's what I thought but all perms seem correct. I've never looked at how MailScanner handles file locking - however have seen a similar issue previously where the filesystem was stored over NFS (Which requires some rejigging to get "file locking support" out of the box) however the end user was not aware due to the fact it was a Virtuozzo VE. Nick. From tony at ai.net.nz Tue Apr 27 02:49:25 2010 From: tony at ai.net.nz (Tony Arcus) Date: Tue Apr 27 02:49:46 2010 Subject: Upgrade not delivering emails Message-ID: <20100427134925.17212crahdv8mzs5@mail.ai.net.nz> This is my first post, so a bit of background. Had a couple of emails servers stop sending emails, they backed up in the inbound queue. Did a search and saw the need to upgrade clamav. So upgrade the servers Version 4.79.11-1 & ClamAV 0.95.3 and SpamAssassin 3.3.0 Still a few problems This morning saw the new ClamAV 0.96 and SpamAssassin 3.3.0 and now almost all sweet. BUT One server is still not sending emails to users, but it does seem to be sending some spam though from time to time. If I run it in debug mode nothing jumps out to me, the emails are processed but end back in the inbound queue and not the user. 
Here is the --lint though I am getting an error here Trying to setlogsock(unix) Reading configuration file /etc/MailScanner/MailScanner.conf Reading configuration file /etc/MailScanner/conf.d/README Read 859 hostnames from the phishing whitelist Read 5874 hostnames from the phishing blacklists Config: calling custom init function SQLBlacklist Starting up SQL Blacklist Read 0 blacklist entries Config: calling custom init function MailWatchLogging Started SQL Logging child Config: calling custom init function SQLWhitelist Starting up SQL Whitelist Read 0 whitelist entries Checking version numbers... Version number in MailScanner.conf (4.79.11) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Connected to Processing Attempts Database Created Processing Attempts Database successfully There are 100 messages in the Processing Attempts Database Using locktype = posix MailScanner.conf says "Virus Scanners = clamavmodule" Found these virus scanners installed: clamavmodule =========================================================================== Filename Checks: Windows/DOS Executable (1 eicar.com) Other Checks: Found 1 problems Virus and Content Scanning: Starting ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./1/eicar.com Commercial scanner clamavmodule timed out! at /usr/lib/MailScanner/MailScanner/S clamavmodule: Failed to complete, timed out at /usr/lib/MailScanner/MailScanner/ Virus Scanning: Denial Of Service attack detected! at /usr/lib/MailScanner/MailS I do not believe that I am suffering a denial of service attack but that the anti-virus is having issues, can anyone shed any light on this please. 
Thanks -- Tony Arcus Systems and Network Engineer Access Information Limited PO Box 122 Carterton Wairarapa Phone : 06-379-6668 Phone : 04-831-1401 Email : tony@ai.net.nz Cell : 021-827-660 This email and any accompanying documentation may contain privileged and confidential information. If you are not the intended recipient, your use of the information is strictly prohibited. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Apr 27 08:49:11 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 27 08:49:27 2010 Subject: MailScanner under openvz In-Reply-To: <019601cae59d$f3edbaf0$dbc930d0$@net.au> References: <1272240804.7560.30.camel@tardis> <4BD544F3.9030208@ecs.soton.ac.uk> <1272325001.8722.13.camel@tardis> <019601cae59d$f3edbaf0$dbc930d0$@net.au> <4BD696F7.8040406@ecs.soton.ac.uk> Message-ID: On 27/04/2010 01:09, Nick Brown wrote: > > On Mon, 2010-04-26 at 08:46 +0100, Julian Field wrote: > > > > > > So I dropped the kids to "2" and it starts, all good as it should. > > > > 26227 ? Ss 0:00 MailScanner: master waiting for children, > > sleeping > > 26232 ? S 0:02 MailScanner: waiting for messages > > 28345 ? S 0:02 MailScanner: waiting for messages > > > > Except.. (yep there's always an "except")... > > Often, a child grabs the batch, then, the other kid grabs it, > > processing it twice, resulting in the recipient getting two copies of > > the message. > That's a locking fault. > > > > That's what I thought but all perms seem correct. > > I've never looked at how MailScanner handles file locking - however > have seen a similar issue previously where the filesystem was stored > over NFS (Which requires some rejigging to get "file locking support" 
> out of the box) > MailScanner does not support shared queues over NFS. NFS file locking is a total nightmare, you're trying to impose a stateful system (file-locking) on a stateless file server protocol (NFS). > > however the end user was not aware due to the fact it was a Virtuozzo VE. > > Nick. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Tue Apr 27 08:51:27 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 27 08:51:57 2010 Subject: Upgrade not delivering emails In-Reply-To: <20100427134925.17212crahdv8mzs5@mail.ai.net.nz> References: <20100427134925.17212crahdv8mzs5@mail.ai.net.nz> <4BD6977F.8020405@ecs.soton.ac.uk> Message-ID: I would strongly advise you ditch clamavmodule and switch to clamd instead. Remove all trace of ClamAV from /usr/local, then install the ClamAV RPMs from packages.sw.be (an RPMforge site). Then ensure the socket filenames are the same in /etc/clamd.conf and /etc/MailScanner/MailScanner.conf and set "Virus Scanners = clamd". It will be faster and use a lot less memory. I'm considering removing the clamavmodule support altogether, it just isn't worth it being there any more. Jules. On 27/04/2010 02:49, Tony Arcus wrote: > This is my first post, so a bit of background. > > Had a couple of emails servers stop sending emails, they backed up in > the inbound queue. > Did a search and saw the need to upgrade clamav. 
> So upgrade the servers Version 4.79.11-1 & ClamAV 0.95.3 and > SpamAssassin 3.3.0 > Still a few problems > This morning saw the new ClamAV 0.96 and SpamAssassin 3.3.0 > and now almost all sweet. > > BUT > > One server is still not sending emails to users, but it does seem to > be sending some spam though from time to time. > If I run it in debug mode nothing jumps out to me, the emails are > processed but end back in the inbound queue and not the user. > Here is the --lint > > though I am getting an error here > > Trying to setlogsock(unix) > > Reading configuration file /etc/MailScanner/MailScanner.conf > Reading configuration file /etc/MailScanner/conf.d/README > Read 859 hostnames from the phishing whitelist > Read 5874 hostnames from the phishing blacklists > Config: calling custom init function SQLBlacklist > Starting up SQL Blacklist > Read 0 blacklist entries > Config: calling custom init function MailWatchLogging > Started SQL Logging child > Config: calling custom init function SQLWhitelist > Starting up SQL Whitelist > Read 0 whitelist entries > > Checking version numbers... > Version number in MailScanner.conf (4.79.11) is correct. > > Your envelope_sender_header in spam.assassin.prefs.conf is correct. > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. 
> Connected to Processing Attempts Database > Created Processing Attempts Database successfully > There are 100 messages in the Processing Attempts Database > Using locktype = posix > MailScanner.conf says "Virus Scanners = clamavmodule" > Found these virus scanners installed: clamavmodule > =========================================================================== > > Filename Checks: Windows/DOS Executable (1 eicar.com) > Other Checks: Found 1 problems > Virus and Content Scanning: Starting > ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./1/eicar.com > Commercial scanner clamavmodule timed out! at > /usr/lib/MailScanner/MailScanner/S > clamavmodule: Failed to complete, timed out at > /usr/lib/MailScanner/MailScanner/ > Virus Scanning: Denial Of Service attack detected! at > /usr/lib/MailScanner/MailS > > I do not believe that I am suffering a denial of service attack but > that the anti-virus is having issues, > can anyone shed any light on this please. > > Thanks > > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From paulo-m-roncon at ptinovacao.pt Tue Apr 27 12:37:44 2010 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Tue Apr 27 12:38:02 2010 Subject: Mailscanner problem logging to mailwatch In-Reply-To: <201004271103.o3RB0SJu006154@safir.blacknight.ie> References: <201004271103.o3RB0SJu006154@safir.blacknight.ie> Message-ID: Hello, This maybe be a bit off topic but: It seems that mailscanner isn't logging all messages to mailwatch (maillog table). 
Has anyone experienced this? Thanks, Paulo From alex at rtpty.com Tue Apr 27 13:07:32 2010 From: alex at rtpty.com (Alex Neuman) Date: Tue Apr 27 13:07:49 2010 Subject: Mailscanner problem logging to mailwatch In-Reply-To: References: <201004271103.o3RB0SJu006154@safir.blacknight.ie> Message-ID: What's the difference between those that are being logged and those that aren't? Did you try the mailwatch list? On Apr 27, 2010, at 6:37 AM, Paulo Roncon wrote: > It seems that mailscanner isn't logging all messages to mailwatch (maillog table). > Has anyone experienced this? From brad.mclean at cloudtechinc.com Tue Apr 27 15:27:22 2010 From: brad.mclean at cloudtechinc.com (Brad McLean) Date: Tue Apr 27 15:27:38 2010 Subject: What creates the quarantine folder each day. Message-ID: <00db01cae615$bfe94d00$3fbbe700$@mclean@cloudtechinc.com> We have been running 2 MailScanner servers for the past 8 months without any trouble. Over the past week we have been experiencing trouble with the inbound mailq piling up. As best I can tell, at midnight each night some process creates the folder /var/spool/MailScanner/quarantine/. If the folder does not exist then the MailScanner process all show as and the queue builds up. I manually create the folder and set the proper ownership and the MailScanner processes start to process the mailq. We are running CentOs 5.3 with MailScanner 4.75.11 with Postfix MTA. If I could figure out what creates this folder each day I may be able to solve the issue. I suspect that it probably is permissions stopping it from being created but I have not found anything in any log. Any help would be greatly appreciated. Thanks Brad From MailScanner at ecs.soton.ac.uk Tue Apr 27 15:41:38 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 27 15:41:58 2010 Subject: What creates the quarantine folder each day. 
In-Reply-To: <00db01cae615$bfe94d00$3fbbe700$@mclean@cloudtechinc.com> References: <00db01cae615$bfe94d00$3fbbe700$@mclean@cloudtechinc.com> <4BD6F7A2.80209@ecs.soton.ac.uk> Message-ID: It's created at the start of sub StoreInfections in /usr/lib/MailScanner/MailScanner/Quarantine.pm. In other words, MailScanner itself creates the directory. On 27/04/2010 15:27, Brad McLean wrote: > We have been running 2 MailScanner servers for the past 8 months without any > trouble. Over the past week we have been experiencing trouble with the > inbound mailq piling up. As best I can tell, at midnight each night some > process creates the folder /var/spool/MailScanner/quarantine/. > If the folder does not exist then the MailScanner process all show as > and the queue builds up. I manually create the folder and set the > proper ownership and the MailScanner processes start to process the mailq. > > We are running CentOs 5.3 with MailScanner 4.75.11 with Postfix MTA. > > If I could figure out what creates this folder each day I may be able to > solve the issue. I suspect that it probably is permissions stopping it from > being created but I have not found anything in any log. > > Any help would be greatly appreciated. > > Thanks > Brad > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From J.Ede at birchenallhowden.co.uk Tue Apr 27 20:22:08 2010 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Apr 27 20:22:42 2010 Subject: OT: Blocking persistent spammers using IPTables? 
Message-ID: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> We're debating blocking (using IPTables) IP's that register more than a set number of rejections (554 from spamhaus and other blacklists or persistently try random address@domain). Before we actually implement this I'm wondering if there can be any problems with this method? It will only be used for IP's that try to connect a significant number of times and we'll have an expiry on each IP so the blocklist doesn't keep growing indefinitely. Jason From alex at rtpty.com Tue Apr 27 20:33:03 2010 From: alex at rtpty.com (Alex Neuman) Date: Tue Apr 27 20:33:44 2010 Subject: OT: Blocking persistent spammers using IPTables? In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> Message-ID: <1907297098-1272396785-cardhu_decombobulator_blackberry.rim.net-1573530421-@bda942.bisx.prod.on.blackberry> Sounds sane. A lot of people do this using fail2ban or similar tools. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Jason Ede Date: Tue, 27 Apr 2010 20:22:08 To: MailScanner discussion Subject: OT: Blocking persistent spammers using IPTables? -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From vincent at zijnemail.nl Wed Apr 28 08:09:34 2010 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Wed Apr 28 08:09:45 2010 Subject: OT: Blocking persistent spammers using IPTables?
In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> Message-ID: Don't see a big issue there. As long as you pick the number of transgressions relatively high and your expiry time reasonable. I've been thinking about this for a while, but don't do it because it would mess up the statistics I provide for management to "prove the need for funding". I am doing this for ssh and pop3/imap, using SEC to auto-create iptables rules, to stop brute force attacks. On Tue, 27 Apr 2010 20:22:08 +0100, Jason Ede wrote: We're debating blocking (using IPTables) IP's that register more than a set number of rejections (554 from spamhaus and other blacklists or persistently try random address@domain). Before we actually implement this I'm wondering if there can be any problems with this method? It will only be used for IP's that try to connect a significant number of times and we'll have an expiry on each IP so the blocklist doesn't keep growing indefinitely. Jason From noel.butler at ausics.net Wed Apr 28 11:45:57 2010 From: noel.butler at ausics.net (Noel Butler) Date: Wed Apr 28 11:46:21 2010 Subject: MailScanner under openvz In-Reply-To: <019601cae59d$f3edbaf0$dbc930d0$@net.au> References: <1272240804.7560.30.camel@tardis> <4BD544F3.9030208@ecs.soton.ac.uk> <1272325001.8722.13.camel@tardis> <019601cae59d$f3edbaf0$dbc930d0$@net.au> Message-ID: <1272451557.7940.8.camel@tardis> Hi Nick, On Tue, 2010-04-27 at 10:09 +1000, Nick Brown wrote: > > I've never looked at how MailScanner handles file locking - however > have seen a similar issue previously where the filesystem was stored > over NFS (Which requires some rejigging to get "file locking support"
> out of the box) however the end user was not aware due to the fact it > was a Virtuozzo VE. > Yep, I looked into this and it is a SAN backend, so should be fine. I consider this to be an openvz problem, not a mailscanner one, so I'm dealing with the vps company to resolve. Cheers From paulo-m-roncon at ptinovacao.pt Wed Apr 28 12:49:53 2010 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Wed Apr 28 12:50:03 2010 Subject: Mailscanner problem logging to mailwatch In-Reply-To: <201004281102.o3SB0Oic032343@safir.blacknight.ie> References: <201004281102.o3SB0Oic032343@safir.blacknight.ie> Message-ID: Date: Tue, 27 Apr 2010 07:07:32 -0500 From: Alex Neuman Subject: Re: Mailscanner problem logging to mailwatch To: MailScanner discussion Message-ID: Content-Type: text/plain; charset=us-ascii What's the difference between those that are being logged and those that aren't? Did you try the mailwatch list? On Apr 27, 2010, at 6:37 AM, Paulo Roncon wrote: > It seems that mailscanner isn't logging all messages to mailwatch (maillog table). > Has anyone experienced this? The difference varies. A sample with 1500 messages only got logged 1000. In another timeframe I got 16000 messages and 12000 logged... I don't have any mysql errors. I have several servers logging to a single mysql server. From pparsons at columbiafuels.com Wed Apr 28 18:27:10 2010 From: pparsons at columbiafuels.com (Philip Parsons) Date: Wed Apr 28 18:28:57 2010 Subject: OT: Blocking persistent spammers using IPTables? In-Reply-To: References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> Message-ID: <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> If you are using MailScanner you should look into a program called Vispan.
IT scans the maillog and compiles lists of ips to automatically block according to whatever criteria you put in place. The good thing is that it releases the ip after 5 days as most spammers are using DHCP, but if the same machines starts to spam again it then blocks it for 10 days and so for and so long. Also has a nice little web based stats page. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vincent Verhagen Sent: Wednesday, April 28, 2010 12:10 AM To: MailScanner discussion Subject: Re: OT: Blocking persistent spammers using IPTables? Don't see a big issue there. As long as you pick the number of transgressions relatively high and your expiry time reasonable. I've been thinking about this for a while, but don't do it because it would mess up the statistics I provide for management to "prove the need for funding". I am doing this for ssh and pop3/imap, using SEC to auto-create iptables rules, to stop brute force attacks. On Tue, 27 Apr 2010 20:22:08 +0100, Jason Ede wrote: We're debating blocking (using IPTables) IP's that register more than a set number of rejections (554 from spamhaus and other blacklists or persistently try random address@domain). Before we actually implement this I'm wondering if there can be any problems with this method? It will only be used for IP's that try to connect a significant number of times and we'll have an expiry on each IP so the blocklist doesn't keep growing indefinitely. Jason From J.Ede at birchenallhowden.co.uk Wed Apr 28 19:01:26 2010 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Apr 28 19:02:03 2010 Subject: OT: Blocking persistent spammers using IPTables?
In-Reply-To: <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> Message-ID: <1213490F1F316842A544A850422BFA9635C5C7204B@BHLSBS.bhl.local> We already use Vispan and I'm not aware that this can block based on 554's. I think it can only block based on spam/viruses. Jason From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Philip Parsons Sent: 28 April 2010 18:27 To: MailScanner discussion Subject: RE: OT: Blocking persistent spammers using IPTables? If you are using MailScanner you should look into a program called Vispan. IT scans the maillog and compiles lists of ips to automatically block according to whatever criteria you put in place. The good thing is that it releases the ip after 5 days as most spammers are using DHCP, but if the same machines starts to spam again it then blocks it for 10 days and so for and so long. Also has a nice little web based stats page. From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vincent Verhagen Sent: Wednesday, April 28, 2010 12:10 AM To: MailScanner discussion Subject: Re: OT: Blocking persistent spammers using IPTables? Don't see a big issue there. As long as you pick the number of transgressions relatively high and your expiry time reasonable. I've been thinking about this for a while, but don't do it because it would mess up the statistics I provide for management to "prove the need for funding". I am doing this for ssh and pop3/imap, using SEC to auto-create iptables rules, to stop brute force attacks. On Tue, 27 Apr 2010 20:22:08 +0100, Jason Ede wrote: We're debating blocking (using IPTables) IP's that register more than a set number of rejections (554 from spamhaus and other blacklists or persistently try random address@domain).
Before we actually implement this I'm wondering if there can be any problems with this method? It will only be used for IP's that try to connect a significant number of times and we'll have an expiry on each IP so the blocklist doesn't keep growing indefinitely. Jason From mrm at medicine.wisc.edu Wed Apr 28 19:02:49 2010 From: mrm at medicine.wisc.edu (Michael Masse) Date: Wed Apr 28 19:03:10 2010 Subject: OT: Blocking persistent spammers using IPTables? In-Reply-To: <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> Message-ID: <4BD831F90200003E0000688F@gwmail.medicine.wisc.edu> >>> On 4/28/2010 at 12:27 PM, in message <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com>, "Philip Parsons" wrote: > If you are using MailScanner you should look into a program called Vispan. > IT scans the maillog and compiles lists of ips to automatically block > according to whatever criteria you put in place. The good thing is that it > releases the ip after 5 days as most spammers are using DHCP, but if the same > machines starts to spam again it then blocks it for 10 days and so for and so > long. Also has a nice little web based stats page. > I second this. I've been using VISpan for a long time and it works well at blocking persistent spammer IP's. It blocks at the MTA level and not the network level, but since we're talking about a software firewall (IPTables) my guess is that the difference between the two in cpu utilization and network traffic is negligible even on very busy systems.
-Mike From alex at rtpty.com Wed Apr 28 19:45:14 2010 From: alex at rtpty.com (Alex Neuman) Date: Wed Apr 28 19:45:32 2010 Subject: OT: Blocking persistent spammers using IPTables? In-Reply-To: <1213490F1F316842A544A850422BFA9635C5C7204B@BHLSBS.bhl.local> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local><7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com><1213490F1F316842A544A850422BFA9635C5C7204B@BHLSBS.bhl.local> Message-ID: <472655814-1272480316-cardhu_decombobulator_blackberry.rim.net-224907112-@bda942.bisx.prod.on.blackberry> Fail2ban. Look into it. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Jason Ede Date: Wed, 28 Apr 2010 19:01:26 To: MailScanner discussion Subject: RE: OT: Blocking persistent spammers using IPTables? -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From neilsotheby at hotmail.com Wed Apr 28 22:08:21 2010 From: neilsotheby at hotmail.com (Neil Sotheby) Date: Wed Apr 28 22:08:31 2010 Subject: What creates the quarantine folder each day. In-Reply-To: References: <00db01cae615$bfe94d00$3fbbe700$@mclean@cloudtechinc.com>, <4BD6F7A2.80209@ecs.soton.ac.uk>, Message-ID: Do you use mailwatch? I seem to remember there's a way to fix this in one of the tutorials. Seem to think it was an ubuntu issue now I think about it though! Neil > Date: Tue, 27 Apr 2010 15:41:38 +0100 > From: MailScanner@ecs.soton.ac.uk > To: mailscanner@lists.mailscanner.info > Subject: Re: What creates the quarantine folder each day. > > It's created at the start of sub StoreInfections in > /usr/lib/MailScanner/MailScanner/Quarantine.pm. > In other words, MailScanner itself creates the directory. 
> > On 27/04/2010 15:27, Brad McLean wrote: > > We have been running 2 MailScanner servers for the past 8 months without any > > trouble. Over the past week we have been experiencing trouble with the > > inbound mailq piling up. As best I can tell, at midnight each night some > > process creates the folder /var/spool/MailScanner/quarantine/. > > If the folder does not exist then the MailScanner process all show as > > and the queue builds up. I manually create the folder and set the > > proper ownership and the MailScanner processes start to process the mailq. > > > > We are running CentOs 5.3 with MailScanner 4.75.11 with Postfix MTA. > > > > If I could figure out what creates this folder each day I may be able to > > solve the issue. I suspect that it probably is permissions stopping it from > > being created but I have not found anything in any log. > > > > Any help would be greatly appreciated. > > > > Thanks > > Brad > > > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! _________________________________________________________________ http://clk.atdmt.com/UKM/go/195013117/direct/01/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100428/f7ddae75/attachment.html From brad.mclean at cloudtechinc.com Wed Apr 28 23:04:43 2010 From: brad.mclean at cloudtechinc.com (Brad McLean) Date: Wed Apr 28 23:05:02 2010 Subject: What creates the quarantine folder each day. In-Reply-To: References: <00db01cae615$bfe94d00$3fbbe700$@mclean@cloudtechinc.com>, <4BD6F7A2.80209@ecs.soton.ac.uk>, Message-ID: <01e601cae71e$ce7f8820$6b7e9860$@mclean@cloudtechinc.com> I do you mailwatch. I was able to fix the problem. It turns out that the permissions on the folder /var/spool/MailScanner/quarantine were incorrect. Somehow, magically the folder owner and group were not the same as the "run as user" and "run as group" from MailScanner.conf. Once I did a chown on the folder everything has been good. I appreciate everyone's help. Brad From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Neil Sotheby Sent: Wednesday, April 28, 2010 4:08 PM To: MailScanner discussion Subject: RE: What creates the quarantine folder each day. Do you use mailwatch? I seem to remember there's a way to fix this in one of the tutorials. Seem to think it was an ubuntu issue now I think about it though! Neil > Date: Tue, 27 Apr 2010 15:41:38 +0100 > From: MailScanner@ecs.soton.ac.uk > To: mailscanner@lists.mailscanner.info > Subject: Re: What creates the quarantine folder each day. > > It's created at the start of sub StoreInfections in > /usr/lib/MailScanner/MailScanner/Quarantine.pm. > In other words, MailScanner itself creates the directory. > > On 27/04/2010 15:27, Brad McLean wrote: > > We have been running 2 MailScanner servers for the past 8 months without any > > trouble. Over the past week we have been experiencing trouble with the > > inbound mailq piling up. As best I can tell, at midnight each night some > > process creates the folder /var/spool/MailScanner/quarantine/. 
> > If the folder does not exist then the MailScanner process all show as > > and the queue builds up. I manually create the folder and set the > > proper ownership and the MailScanner processes start to process the mailq. > > > > We are running CentOs 5.3 with MailScanner 4.75.11 with Postfix MTA. > > > > If I could figure out what creates this folder each day I may be able to > > solve the issue. I suspect that it probably is permissions stopping it from > > being created but I have not found anything in any log. > > > > Any help would be greatly appreciated. > > > > Thanks > > Brad > > > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ________________________________________ From hvdkooij at vanderkooij.org Thu Apr 29 08:48:42 2010 From: hvdkooij at vanderkooij.org (hvdkooij) Date: Thu Apr 29 08:49:59 2010 Subject: OT: Blocking persistent spammers using IPTables? 
In-Reply-To: <4BD831F90200003E0000688F@gwmail.medicine.wisc.edu> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> <4BD831F90200003E0000688F@gwmail.medicine.wisc.edu> Message-ID: <6cb8752924ef33bfdeddb26209799269@127.0.0.1> On Wed, 28 Apr 2010 13:02:49 -0500, "Michael Masse" wrote: > I second this. I've been using VISpan for a long time and it works well > at blocking persistent spammer IP's. It blocks at the MTA level and not > the network level, but since we're talking about a software firewall > (IPTables) my guess is that the difference between the two in cpu > utilization and network traffic is negligible even on very busy systems. Blocking based on iptables is very, very light. Spawning another postfix process to handle the new connection and reject it is much more CPU intensive. I guess the impact with various MTA's may differ but all of them will need to do a lot more than what iptables will do so iptables is much less weight on your server. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From hvdkooij at vanderkooij.org Thu Apr 29 09:14:32 2010 From: hvdkooij at vanderkooij.org (hvdkooij) Date: Thu Apr 29 09:15:48 2010 Subject: What creates the quarantine folder each day. In-Reply-To: <01e601cae71e$ce7f8820$6b7e9860$@mclean@cloudtechinc.com> References: <00db01cae615$bfe94d00$3fbbe700$@mclean@cloudtechinc.com>, <4BD6F7A2.80209@ecs.soton.ac.uk>, <01e601cae71e$ce7f8820$6b7e9860$@mclean@cloudtechinc.com> Message-ID: On Wed, 28 Apr 2010 17:04:43 -0500, "Brad McLean" wrote: > I do you mailwatch. I was able to fix the problem. It turns out that the > permissions on the folder /var/spool/MailScanner/quarantine were incorrect. > > Somehow, magically the folder owner and group were not the same as the "run > as user" and "run as group" from MailScanner.conf.
Once I did a chown on > the folder everything has been good. I had the same thing once due to the phishingupdate that did change the owner from postfix:postfix to root:root So perhaps that Jules can look into the issue and prevent the phishingupdate to set the owner incorrectly. (That is: deviating from the settings in the MailScanner.conf file.) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From mwen at f-i-ts.net Thu Apr 29 12:01:34 2010 From: mwen at f-i-ts.net (Markus Wennrich) Date: Thu Apr 29 12:01:44 2010 Subject: Filetype/Filename Rules: strip attachment AND forward original mail to third address In-Reply-To: <4BD57E0B.4030304@f-i-ts.net> References: <4BD57E0B.4030304@f-i-ts.net> Message-ID: <4BD9670E.3090602@f-i-ts.net> So no idea? Anybody? Markus Wennrich wrote: > Hi > > # Syntax is allow/deny/deny+delete/email-addresses, then regular expression, > # then log text, then user report text. > # > # The "email-addresses" can be a space or comma-separated list of email > # addresses. If the rule hits, the message will be sent to these address(es) > # instead of the original recipients. > > Is it possible, to deny a attachment (and have the mail sent to the > original recipient without the attachment) AND have the original mail > (with the attachment included) forwarded to another email-address? > > For example: > 1) mail to user@domain.com with "fun.exe" attached comes in > 2) mail is sent to user@domain.com, but "fun.exe" has been replaced by > "stored.filename.message.txt" > 3) a copy of the original mail with fun.exe included is forwarded to > security-admins@example.com > > "clean" mails should not be forwarded > > Is something like this possible? > > Thanks in advance, > > Markus > > > From alex at rtpty.com Thu Apr 29 12:22:02 2010 From: alex at rtpty.com (Alex Neuman) Date: Thu Apr 29 12:22:25 2010 Subject: OT: Blocking persistent spammers using IPTables? 
In-Reply-To: <6cb8752924ef33bfdeddb26209799269@127.0.0.1> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> <4BD831F90200003E0000688F@gwmail.medicine.wisc.edu> <6cb8752924ef33bfdeddb26209799269@127.0.0.1> Message-ID: <7A2A2CDB-B757-48D3-BD58-6CB143C81D83@rtpty.com> I believe Pat Morita put it best in "Karate Kid Part 2" when he said: "Remember, best block, no be there." So yes, using iptables definitely *is* the best way to go... As long as you're blocking smartly. MTA level blocks are better (even though they're more cpu intensive) only where you *need* to tell people "I'm not receiving mail from your IP for X and Y reason". If the definition you're using when blocking through iptables only includes conditions that would make it impossible for a legitimate user to be connecting to your server, then by all means implement it. If there is even a chance that a legitimate user will be connecting to your server from that IP address then dropping the traffic would add some time to the support call since you'd have to determine if the user's IP address is blacklisted at the firewall level. On Apr 29, 2010, at 2:48 AM, hvdkooij wrote: > Blocking based on iptables is very, very light. Spawning another postfix > process to handle the new connection and reject it is much more CPU > intensive. From MailScanner at ecs.soton.ac.uk Thu Apr 29 12:30:49 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Apr 29 12:30:59 2010 Subject: Filetype/Filename Rules: strip attachment AND forward original mail to third address In-Reply-To: <4BD9670E.3090602@f-i-ts.net> References: <4BD57E0B.4030304@f-i-ts.net> <4BD9670E.3090602@f-i-ts.net> <4BD96DE9.3030006@ecs.soton.ac.uk> Message-ID: On 29/04/2010 12:01, Markus Wennrich wrote: > So no idea? Anybody?
> > Markus Wennrich wrote: > >> Hi >> >> # Syntax is allow/deny/deny+delete/email-addresses, then regular expression, >> # then log text, then user report text. >> # >> # The "email-addresses" can be a space or comma-separated list of email >> # addresses. If the rule hits, the message will be sent to these address(es) >> # instead of the original recipients. >> >> Is it possible, to deny a attachment (and have the mail sent to the >> original recipient without the attachment) AND have the original mail >> (with the attachment included) forwarded to another email-address? >> >> For example: >> 1) mail to user@domain.com with "fun.exe" attached comes in >> 2) mail is sent to user@domain.com, but "fun.exe" has been replaced by >> "stored.filename.message.txt" >> 3) a copy of the original mail with fun.exe included is forwarded to >> security-admins@example.com >> >> "clean" mails should not be forwarded >> >> Is something like this possible? >> Not currently, no. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Thu Apr 29 16:03:12 2010 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 29 16:03:52 2010 Subject: OT: Blocking persistent spammers using IPTables? 
In-Reply-To: <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> Message-ID: <4BD99FB0.7000700@cnpapers.com> Philip Parsons wrote: > > If you are using MailScanner you should look into a program called > Vispan. IT scans the maillog and compiles lists of ips to > automatically block according to whatever criteria you put in place. > The good thing is that it releases the ip after 5 days as most > spammers are using DHCP, but if the same machines starts to spam again > it then blocks it for 10 days and so for and so long. Also has a nice > little web based stats page. > > Phillip, Since this is labeled OT, hope you don't mind answering a few questions about Vispan, and that the list doesn't mind the out-of-range stuff. I don't really see how or where Vispan creates a list of IP for me. I don't understand what the UseHeuristics parm is supposed to do. And I haven't really found how to set up rbldnsd anywhere. All google searches end in insufficient explanations, although most touch on some of this. At this point in time, I have both UseAccess and UseIPTables set to 0 but have try setting UseHeuristics to both 0 and 1 without any difference I could see. If you have time, could you respond to the above, either online or offline? Thanks, Steve Campbell From ms-list at alexb.ch Thu Apr 29 16:18:34 2010 From: ms-list at alexb.ch (Alex Broens) Date: Thu Apr 29 16:18:44 2010 Subject: OT: Blocking persistent spammers using IPTables? 
In-Reply-To: <4BD99FB0.7000700@cnpapers.com> References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local> <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com> <4BD99FB0.7000700@cnpapers.com> Message-ID: <4BD9A34A.50001@alexb.ch> On 2010-04-29 17:03, Steve Campbell wrote: > > > Philip Parsons wrote: >> >> If you are using MailScanner you should look into a program called >> Vispan. IT scans the maillog and compiles lists of ips to >> automatically block according to whatever criteria you put in place. >> The good thing is that it releases the ip after 5 days as most >> spammers are using DHCP, but if the same machines starts to spam again >> it then blocks it for 10 days and so for and so long. Also has a nice >> little web based stats page. >> >> > Phillip, > > Since this is labeled OT, hope you don't mind answering a few questions > about Vispan, and that the list doesn't mind the out-of-range stuff. > > I don't really see how or where Vispan creates a list of IP for me. I > don't understand what the UseHeuristics parm is supposed to do. And I > haven't really found how to set up rbldnsd anywhere. All google searches > end in insufficient explanations, although most touch on some of this. > At this point in time, I have both UseAccess and UseIPTables set to 0 > but have try setting UseHeuristics to both 0 and 1 without any > difference I could see. http://www.google.com/search?q=rbldnsd+&btnG=Google+Search From campbell at cnpapers.com Thu Apr 29 17:35:53 2010 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 29 17:36:25 2010 Subject: OT: Blocking persistent spammers using IPTables? 
In-Reply-To: <4BD9A34A.50001@alexb.ch>
References: <1213490F1F316842A544A850422BFA9635C5C71FCD@BHLSBS.bhl.local>
 <7C62BFED4DC0CE488F93865D83A61E64020B4872@sprocket.columbiafuels.com>
 <4BD99FB0.7000700@cnpapers.com> <4BD9A34A.50001@alexb.ch>
Message-ID: <4BD9B569.9080602@cnpapers.com>

Thanks Alex,

I found most of that already, but somehow missed the man page. Sorry to
have caused the sigh!

steve

Alex Broens wrote:
> On 2010-04-29 17:03, Steve Campbell wrote:
>>
>>
>> Philip Parsons wrote:
>>>
>>> If you are using MailScanner you should look into a program called
>>> Vispan. It scans the maillog and compiles lists of IPs to
>>> automatically block according to whatever criteria you put in
>>> place. The good thing is that it releases the IP after 5 days as
>>> most spammers are using DHCP, but if the same machine starts to
>>> spam again it then blocks it for 10 days and so forth and so on.
>>> Also has a nice little web-based stats page.
>>>
>>>
>> Philip,
>>
>> Since this is labeled OT, hope you don't mind answering a few
>> questions about Vispan, and that the list doesn't mind the
>> out-of-range stuff.
>>
>> I don't really see how or where Vispan creates a list of IPs for me. I
>> don't understand what the UseHeuristics parm is supposed to do. And I
>> haven't really found how to set up rbldnsd anywhere. All Google
>> searches end in insufficient explanations, although most touch on
>> some of this. At this point in time, I have both UseAccess and
>> UseIPTables set to 0 but have tried setting UseHeuristics to both 0 and
>> 1 without any difference I could see.
>
>
> http://www.google.com/search?q=rbldnsd+&btnG=Google+Search
>
>

From dave.list at pixelhammer.com Wed Apr 21 14:54:13 2010
From: dave.list at pixelhammer.com (DAve)
Date: Sat Jun 12 16:21:48 2010
Subject: OT: Goodbye and hosting wanted
Message-ID: <4BCF0366.10207@pixelhammer.com>

All,

I will be unsubscribed to a lot of mail lists this week as my position
has been closed.
I am uncertain I want to continue with IT. I know some of you from as
far back as my Userland Frontier and HyperCard days. I want to thank
everyone for their help and assistance over the past 15 years. (Yes this
is going out to several lists).

I will need to move my hosted domain, email, and DNS this week. I am
sure I could continue to host it with my employer but I would rather
not. I don't need much, less than a dozen email accounts, simple PHP or
Perl, and DNS. My wife would like to start a LiveJournal or something
like it for her work here if a host can be found that supports that,
http://flickr.com/catchoftheday (Feel free to offer to purchase
something ;^).

Now that I am unemployed, inexpensive would be nice. I am open to
suggestions for hosting services.

Today, my wife and I are going to play hooky and do nothing.

Again, thanks everyone.

DAve

--
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Adams

http://appleseedinfo.org