From MailScanner at ecs.soton.ac.uk Tue Aug 3 11:33:56 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Aug 3 11:36:48 2010
Subject: New beta release 4.81.2
References: <4C57F094.8020501@ecs.soton.ac.uk>
Message-ID:

I have just released a new beta, with the intention of it becoming a stable release Real Soon Now(tm).
Since 4.79, quite a few things have happened:

* New Features and Improvements *
1 Upgraded AVG support to AVG version 8. Support no longer guaranteed for older versions.
2 Installers no longer over-write mailscanner.cf in SpamAssassin directory if the file or link exists.
3 Added support for McAfee version 6. Use the virus scanner name "mcafee6" to get this support. Many thanks to Phil Randal and Michael Miller for all their hard work on this.
4 Improved "file" command output processing so it stops at 1st "," to reduce false alarms greatly.
5 Added facility for over-riding MailScanner.conf settings and rulesets with those held in an SQL database.
  New settings are:
  DB DSN, DB Username, DB Password, SQL Serial Number, SQL Quick Peek, SQL Config, SQL Ruleset, SQL SpamAssassin Config, SQL Debug.
  See the MailScanner.conf file for more details.
5 Added dependency "Sys::SigAction" Perl module to installers.
6 Updated to Archive::Zip 1.30 and added Compress::Raw::Zlib dependency.
1 Slight improvement to check_mailscanner script to send some output to /dev/null for Greg Kuhnert.
2 "Scan Messages = virus" will *only* scan mail for viruses and nothing else at all. This makes simple setups where you only want virus scanning a whole lot easier to set up.

* Fixes *
1 A minor rewrite of a bit of the TNEF code to handle some systems' odd opinions about tainting data.
1 Minor tweak to avoid warning about insecure dependency in WorkArea.pm.
2 Fixed documentation for "Allow Multiple HTML Signatures" setting.
3 Fixed "MailScanner --lint" to not throw an erroneous error message about "MSlint" directory permissions.
3 Fixed error in MIME boundary checking that stopped a few very rare cases being checked.
5 Fixed issue where zip files in messages were unpacked with incorrect permissions.
5-2 Fixed bug introduced in 5-1.
7 Fixed ruleset-from-function bug introduced in 5-1.
9 Fixed bug where %variables% would not work in ruleset files.
10 Fixed bug on Linux systems where Postfix systems would change the ownership of the queue and work directories every time MailScanner was started.
1 Deny File MIME Types was ignored if new filetype rules used MIME checks.
2 Slight improvement to phishing trap to handle links with " in them.
2 Worked around nasty behaviour of Perl's "each()". Thanks Timofey!

All available from www.mailscanner.info as usual.

I would be very grateful if you could test this release and prove it's okay. In a few days I will release a stable version, if I get enough response that it is indeed all working okay.

Thanks folks!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From prandal at herefordshire.gov.uk Tue Aug 3 12:13:24 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Aug 3 12:13:43 2010
Subject: New beta release 4.81.2
In-Reply-To:
References: <4C57F094.8020501@ecs.soton.ac.uk>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45E5F841@HC-MBX01.herefordshire.gov.uk>

# MailScanner --lint
Missing right curly or square bracket at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1392, at end of line
syntax error at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1392, at EOF
Compilation failed in require at /usr/sbin/MailScanner line 103.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 103.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From peter.ong at hypermediasystems.com Tue Aug 3 15:06:38 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Aug 3 15:06:48 2010
Subject: New beta release 4.81.2
In-Reply-To:
Message-ID: <893323070.10986.1280844398085.JavaMail.root@mail021.dti>

> 4 Improved "file" command output processing so it stops at 1st "," to
> reduce false alarms greatly.

When I was a kid, my mom would take me to Bank of America, and I would marvel at how complicated the computers and their networks must have been in order to keep track of every single transaction for every single customer. Then, I got to work for a bank for 6 years as the person responsible for the money transfer system. Now I fear putting money in any bank, especially that one.

MailScanner took me a few weeks to tame what with all the "file" command issues we had. Now that I'm seeing the behind the scenes of the upgrade and I'm still licking my wounds, I dread this upgrade.

p

From Hostmaster at computerservicecentre.com Tue Aug 3 15:23:32 2010
From: Hostmaster at computerservicecentre.com (Hostmaster)
Date: Tue Aug 3 15:23:43 2010
Subject: New beta release 4.81.2
In-Reply-To: <893323070.10986.1280844398085.JavaMail.root@mail021.dti>
References: <893323070.10986.1280844398085.JavaMail.root@mail021.dti>
Message-ID: <3D9C92F3075F5144B46AA2C590F48E2A01036C9A@commssrv01.computerservicecentre.com>

Peter,
At the risk of jinxing it, I do have to jump to MailScanner's defence and say that in three years of updating MailScanner on a system which handles 25-30,000 emails a day, I am yet to encounter an issue during an upgrade.

Perhaps I have just been lucky, or you have been especially unlucky?

Kind Regards,
Richard

All E-Mail communications are monitored in addition to being content checked for malicious codes or viruses. The success of scanning products is not guaranteed, therefore the recipient(s) should carry out any checks that they believe to be appropriate in this respect.

This message (including any attachments and/or related materials) is confidential to and is the property of Computer Service Centre, unless otherwise noted. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Computer Service Centre.

From peter.ong at hypermediasystems.com Tue Aug 3 15:50:41 2010 From: peter.ong at hypermediasystems.com (Peter Ong) Date: Tue Aug 3 15:50:52 2010 Subject: New beta release 4.81.2 In-Reply-To: <977552146.11113.1280846214350.JavaMail.root@mail021.dti> Message-ID: <1129598436.11173.1280847041640.JavaMail.root@mail021.dti> Oh no, I was just drawing similarities, but not intended as an indictment to MailScanner at all. In fact, I suggested once that its name should be changed to Awesome MailScanner. It's just that the file command was a very hairy situation for me until I got it working the way I wanted it; and I was hardly getting any love from everyone about it. Of course, whether what I did was the right thing remains unknown, but it is now doing what I want it to do. Given the trauma I incurred during that time and seeing the "file" command related fixes in this release, I don't know how they will affect the configurations that were painstakingly borne from the fiery tempers of my users and especially the impatience of my higher ups. And by the way, my servers have a load of over 100K per day too. (o:`, As to my luck, well, the lottery here is up to 42 million again. We'll see. hehehe p ----- Original Message ----- > From: "Hostmaster" > To: "MailScanner discussion" > Sent: Tuesday, August 3, 2010 7:23:32 AM > Subject: RE: New beta release 4.81.2 > > Peter, > At the risk of jinxing it, I do have to jump to MailScanner's defence > and say > that in three years of updating MailScanner on a system which handles > 25-30,000 > emails a day, I am yet to encounter an issue during an upgrade. > > Perhaps I have just been lucky, or you have been especially unlucky? 
> > Kind Regards, > Richard > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Peter > Ong > Posted At: 03 August 2010 15:07 > Posted To: Hostmaster > Conversation: New beta release 4.81.2 > Subject: Re: New beta release 4.81.2 > > > 4 Improved "file" command output processing so it stops at 1st "," > to > > > > reduce false alarms greatly. > > When I was a kid, my mom would take me to Bank of America, and I would > marvel at > how complicated the computers and their networks must have been in > order to keep > track of every single transaction for every single customer. Then, I > got to work > for a bank for 6 years as the person responsible for the money > transfer system. > Now I fear putting money in any bank, especially that one. > > MailScanner took me a few weeks to tame what with all the "file" > command issues > we had. Now that I'm seeing the behind the scenes of the upgrade and > I'm still > licking my wounds, I dread this upgrade. > > p > > ----- Original Message ----- > > > From: "Julian Field" > > To: "MailScanner discussion" > > Sent: Tuesday, August 3, 2010 3:33:56 AM > > Subject: New beta release 4.81.2 > > > > I have just released a new beta, with the intention of it becoming > a > > stable release Real Soon Now(tm). > > Since 4.79, quite a few things have happened: > > > > * New Features and Improvements * > > 1 Upgraded AVG support to AVG version 8. Support no longer > guaranteed > > > > for older versions. > > 2 Installers no longer over-write mailscanner.cf in SpamAssassin > > directory if the file or link exists. > > 3 Added support for McAfee version 6. Use the virus scanner name > > "mcafee6" to get this support. Many thanks to Phil Randal and > Michael > > > > Miller for all their hard work on this. > > 4 Improved "file" command output processing so it stops at 1st "," > to > > > > reduce false alarms greatly. 
> > 5 Added facility for over-riding MailScanner.conf settings and > > rulesets with those held in an SQL database. > > New settings are: > > DB DSN, DB Username, DB Password, SQL Serial Number, SQL Quick > > Peek, SQL Config, SQL Ruleset, SQL SpamAssassin Config, SQL Debug. > > See the MailScanner.conf file for more details. > > 5 Added dependency "Sys::SigAction" Perl modules to installers. > > 6 Updated to Archive::Zip 1.30 and added Compress::Raw::Zlib > > dependency. > > 1 Slight improvement to check_mailscanner script to send some > output > > to /dev/null for Greg Kuhnert. > > 2 "Scan Messages = virus" will *only* scan mail for viruses and > > nothing else at all. This makes simple setups where you only want > > virus scanning a whole lot easier to set up. > > > > * Fixes * > > 1 A minor rewrite of a bit of the TNEF code to handle some systems' > > odd > > opinions about tainting data. > > 1 Minor tweak to avoid warning about insecure dependency in > > WorkArea.pm. > > 2 Fixed documentation for "Allow Multiple HTML Signatures" setting. > > 3 Fixed "MailScanner --lint" to not throw an erroneous error > message > > about "MSlint" directory permissions. > > 3 Fixed error in MIME boundary checking that stopped a few very > rare > > cases being checked. > > 5 Fixed issue where zip files in messages were unpacked with > incorrect > > > > permissions. > > 5-2 Fixed bug introduced in 5-1. > > 7 Fixed ruleset-from-function bug introduced in 5-1. > > 9 Fixed bug where %variables% would not work in ruleset files. > > 10 Fixed bug on Linux systems where Postfix systems would change > the > > ownership of the queue and work directories every time MailScanner > was > > > > started. > > 1 Deny File MIME Types was ignored if new filetype rules used MIME > > checks. > > 2 Slightly improvement to phishing trap to handle links with " in > > them. > > 2 Worked around nasty behaviour of Perl's "each()". Thanks Timofey! > > > > All available from www.mailscanner.info as usual. 
> > > > I would be very grateful if you could test this release and prove > it's > > > > okay. In a few days I will release a stable version, if I get > enough > > response that it is indeed all working okay. > > > > Thanks folks! > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > Need help customising MailScanner? > > Contact me! > > Need help fixing or optimising your systems? > > Contact me! > > Need help getting you started solving new requirements from your > boss? > > Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > > > > -- > > This message has been scanned for viruses and dangerous content by > > MailScanner, and is believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > ? > ? > All E-Mail communications are monitored in addition to being content > checked for malicious codes or viruses. The success of scanning > products is not guaranteed, therefore the recipient(s) should carry > out any checks that they believe to be appropriate in this respect. > ? > This message (including any attachments and/or related materials) is > confidential to and is the property of Computer Service Centre, unless > otherwise noted. 
If you are not the intended recipient, you should > delete this message and are hereby notified that any disclosure, > copying, or distribution of this message, or the taking of any action > based on it, is strictly prohibited. > ? > Any views or opinions presented are solely those of the author and do > not necessarily represent those of Computer Service Centre. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Tue Aug 3 16:24:55 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 3 16:25:12 2010 Subject: New beta release 4.81.2 In-Reply-To: <1129598436.11173.1280847041640.JavaMail.root@mail021.dti> References: <1129598436.11173.1280847041640.JavaMail.root@mail021.dti> <4C5834C7.3050703@ecs.soton.ac.uk> Message-ID: In case you need to change it back to its old behaviour, you want to look at lines 413 and 414 of SweepOther.pm. Line 413 is the old code (commented out) and line 414 is the new code. Simply move the comment symbol # to the other line to revert to the old behaviour. All it does is only look in the output of the file command (or of "file -i") for all the filetype-desribing text up to, but not including, the first "," instead of until the end of the line. This improves the behaviour with some filetypes, particularly Word documents, where the output of "file" includes loads of information extracted from the file being studied. That extra information may contain all sorts of things which are detected as keywords in your filetype.rules.conf file. Hopefully that will make the upgrade a whole lot easier for you! Jules. On 03/08/2010 15:50, Peter Ong wrote: > Oh no, I was just drawing similarities, but not intended as an indictment to MailScanner at all. 
In fact, I suggested once that its name should be changed to Awesome MailScanner. > > It's just that the file command was a very hairy situation for me until I got it working the way I wanted it; and I was hardly getting any love from everyone about it. Of course, whether what I did was the right thing remains unknown, but it is now doing what I want it to do. > > Given the trauma I incurred during that time and seeing the "file" command related fixes in this release, I don't know how they will affect the configurations that were painstakingly borne from the fiery tempers of my users and especially the impatience of my higher ups. > > And by the way, my servers have a load of over 100K per day too. (o:`, > > As to my luck, well, the lottery here is up to 42 million again. We'll see. > > hehehe > > p > > > ----- Original Message ----- > > >> From: "Hostmaster" >> To: "MailScanner discussion" >> Sent: Tuesday, August 3, 2010 7:23:32 AM >> Subject: RE: New beta release 4.81.2 >> >> Peter, >> At the risk of jinxing it, I do have to jump to MailScanner's defence >> and say >> that in three years of updating MailScanner on a system which handles >> 25-30,000 >> emails a day, I am yet to encounter an issue during an upgrade. >> >> Perhaps I have just been lucky, or you have been especially unlucky? >> >> Kind Regards, >> Richard >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Peter >> Ong >> Posted At: 03 August 2010 15:07 >> Posted To: Hostmaster >> Conversation: New beta release 4.81.2 >> Subject: Re: New beta release 4.81.2 >> >> >>> 4 Improved "file" command output processing so it stops at 1st "," >>> >> to >> >>> reduce false alarms greatly. 
>>> >> When I was a kid, my mom would take me to Bank of America, and I would >> marvel at >> how complicated the computers and their networks must have been in >> order to keep >> track of every single transaction for every single customer. Then, I >> got to work >> for a bank for 6 years as the person responsible for the money >> transfer system. >> Now I fear putting money in any bank, especially that one. >> >> MailScanner took me a few weeks to tame what with all the "file" >> command issues >> we had. Now that I'm seeing the behind the scenes of the upgrade and >> I'm still >> licking my wounds, I dread this upgrade. >> >> p >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> All E-Mail communications are monitored in addition to being content >> checked for malicious codes or viruses. The success of scanning >> products is not guaranteed, therefore the recipient(s) should carry >> out any checks that they believe to be appropriate in this respect. >> >> This message (including any attachments and/or related materials) is >> confidential to and is the property of Computer Service Centre, unless >> otherwise noted. If you are not the intended recipient, you should >> delete this message and are hereby notified that any disclosure, >> copying, or distribution of this message, or the taking of any action >> based on it, is strictly prohibited.
>> >> Any views or opinions presented are solely those of the author and do >> not necessarily represent those of Computer Service Centre. >> Jules From thomasl at mtl.mit.edu Tue Aug 3 16:53:42 2010 From: thomasl at mtl.mit.edu (Thomas Lohman) Date: Tue Aug 3 16:54:11 2010 Subject: New beta release 4.81.2 In-Reply-To: <1129598436.11173.1280847041640.JavaMail.root@mail021.dti> References: <1129598436.11173.1280847041640.JavaMail.root@mail021.dti> Message-ID: <4C583B86.5080009@mtl.mit.edu> > Given the trauma I incurred during that time and seeing the "file" > command related fixes in this release, I don't know how they will > affect the configurations that were painstakingly borne from the > fiery tempers of my users and especially the impatience of my higher > ups. Peter, given that, I'd highly recommend setting up a testing server where you can send a "shadow copy" of all your production e-mail in order to run it through the new version and see how things behave. This is what I do here and allows me to run a new version with production data but without having to touch the production server until I'm ready to deploy.
This type of set up may alleviate some of your concerns about upgrading to newer versions. But I do know where you are coming from - if it ain't broke, don't fix it, as they say. cheers, --tom From peter.ong at hypermediasystems.com Tue Aug 3 17:03:28 2010 From: peter.ong at hypermediasystems.com (Peter Ong) Date: Tue Aug 3 17:03:38 2010 Subject: New beta release 4.81.2 In-Reply-To: <4C583B86.5080009@mtl.mit.edu> Message-ID: <585958153.11324.1280851408793.JavaMail.root@mail021.dti> Thanks, Thomas. Actually I already do that. In fact, I have a mini-replica of the office at home. I run my own email server at home; trying to avoid getting caught in the next round of warrantless tapping by the next time the Patriot Act is invoked. I know I'll still be all over google's servers, but I'll at least minimize it. Hahaha. In any case, yes, I'll test the upgrade at my crib first, and then see how well that goes. When I get a good feeling about it, I'll deploy in the office. Thanks. p ----- Original Message ----- > From: "Thomas Lohman" > To: "MailScanner discussion" > Sent: Tuesday, August 3, 2010 8:53:42 AM > Subject: Re: New beta release 4.81.2 > > > Given the trauma I incurred during that time and seeing the "file" > > command related fixes in this release, I don't know how they will > > affect the configurations that were painstakingly borne from the > > fiery tempers of my users and especially the impatience of my > higher > > ups. > > Peter, given that, I'd highly recommend setting up a testing server > where you can send a "shadow copy" of all your production e-mail in > order to run it through the new version and see how things behave. > This > is what I do here and allows me to run a new version with production > data but without having to touch the production server until I'm ready > > to deploy. This type of set up may alleviate some of your concerns > about upgrading to newer versions. 
But I do know where you are coming > > from - if it ain't broke, don't fix it, as they say. > > cheers, > > > --tom From peter.ong at hypermediasystems.com Tue Aug 3 17:06:16 2010 From: peter.ong at hypermediasystems.com (Peter Ong) Date: Tue Aug 3 17:06:26 2010 Subject: New beta release 4.81.2 In-Reply-To: Message-ID: <1404937248.11326.1280851576926.JavaMail.root@mail021.dti> Thanks Julian. I'm making a note of it. p ----- Original Message ----- > From: "Julian Field" > To: "MailScanner discussion" > Sent: Tuesday, August 3, 2010 8:24:55 AM > Subject: Re: New beta release 4.81.2 > > In case you need to change it back to its old behaviour, you want to > look at lines 413 and 414 of SweepOther.pm. > Line 413 is the old code (commented out) and line 414 is the new > code. > Simply move the comment symbol # to the other line to revert to the > old > behaviour. > > All it does is only look in the output of the file command (or of > "file > -i") for all the filetype-describing text up to, but not including, the > > first "," instead of until the end of the line. This improves the > behaviour with some filetypes, particularly Word documents, where the > > output of "file" includes loads of information extracted from the file > > being studied. That extra information may contain all sorts of things > > which are detected as keywords in your filetype.rules.conf file. > > Hopefully that will make the upgrade a whole lot easier for you! > > Jules. From mark at msapiro.net Tue Aug 3 18:16:24 2010 From: mark at msapiro.net (Mark Sapiro) Date: Tue Aug 3 18:16:34 2010 Subject: New beta release 4.81.2 In-Reply-To: References: <4C57F094.8020501@ecs.soton.ac.uk> Message-ID: <4C584EE8.6090801@msapiro.net> On 11:59 AM, Julian Field wrote: > I have just released a new beta, with the intention of it becoming a > stable release Real Soon Now(tm). [...]
> I would be very grateful if you could test this release and prove it's > okay. In a few days I will release a stable version, if I get enough > response that it is indeed all working okay. Installed about an hour ago. All good so far. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From mark at msapiro.net Tue Aug 3 18:25:25 2010 From: mark at msapiro.net (Mark Sapiro) Date: Tue Aug 3 18:25:41 2010 Subject: New beta release 4.81.2 In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45E5F841@HC-MBX01.herefordshire.gov.uk> Message-ID: Randal, Phil wrote: ># MailScanner --lint >Missing right curly or square bracket at >/usr/lib/MailScanner/MailScanner/MessageBatch.pm line 1392, at end of >line >syntax error at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line >1392, at EOF >Compilation failed in require at /usr/sbin/MailScanner line 103. >BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 103. I don't see this on CentOS 5 with the rpm install. Also, in this diff between 4.80.10 and 4.81.2 I don't see any unpaired braces or brackets diff MS-4.80.10/MailScanner/MessageBatch.pm /usr/lib/MailScanner/MailScanner/MessageBatch.pm 5c5 < # $Id: MessageBatch.pm 5028 2010-06-09 21:21:29Z sysjkf $ --- > # $Id: MessageBatch.pm 5048 2010-08-03 11:19:15Z sysjkf $ 51c51 < $VERSION = substr q$Revision: 5028 $, 10; --- > $VERSION = substr q$Revision: 5048 $, 10; 262a263 > next if $message->{scanvirusonly}; # Over-rides Spam Checks setting 443c444,448 < return 0 unless $message->{deleted}; --- > if (!$message->{deleted}) { > # Do not remove the next line, it is vital to reset "each()"! 
> keys %{$this->{messages}}; > return 0; > } 978c983,987 < return if $posties =~ /^\s*$/; # Return if no opsties defined --- > if ($posties =~ /^\s*$/) { > keys %{$this->{messages}}; # Necessary line to reset "each()" > # Return if no posties defined > return; > } -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From alex at nanogherkin.com Tue Aug 3 18:34:45 2010 From: alex at nanogherkin.com (Alex Crow) Date: Tue Aug 3 18:34:56 2010 Subject: Pyzor issue - error from Mailscanner but not from SA or Pyzor run directly In-Reply-To: <4C54373C.5040602@nanogherkin.com> References: <4C54373C.5040602@nanogherkin.com> Message-ID: <4C585335.6090305@nanogherkin.com> On 31/07/10 15:46, Alex Crow wrote: > Hi all, > > I'm having this issue in MailScanner - when Pyzor check are run from > within ms, I get an error in the logs: > > 15:37:52 Jul 31 15:37:52.686 [13270] dbg: pyzor: pyzor is available: > /usr/bin/pyzor > 15:37:52 Jul 31 15:37:52.686 [13270] dbg: dns: entering helper-app run > mode > 15:37:52 Jul 31 15:37:52.686 [13270] dbg: pyzor: opening pipe: > /usr/bin/pyzor -d check < /tmp/.spamassassin13270K6yw83tmp > 15:37:52 Jul 31 15:37:52.690 [13272] dbg: util: setuid: ruid=89 euid=89 > 15:37:52 Jul 31 15:37:52.693 [13270] info: pyzor: [13272] error: exit 6 > 15:37:52 Jul 31 15:37:52.693 [13270] dbg: dns: leaving helper-app run > mode > 15:37:52 Jul 31 15:37:52.694 [13270] dbg: pyzor: check failed: no > response > > However, if I run as the postfix user (the one configured in > MailScanner.conf) > > spamassassin -D < /tmp/.spamassassin9936b1QieYtmp > > I get pyzor working: > > Jul 31 15:45:05.186 [13308] dbg: pyzor: pyzor is available: > /usr/bin/pyzor > Jul 31 15:45:05.186 [13308] dbg: dns: entering helper-app run mode > Jul 31 15:45:05.187 [13308] dbg: pyzor: opening pipe: /usr/bin/pyzor > -d check < /tmp/.spamassassin13308yrAHtDtmp > Jul 31 15:45:05.189 [13311] dbg: util: setuid: ruid=89 euid=89 > Jul 31 
15:45:05.242 [13308] dbg: pyzor: [13311] finished successfully > Jul 31 15:45:05.242 [13308] dbg: pyzor: got response: sending: 'User: > anonymous\nTime: 1280587505\nSig: > 47f0553e50650e0309d871f46cdc5dde598c3b1d\n\nOp: check\nOp-Digest: > 2108c5b03e2f3f526b3158395a05899745cde179\nThread: 9258\nPV: > 2.0\n\n'\nreceived: 'Thread: 9258\nCount: 5301\nWL-Count: 0\nCode: > 200\nDiag: OK\nPV: 2.0\n\n'\npublic.pyzor.org:24441 (200, 'OK') 5301 0 > Jul 31 15:45:05.243 [13308] dbg: dns: leaving helper-app run mode > Jul 31 15:45:05.243 [13308] dbg: pyzor: failure to parse response > "sending: 'User: anonymous\nTime: 1280587505\nSig: > 47f0553e50650e0309d871f46cdc5dde598c3b1d\n\nOp: check\nOp-Digest: > 2108c5b03e2f3f526b3158395a05899745cde179\nThread: 9258\nPV: 2.0\n\n'" > Jul 31 15:45:05.243 [13308] dbg: pyzor: failure to parse response > "received: 'Thread: 9258\nCount: 5301\nWL-Count: 0\nCode: 200\nDiag: > OK\nPV: 2.0\n\n'" > Jul 31 15:45:05.243 [13308] dbg: pyzor: listed: COUNT=5301/5 WHITELIST=0 > Jul 31 15:45:05.244 [13308] dbg: rules: ran eval rule PYZOR_CHECK > ======> got hit (1) > > I am running Centos 5.5 x64 with the latest ClamAV/SA easy-install > package from the MailScanner site installed. > > Any help gratefully received. > > Thanks > > Alex All, Are there any more details I need to provide for this? TBH it seems like a command parsing issue, as with my first test with real messages (copied from another MS server's queue) the error was still in the logs but Pyzor scores were recorded (verified in MailWatch). Cheers Alex From jaearick at colby.edu Tue Aug 3 19:13:50 2010 From: jaearick at colby.edu (jaearick@colby.edu) Date: Tue Aug 3 19:14:02 2010 Subject: New beta release 4.81.2 In-Reply-To: References: <4C57F094.8020501@ecs.soton.ac.uk> Message-ID: Julian, Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh issues.
The previous complaint from 4.80.10 with perl 5.12.1 of: > Using a hash as a reference is deprecated at > /opt/MailScanner/bin/MailScanner line 592. is now gone, thank you. I notice that a lot of the perl pm's in perl-tar haven't been updated, per my previous "bleeding edge" email. I installed with "--nomodules" to keep my newer pms in place. Jeff Earickson Colby College From kkobb at skylinecorp.com Wed Aug 4 13:42:22 2010 From: kkobb at skylinecorp.com (Kevin Kobb) Date: Wed Aug 4 13:42:40 2010 Subject: New beta release 4.81.2 In-Reply-To: References: <4C57F094.8020501@ecs.soton.ac.uk> Message-ID: <4C59602E.3020906@skylinecorp.com> On 8/3/2010 2:13 PM, jaearick@colby.edu wrote: > Julian, > > Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh > issues. The previous complaint from 4.80.10 with perl 5.12.1 of: > >> Using a hash as a reference is deprecated at >> /opt/MailScanner/bin/MailScanner line 592. > > is now gone, thank you. I notice that a lot of the perl pm's in > perl-tar haven't been updated, per my previous "bleeding edge" > email. I installed with "--nomodules" to keep my newer pms in place. > > Jeff Earickson > Colby College Curious. I just tried to upgrade the FreeBSD port on my test server and get the same message you were getting. mailscanner -v Using a hash as a reference is deprecated at /usr/local/sbin/mailscanner line 592. ... This is Perl version 5.012001 (5.12.1) This is MailScanner version 4.81.2 From damfam at gmail.com Wed Aug 4 13:44:30 2010 From: damfam at gmail.com (Edward Dam) Date: Wed Aug 4 13:44:39 2010 Subject: A (Hopefully easy) Question Message-ID: Hi all, I am hoping someone can answer these (hopefully) easy questions. I know this is possible as I had it working at another facility, but I no longer work for that company and how I did it escapes me right now (it was some time ago) What I need to accomplish is a rule that will forward a copy FROM and TO specific users to another user. 
For example, if a sales manager wants a copy all messages coming TO his sales team and going FROM his sales team forwarded to the "sales" mailbox. This is a sendmail config, and initially I thought I'd have to do it via the access.db but I distinctly recall making it happen via a mailscanner rule. Can anyone refresh my memory? Thanks! From jaearick at colby.edu Wed Aug 4 13:58:57 2010 From: jaearick at colby.edu (jaearick@colby.edu) Date: Wed Aug 4 13:59:10 2010 Subject: New beta release 4.81.2 In-Reply-To: <4C59602E.3020906@skylinecorp.com> References: <4C57F094.8020501@ecs.soton.ac.uk> <4C59602E.3020906@skylinecorp.com> Message-ID: On Wed, 4 Aug 2010, Kevin Kobb wrote: > Date: Wed, 04 Aug 2010 08:42:22 -0400 > From: Kevin Kobb > Reply-To: MailScanner discussion > To: mailscanner@lists.mailscanner.info > Subject: Re: New beta release 4.81.2 > > On 8/3/2010 2:13 PM, jaearick@colby.edu wrote: >> Julian, >> >> Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh issues. >> The previous complaint from 4.80.10 with perl 5.12.1 of: >> >>> Using a hash as a reference is deprecated at >>> /opt/MailScanner/bin/MailScanner line 592. >> >> is now gone, thank you. I notice that a lot of the perl pm's in >> perl-tar haven't been updated, per my previous "bleeding edge" >> email. I installed with "--nomodules" to keep my newer pms in place. >> >> Jeff Earickson >> Colby College > > Curious. > > I just tried to upgrade the FreeBSD port on my test server and get the same > message you were getting. > > mailscanner -v > Using a hash as a reference is deprecated at /usr/local/sbin/mailscanner line > 592. > ...
> This is Perl version 5.012001 (5.12.1) > This is MailScanner version 4.81.2 > I sent the beta list an email on July 12 (subject line contained "bleeding edge") where I noted that I had gone thru the list of perl modules supplied with 4.80.10, and then checked CPAN to see if newer versions were available. There were a bunch of newer versions out there. I downloaded them, created a new perl-tar directory with MailScanner + new perl modules, fixed the install.sh script to use the new module versions, then ran install.sh to shove out 4.80.10 + new perl modules. I saw the "hash as a reference is deprecated" complaint after this work and reported it. When I went to 4.81.2 yesterday, I used the "--nomodules" option on install.sh to only shove out the new beta. The "hash as a reference is deprecated" complaint then vanished; I thought Julian had done something new in 4.81.2 to fix it. Maybe not. So... My beta install is still bleeding edge: latest MS, latest perl modules, latest perl version. Julian may not be so brave in his beta release work. Jeff Earickson Colby College From peter.ong at hypermediasystems.com Wed Aug 4 14:58:38 2010 From: peter.ong at hypermediasystems.com (Peter Ong) Date: Wed Aug 4 14:58:49 2010 Subject: A (Hopefully easy) Question In-Reply-To: Message-ID: <1339511144.12235.1280930318025.JavaMail.root@mail021.dti> Erm, this is more like a forwarding list that is done at the MTA level. Outside of the archiving features of MailScanner, I don't know how you might be able to do this. You could do it at the MTA level, maybe on your /etc/alias If this is just your gateway, you can even do it at the internal MTA level. p ----- Original Message ----- > From: "Edward Dam" > To: mailscanner@lists.mailscanner.info > Sent: Wednesday, August 4, 2010 5:44:30 AM > Subject: A (Hopefully easy) Question > > Hi all, > > I am hoping someone can answer these (hopefully) easy questions. 
I > know this is possible as I had it working at another facility, but I > no longer work for that company and how I did it escapes me right now > (it was some time ago) > > What I need to accomplish is a rule that will forward a copy FROM and > TO specific users to another user. > > For example, if a sales manager wants a copy all messages coming TO > his sales team and going FROM his sales team forwarded to the "sales" > mailbox. > > This is a sendmail config, and initially I thought I'd have to do it > via the access.db but I distinctly recall making it happen via a > mailscanner rule. > > Can anyone refresh my memory? > > Thanks! > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From stef at aoc-uk.com Wed Aug 4 15:07:22 2010 From: stef at aoc-uk.com (Stef Morrell) Date: Wed Aug 4 15:07:44 2010 Subject: A (Hopefully easy) Question In-Reply-To: References: Message-ID: <201008041407.o74E7ZST007313@safir.blacknight.ie> Edward Dam wrote: > Hi all, > > I am hoping someone can answer these (hopefully) easy > questions. I know this is possible as I had it working at > another facility, but I no longer work for that company and > how I did it escapes me right now (it was some time ago) > > What I need to accomplish is a rule that will forward a copy > FROM and TO specific users to another user. > > For example, if a sales manager wants a copy all messages > coming TO his sales team and going FROM his sales team > forwarded to the "sales" mailbox. 

You might be able to achieve this in the MTA as Peter Ong suggests, but if not, then you probably want a ruleset for the 'Non Spam Actions' setting in MailScanner.conf with the following rules:

From: sender@company.com and To: recipient@company.com deliver forward sales@company.com
Default: deliver

Regards

Stef

From MailScanner at ecs.soton.ac.uk Wed Aug 4 15:08:25 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Aug 4 15:08:37 2010
Subject: New beta release 4.81.2
In-Reply-To: <4C59602E.3020906@skylinecorp.com>
References: <4C57F094.8020501@ecs.soton.ac.uk> <4C59602E.3020906@skylinecorp.com> <4C597459.5080607@ecs.soton.ac.uk>
Message-ID:

On 04/08/2010 13:42, Kevin Kobb wrote:
> On 8/3/2010 2:13 PM, jaearick@colby.edu wrote:
>> Julian,
>>
>> Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh
>> issues. The previous complaint from 4.80.10 with perl 5.12.1 of:
>>
>>> Using a hash as a reference is deprecated at
>>> /opt/MailScanner/bin/MailScanner line 592.
>>
>> is now gone, thank you. I notice that a lot of the perl pm's in
>> perl-tar haven't been updated, per my previous "bleeding edge"
>> email. I installed with "--nomodules" to keep my newer pms in place.
>>
>> Jeff Earickson
>> Colby College
>
> Curious.
>
> I just tried to upgrade the FreeBSD port on my test server and get the
> same message you were getting.
>
> mailscanner -v
> Using a hash as a reference is deprecated at
> /usr/local/sbin/mailscanner line 592.
I don't do the FreeBSD port, so they may not have upgraded their port to the -2 code yet.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From peter.ong at hypermediasystems.com Wed Aug 4 15:22:58 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Wed Aug 4 15:23:08 2010
Subject: A (Hopefully easy) Question
In-Reply-To: <201008041407.o74E7ZST007313@safir.blacknight.ie>
Message-ID: <901890092.12269.1280931778178.JavaMail.root@mail021.dti>

Queuel, didn't know about these tricks.

p

----- Original Message -----
> From: "Stef Morrell"
> To: "MailScanner discussion"
> Sent: Wednesday, August 4, 2010 7:07:22 AM
> Subject: RE: A (Hopefully easy) Question
>
> Edward Dam wrote:
> > Hi all,
> >
> > I am hoping someone can answer these (hopefully) easy
> > questions. I know this is possible as I had it working at
> > another facility, but I no longer work for that company and
> > how I did it escapes me right now (it was some time ago)
> >
> > What I need to accomplish is a rule that will forward a copy
> > FROM and TO specific users to another user.
> >
> > For example, if a sales manager wants a copy all messages
> > coming TO his sales team and going FROM his sales team
> > forwarded to the "sales" mailbox.
>
> You might be able to achieve this in the MTA as Peter Ong suggests,
> but
> if not, then you probably want a ruleset for the 'Non Spam Actions'
> setting in MailScanner.conf with the following rules:
>
> From: sender@company.com and To: recipient@company.com deliver
> forward
> sales@company.com
> Default: deliver
>
> Regards
>
> Stef
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From kkobb at skylinecorp.com Wed Aug 4 15:33:43 2010
From: kkobb at skylinecorp.com (Kevin Kobb)
Date: Wed Aug 4 15:33:57 2010
Subject: New beta release 4.81.2
In-Reply-To:
References: <4C57F094.8020501@ecs.soton.ac.uk> <4C59602E.3020906@skylinecorp.com> <4C597459.5080607@ecs.soton.ac.uk>
Message-ID: <4C597A47.9050702@skylinecorp.com>

On 8/4/2010 10:08 AM, Jules Field wrote:
>
>
> On 04/08/2010 13:42, Kevin Kobb wrote:
>> On 8/3/2010 2:13 PM, jaearick@colby.edu wrote:
>>> Julian,
>>>
>>> Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh
>>> issues. The previous complaint from 4.80.10 with perl 5.12.1 of:
>>>
>>>> Using a hash as a reference is deprecated at
>>>> /opt/MailScanner/bin/MailScanner line 592.
>>>
>>> is now gone, thank you. I notice that a lot of the perl pm's in
>>> perl-tar haven't been updated, per my previous "bleeding edge"
>>> email. I installed with "--nomodules" to keep my newer pms in place.
>>>
>>> Jeff Earickson
>>> Colby College
>>
>> Curious.
>>
>> I just tried to upgrade the FreeBSD port on my test server and get the
>> same message you were getting.
>>
>> mailscanner -v
>> Using a hash as a reference is deprecated at
>> /usr/local/sbin/mailscanner line 592.
> I don't do the FreeBSD port, so they may not have upgraded their port to
> the -2 code yet.
>
> Jules
>

Hi Jules,

Yes, I was trying to upgrade the port so when the next stable version
comes out, I could file a PR and get it committed.

What I fetched was:
MailScanner-install-4.81.2-2.tar.gz with MD5 of
7333a27a0a24dc03eb49c7576feea7b0

Is this not the most recent?

From MailScanner at ecs.soton.ac.uk Wed Aug 4 16:00:23 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Aug 4 16:00:36 2010
Subject: New beta release 4.81.2
In-Reply-To: <4C597A47.9050702@skylinecorp.com>
References: <4C57F094.8020501@ecs.soton.ac.uk> <4C59602E.3020906@skylinecorp.com> <4C597459.5080607@ecs.soton.ac.uk> <4C597A47.9050702@skylinecorp.com> <4C598087.6010301@ecs.soton.ac.uk>
Message-ID:

On 04/08/2010 15:33, Kevin Kobb wrote:
> On 8/4/2010 10:08 AM, Jules Field wrote:
>>
>>
>> On 04/08/2010 13:42, Kevin Kobb wrote:
>>> On 8/3/2010 2:13 PM, jaearick@colby.edu wrote:
>>>> Julian,
>>>>
>>>> Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh
>>>> issues. The previous complaint from 4.80.10 with perl 5.12.1 of:
>>>>
>>>>> Using a hash as a reference is deprecated at
>>>>> /opt/MailScanner/bin/MailScanner line 592.
>>>>
>>>> is now gone, thank you. I notice that a lot of the perl pm's in
>>>> perl-tar haven't been updated, per my previous "bleeding edge"
>>>> email. I installed with "--nomodules" to keep my newer pms in place.
>>>>
>>>> Jeff Earickson
>>>> Colby College
>>>
>>> Curious.
>>>
>>> I just tried to upgrade the FreeBSD port on my test server and get the
>>> same message you were getting.
>>>
>>> mailscanner -v
>>> Using a hash as a reference is deprecated at
>>> /usr/local/sbin/mailscanner line 592.
>> I don't do the FreeBSD port, so they may not have upgraded their port to
>> the -2 code yet.
>>
>> Jules
>>
>
> Hi Jules,
>
> Yes, I was trying to upgrade the port so when the next stable version
> comes out, I could file a PR and get it committed.
>
> What I fetched was:
> MailScanner-install-4.81.2-2.tar.gz with MD5 of
> 7333a27a0a24dc03eb49c7576feea7b0
>
> Is this not the most recent?
That was a separate problem, which I have just fixed for you and have
release 4.81.2-3. It will also now print slightly more output at the
end of the virus scanning when called with "--lint" so you can see for
definite what MailScanner thinks the virus scanners said.

Thanks for pointing it out!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From damfam at gmail.com Wed Aug 4 16:06:10 2010
From: damfam at gmail.com (Edward Dam)
Date: Wed Aug 4 16:06:20 2010
Subject: A (Hopefully easy) Question
In-Reply-To: <201008041407.o74E7ZST007313@safir.blacknight.ie>
References: <201008041407.o74E7ZST007313@safir.blacknight.ie>
Message-ID:

Awesome, I'm 99% sure that's what I used before.

Thanks a lot Stef!

On Wed, Aug 4, 2010 at 10:07 AM, Stef Morrell wrote:
> Edward Dam wrote:
> > Hi all,
> >
> > I am hoping someone can answer these (hopefully) easy
> > questions. I know this is possible as I had it working at
> > another facility, but I no longer work for that company and
> > how I did it escapes me right now (it was some time ago)
> >
> > What I need to accomplish is a rule that will forward a copy
> > FROM and TO specific users to another user.
> >
> > For example, if a sales manager wants a copy all messages
> > coming TO his sales team and going FROM his sales team
> > forwarded to the "sales" mailbox.
>
> You might be able to achieve this in the MTA as Peter Ong suggests, but
> if not, then you probably want a ruleset for the 'Non Spam Actions'
> setting in MailScanner.conf with the following rules:
>
> From: sender@company.com and To: recipient@company.com deliver forward
> sales@company.com
> Default: deliver
>
> Regards
>
> Stef
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100804/8d4eedc9/attachment.html

From kkobb at skylinecorp.com Wed Aug 4 16:17:04 2010
From: kkobb at skylinecorp.com (Kevin Kobb)
Date: Wed Aug 4 16:17:20 2010
Subject: New beta release 4.81.2
In-Reply-To:
References: <4C57F094.8020501@ecs.soton.ac.uk> <4C59602E.3020906@skylinecorp.com> <4C597459.5080607@ecs.soton.ac.uk> <4C597A47.9050702@skylinecorp.com> <4C598087.6010301@ecs.soton.ac.uk>
Message-ID: <4C598470.6090605@skylinecorp.com>

On 8/4/2010 11:00 AM, Jules Field wrote:
>
>
> On 04/08/2010 15:33, Kevin Kobb wrote:
>> On 8/4/2010 10:08 AM, Jules Field wrote:
>>>
>>>
>>> On 04/08/2010 13:42, Kevin Kobb wrote:
>>>> On 8/3/2010 2:13 PM, jaearick@colby.edu wrote:
>>>>> Julian,
>>>>>
>>>>> Just rolled out 4.81.2-2 onto my Solaris box, after the install.sh
>>>>> issues. The previous complaint from 4.80.10 with perl 5.12.1 of:
>>>>>
>>>>>> Using a hash as a reference is deprecated at
>>>>>> /opt/MailScanner/bin/MailScanner line 592.
>>>>>
>>>>> is now gone, thank you. I notice that a lot of the perl pm's in
>>>>> perl-tar haven't been updated, per my previous "bleeding edge"
>>>>> email. I installed with "--nomodules" to keep my newer pms in place.
>>>>>
>>>>> Jeff Earickson
>>>>> Colby College
>>>>
>>>> Curious.
>>>>
>>>> I just tried to upgrade the FreeBSD port on my test server and get the
>>>> same message you were getting.
>>>>
>>>> mailscanner -v
>>>> Using a hash as a reference is deprecated at
>>>> /usr/local/sbin/mailscanner line 592.
>>> I don't do the FreeBSD port, so they may not have upgraded their
>>> port to
>>> the -2 code yet.
>>>
>>> Jules
>>>
>>
>> Hi Jules,
>>
>> Yes, I was trying to upgrade the port so when the next stable version
>> comes out, I could file a PR and get it committed.
>>
>> What I fetched was:
>> MailScanner-install-4.81.2-2.tar.gz with MD5 of
>> 7333a27a0a24dc03eb49c7576feea7b0
>>
>> Is this not the most recent?
> That was a separate problem, which I have just fixed for you and have
> release 4.81.2-3. It will also now print slightly more output at the
> end of the virus scanning when called with "--lint" so you can see for
> definite what MailScanner thinks the virus scanners said.
>
> Thanks for pointing it out!
>
> Jules
>

Thanks Jules,

I changed my test system back to perl 5.10 (same as production) and did not get any warnings. I'll download 4.81.2-3 and try it with perl 5.12 again.

FWIW spamassassin 3.3.1 also has a couple hiccups with perl 5.12, which are supposed to be addressed shortly in a 3.3.2 release.

From zaeem.arshad at gmail.com Wed Aug 4 18:48:07 2010
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Wed Aug 4 18:48:18 2010
Subject: Whitelisting doesn't bypass virus scan
Message-ID:

Hi Folks,

I have tried whitelisting an email address which MailScanner correctly
picks up and bypasses SA scanning but still hands it over to Clam. I'd
like to bypass virus scan altogether for certain addresses. Is that
possible?

Regards

Zaeem

From MailScanner at ecs.soton.ac.uk Wed Aug 4 21:54:32 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Aug 4 21:54:50 2010
Subject: Whitelisting doesn't bypass virus scan
In-Reply-To:
References: <4C59D388.9000503@ecs.soton.ac.uk>
Message-ID:

Yes, just put a ruleset on the "Virus Scanning" configuration setting in
MailScanner.conf.
You can build a ruleset for almost any setting in MailScanner.conf. The
"spam.whitelist.rules" ruleset is just provided as an example of how to use
the facility.
Read all the files in /etc/MailScanner/rules and you will see how to use it.
There is also plenty of documentation on this subject on the website and the
wiki, and also in the book.

On 04/08/2010 18:48, Zaeem Arshad wrote:
> Hi Folks,
>
> I have tried whitelisting an email address which MailScanner correctly
> picks up and bypasses SA scanning but still hands it over to Clam. I'd
> like to bypass virus scan altogether for certain addresses. Is that
> possible?
>
> Regards
>
> Zaeem
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From zaeem.arshad at gmail.com Thu Aug 5 04:53:40 2010
From: zaeem.arshad at gmail.com (Zaeem Arshad)
Date: Thu Aug 5 04:53:50 2010
Subject: Whitelisting doesn't bypass virus scan
In-Reply-To:
References: <4C59D388.9000503@ecs.soton.ac.uk>
Message-ID:

Silly me. I should have known that. Thanks Jules and thanks for this wonderful piece of software that makes our lives easy everyday.

Best Wishes,

Zaeem

On Thu, Aug 5, 2010 at 1:54 AM, Jules Field wrote:
> Yes, just put a ruleset on the "Virus Scanning" configuration setting in
> MailScanner.conf.
> You can build a ruleset for almost any setting in MailScanner.conf. The
> "spam.whitelist.rules" ruleset is just provided as an example of how to use
> the facility.
> Read all the files in /etc/MailScanner/rules and you will see how to use it.
> There is also plenty of documentation on this subject on the website and the
> wiki, and also in the book.
>
> On 04/08/2010 18:48, Zaeem Arshad wrote:
>>
>> Hi Folks,
>>
>> I have tried whitelisting an email address which MailScanner correctly
>> picks up and bypasses SA scanning but still hands it over to Clam. I'd
>> like to bypass virus scan altogether for certain addresses. Is that
>> possible?
>>
>> Regards
>>
>> Zaeem
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From alex at nanogherkin.com Thu Aug 5 18:10:16 2010
From: alex at nanogherkin.com (Alex Crow)
Date: Thu Aug 5 18:10:27 2010
Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?
Message-ID: <4C5AF078.8010708@nanogherkin.com>

All,

I have installed from the RPM-based installer on the MailScanner site
(together with the ClamAV/SpamAssassin easy-install package CA:0.96.1
SA:3.31) and the filename rules seem to be ignored. I sent through an
attachment named "fintest.doc.rtf.txt.doc.doc" and the log showed
they were allowed:


Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing 00B222AB0117.AC992 msg-29674-6.txt
Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing 00B222AB0117.AC992 msg-29674-6.txt

Here are the pertinent entries in my config files:

MailScanner.conf:
Filename Rules = %etc-dir%/filename.rules

filename.rules:
From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
FromOrTo: default /etc/MailScanner/filename.rules.conf

filename.rules.allowall.conf:
allow .* - -

filename.rules.conf:
#
# NOTE: Fields are separated by TAB characters --- Important!
#
# Syntax is allow/deny/deny+delete/email-addresses, then regular expression,
# then log text, then user report text.
#
# The "email-addresses" can be a space or comma-separated list of email
# addresses. If the rule hits, the message will be sent to these address(es)
# instead of the original recipients.

# Due to a bug in Outlook Express, you can make the 2nd from last extension
# be what is used to run the file. So very long filenames must be denied,
# regardless of the final extension.
deny .{150,} Very long filename, possible OE attack Very long filenames are good signs of attacks against Microsoft e-mail packages

# JKF 10/08/2007 Adobe Acrobat nastiness
deny \.fdf$ Dangerous Adobe Acrobat data-file Opening this file can cause auto-loading of any file from the internet

# JKF 04/01/2005 More Microsoft security vulnerabilities
deny \.ico$ Windows icon file security vulnerability Possible buffer overflow in Windows
deny \.ani$ Windows animated cursor file security vulnerability Possible buffer overflow in Windows
deny \.cur$ Windows cursor file security vulnerability Possible buffer overflow in Windows
deny \.hlp$ Windows help file security vulnerability Possible buffer overflow in Windows
deny \.wri$ Windows wordpad file security vulnerability Possible buffer overflow in Windows


# These are some well known viruses.
deny pretty\s+park\.exe$ "Pretty Park" virus "Pretty Park" virus
deny happy99\.exe$ "Happy" virus "Happy" virus
deny \.ceo$ WinEvar virus attachment Often used by the WinEvar virus
deny webpage\.rar$ I-Worm.Yanker virus attachment Often used by the I-Worm.Yanker virus
deny your_.*\.zip "W32/SoBig.E" virus "W32/SoBig" virus
deny message\.zip "W32/Mimail.A" virus "W32/Mimail" virus

# JKF 08/07/2005 Several virus scanners may miss this one
deny \.cab$ Possible malicious Microsoft cabinet file Cabinet files may hide viruses

# These are in the archives which are Microsoft Office 2007 files (e.g. docx)
allow \.xml\d*\.rel$ - -
allow \.x\d+\.rel$ - -
allow \.rtf$ - -

# These are known to be mostly harmless.
allow \.odt$ - -
allow \.ods$ - -
allow \.odp$ - -
allow \.jpg$ - -
allow \.gif$ - -
# .url is arguably dangerous, but I can't just ban it...
allow \.url$ - -
allow \.vcf$ - -
allow \.txt$ - -
allow \.zip$ - -
allow \.t?gz$ - -
allow \.bz2$ - -
allow \.Z$ - -
allow \.rpm$ - -
# PGP and GPG
allow \.gpg$ - -
allow \.pgp$ - -
allow \.sig$ - -
allow \.asc$ - -
# Macintosh archives
allow \.hqx$ - -
allow \.sit.bin$ - -
allow \.sea$ - -

# these are sent by our users all of the time.
allow \.pdf$ - -
allow \.doc$ - -
allow \.xls$ - -

# These are known to be dangerous in almost all cases.
deny \.reg$ Possible Windows registry attack Windows registry entries are very dangerous in email
deny \.chm$ Possible compiled Help file-based virus Compiled help files are very dangerous in email
# See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for more info.
deny \.cnf$ Possible SpeedDial attack SpeedDials are very dangerous in email
deny \.hta$ Possible Microsoft HTML archive attack HTML archives are very dangerous in email
deny \.ins$ Possible Microsoft Internet Comm. Settings attack Windows Internet Settings are dangerous in email
deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email
deny \.job$ Possible Microsoft Task Scheduler attack Task Scheduler requests are dangerous in email
deny \.lnk$ Possible Eudora *.lnk security hole attack Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack Microsoft Access Shortcuts are dangerous in email
deny \.pif$ Possible MS-Dos program shortcut attack Shortcuts to MS-Dos programs are very dangerous in email
deny \.scf$ Possible Windows Explorer Command attack Windows Explorer Commands are dangerous in email
deny \.sct$ Possible Microsoft Windows Script Component attack Windows Script Components are dangerous in email
deny \.shb$ Possible document shortcut attack Shortcuts Into Documents are very dangerous in email
deny \.shs$ Possible Shell Scrap Object attack Shell Scrap Objects are very dangerous in email
deny \.vb[es]$ Possible Microsoft Visual Basic script attack Visual Basic Scripts are dangerous in email
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack Windows Script Host files are dangerous in email
deny \.xnk$ Possible Microsoft Exchange Shortcut attack Microsoft Exchange Shortcuts are dangerous in email

# These are new dangerous attachment types according to Microsoft in
# http://support.microsoft.com/?kbid=883260
deny \.cer$ Dangerous Security Certificate (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.mau$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.md[az]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.prf$ Dangerous Outlook Profile Settings (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.pst$ Dangerous Office Data File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
#deny \.tmp$ Dangerous Temporary File (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vsmacros$ Dangerous Visual Studio Macros (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.vs[stw]$ Dangerous attachment type (according to Microsoft) Dangerous attachment according to Microsoft Q883260
deny \.ws$ Dangerous Windows Script (according to Microsoft) Dangerous attachment according to Microsoft Q883260


# These 2 added by popular demand - Very often used by viruses
deny \.com$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email
deny \.exe$ Windows/DOS Executable Executable DOS/Windows programs are dangerous in email

# These are very dangerous and have been used to hide viruses
deny \.scr$ Possible virus hidden in a screensaver Windows Screensavers are often used to hide viruses
deny \.bat$ Possible malicious batch file script Batch files are often malicious
deny \.cmd$ Possible malicious batch file script Batch files are often malicious
deny \.cpl$ Possible malicious control panel item Control panel items are often used to hide viruses
deny \.mhtml$ Possible Eudora meta-refresh attack MHTML files can be used in an attack against Eudora

# Deny filenames containing CLSID's
deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real type Files containing CLSID's are trying to hide their real type

# Deny filenames with lots of contiguous white space in them.
deny \s{10,} Filename contains lots of white space A long gap in a name is often used to hide part of it

# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -

# Allow days of the week and months in doc names, e.g. blah.wed.doc
allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - -
allow \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ - -

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

Is anyone at all able to help me?

Best regards

Alex

--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.

"Transact" is operated by Integrated Financial Arrangements plc
Domain House, 5-7 Singer Street, London EC2A 4BQ
Tel: (020) 7608 4900 Fax: (020) 7608 1200
(Registered office: as above; Registered in England and Wales under number: 3727592)
Authorised and regulated by the Financial Services Authority (entered on the FSA Register; number: 190856)

From MailScanner at ecs.soton.ac.uk Thu Aug 5 19:06:45 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Thu Aug 5 19:07:01 2010
Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules?
In-Reply-To: <4C5AF078.8010708@nanogherkin.com>
References: <4C5AF078.8010708@nanogherkin.com> <4C5AFDB5.8070508@ecs.soton.ac.uk>
Message-ID:

That is entirely as expected, due to the rule

# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -

which appears before the double-extension-check rule, as it causes it
to allow files where people have accidentally doubled up the same
extension.

Jules.

On 05/08/2010 18:10, Alex Crow wrote:
> All,
>
> I have installed from the RPM-based installer on the MailScanner site
> (together with the ClamAV/SpamAssassin easy-install package CA:0.96.1
> SA:3.31) and the filename rules seem to be ignored. I sent through an
> attachment named "fintest.doc.rtf.txt.doc.doc" and the log showed
> they were allowed:
>
>
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing
> 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filename Checks: Allowing
> 00B222AB0117.AC992 msg-29674-6.txt
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing
> 00B222AB0117.AC992 fintest.doc.rtf.txt.doc.doc
> Aug 5 14:55:24 mail04 MailScanner[29674]: Filetype Checks: Allowing
> 00B222AB0117.AC992 msg-29674-6.txt
>
> Here are the pertinent entries in my config files:
>
> MailScanner.conf:
> Filename Rules = %etc-dir%/filename.rules
>
> filename.rules:
> From: 127.0.0.1 /etc/MailScanner/filename.rules.allowall.conf
> FromOrTo: default /etc/MailScanner/filename.rules.conf
>
> filename.rules.allowall.conf:
> allow .* - -
>
> filename.rules.conf:
> #
> # NOTE: Fields are separated by TAB characters --- Important!
> #
> # Syntax is allow/deny/deny+delete/email-addresses, then regular
> expression,
> # then log text, then user report text.
> #
> # The "email-addresses" can be a space or comma-separated list of email
> # addresses. If the rule hits, the message will be sent to these
> address(es)
> # instead of the original recipients.
>
> # Due to a bug in Outlook Express, you can make the 2nd from last
> extension
> # be what is used to run the file. So very long filenames must be denied,
> # regardless of the final extension.
> deny .{150,} Very long filename, possible OE
> attack Very long filenames
> are good signs of attacks against Microsoft e-mail packages
>
> # JKF 10/08/2007 Adobe Acrobat nastiness
> deny \.fdf$ Dangerous Adobe Acrobat
> data-file Opening this
> file can cause auto-loading of any file from the internet
>
> # JKF 04/01/2005 More Microsoft security vulnerabilities
> deny \.ico$ Windows icon file security
> vulnerability Possible buffer
> overflow in Windows
> deny \.ani$ Windows animated cursor file security
> vulnerability Possible buffer overflow in
> Windows
> deny \.cur$ Windows cursor file security
> vulnerability Possible buffer
> overflow in Windows
> deny \.hlp$ Windows help file security
> vulnerability Possible buffer
> overflow in Windows
> deny \.wri$ Windows wordpad file security
> vulnerability Possible buffer
> overflow in Windows
>
>
> # These are some well known viruses.
> deny pretty\s+park\.exe$ "Pretty Park"
> virus
> "Pretty Park" virus
> deny happy99\.exe$ "Happy"
> virus "Happy"
> virus
> deny \.ceo$ WinEvar virus
> attachment
> Often used by the WinEvar virus
> deny webpage\.rar$ I-Worm.Yanker virus
> attachment Often used
> by the I-Worm.Yanker virus
> deny your_.*\.zip "W32/SoBig.E"
> virus
> "W32/SoBig" virus
> deny message\.zip "W32/Mimail.A"
> virus
> "W32/Mimail" virus
>
> # JKF 08/07/2005 Several virus scanners may miss this one
> deny \.cab$ Possible malicious Microsoft cabinet
> file Cabinet files may hide viruses
>
> # These are in the archives which are Microsoft Office 2007 files
> (e.g. docx)
> allow \.xml\d*\.rel$ - -
> allow \.x\d+\.rel$ - -
> allow \.rtf$ - -
>
> # These are known to be mostly harmless.
> allow \.odt$ - -
> allow \.ods$ - -
> allow \.odp$ - -
> allow \.jpg$ - -
> allow \.gif$ - -
> # .url is arguably dangerous, but I can't just ban it...
> allow \.url$ - - > allow \.vcf$ - - > allow \.txt$ - - > allow \.zip$ - - > allow \.t?gz$ - - > allow \.bz2$ - - > allow \.Z$ - - > allow \.rpm$ - - > # PGP and GPG > allow \.gpg$ - - > allow \.pgp$ - - > allow \.sig$ - - > allow \.asc$ - - > # Macintosh archives > allow \.hqx$ - - > allow \.sit.bin$ - - > allow \.sea$ - - > > # these are sent by our users all of the time. > allow \.pdf$ - - > allow \.doc$ - - > allow \.xls$ - - > > # These are known to be dangerous in almost all cases. > deny \.reg$ Possible Windows registry > attack Windows registry > entries are very dangerous in email > deny \.chm$ Possible compiled Help file-based > virus Compiled help files are > very dangerous in email > # See http://office.microsoft.com/2000/articles/Out2ksecFAQ.htm for > more info. > deny \.cnf$ Possible SpeedDial > attack > SpeedDials are very dangerous in email > deny \.hta$ Possible Microsoft HTML archive > attack HTML archives are very > dangerous in email > deny \.ins$ Possible Microsoft Internet Comm. 
Settings > attack Windows Internet Settings are > dangerous in email > deny \.jse?$ Possible Microsoft JScript > attack JScript Scripts > are dangerous in email > deny \.job$ Possible Microsoft Task Scheduler > attack Task Scheduler requests > are dangerous in email > deny \.lnk$ Possible Eudora *.lnk security hole > attack Eudora *.lnk security hole > attack > deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut > attack Microsoft Access Shortcuts are > dangerous in email > deny \.pif$ Possible MS-Dos program shortcut > attack Shortcuts to MS-Dos > programs are very dangerous in email > deny \.scf$ Possible Windows Explorer Command > attack Windows Explorer > Commands are dangerous in email > deny \.sct$ Possible Microsoft Windows Script Component > attack Windows Script Components are > dangerous in email > deny \.shb$ Possible document shortcut > attack Shortcuts Into > Documents are very dangerous in email > deny \.shs$ Possible Shell Scrap Object > attack Shell Scrap > Objects are very dangerous in email > deny \.vb[es]$ Possible Microsoft Visual Basic script > attack Visual Basic Scripts are > dangerous in email > deny \.ws[cfh]$ Possible Microsoft Windows Script Host > attack Windows Script Host files are > dangerous in email > deny \.xnk$ Possible Microsoft Exchange Shortcut > attack Microsoft Exchange > Shortcuts are dangerous in email > > # These are new dangerous attachment types according to Microsoft in > # http://support.microsoft.com/?kbid=883260 > deny \.cer$ Dangerous Security Certificate (according to > Microsoft) Dangerous attachment according to > Microsoft Q883260 > deny \.its$ Dangerous Internet Document Set (according to > Microsoft) Dangerous attachment according to > Microsoft Q883260 > deny \.mau$ Dangerous attachment type (according to > Microsoft) Dangerous attachment according > to Microsoft Q883260 > deny \.md[az]$ Dangerous attachment type (according to > Microsoft) Dangerous attachment according > to Microsoft Q883260 > deny 
\.prf$ Dangerous Outlook Profile Settings (according > to Microsoft) Dangerous attachment according to > Microsoft Q883260 > deny \.pst$ Dangerous Office Data File (according to > Microsoft) Dangerous attachment according > to Microsoft Q883260 > #deny \.tmp$ Dangerous Temporary File (according to > Microsoft) Dangerous attachment > according to Microsoft Q883260 > deny \.vsmacros$ Dangerous Visual Studio Macros (according to > Microsoft) Dangerous attachment according to > Microsoft Q883260 > deny \.vs[stw]$ Dangerous attachment type (according to > Microsoft) Dangerous attachment according > to Microsoft Q883260 > deny \.ws$ Dangerous Windows Script (according to > Microsoft) Dangerous attachment > according to Microsoft Q883260 > > > # These 2 added by popular demand - Very often used by viruses > deny \.com$ Windows/DOS > Executable > Executable DOS/Windows programs are dangerous in email > deny \.exe$ Windows/DOS > Executable > Executable DOS/Windows programs are dangerous in email > > # These are very dangerous and have been used to hide viruses > deny \.scr$ Possible virus hidden in a > screensaver Windows > Screensavers are often used to hide viruses > deny \.bat$ Possible malicious batch file > script Batch files are > often malicious > deny \.cmd$ Possible malicious batch file > script Batch files are > often malicious > deny \.cpl$ Possible malicious control panel > item Control panel items are > often used to hide viruses > deny \.mhtml$ Possible Eudora meta-refresh > attack MHTML files can be > used in an attack against Eudora > > # Deny filenames containing CLSID's > deny \{[a-hA-H0-9-]{25,}\} Filename trying to hide its real > type Files containing CLSID's are trying to > hide their real type > > # Deny filenames with lots of contiguous white space in them. > deny \s{10,} Filename contains lots of white > space A long gap in a name > is often used to hide part of it > > # Allow repeated file extension, e.g. 
blah.zip.zip > allow (\.[a-z0-9]{3})\1$ - - > > # Allow days of the week and months in doc names, e.g. blah.wed.doc > allow \.(mon|tue|wed|thu|fri|sat|sun)\.[a-z0-9]{3}$ - - > allow > \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$ > - - > > # Deny all other double file extensions. This catches any hidden > filenames. > deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible > filename hiding Attempt to hide real filename > extension > > Is anyone at all able to help me? > > Best regards > > Alex > Jules From alex at nanogherkin.com Thu Aug 5 19:26:31 2010 From: alex at nanogherkin.com (Alex Crow) Date: Thu Aug 5 19:26:42 2010 Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules? In-Reply-To: References: <4C5AF078.8010708@nanogherkin.com> <4C5AFDB5.8070508@ecs.soton.ac.uk> Message-ID: <4C5B0257.3070500@nanogherkin.com> On 05/08/10 19:06, Jules Field wrote: > That is entirely as expected, due to the rule > > # Allow repeated file extension, e.g. blah.zip.zip > allow (\.[a-z0-9]{3})\1$ - - > > which appears before the double-extension-check rule, as it causes it > to allow files where people have accidentally doubled up the same > extension. > > Jules. > Dear Jules, The trouble is, I also had this with a test such as ".crt.txt", which is certainly not repeated.
In fact, I've tried so many combinations and none of them have ever been flagged (unless they've had exe or dll or the like in there somewhere, when they don't trigger on the multiple extension but instead on executable content.) I will try disabling the "repeat" rule and see what happens anyway. Cheers Alex From MailScanner at ecs.soton.ac.uk Thu Aug 5 19:33:19 2010 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Thu Aug 5 19:33:36 2010 Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules? In-Reply-To: <4C5B0257.3070500@nanogherkin.com> References: <4C5AF078.8010708@nanogherkin.com> <4C5AFDB5.8070508@ecs.soton.ac.uk> <4C5B0257.3070500@nanogherkin.com> <4C5B03EF.4010304@ecs.soton.ac.uk> Message-ID: On 05/08/2010 19:26, Alex Crow wrote: > On 05/08/10 19:06, Jules Field wrote: >> That is entirely as expected, due to the rule >> >> # Allow repeated file extension, e.g. blah.zip.zip >> allow (\.[a-z0-9]{3})\1$ - - >> >> which appears before the double-extension-check rule, as it causes it >> to allow files where people have accidentally doubled up the same >> extension. >> >> Jules. >> > Dear Jules, > > The trouble is, I also had this with a test such as " cert>.crt.txt", which is certainly not repeated. Yes, but .txt is probably allowed by a rule further up in the table. > In fact, I've tried so many combinations and none of them have ever > been flagged (unless they've had exe or dll or the like in there > somewhere, when they don't trigger on the multiple extension but > instead on executable content.) > > I will try disabling the "repeat" rule and see what happens anyway. Give that a try. If you still can't get "foobar.abc.abc" stopped, then give me a shout and I'll take a look. Jules
From alex at nanogherkin.com Thu Aug 5 19:55:12 2010 From: alex at nanogherkin.com (Alex Crow) Date: Thu Aug 5 19:55:23 2010 Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules? In-Reply-To: References: <4C5AF078.8010708@nanogherkin.com> <4C5AFDB5.8070508@ecs.soton.ac.uk> <4C5B0257.3070500@nanogherkin.com> <4C5B03EF.4010304@ecs.soton.ac.uk> Message-ID: <4C5B0910.7050408@nanogherkin.com> On 05/08/10 19:33, Jules Field wrote: > > > On 05/08/2010 19:26, Alex Crow wrote: >> On 05/08/10 19:06, Jules Field wrote: >>> That is entirely as expected, due to the rule >>> >>> # Allow repeated file extension, e.g. blah.zip.zip >>> allow (\.[a-z0-9]{3})\1$ - - >>> >>> which appears before the double-extension-check rule, as it causes >>> it to allow files where people have accidentally doubled up the same >>> extension. >>> >>> Jules. >>> >> Dear Jules, >> >> The trouble is, I also had this with a test such as "> cert>.crt.txt", which is certainly not repeated. > Yes, but .txt is probably allowed by a rule further up in the table. >> In fact, I've tried so many combinations and none of them have ever >> been flagged (unless they've had exe or dll or the like in there >> somewhere, when they don't trigger on the multiple extension but >> instead on executable content.) >> >> I will try disabling the "repeat" rule and see what happens anyway. > Give that a try. If you still can't get "foobar.abc.abc" stopped, then > give me a shout and I'll take a look.
> > Jules > Dear Jules, For the sake of eliminating screwups on my part, I also changed the MailScanner.conf to look at filename.rules.conf directly before I did the following: I commented out the repeated extension rule in the filename.rules.conf and sent an attachment "fintest.doc.rtf.txt" and it was accepted as follows (some info obscured of course): Aug 5 19:43:06 mail04 postfix/cleanup[5318]: 336A82AB0117: message-id=<4C5B0617.7000903@gfasf.dajh9ad.did> Aug 5 19:43:06 mail04 postfix/smtpd[5315]: disconnect from unknown[192.168.20.52] Aug 5 19:43:06 mail04 MailScanner[5013]: New Batch: Scanning 1 messages, 6083596 bytes Aug 5 19:43:07 mail04 MailScanner[5013]: Filename Checks: Allowing 336A82AB0117.AE09B fintest.doc.rtf.txt Aug 5 19:43:07 mail04 MailScanner[5013]: Filename Checks: Allowing 336A82AB0117.AE09B msg-5013-3.txt Aug 5 19:43:07 mail04 MailScanner[5013]: Filetype Checks: Allowing 336A82AB0117.AE09B msg-5013-3.txt Aug 5 19:43:07 mail04 MailScanner[5013]: Filetype Checks: Allowing 336A82AB0117.AE09B fintest.doc.rtf.txt But strangely, the original filename I quoted to you /was/ quarantined, under the same configuration (repeated and confirmed just now): Aug 5 19:36:58 mail04 MailScanner[5013]: Filename Checks: Found possible filename hiding (B51322AB0117.AC83F fintest.doc.rtf.txt.doc.doc) Aug 5 19:36:58 mail04 MailScanner[5013]: Filetype Checks: Allowing B51322AB0117.AC83F fintest.doc.rtf.txt.doc.doc Aug 5 19:36:59 mail04 MailScanner[5013]: Saved infected "fintest.doc.rtf.txt.doc.doc" to /var/spool/MailScanner/quarantine/20100805/B51322AB0117.AC83F Aug 5 19:50:35 mail04 MailScanner[4999]: New Batch: Scanning 1 messages, 6083615 bytes Aug 5 19:50:35 mail04 MailScanner[4999]: Filename Checks: Found possible filename hiding (38BC02AB0117.AB918 fintest.doc.rtf.txt.doc.doc) Aug 5 19:50:35 mail04 MailScanner[4999]: Filename Checks: Allowing 38BC02AB0117.AB918 msg-4999-1.txt Aug 5 19:50:35 mail04 MailScanner[4999]: Filetype Checks: Allowing 38BC02AB0117.AB918 
fintest.doc.rtf.txt.doc.doc Aug 5 19:50:35 mail04 MailScanner[4999]: Filetype Checks: Allowing 38BC02AB0117.AB918 msg-4999-1.txt Aug 5 19:50:35 mail04 MailScanner[4999]: Other Checks: Found 1 problems Aug 5 19:50:35 mail04 MailScanner[4999]: Virus and Content Scanning: Starting Aug 5 19:50:35 mail04 MailScanner[4999]: Saved entire message to /var/spool/MailScanner/quarantine/20100805/38BC02AB0117.AB918 Aug 5 19:50:36 mail04 postfix/pickup[4885]: 374ED2AB0124: uid=** from= Aug 5 19:50:36 mail04 postfix/cleanup[5353]: 374ED2AB0124: hold: header Received: by mail0asdfafaf (Postfix, from userid fasdads)??id 374ED2AB0124; Thu, 5 Aug 2010 19:50:36 +0100 (BST) from local; from= Aug 5 19:50:36 mail04 postfix/cleanup[5353]: 374ED2AB0124: message-id=<20100805185036.374ED2AB0124@sdgs.fjioa> Aug 5 19:50:36 mail04 MailScanner[4999]: Saved infected "fintest.doc.rtf.txt.doc.doc" to /var/spool/MailScanner/quarantine/20100805/38BC02AB0117.AB918 So there is definitely something amiss in at least my installation of MailScanner. I have no idea why this should be! Cheers Alex From alex at nanogherkin.com Thu Aug 5 20:08:12 2010 From: alex at nanogherkin.com (Alex Crow) Date: Thu Aug 5 20:08:23 2010 Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules? In-Reply-To: References: <4C5AF078.8010708@nanogherkin.com> <4C5AFDB5.8070508@ecs.soton.ac.uk> <4C5B0257.3070500@nanogherkin.com> <4C5B03EF.4010304@ecs.soton.ac.uk> Message-ID: <4C5B0C1C.9010900@nanogherkin.com> On 05/08/10 19:33, Jules Field wrote: >> The trouble is, I also had this with a test such as "> cert>.crt.txt", which is certainly not repeated. > Yes, but .txt is probably allowed by a rule further up in the table. Just noticed this line in your reply: doesn't this negate the utility of checking for double extensions? Bear in mind I'm using the filename.rules.conf supplied with MailScanner. 
This suggests that someone could send, say, a malicious HTML file with .html.txt as the extension and it would be passed. I'm sure the ancient version we used to use with Debian Etch (from the repos of that distro) would block such files. I've compared the rules files between the two and .txt is allowed first in both, but the Etch install did catch "blah.foo.txt". Sorry if I'm being blind to something in the docs or FAQs but this does look like a change in behaviour. Alex From brad.mclean at cloudtechinc.com Thu Aug 5 21:06:43 2010 From: brad.mclean at cloudtechinc.com (Brad McLean) Date: Thu Aug 5 21:07:02 2010 Subject: XML-RPC Error: Didn't receive 200 OK from remote server. Message-ID: <008b01cb34d9$b9c9f880$2d5de980$@cloudtechinc.com> We have 2 servers running MailScanner. MX1 and MX2 MX2 is connecting to the mysql database on MX1. Everything for db connections seems ok. I can manually login to the db from MX2. For every message that is scored as spam on MX2 we see the "XML-RPC Error: Didn't receive 200 OK from remote server" in mailwatch. I've searched the maillist for this message but haven't had much success in determining what is causing the issue. I have updated /var/www/html/mailscanner/conf.php on MX1 and MX2 for the database connections and added the network to the define(RPC_ALLOWED_CLIENTS, 'xxx.xxx.xxx.0/24') Any help in pointing me in a direction would be greatly appreciated. Thanks Brad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100805/83959221/attachment.html From ssilva at sgvwater.com Thu Aug 5 21:17:50 2010 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 5 21:18:09 2010 Subject: XML-RPC Error: Didn't receive 200 OK from remote server.
In-Reply-To: <008b01cb34d9$b9c9f880$2d5de980$@cloudtechinc.com> References: <008b01cb34d9$b9c9f880$2d5de980$@cloudtechinc.com> Message-ID: on 8-5-2010 1:06 PM Brad McLean spake the following: > We have 2 servers running MailScanner. MX1 and MX2 > > > > MX2 is connecting to the mysql database on MX1. Everything for db > connections seems ok. I can manually login to the db from MX2. > > > > For every message that is scored as spam on MX2 we see the "XML-RPC > Error: Didn't receive 200 OK from remote server" in mailwatch. > > > > I've searched the maillist for this message but haven't had much success > in determining what is causing the issue. > > > > I have updated /var/www/html/mailscanner/conf.php on MX1 and MX2 for the > database connections and added the network to the > define(RPC_ALLOWED_CLIENTS, 'xxx.xxx.xxx.0/24') > > > > Any help in pointing me in a direction would be greatly appreciated. > First pointing... The mailwatch list? From damfam at gmail.com Thu Aug 5 23:33:43 2010 From: damfam at gmail.com (Edward Dam) Date: Thu Aug 5 23:33:52 2010 Subject: A (Hopefully easy) Question In-Reply-To: References: <201008041407.o74E7ZST007313@safir.blacknight.ie> Message-ID: Just wanted to follow up to let the list know that using the Non Spam Actions ruleset worked exactly as I had remembered. Thanks to all who helped! On Wed, Aug 4, 2010 at 11:06 AM, Edward Dam wrote: > Awesome, I'm 99% sure that's what I used before. Thanks a lot Stef! > > > > > On Wed, Aug 4, 2010 at 10:07 AM, Stef Morrell wrote: > >> Edward Dam wrote: >> > Hi all, >> > >> > I am hoping someone can answer these (hopefully) easy >> > questions. I know this is possible as I had it working at >> > another facility, but I no longer work for that company and >> > how I did it escapes me right now (it was some time ago) >> > >> > What I need to accomplish is a rule that will forward a copy >> > FROM and TO specific users to another user.
>> > >> > For example, if a sales manager wants a copy all messages >> > coming TO his sales team and going FROM his sales team >> > forwarded to the "sales" mailbox. >> >> You might be able to achieve this in the MTA as Peter Ong suggests, but >> if not, then you probably want a ruleset for the 'Non Spam Actions' >> setting in MailScanner.conf with the following rules: >> >> From: sender@company.com and To: recipient@company.com deliver forward >> sales@company.com >> Default: deliver >> >> Regards >> >> Stef >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100805/4e753aac/attachment.html From alex at nanogherkin.com Fri Aug 6 07:40:36 2010 From: alex at nanogherkin.com (Alex Crow) Date: Fri Aug 6 07:40:45 2010 Subject: Mailscanner 4.79-11-1 for CentOS (5.5 x64) ignoring filename rules? In-Reply-To: <4C5B0C1C.9010900@nanogherkin.com> References: <4C5AF078.8010708@nanogherkin.com> <4C5AFDB5.8070508@ecs.soton.ac.uk> <4C5B0257.3070500@nanogherkin.com> <4C5B03EF.4010304@ecs.soton.ac.uk> <4C5B0C1C.9010900@nanogherkin.com> Message-ID: <4C5BAE64.9030706@nanogherkin.com> > > Sorry if I'm being blind to something in the docs or FAQs but this > does look like a change in behaviour. > > Alex > Just realised what has happened. I looked again at the files on the old machine and found a backup file. A colleague had recently changed the rules on the debian box to allow xml stuff inside zip and those double extensions - a la MS Office and OO.org. The copy was old enough that it wasn't in the default files. Looking at the date of modification, what do I see in my "bad filename" inbox for that date? 
A sudden drop-off in notifications. The same rules are now in the supplied rules. And having thought about html.txt, that's a poor example as html is allowed anyway, and sticking .txt on the end would be counterproductive to a hacker. Apologies for wasting your time! Alex From stratos.td at gmail.com Fri Aug 6 11:21:56 2010 From: stratos.td at gmail.com (Stratos TD) Date: Fri Aug 6 11:22:04 2010 Subject: Virus attachments not replaced with warning text Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- %org-name% = Name # CUSTOM_CONFIG %org-long-name% = Long Name # CUSTOM_CONFIG %web-site% = http://www.example.com # CUSTOM_CONFIG %etc-dir% = /etc/MailScanner %report-dir% = /etc/MailScanner/reports/en %rules-dir% = /etc/MailScanner/rules %mcp-dir% = /etc/MailScanner/mcp Max Children = 2 # CUSTOM_CONFIG Run As User = Debian-exim Run As Group = Debian-exim Queue Scan Interval = 30 # CUSTOM_CONFIG Incoming Queue Dir = /var/spool/exim4_incoming/input # CUSTOM_CONFIG Outgoing Queue Dir = /var/spool/exim4/input # CUSTOM_CONFIG Incoming Work Dir = /var/spool/MailScanner/incoming Quarantine Dir = /var/spool/MailScanner/quarantine PID file = /var/run/MailScanner/MailScanner.pid Restart Every = 7200 MTA = exim Sendmail = /usr/sbin/exim4 -DOUTGOING # CUSTOM_CONFIG Sendmail2 = /usr/sbin/sendmail -DOUTGOING Incoming Work User = Incoming Work Group = clamav Incoming Work Permissions = 0640 Quarantine User = Quarantine Group = Quarantine Permissions = 0600 Max Unscanned Bytes Per Scan = 100m Max Unsafe Bytes Per Scan = 50m Max Unscanned Messages Per Scan = 30 Max Unsafe Messages Per Scan = 30 Max Normal Queue Size = 800 Scan Messages = %rules-dir%/scan.messages.rules Reject Message = no Maximum Processing Attempts = 6 Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db Maximum Attachments Per Message = 200 Expand TNEF = yes Use TNEF Contents = replace Deliver Unparsable TNEF = no TNEF Expander = /usr/bin/tnef
--maxsize=100000000 TNEF Timeout = 120 File Command = /usr/bin/file File Timeout = 20 Gunzip Command = /bin/gunzip Gunzip Timeout = 50 Unrar Command = /usr/bin/unrar Unrar Timeout = 50 Find UU-Encoded Files = no Maximum Message Size = %rules-dir%/max.message.size.rules Maximum Attachment Size = -1 Minimum Attachment Size = -1 Maximum Archive Depth = 0 # CUSTOM_CONFIG Find Archives By Content = yes Unpack Microsoft Documents = yes Zip Attachments = no Attachments Zip Filename = MessageAttachments.zip Attachments Min Total Size To Zip = 100k Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml Add Text Of Doc = no Antiword = /usr/bin/antiword -f Antiword Timeout = 50 Unzip Maximum Files Per Archive = 0 Unzip Maximum File Size = 50k Unzip Filenames = *.txt *.ini *.log *.csv Unzip MimeType = text/plain Virus Scanning = yes Virus Scanners = clamav # CUSTOM_CONFIG Virus Scanner Timeout = 300 Deliver Disinfected Files = no Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = yes # CUSTOM_CONFIG Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Zip-Password # CUSTOM_CONFIG Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* Block Encrypted Messages = no Block Unencrypted Messages = no Allow Password-Protected Archives = no Check Filenames In Password-Protected Archives = yes Allowed Sophos Error Messages = Sophos IDE Dir = /opt/sophos-av/lib/sav Sophos Lib Dir = /opt/sophos-av/lib Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd ClamAVmodule Maximum Recursion Level = 8 ClamAVmodule Maximum Files = 1000 ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) ClamAVmodule Maximum Compression Ratio = 250 Clamd Port = 3310 Clamd Socket = /var/run/clamav/clamd.ctl Clamd Lock File = /var/run/clamav/clamd.pid Clamd Use Threads = no ClamAV 
Full Message Scan = yes Fpscand Port = 10200 Dangerous Content Scanning = yes Allow Partial Messages = no Allow External Message Bodies = no Find Phishing Fraud = yes Also Find Numeric Phishing = yes Use Stricter Phishing Net = no # CUSTOM_CONFIG Highlight Phishing Fraud = yes Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf Allow IFrame Tags = disarm Allow Form Tags = disarm Allow Script Tags = disarm Allow WebBugs = disarm Known Web Bug Servers = msgtag.com Web Bug Replacement = http://www.example.com/img/1x1spacer.gif # CUSTOM_CONFIG Allow Object Codebase Tags = disarm Convert Dangerous HTML To Text = no Convert HTML To Text = no Archives Are = zip rar ole Allow Filenames = \.txt$ \.pdf$ # CUSTOM_CONFIG Deny Filenames = \.com$ \.exe$ \.cpl$ \.pif$ # CUSTOM_CONFIG Filename Rules = %etc-dir%/filename.rules.conf Allow Filetypes = Allow File MIME Types = text/plain text/html # CUSTOM_CONFIG Deny Filetypes = Deny File MIME Types = Filetype Rules = %etc-dir%/filetype.rules.conf Archives: Allow Filenames = Archives: Deny Filenames = Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf Archives: Allow Filetypes = Archives: Allow File MIME Types = Archives: Deny Filetypes = Archives: Deny File MIME Types = Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf Quarantine Infections = yes Quarantine Silent Viruses = no Quarantine Modified Body = no Quarantine Whole Message = no Quarantine Whole Messages As Queue Files = no Keep Spam And MCP Archive Clean = no Language Strings = %report-dir%/languages.conf Rejection Report = %report-dir%/rejection.report.txt Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Deleted Size Message Report = 
%report-dir%/deleted.size.message.txt Stored Bad Content Message Report = %report-dir%/stored.content.message.txt Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Stored Size Message Report = %report-dir%/stored.size.message.txt Disinfected Report = %report-dir%/disinfected.report.txt Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt Signature Image Filename = %report-dir%/sig.jpg Signature Image Filename = signature.jpg Inline HTML Warning = %report-dir%/inline.warning.html Inline Text Warning = %report-dir%/inline.warning.txt Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sender Size Report = %report-dir%/sender.size.report.txt Hide Incoming Work Dir = yes Include Scanner Name In Reports = yes Mail Header = X-%org-name%-MailScanner: Spam Header = X-%org-name%-MailScanner-SpamCheck: Spam Score Header = X-%org-name%-MailScanner-SpamScore: Add Envelope From Header = yes Add Envelope To Header = no Envelope From Header = X-%org-name%-MailScanner-From: Envelope To Header = X-%org-name%-MailScanner-To: ID Header = X-%org-name%-MailScanner-ID: IP Protocol Version Header = # X-%org-name%-MailScanner-IP-Protocol: Spam Score Character = s SpamScore Number Instead Of Stars = no Minimum Stars If On Spam List = 0 Clean Header Value = Found to be clean Infected Header Value = Found to be infected Disinfected Header Value = Disinfected Information Header Value = Please contact the ISP for more information Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes # CUSTOM_CONFIG Multiple Headers = replace # CUSTOM_CONFIG Place New Headers At Top Of Message = no Hostname = the 
%org-name% ($HOSTNAME) MailScanner Sign Messages Already Processed = no Sign Clean Messages = no # CUSTOM_CONFIG Attach Image To Signature = no Attach Image To HTML Message Only = yes Allow Multiple HTML Signatures = no Dont Sign HTML If Headers Exist = # In-Reply-To: References: Mark Infected Messages = yes Mark Unscanned Messages = yes Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: Deliver Cleaned Messages = yes Notify Senders = yes # CUSTOM_CONFIG Notify Senders Of Viruses = no Notify Senders Of Blocked Filenames Or Filetypes = yes Notify Senders Of Blocked Size Attachments = yes # CUSTOM_CONFIG Notify Senders Of Other Blocked Content = yes Never Notify Senders Of Precedence = list bulk Scanned Modify Subject = no # end Scanned Subject Text = {Scanned} Virus Modify Subject = start Virus Subject Text = {Virus?} Filename Modify Subject = start Filename Subject Text = {Filename?} Content Modify Subject = start Content Subject Text = {Dangerous Content?} Size Modify Subject = start Size Subject Text = {Size} Disarmed Modify Subject = start Disarmed Subject Text = {Disarmed} Phishing Modify Subject = no Phishing Subject Text = {Fraud?} Spam Modify Subject = start Spam Subject Text = {Spam?} High Scoring Spam Modify Subject = start High Scoring Spam Subject Text = {Spam?} {_SCORE_} # CUSTOM_CONFIG Warning Is Attachment = yes Attachment Warning Filename = %org-name%-Attachment-Warning.txt Attachment Encoding Charset = ISO-8859-1 Archive Mail = Missing Mail Archive Is = directory Send Notices = no # CUSTOM_CONFIG Notices Include Full Headers = yes Hide Incoming Work Dir in Notices = no Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info Notices From = MailScanner Notices To = postmaster Local Postmaster = postmaster Spam List Definitions = %etc-dir%/spam.lists.conf Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Spam 
Checks = yes Spam List = SBL+XBL # CUSTOM_CONFIG Spam Domain List = Spam Lists To Be Spam = 1 Spam Lists To Reach High Score = 3 Spam List Timeout = 10 Max Spam List Timeouts = 7 Spam List Timeouts History = 10 Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules Is Definitely Spam = no Definite Spam Is High Scoring = no Ignore Spam Whitelist If Recipients Exceed = 20 Max Spam Check Size = 200k Use Watermarking = yes # CUSTOM_CONFIG Add Watermark = yes Check Watermarks With No Sender = yes Treat Invalid Watermarks With No Sender as Spam = spam # CUSTOM_CONFIG Check Watermarks To Skip Spam Checks = yes Watermark Secret = %org-name%-fbcae1bc915e7044945e1075 Watermark Lifetime = 604800 Watermark Header = X-%org-name%-MailScanner-Watermark: Use SpamAssassin = yes Max SpamAssassin Size = 200k Required SpamAssassin Score = 6 High SpamAssassin Score = 10 SpamAssassin Auto Whitelist = yes SpamAssassin Timeout = 75 Max SpamAssassin Timeouts = 10 SpamAssassin Timeouts History = 30 Check SpamAssassin If On Spam List = yes Include Binary Attachments In SpamAssassin = no Spam Score = yes Cache SpamAssassin Results = yes SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db Rebuild Bayes Every = 0 Wait During Bayes Rebuild = yes # CUSTOM_CONFIG Use Custom Spam Scanner = no Max Custom Spam Scanner Size = 20k Custom Spam Scanner Timeout = 20 Max Custom Spam Scanner Timeouts = 10 Custom Spam Scanner Timeout History = 20 Spam Actions = attachment deliver header "X-Spam-Status: Yes" #CUSTOM_CONFIG High Scoring Spam Actions = forward spam@localhost attachment deliver header "X-Spam-Status: Yes" # CUSTOM_CONFIG Non Spam Actions = deliver header "X-Spam-Status: No" SpamAssassin Rule Actions = Sender Spam Report = %report-dir%/sender.spam.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Inline Spam Warning = %report-dir%/inline.spam.warning.txt Recipient 
Spam Report = %report-dir%/recipient.spam.report.txt Enable Spam Bounce = %rules-dir%/bounce.rules Bounce Spam As Attachment = no Syslog Facility = mail Log Speed = no Log Spam = no Log Non Spam = no Log Delivery And Non-Delivery = no Log Permitted Filenames = no Log Permitted Filetypes = no Log Permitted File MIME Types = no Log Silent Viruses = no Log Dangerous HTML Tags = no Log SpamAssassin Rule Actions = yes SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = /var/lib/MailScanner SpamAssassin Install Prefix = SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = MCP Checks = no First Check = spam MCP Required SpamAssassin Score = 1 MCP High SpamAssassin Score = 10 MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: Non MCP Actions = deliver MCP Actions = deliver High Scoring MCP Actions = deliver Bounce MCP As Attachment = no MCP Modify Subject = start MCP Subject Text = {MCP?} High Scoring MCP Modify Subject = start High Scoring MCP Subject Text = {MCP?} Is Definitely MCP = no Is Definitely Not MCP = no Definite MCP Is High Scoring = no Always Include MCP Report = no Detailed MCP Report = yes Include Scores In MCP Report = no Log MCP = no MCP Max SpamAssassin Timeouts = 20 MCP Max SpamAssassin Size = 100k MCP SpamAssassin Timeout = 10 MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin User State Dir = MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Default Rules Dir = %mcp-dir% MCP SpamAssassin Install Prefix = %mcp-dir% Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = no Read IP Address From Received Header = no Spam Score Number Format = %d MailScanner Version Number = 4.79.11 SpamAssassin Cache Timings = 
1800,300,10800,172800,600 Debug = no Debug SpamAssassin = no Run In Foreground = no Always Looked Up Last = no Always Looked Up Last After Batch = no Deliver In Background = yes Delivery Method = batch Split Exim Spool = no Lockfile Dir = /var/lock/subsys/MailScanner Custom Functions Dir = /etc/MailScanner/CustomFunctions Lock Type = Syslog Socket Type = Automatic Syntax Check = yes Minimum Code Status = supported From stratos.td at gmail.com Fri Aug 6 11:33:46 2010 From: stratos.td at gmail.com (Stratos TD) Date: Fri Aug 6 11:33:56 2010 Subject: Virus attachments not replaced with warning text In-Reply-To: References: Message-ID: For some reason the message text was stripped out (thanks Google...) On 6 August 2010 11:21, wrote: > Hello, > > I seem to have a problem with my mailscanner configuration: the virus > attachments do not get replaced with the warning text file. The message > itself is correctly flagged as {Virus?}. > > It used to work fine in the past but broke when I upgraded. Current version > is 4.79.11-2~bpo50+1 (Debian Lenny backport). Previous versions was from > Debian Etch proper. > > I attach the config file (any deviations from the standard Debian config > file are marked). > > > Thanks in advance, > > Steve. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100806/3ef6c351/attachment.html From MailScanner at ecs.soton.ac.uk Fri Aug 6 11:59:17 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 6 11:59:37 2010 Subject: Virus attachments not replaced with warning text In-Reply-To: References: <4C5BEB05.5050408@ecs.soton.ac.uk> Message-ID: I cannot reproduce your problem. Please can you try the latest beta and see if it works there? Many thanks, Jules. On 06/08/2010 11:21, Stratos TD wrote: > Hello, > > I seem to have a problem with my mailscanner configuration: the virus > attachments do not get replaced with the warning text file. 
The > message itself is correctly flagged as {Virus?}. > > It used to work fine in the past but broke when I upgraded. Current > version is 4.79.11-2~bpo50+1 (Debian Lenny backport). Previous > versions was from Debian Etch proper. > > I attach the config file (any deviations from the standard Debian > config file are marked). > > > Thanks in advance, > > Steve. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Fri Aug 6 12:36:17 2010 From: hvdkooij at vanderkooij.org (hvdkooij) Date: Fri Aug 6 12:40:29 2010 Subject: A (Hopefully easy) Question In-Reply-To: <201008041407.o74E7ZST007313@safir.blacknight.ie> References: <201008041407.o74E7ZST007313@safir.blacknight.ie> Message-ID: <3632dff213a8761265b47307e4d948e9@127.0.0.1> On Wed, 4 Aug 2010 15:07:22 +0100, "Stef Morrell" wrote: > From: sender@company.com and To: recipient@company.com deliver forward > sales@company.com > Default: deliver Shouldn't this Default: read like this? FromOrTo: default deliver Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From stratos.td at gmail.com Fri Aug 6 13:22:32 2010 From: stratos.td at gmail.com (Steve) Date: Fri Aug 6 13:22:42 2010 Subject: Virus attachments not replaced with warning text In-Reply-To: References: <4C5BEB05.5050408@ecs.soton.ac.uk> Message-ID: On 6 August 2010 11:59, Julian Field wrote: > I cannot reproduce your problem. 
> Please can you try the latest beta and see if it works there? > I'll give it a go... Are there any debug logging options for the AV work (like the one for spamassassin)? Thanks, Steve. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100806/acf41a32/attachment.html From damfam at gmail.com Fri Aug 6 13:24:52 2010 From: damfam at gmail.com (Edward Dam) Date: Fri Aug 6 13:25:02 2010 Subject: A (Hopefully easy) Question In-Reply-To: <3632dff213a8761265b47307e4d948e9@127.0.0.1> References: <201008041407.o74E7ZST007313@safir.blacknight.ie> <3632dff213a8761265b47307e4d948e9@127.0.0.1> Message-ID: That is correct Hugo. On Fri, Aug 6, 2010 at 7:36 AM, hvdkooij wrote: > > On Wed, 4 Aug 2010 15:07:22 +0100, "Stef Morrell" wrote: > > > From: sender@company.com and To: recipient@company.com deliver forward > > sales@company.com > > Default: deliver > > Shouldn't this Default: read like this? > > FromOrTo: default deliver > > Hugo. > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100806/7a4a641b/attachment.html From MailScanner at ecs.soton.ac.uk Fri Aug 6 13:52:31 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 6 13:52:45 2010 Subject: Virus attachments not replaced with warning text In-Reply-To: References: <4C5BEB05.5050408@ecs.soton.ac.uk> <4C5C058F.5070501@ecs.soton.ac.uk> Message-ID: On 06/08/2010 13:22, Steve wrote: > On 6 August 2010 11:59, Julian Field > wrote: > > I cannot reproduce your problem. > Please can you try the latest beta and see if it works there? > > > I'll give it a go... Thank you. > > Are there any debug logging options for the AV work (like the one for > spamassassin)? No, sorry. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From stef at aoc-uk.com Fri Aug 6 14:06:14 2010 From: stef at aoc-uk.com (Stef Morrell) Date: Fri Aug 6 14:35:08 2010 Subject: A (Hopefully easy) Question In-Reply-To: References: <201008041407.o74E7ZST007313@safir.blacknight.ie> Message-ID: <201008061335.o76DZ0H7008958@safir.blacknight.ie> Hugo wrote: > On Wed, 4 Aug 2010 15:07:22 +0100, "Stef Morrell" > wrote: > > > From: sender@company.com and To: recipient@company.com > deliver forward > > sales@company.com > > Default: deliver > > Shouldn't this Default: read like this? > > FromOrTo: default deliver Yes. Of course it should. 
*facepalm* Stef From sonidhaval at gmail.com Fri Aug 6 20:00:40 2010 From: sonidhaval at gmail.com (Dhaval Soni) Date: Fri Aug 6 20:00:50 2010 Subject: Domain hosted with cPanel problem.... Message-ID: Dear All, We have couple of domains hosted on Linux VPS server with cPanel. We want to filter all emails of those domains and want to deliver it to webmail.domainname.com. But we are not able to deliver those filtered emails. So is there anything extra to do in MailScanner for it? I am using MailScanner version : 4.79.11-1 RPM version on Centos 5.4 with sendmail. Let me inform, if required extra information. Thank you and waiting for reply, -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100807/89588fdc/attachment.html From glenn.steen at gmail.com Mon Aug 9 08:41:07 2010 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Aug 9 08:41:19 2010 Subject: Pyzor issue - error from Mailscanner but not from SA or Pyzor run directly In-Reply-To: <4C585335.6090305@nanogherkin.com> References: <4C54373C.5040602@nanogherkin.com> <4C585335.6090305@nanogherkin.com> Message-ID: On 3 August 2010 19:34, Alex Crow wrote: > On 31/07/10 15:46, Alex Crow wrote: >> >> Hi all, >> >> I'm having this issue in MailScanner - when Pyzor check are run from >> within ms, I get an error in the logs: >> >> 15:37:52 Jul 31 15:37:52.686 [13270] dbg: pyzor: pyzor is available: >> /usr/bin/pyzor >> 15:37:52 Jul 31 15:37:52.686 [13270] dbg: dns: entering helper-app run >> mode >> 15:37:52 Jul 31 15:37:52.686 [13270] dbg: pyzor: opening pipe: >> /usr/bin/pyzor -d check < /tmp/.spamassassin13270K6yw83tmp >> 15:37:52 Jul 31 15:37:52.690 [13272] dbg: util: setuid: ruid=89 euid=89 >> 15:37:52 Jul 31 15:37:52.693 [13270] info: pyzor: [13272] error: exit 6 >> 15:37:52 Jul 31 15:37:52.693 [13270] dbg: dns: leaving 
helper-app run mode >> 15:37:52 Jul 31 15:37:52.694 [13270] dbg: pyzor: check failed: no response >> >> However, if I run as the postfix user (the one configured in >> MailScanner.conf) >> >> spamassassin -D < /tmp/.spamassassin9936b1QieYtmp >> >> I get pyzor working: >> >> Jul 31 15:45:05.186 [13308] dbg: pyzor: pyzor is available: /usr/bin/pyzor >> Jul 31 15:45:05.186 [13308] dbg: dns: entering helper-app run mode >> Jul 31 15:45:05.187 [13308] dbg: pyzor: opening pipe: /usr/bin/pyzor -d >> check < /tmp/.spamassassin13308yrAHtDtmp >> Jul 31 15:45:05.189 [13311] dbg: util: setuid: ruid=89 euid=89 >> Jul 31 15:45:05.242 [13308] dbg: pyzor: [13311] finished successfully >> Jul 31 15:45:05.242 [13308] dbg: pyzor: got response: sending: 'User: >> anonymous\nTime: 1280587505\nSig: >> 47f0553e50650e0309d871f46cdc5dde598c3b1d\n\nOp: check\nOp-Digest: >> 2108c5b03e2f3f526b3158395a05899745cde179\nThread: 9258\nPV: >> 2.0\n\n'\nreceived: 'Thread: 9258\nCount: 5301\nWL-Count: 0\nCode: >> 200\nDiag: OK\nPV: 2.0\n\n'\npublic.pyzor.org:24441 (200, 'OK') 5301 0 >> Jul 31 15:45:05.243 [13308] dbg: dns: leaving helper-app run mode >> Jul 31 15:45:05.243 [13308] dbg: pyzor: failure to parse response >> "sending: 'User: anonymous\nTime: 1280587505\nSig: >> 47f0553e50650e0309d871f46cdc5dde598c3b1d\n\nOp: check\nOp-Digest: >> 2108c5b03e2f3f526b3158395a05899745cde179\nThread: 9258\nPV: 2.0\n\n'" >> Jul 31 15:45:05.243 [13308] dbg: pyzor: failure to parse response >> "received: 'Thread: 9258\nCount: 5301\nWL-Count: 0\nCode: 200\nDiag: OK\nPV: >> 2.0\n\n'" >> Jul 31 15:45:05.243 [13308] dbg: pyzor: listed: COUNT=5301/5 WHITELIST=0 >> Jul 31 15:45:05.244 [13308] dbg: rules: ran eval rule PYZOR_CHECK ======> >> got hit (1) >> >> I am running Centos 5.5 x64 with the latest ClamAV/SA easy-install package >> from the MailScanner site installed. >> >> Any help gratefully received. >> >> Thanks >> >> Alex > > All, > > Are there any more details I need to provide for this? 
> > TBH it seems like a command parsing issue as with my first test with real > messages (copied from another MS server's queue) the error was still in the > logs but Pyzor scores were recorded (verified in MailWatch). > > Cheers > > Alex > Did you do your pyzor tests as the user postfix is running as? Probably not;). Do "su - postfix -s /bin/bash" and then redo the SA test from there... It'll likely fail. My guess is that your postfix user cannot get at the correct pyzor config (among other things), so fixing that config/permission issue will likely make things hum along a bit better:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From paulo-m-roncon at ptinovacao.pt Mon Aug 9 13:04:39 2010 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Mon Aug 9 13:04:51 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <201008091102.o79B0LEY006311@safir.blacknight.ie> References: <201008091102.o79B0LEY006311@safir.blacknight.ie> Message-ID: Hello, Yesterday I got a problem with my mailscanner server. The messages stopped being processed and the mailscanner would crash attempting to process the messages. Some troubleshooting later and: The problem was with the file per directory limit = 32000 of the ext3. I'm going to upgrade to ext4. Any ideas? Change the quarantine function to create directories per hour also? Paulo From martyn at invictawiz.com Mon Aug 9 14:32:45 2010 From: martyn at invictawiz.com (Martyn Routley) Date: Mon Aug 9 14:33:00 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> Message-ID: <4C60037D.5080309@invictawiz.com> On 09/08/2010 13:04, Paulo Roncon wrote: > Hello, > > Yesterday I got a problem with my mailscanner server. The messages stopped being processed and the mailscanner would crash attempting to process the messages.
> Some troubleshooting later and: The problem was with the file per directory limit = 32000 of the ext3. > I'm going to upgrade to ext4. > > Any ideias? Change the quarantine function to create directories per hour also? > > > Paulo > How about be really radical and delete some of the old quarantine messages? They are almost certainly not wanted by end users otherwise you would be spending your entire day releasing messages from quarantine? -- Martyn Routley -------------------------------------------------------- Invictawiz - The Internet in Plain English, Guaranteed web: http://www.invictawiz.com voip: 6000@sip.invictawiz.com phone: 0845 003 9020 Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB Co. No: 04253262 -------------------------------------------------------- From alex at rtpty.com Mon Aug 9 14:52:07 2010 From: alex at rtpty.com (Alex Neuman) Date: Mon Aug 9 14:54:52 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <4C60037D.5080309@invictawiz.com> References: <201008091102.o79B0LEY006311@safir.blacknight.ie><4C60037D.5080309@invictawiz.com> Message-ID: <1388381537-1281362079-cardhu_decombobulator_blackberry.rim.net-683657150-@bda957.bisx.prod.on.blackberry> You could run "find" with options to delete the oldest files, or you could run "ls" to list the files by date and only keep the newest 30000 or so. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Martyn Routley Sender: mailscanner-bounces@lists.mailscanner.info Date: Mon, 09 Aug 2010 14:32:45 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Quarantine problem: Ext3 directory limit to 32000 files On 09/08/2010 13:04, Paulo Roncon wrote: > Hello, > > Yesterday I got a problem with my mailscanner server. The messages stopped being processed and the mailscanner would crash attempting to process the messages. 
> Some troubleshooting later and: The problem was with the file per directory limit = 32000 of the ext3. > I'm going to upgrade to ext4. > > Any ideias? Change the quarantine function to create directories per hour also? > > > Paulo > How about be really radical and delete some of the old quarantine messages? They are almost certainly not wanted by end users otherwise you would be spending your entire day releasing messages from quarantine? -- Martyn Routley -------------------------------------------------------- Invictawiz - The Internet in Plain English, Guaranteed web: http://www.invictawiz.com voip: 6000@sip.invictawiz.com phone: 0845 003 9020 Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB Co. No: 04253262 -------------------------------------------------------- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Mon Aug 9 15:13:44 2010 From: hvdkooij at vanderkooij.org (hvdkooij) Date: Mon Aug 9 15:18:02 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <4C60037D.5080309@invictawiz.com> References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> Message-ID: On Mon, 09 Aug 2010 14:32:45 +0100, Martyn Routley wrote: > On 09/08/2010 13:04, Paulo Roncon wrote: >> Hello, >> >> Yesterday I got a problem with my mailscanner server. The messages >> stopped being processed and the mailscanner would crash attempting to >> process the messages. >> Some troubleshooting later and: The problem was with the file per >> directory limit = 32000 of the ext3. >> I'm going to upgrade to ext4. >> >> Any ideias? Change the quarantine function to create directories per >> hour also? > > How about be really radical and delete some of the old quarantine messages? 
> > They are almost certainly not wanted by end users otherwise you would be > spending your entire day releasing messages from quarantine? Perhaps the end-users can do this themselves through mailwatch or a similar solution. Or end-users need the messages to finetune the bayesian database. So that solution is probably too radical. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From bonivart at opencsw.org Mon Aug 9 15:35:39 2010 From: bonivart at opencsw.org (Peter Bonivart) Date: Mon Aug 9 15:36:10 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> Message-ID: On Mon, Aug 9, 2010 at 4:13 PM, hvdkooij wrote: > > On Mon, 09 Aug 2010 14:32:45 +0100, Martyn Routley > wrote: >> On 09/08/2010 13:04, Paulo Roncon wrote: >>> Hello, >>> >>> Yesterday I got a problem with my mailscanner server. The messages >>> stopped being processed and the mailscanner would crash attempting to >>> process the messages. >>> Some troubleshooting later and: The problem was with the file per >>> directory limit = 32000 of the ext3. >>> I'm going to upgrade to ext4. >>> >>> Any ideas? Change the quarantine function to create directories per >>> hour also? >> >> How about be really radical and delete some of the old quarantine > messages? >> >> They are almost certainly not wanted by end users otherwise you would be >> spending your entire day releasing messages from quarantine? > > Perhaps the end-users can do this themselves through mailwatch or a > similar solution. Or end-users need the messages to finetune the bayesian > database. > > So that solution is probably too radical. Especially since this guy quarantines more than 32,000 mail per day. To delete "old" stuff then is making the users have less than a day to retrieve their blocked mail. That's poor service.
His own suggestion of creating hourly catalogs sounded good to me. -- /peter From hvdkooij at vanderkooij.org Mon Aug 9 15:44:10 2010 From: hvdkooij at vanderkooij.org (hvdkooij) Date: Mon Aug 9 15:48:26 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> Message-ID: On Mon, 9 Aug 2010 16:35:39 +0200, Peter Bonivart wrote: > Especially since this guy quarantines more than 32,000 mail per day. > To delete "old" stuff then is making the users have less than a day to > retrieve their blocked mail. That's poor service. > > His own suggestion of creating hourly catalogs sounded good to me. Also keep in mind that 32000 files in a directory will be less efficient to work through. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From paul.welsh.3 at googlemail.com Mon Aug 9 15:51:22 2010 From: paul.welsh.3 at googlemail.com (Paul Welsh) Date: Mon Aug 9 15:51:32 2010 Subject: Turn off recipient messages on file size rule In-Reply-To: References: Message-ID: Hi all I posted this back on 23 July and was wondering if anyone had any comments or suggestions. Cheers Paul I have mailscanner 4.74.16 acting as a relay for an MS Exchange server. Inbound and outbound mail goes via the mailscanner server. I know the current version is 4.79 so mine's a bit old but I use Postini to do the virus and spam scanning so mailscanner has spamassassin turned off and no anti-virus scanners configured. So the mail flow for outbound is Exchange -> mailscanner -> Postini. Using sendmail on the mailscanner box and sendmail uses Postini as a smart relay host. 
I want to restrict the size of outbound Internet email only (not inbound Internet mail, not internal mail) and mailscanner's max.message.size.rules file allows considerable granularity; more than Exchange itself, despite being able to change mail size settings in several places in Exchange and Active Directory. Anyhow, it took me a while to get it working because I didn't realise I needed to set: Dangerous Content Scanning = yes Other relevant settings: Notify Senders = yes Notify Senders Of Blocked Size Attachments = yes Size Modify Subject = no The sender gets sent sender.size.report.txt because of this setting, which is just what I want: # Set where to find the messages that are delivered to the sender, when they # sent an email containing either an error, banned content, a banned filename # or a virus infection. # These can also be the filenames of rulesets. Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sender Size Report = %report-dir%/sender.size.report.txt However, the recipient of the message that's too large is getting sent the contents of deleted.size.message.txt because, presumably of the following setting, even though the comments indicate that the sender gets this message: # Set where to find the message text sent to users when one of their # attachments has been deleted from a message. # These can also be the filenames of rulesets. Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Deleted Size Message Report = %report-dir%/deleted.size.message.txt Is there a way I can prevent the recipient getting sent a message? 
Thanks Paul From peter at farrows.org Mon Aug 9 17:55:32 2010 From: peter at farrows.org (Peter Farrow) Date: Mon Aug 9 17:55:42 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> Message-ID: <4C603304.308@farrows.org> On 09/08/2010 15:44, hvdkooij wrote: > On Mon, 9 Aug 2010 16:35:39 +0200, Peter Bonivart > wrote: > > >> Especially since this guy quarantines more than 32,000 mail per day. >> To delete "old" stuff then is making the users have less than a day to >> retrieve their blocked mail. That's poor service. >> >> His own suggestion of creating hourly catalogs sounded good to me. >> > Also keep in mind that 32000 files in a directory will be less efficient > to work through. > > Hugo. > > Here is a thought: Prevention is better than cure. Why not adjust your mailscanner settings so that it quarantines more strictly, I can't possibly envisage quarantining 32000 messages being useful under any circumstances, one of my larger clients with several tens of thousands users still only gets 10 or so messages a day in the quarantine, so my guess is, rightly or wrongly, that your configuration is far too keen to quarantine and needs to throw more away, at MTA level and in Mailscanner, this is easily achievable and still keep false positives to virtually zero. P.
From martyn at invictawiz.com Mon Aug 9 18:01:14 2010 From: martyn at invictawiz.com (Martyn Routley) Date: Mon Aug 9 18:01:28 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> Message-ID: <4C60345A.4000400@invictawiz.com> On 09/08/2010 15:35, Peter Bonivart wrote: > On Mon, Aug 9, 2010 at 4:13 PM, hvdkooij wrote: >> >> On Mon, 09 Aug 2010 14:32:45 +0100, Martyn Routley >> wrote: >>> On 09/08/2010 13:04, Paulo Roncon wrote: >>>> Hello, >>>> >>>> Yesterday I got a problem with my mailscanner server. The messages >>>> stopped being processed and the mailscanner would crash attempting to >>>> process the messages. >>>> Some troubleshooting later and: The problem was with the file per >>>> directory limit = 32000 of the ext3. >>>> I'm going to upgrade to ext4. >>>> >>>> Any ideas? Change the quarantine function to create directories per >>>> hour also? >>> >>> How about be really radical and delete some of the old quarantine >> messages? >>> >>> They are almost certainly not wanted by end users otherwise you would be >>> spending your entire day releasing messages from quarantine? >> >> Perhaps the end-users can do this themselves through mailwatch or a >> similar solution. Or end-users need the messages to finetune the bayesian >> database. >> >> So that solution is probably too radical. > > Especially since this guy quarantines more than 32,000 mail per day. > To delete "old" stuff then is making the users have less than a day to > retrieve their blocked mail. That's poor service. > > His own suggestion of creating hourly catalogs sounded good to me. > Nope, his email doesn't say that he quarantines 32,000+/day. He says that he has run out of directory entries. To me, that means he has 32,000 in total over an indeterminate period, perhaps since he installed MailScanner?
-- Martyn Routley -------------------------------------------------------- Invictawiz - The Internet in Plain English, Guaranteed web: http://www.invictawiz.com voip: 6000@sip.invictawiz.com phone: 0845 003 9020 Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB Co. No: 04253262 -------------------------------------------------------- From bonivart at opencsw.org Mon Aug 9 18:22:31 2010 From: bonivart at opencsw.org (Peter Bonivart) Date: Mon Aug 9 18:23:02 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <4C60345A.4000400@invictawiz.com> References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C60345A.4000400@invictawiz.com> Message-ID: On Mon, Aug 9, 2010 at 7:01 PM, Martyn Routley wrote: > Nope, his email doesn't say that he quarantines 32,000+/day. He says > that he has run out of diretory entries. To me, that means he has 32,000 > in total over an indeterminate period, perhaps since he installed > MailScanner? Why would he himself suggest hourly catalogs as a cure then? It only makes sense if he hits 32,000 entries per day or, as you suggest, if he has 32,000 date catalogs in his quarantine catalog but that would mean he has run MailScanner for almost 100 years and I doubt that. -- /peter From jase at sensis.com Mon Aug 9 18:31:25 2010 From: jase at sensis.com (Desai, Jason) Date: Mon Aug 9 18:33:09 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <4C603304.308@farrows.org> References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> Message-ID: > >> Especially since this guy quarantines more than 32,000 mail per day. > >> To delete "old" stuff then is making the users have less than a day to > >> retrieve their blocked mail. That's poor service. > >> > >> His own suggestion of creating hourly catalogs sounded good to me. 
> >> > > Also keep in mind that 32000 files in a directory will be less efficient > > to work through. > > > > Hugo. > > > > > Here is a thought: > > Prevention is better than cure. > > Why not adjust your mailscanner settings so that it quarantines more > strictly, I can't possibly envisage quarantining 32000 messages being > useful under any circumstances, one of my larger clients with several > tens of thousands users still only gets 10 or so messages a day in the > quarantine, so my guess is, rightly or wrongly, that your configuration > is far too keen to quarantine and needs to throw more away, at MTA > level and in Mailscanner, this is easily achievable and still keep false > positives to virtually zero. Are you sure there is a limit of 32,000 files in a directory? I think there is a limit of 32,000 subdirectories. I'm not sure about 32,000 files though. Jase
- From MailScanner at ecs.soton.ac.uk Mon Aug 9 23:32:39 2010 From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Mon Aug 9 23:32:57 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> <4C608207.6080700@ecs.soton.ac.uk> Message-ID: On 09/08/2010 18:31, Desai, Jason wrote: >>>> Especially since this guy quarantines more than 32,000 mail per day. >>>> To delete "old" stuff then is making the users have less than a day to >>>> retrieve their blocked mail. That's poor service. >>>> >>>> His own suggestion of creating hourly catalogs sounded good to me. >>>> >>>> >>> Also keep in mind that 32000 files in a directory will be less efficient >>> to work through. >>> >>> Hugo. >>> >>> >>> >>> >> > Are you sure there is a limit of 32,000 files in a directory? I think there is a limit of 32,000 subdirectories. I'm not sure about 32,000 files though. > The limit is actually 32,000 links to any inode. And I have hit it too. It just hasn't caused me a major problem yet. Unfortunately counting the number of entries in a directory is a slow operation (effectively equivalent to an unsorted "ls") so I don't want to do it every time I write a file. Which is why I haven't addressed it before. Can you think of any *fast* ways of overcoming this limit? Other filesystems such as xfs handle a million or so files in a dir without breaking a sweat, it's just a severe limitation of ext3 :-( Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From peter at farrows.org Tue Aug 10 00:03:45 2010 From: peter at farrows.org (Peter Farrow) Date: Tue Aug 10 00:03:55 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> <4C608207.6080700@ecs.soton.ac.uk> Message-ID: <4C608951.7030903@farrows.org> On 09/08/2010 23:32, Jules Field wrote: > > > On 09/08/2010 18:31, Desai, Jason wrote: >>>>> Especially since this guy quarantines more than 32,000 mail per day. >>>>> To delete "old" stuff then is making the users have less than a >>>>> day to >>>>> retrieve their blocked mail. That's poor service. >>>>> >>>>> His own suggestion of creating hourly catalogs sounded good to me. >>>>> >>>> Also keep in mind that 32000 files in a directory will be less >>>> efficient >>>> to work through. >>>> >>>> Hugo. >>>> >>>> >>>> >> Are you sure there is a limit of 32,000 files in a directory? I >> think there is a limit of 32,000 subdirectories. I'm not sure about >> 32,000 files though. > The limit is actually 32,000 links to any inode. And I have hit it > too. It just hasn't caused me a major problem yet. > Unfortunately counting the number of entries in a directory is a slow > operation (effectively equivalent to an unsorted "ls") so I don't want > to do it every time I write a file. Which is why I haven't addressed > it before. > > Can you think of any *fast* ways of overcoming this limit? 
Other > filesystems such as xfs handle a million or so files in a dir without > breaking a sweat, it's just a severe limitation of ext3 :-( > > Jules > Ext4 has double the limit of ext3, backup the data, unmount the volume, reformat to ext4 copy it back, or add extra storage and mount it at the quarantine directory formatted as ext4 -- horizontal ruler Peter Farrow avatar ______________________ Home: 01249 654183 Fax: 01249 461 548 Mobile: 07799605617 Skype: peter_farrow Web: www.peterfarrow.com -------------- next part -------------- Skipped content of type multipart/related From peter at farrows.org Tue Aug 10 00:06:14 2010 From: peter at farrows.org (Peter Farrow) Date: Tue Aug 10 00:06:22 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> <4C608207.6080700@ecs.soton.ac.uk> Message-ID: <4C6089E6.2040607@farrows.org> On 09/08/2010 23:32, Jules Field wrote: > > > On 09/08/2010 18:31, Desai, Jason wrote: >>>>> Especially since this guy quarantines more than 32,000 mail per day. >>>>> To delete "old" stuff then is making the users have less than a >>>>> day to >>>>> retrieve their blocked mail. That's poor service. >>>>> >>>>> His own suggestion of creating hourly catalogs sounded good to me. >>>>> >>>> Also keep in mind that 32000 files in a directory will be less >>>> efficient >>>> to work through. >>>> >>>> Hugo. >>>> >>>> >>>> >> Are you sure there is a limit of 32,000 files in a directory? I >> think there is a limit of 32,000 subdirectories. I'm not sure about >> 32,000 files though. > The limit is actually 32,000 links to any inode. And I have hit it > too. It just hasn't caused me a major problem yet. > Unfortunately counting the number of entries in a directory is a slow > operation (effectively equivalent to an unsorted "ls") so I don't want > to do it every time I write a file. 
Which is why I haven't addressed > it before. > > Can you think of any *fast* ways of overcoming this limit? Other > filesystems such as xfs handle a million or so files in a dir without > breaking a sweat, it's just a severe limitation of ext3 :-( > > Jules > or if you're brave, convert it to ext4 on the fly with a command like this: |tune2fs -O extents,uninit_bg,dir_index /dev/ | From alex at rtpty.com Tue Aug 10 00:17:01 2010 From: alex at rtpty.com (Alex Neuman) Date: Tue Aug 10 00:19:55 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <4C6089E6.2040607@farrows.org> References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> <4C608207.6080700@ecs.soton.ac.uk> <4C6089E6.2040607@farrows.org> Message-ID: <1936035178-1281395979-cardhu_decombobulator_blackberry.rim.net-1441454218-@bda957.bisx.prod.on.blackberry> For the cautious adventurer, would this work on an otherwise "out of the box" centos 5.5? Would "auto" in fstab pick up the change? Any expected increase (or decrease) in performance? -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Peter Farrow Sender: mailscanner-bounces@lists.mailscanner.info Date: Tue, 10 Aug 2010 00:06:14 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Quarantine problem: Ext3 directory limit to 32000 files -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
From wolfgang at sweet-haven.com Tue Aug 10 00:49:38 2010 From: wolfgang at sweet-haven.com (Lew Wolfgang) Date: Tue Aug 10 00:50:23 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> <4C608207.6080700@ecs.soton.ac.uk> Message-ID: <4C609412.20601@sweet-haven.com> On 08/09/2010 03:32 PM, Jules Field wrote: > The limit is actually 32,000 links to any inode. And I have hit it too. It just hasn't caused me a major problem yet. > Unfortunately counting the number of entries in a directory is a slow operation (effectively equivalent to an unsorted "ls") so I don't want to do it every time I write a file. Which is why I haven't addressed it before. > > Can you think of any *fast* ways of overcoming this limit? Other filesystems such as xfs handle a million or so files in a dir without breaking a sweat, it's just a severe limitation of ext3 :-( We switched many years ago, first to Reiserfs and then to XFS, and haven't looked back since. Support for both comes out-of-the-box with SuSE distributions, but I don't know about the others. We even use XFS as the standard filesystem for desktops these days. Regards, Lew Wolfgang From paulo-m-roncon at ptinovacao.pt Tue Aug 10 12:25:09 2010 From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon) Date: Tue Aug 10 12:25:19 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <201008101103.o7AB0R0q001148@safir.blacknight.ie> References: <201008101103.o7AB0R0q001148@safir.blacknight.ie> Message-ID: On 09/08/2010 13:04, Paulo Roncon wrote: > Hello, > > Yesterday I got a problem with my mailscanner server. The messages stopped being processed and the mailscanner would crash attempting to process the messages. > Some troubleshooting later and: The problem was with the file per directory limit = 32000 of the ext3. > I'm going to upgrade to ext4. > > Any ideias? 
Change the quarantine function to create directories per hour also? > > > Paulo >
I think I need to clarify things:
-The 32000 messages ARE PER DAY
-I DO have a very, very, very busy server
-I DO have Bayes, AV, etc, etc, etc in place
-I have to obey client rules as to what to do with spam - to delete a message the threshold must be very high
-End users DO NOT have access to the quarantine

My post was more a warning to all of you who might have a server as busy as mine.

-A watchdog for this problem could be:
cron.d:
ls /var/spool/MailScanner/quarantine/[TODAY] | wc -l
if > 25000 then move all subdirs between 0h00AM - 4h00AM to other DIR and send notification

-Other solutions, as I already proposed, would be to extend the structure to /var/spool/MailScanner/quarantine/[TODAY]/[HOUR]
But this would have impact in MailWatch (I think... not sure) and every other script built around quarantine management
-The best, I think, would be to upgrade to EXT4.

Thanks,
Paulo

From hvdkooij at vanderkooij.org Tue Aug 10 12:23:21 2010 From: hvdkooij at vanderkooij.org (hvdkooij) Date: Tue Aug 10 12:27:39 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: <4C609412.20601@sweet-haven.com> References: <201008091102.o79B0LEY006311@safir.blacknight.ie> <4C60037D.5080309@invictawiz.com> <4C603304.308@farrows.org> <4C608207.6080700@ecs.soton.ac.uk> <4C609412.20601@sweet-haven.com> Message-ID: <38318a23ad717f5cbaac3b79de38d4fe@127.0.0.1> On Mon, 09 Aug 2010 16:49:38 -0700, Lew Wolfgang wrote: > On 08/09/2010 03:32 PM, Jules Field wrote: >> The limit is actually 32,000 links to any inode. And I have hit it too. >> It just hasn't caused me a major problem yet. >> Unfortunately counting the number of entries in a directory is a slow >> operation (effectively equivalent to an unsorted "ls") so I don't want to >> do it every time I write a file. Which is why I haven't addressed it >> before. >> >> Can you think of any *fast* ways of overcoming this limit?
Other >> filesystems such as xfs handle a million or so files in a dir without >> breaking a sweat, it's just a severe limitation of ext3 :-( > > We switched many years ago, first to Reiserfs and then to XFS, and haven't > looked back since. Support for both comes out-of-the-box with SuSE > distributions, but I don't know about the others. We even use XFS as > the standard filesystem for desktops these days. As the OP is using Centos 5 I would recommend to invest some time and choose XFS instead of EXT4. See also: http://www.google.com/search?q=centos+5+xfs I recall it being relative simple when I needed Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From paul.hutchings at mira.co.uk Wed Aug 11 08:44:17 2010 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Aug 11 08:44:30 2010 Subject: Scanning attachments for content? Message-ID: I have a box running Postfix & MailScanner. I'd like to be able to say "If a message comes from XYZ and has Word or PDF attachments and they contain the word ABC, ". I'm sure this can be done but I'm not knowledgeable enough to know how. Any pointers would be appreciated. -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. 
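Added example, not part of any archived message: a Python version of the quarantine watchdog Paulo Roncon outlines in this thread, which answers Jules Field's request for a *fast* count by reading the day directory's link count with a single stat() call instead of listing the directory. It assumes each quarantined message is a subdirectory of /var/spool/MailScanner/quarantine/[TODAY] and that [TODAY] is named YYYYMMDD; the function names and exit codes are this example's own, while the 25000 threshold and the 32000-link limit are the figures quoted in the thread.

```python
#!/usr/bin/env python3
"""Quarantine watchdog: count subdirectories from the directory link count."""
import os
import stat
import sys
import time

EXT3_LINK_MAX = 32000   # per-inode link limit quoted in the thread
WARN_AT = 25000         # warning threshold proposed in the thread
QUARANTINE = "/var/spool/MailScanner/quarantine"  # path quoted in the thread


def scan_subdir_count(path):
    """Slow path: walk every entry (the unsorted "ls" the thread wants to avoid)."""
    with os.scandir(path) as entries:
        return sum(1 for e in entries if e.is_dir(follow_symlinks=False))


def subdir_count(path):
    """Return (count, method) for the number of subdirectories of `path`.

    On ext2/ext3 and most other Unix filesystems a directory's link count is
    2 + its number of subdirectories: one link for its name in the parent,
    one for its own ".", and one for the ".." of every child directory.
    Regular files add no link to the directory that holds them, so only
    subdirectories eat into the 32000 limit.
    A link count below 2 means the filesystem does not maintain the value
    (ext4 with dir_nlink after overflow, btrfs, merged overlayfs directories),
    so fall back to scanning.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    if st.st_nlink >= 2:
        return st.st_nlink - 2, "nlink"
    return scan_subdir_count(path), "scan"


def assess(count, warn_at=WARN_AT, limit=EXT3_LINK_MAX):
    """Classify a subdirectory count as 'ok', 'warn' or 'full'."""
    max_subdirs = limit - 2          # "." and the parent's entry use two links
    if count >= max_subdirs:
        return "full"                # the next mkdir() fails with EMLINK
    if count >= warn_at:
        return "warn"
    return "ok"


def main(argv):
    # Assumption of this example: the day directory is named YYYYMMDD.
    day = argv[1] if len(argv) > 1 else time.strftime("%Y%m%d")
    path = os.path.join(QUARANTINE, day)
    try:
        count, method = subdir_count(path)
    except FileNotFoundError:
        print("OK: %s does not exist yet" % path)
        return 0
    state = assess(count)
    print("%s: %d subdirectories in %s (via %s), ext3 maximum %d"
          % (state.upper(), count, path, method, EXT3_LINK_MAX - 2))
    # Exit codes chosen for this example: 0 ok, 1 warn, 2 full.
    return {"ok": 0, "warn": 1, "full": 2}[state]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the fast path is a single stat() call, the check is cheap enough to run from cron every few minutes, or before each write to the quarantine.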
From edward.prendergast at netring.co.uk Wed Aug 11 10:40:06 2010 From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Wed Aug 11 10:38:40 2010 Subject: end-of-day digest per user messages caught Message-ID: <4C626FF6.1000503@netring.co.uk> Hi, I recall there being a feature to send a user an end-of-day email summarising any messages for them that got caught as spam. Is this a figment of my imagination or is such a feature actually available? Thanks, Edward ************ The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any action taken or omitted to be taken in reliance on it, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited and may be unlawful. If you have received this E-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer. ************ From tjones at isthmus.com Thu Aug 12 20:31:22 2010 From: tjones at isthmus.com (Thom Jones) Date: Thu Aug 12 20:31:39 2010 Subject: Redirecting after spam/virus scan Message-ID: <201008121431.22638.tjones@isthmus.com> Running MailScanner with sendmail on a CentOS 4 box. I currently have an alias file set up with sendmail that works great in redirecting email either to external recipients or as an email group (webmaster goes to multiple people for example). The problem with this setup, obviously, is that all mail gets redirected, spam and all. I've been trying to find a way to use a ruleset to do this. And I am 99.99995% sure that it can be done via that method - I just can't wrap my head around it enough to figure it out. Nor could I find a good clue in the mailing list archives. 
In MailScanner.conf, I have a ruleset specified for:
Non Spam Actions = %rules-dir%/nospam.action.rules

And in the nospam.action.rules file, I have entries similar to:
To: me@d1.com forward me@d2.com header "X-Spam-Status: No"
To: default deliver

I would think this should function to redirect email to me and simply deliver as normal to everyone else. But, instead, it seems to take any email to me and /dev/null it. Any ideas or direction? Thanks for any input!! Thom
From MailScanner at ecs.soton.ac.uk Fri Aug 13 12:14:08 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 13 12:14:21 2010 Subject: Scanning attachments for content? In-Reply-To: References: <4C652900.4080103@ecs.soton.ac.uk> Message-ID: Unfortunately, I don't know a way of doing this currently. Sorry. On 11/08/2010 08:44, Paul Hutchings wrote: > I have a box running Postfix & MailScanner. > > I'd like to be able to say "If a message comes from XYZ and has Word or > PDF attachments and they contain the word ABC,". > > I'm sure this can be done but I'm not knowledgeable enough to know how. > Any pointers would be appreciated. > > > Jules
From MailScanner at ecs.soton.ac.uk Fri Aug 13 12:16:32 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 13 12:16:50 2010 Subject: Redirecting after spam/virus scan In-Reply-To: <201008121431.22638.tjones@isthmus.com> References: <201008121431.22638.tjones@isthmus.com> <4C652990.7030100@ecs.soton.ac.uk> Message-ID: On 12/08/2010 20:31, Thom Jones wrote: > Running MailScanner with sendmail on a CentOS 4 box. I currently have an > alias file set up with sendmail that works great in redirecting email either > to external recipients or as an email group (webmaster goes to multiple people > for example). > The problem with this setup, obviously, is that all mail gets redirected, spam > and all. > I've been trying to find a way to use a ruleset to do this. And I am > 99.99995% sure that it can be done via that method - I just can't wrap my head > around it enough to figure it out. Nor could I find a good clue in the mailing > list archives. > > In MailScanner.conf, I have a ruleset specified for: > Non Spam Actions = %rules-dir%/nospam.action.rules > > And in the nospam.action.rules file, I have a entries similar to: > To: me@d1.com forward me@d2.com header "X-Spam-Status: No" > To: default deliver > > I would think this should function to redirect email to me and simply deliver > as normal to everyone else. But, instead, it seems to take any email to me > and /dev/null it > Any ideas or direction? > Not sure why it would do that. Have you tried with other addresses in place of "me@d2.com"? You might also want to add a "not-deliver" onto the long line in that ruleset too, or else it will still try to deliver to me@d1.com as well. Your "To: default deliver" line should be "FromOrTo: default deliver" as well. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Aug 13 12:17:12 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 13 12:17:27 2010 Subject: end-of-day digest per user messages caught In-Reply-To: <4C626FF6.1000503@netring.co.uk> References: <4C626FF6.1000503@netring.co.uk> <4C6529B8.1090800@ecs.soton.ac.uk> Message-ID: You would have to write a script to do this, based on logfile analysis would be the easiest way I suspect. On 11/08/2010 10:40, Edward Prendergast wrote: > Hi, > > I recall there being a feature to send a user an end-of-day email > summarising any messages for them that got caught as spam. Is this a > figment of my imagination or is such a feature actually available? > > Thanks, > Edward > > ************ > The information in this email is confidential and may be legally > privileged. > It is intended solely for the addressee. Access to this email by > anyone else > is unauthorised. If you are not the intended recipient, any action > taken or > omitted to be taken in reliance on it, any form of reproduction, > dissemination, copying, disclosure, modification, distribution and/or > publication of this E-mail message is strictly prohibited and may be > unlawful. If you have received this E-mail message in error, please > notify > us immediately. Please also destroy and delete the message from your > computer. > ************ > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Aug 13 12:18:56 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 13 12:19:16 2010 Subject: Quarantine problem: Ext3 directory limit to 32000 files In-Reply-To: References: <201008101103.o7AB0R0q001148@safir.blacknight.ie> <4C652A20.9040000@ecs.soton.ac.uk> Message-ID: But before you upgrade your filesystem to EXT4, make sure your distro actually has EXT4 filesystem support in it :-) On 10/08/2010 12:25, Paulo Roncon wrote: > On 09/08/2010 13:04, Paulo Roncon wrote: > >> Hello, >> >> Yesterday I got a problem with my mailscanner server. The messages stopped being processed and the mailscanner would crash attempting to process the messages. >> Some troubleshooting later and: The problem was with the file per directory limit = 32000 of the ext3. >> I'm going to upgrade to ext4. >> >> Any ideias? Change the quarantine function to create directories per hour also? >> >> >> Paulo >> >> > I think I need to clarify things: > -The 32000 messages ARE PER DAY > -I DO have a very, very, very busy server > -I DO have Bayes, AV, etc, etc, etc in place > -I have to obey to client rules as to what to do with spam - the delete a message the threshold must be very high > -End users DO NOT have access to the quarantine > > My post was more a warning to all of you who might have a server as busy as mine. > > -A watchdog for this problem could be: > cron.d: > ls /var/spool/MailScanner/quarantine/[TODAY] | wc -l > if> 25000 then move all subdirs between 0h00AM - 4h00AM to other DIR and send notification > > -Other solutions, as I already proposed would be to extend the structure to /var/spool/MailScanner/quarantine/[TODAY]/[HOUR] > But this would have impact in MailWatch (I think... 
not sure) and every other script built around quarantine management > -The best, I think would be to upgrade to EXT4. > > Thanks, > Paulo > > > Jules From mikael at syska.dk Fri Aug 13 12:40:46 2010 From: mikael at syska.dk (Mikael Syska) Date: Fri Aug 13 12:40:59 2010 Subject: end-of-day digest per user messages caught In-Reply-To: References: <4C6529B8.1090800@ecs.soton.ac.uk> <4C626FF6.1000503@netring.co.uk> Message-ID: Hi, Maybe you are thinking of MailWatch, I think that has a feature to mail a list of messages that have been caught. mvh Mikael Syska On Fri, Aug 13, 2010 at 1:17 PM, Julian Field wrote: > You would have to write a script to do this, based on logfile analysis would > be the easiest way I suspect. > > On 11/08/2010 10:40, Edward Prendergast wrote: >> >> Hi, >> >> I recall there being a feature to send a user an end-of-day email >> summarising any messages for them that got caught as spam. Is this a figment >> of my imagination or is such a feature actually available? >> >> Thanks, >> Edward >> >> ************ >> The information in this email is confidential and may be legally >> privileged. >> It is intended solely for the addressee. Access to this email by anyone >> else >> is unauthorised.
If you are not the intended recipient, any action taken >> or >> omitted to be taken in reliance on it, any form of reproduction, >> dissemination, copying, disclosure, modification, distribution and/or >> publication of this E-mail message is strictly prohibited and may be >> unlawful. If you have received this E-mail message in error, please notify >> us immediately. Please also destroy and delete the message from your >> computer. >> ************ >> > > Jules From edward.prendergast at netring.co.uk Fri Aug 13 13:18:06 2010 From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Fri Aug 13 13:16:47 2010 Subject: end-of-day digest per user messages caught In-Reply-To: References: <4C6529B8.1090800@ecs.soton.ac.uk> <4C626FF6.1000503@netring.co.uk> Message-ID: <4C6537FE.6050103@netring.co.uk> On 13/08/2010 12:40, Mikael Syska wrote: > Hi, > > Maybe you are thinking of MailWatch, think that have a feature to mail > a list of messages that have been caught.
> > mvh > Mikael Syska > > On Fri, Aug 13, 2010 at 1:17 PM, Julian Field > wrote: >> You would have to write a script to do this, based on logfile analysis would >> be the easiest way I suspect. >> >> On 11/08/2010 10:40, Edward Prendergast wrote: >>> Hi, >>> >>> I recall there being a feature to send a user an end-of-day email >>> summarising any messages for them that got caught as spam. Is this a figment >>> of my imagination or is such a feature actually available? >>> >>> Thanks, >>> Edward Julian - thanks for your feedback. Mikael - ah yes that's it! In MailWatch you can add a new user, then under 'Quarantine Report:' you can check 'Send Daily Report?'. Thanks. From sandrews at andrewscompanies.com Fri Aug 13 14:03:53 2010 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Fri Aug 13 14:04:03 2010 Subject: recipient notification on blocked files Message-ID: We get a ton of bogus exe files inside of zip files and of course that generates a blocked filename notification to the end user. Is there a way to NOT notify for certain file types? We'll never accept an exe so I don't really care to notify for it. Steven R. Andrews, President Andrews Companies Incorporated Small Business Information Technology Consultants sandrews@andrewscompanies.com Phone: 317.536.1807 "If your only tool is a hammer, every problem looks like a nail."
From MailScanner at ecs.soton.ac.uk Fri Aug 13 14:35:00 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 13 14:35:16 2010 Subject: recipient notification on blocked files In-Reply-To: References: <4C654A04.9060303@ecs.soton.ac.uk> Message-ID: Look in the top of the example filename.rules.conf or filetype.rules.conf file. Instead of "allow" or "deny" you can put "deny+delete" which will do what you want, if my memory serves me correctly. Jules. On 13/08/2010 14:03, Steven Andrews wrote: > > We get a ton of bogus exe files inside of zip files and of course that > generates a blocked filename notification to the end user. Is there a > way to NOT notify for certain file types? We'll never accept an exe so > I don't really care to notify for it. > > *Steven R. Andrews*, President > Andrews Companies Incorporated > /Small Business Information Technology Consultants/ > sandrews@andrewscompanies.com > Phone: 317.536.1807 > > "If your only tool is a hammer, every problem looks like a nail." > Jules
From sandrews at andrewscompanies.com Fri Aug 13 15:10:16 2010 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Fri Aug 13 15:10:27 2010 Subject: recipient notification on blocked files In-Reply-To: References: <4C654A04.9060303@ecs.soton.ac.uk> Message-ID: Yes, it does serve you correctly. This is perfect. Thanks! -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, August 13, 2010 9:35 AM To: MailScanner discussion Subject: Re: recipient notification on blocked files Look in the top of the example filename.rules.conf or filetype.rules.conf file. Instead of "allow" or "deny" you can put "deny+delete" which will do what you want, if my memory serves me correctly. Jules. On 13/08/2010 14:03, Steven Andrews wrote: > > We get a ton of bogus exe files inside of zip files and of course that > generates a blocked filename notification to the end user. Is there > way to NOT notify for certain file types? We'll never except an exe so > I don't really care to notify for it. > > *Steven R. Andrews*, President > Andrews Companies Incorporated > /Small Business Information Technology Consultants/ > sandrews@andrewscompanies.com > Phone: 317.536.1807 > > "If your only tool is a hammer, every problem looks like a nail." > Jules
From tjones at isthmus.com Fri Aug 13 15:30:18 2010 From: tjones at isthmus.com (Thom Jones) Date: Fri Aug 13 15:30:41 2010 Subject: Redirecting after spam/virus scan In-Reply-To: References: <201008121431.22638.tjones@isthmus.com> <4C652990.7030100@ecs.soton.ac.uk> Message-ID: <201008130930.18233.tjones@isthmus.com> On Friday 13 August 2010 06:16:32 am Julian Field wrote: > > In MailScanner.conf, I have a ruleset specified for: > > Non Spam Actions = %rules-dir%/nospam.action.rules > > > > And in the nospam.action.rules file, I have a entries similar to: > > To: me@d1.com forward me@d2.com header "X-Spam-Status: > > No" To: default deliver > > > > I would think this should function to redirect email to me and simply > > deliver as normal to everyone else. But, instead, it seems to take any > > email to me and /dev/null it > > Any ideas or direction? > > Not sure why it would do that. Have you tried with other addresses in > place of "me@d2.com"? > You might also want to add a "not-deliver" onto the long line in that > ruleset too, or else it will still try to deliver to me@d1.com as well. > Your "To: default deliver" line should be "FromOrTo: default deliver" as > well. Thanks, Jules - now things seem to be better so maybe it was the FromOrTo syntax (or I had something punctuated badly!). I am getting delivery still to both the original and the forwarded addresses - should 'not-deliver' actually be 'delete' in the ruleset?
-- Stress is when you wake up screaming & you realize you haven't fallen asleep yet From sandrews at andrewscompanies.com Fri Aug 13 15:41:50 2010 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Fri Aug 13 15:42:00 2010 Subject: recipient notification on blocked files In-Reply-To: References: <4C654A04.9060303@ecs.soton.ac.uk> Message-ID: Hmmmm....I tried deny+delete in filename.rules.conf AND filetype.rules.conf and the message still flows to the user. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Friday, August 13, 2010 9:35 AM To: MailScanner discussion Subject: Re: recipient notification on blocked files Look in the top of the example filename.rules.conf or filetype.rules.conf file. Instead of "allow" or "deny" you can put "deny+delete" which will do what you want, if my memory serves me correctly. Jules. On 13/08/2010 14:03, Steven Andrews wrote: > > We get a ton of bogus exe files inside of zip files and of course that > generates a blocked filename notification to the end user. Is there > way to NOT notify for certain file types? We'll never except an exe so > I don't really care to notify for it. > > *Steven R. Andrews*, President > Andrews Companies Incorporated > /Small Business Information Technology Consultants/ > sandrews@andrewscompanies.com > Phone: 317.536.1807 > > "If your only tool is a hammer, every problem looks like a nail." > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Fri Aug 13 16:23:12 2010 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 13 16:23:30 2010 Subject: recipient notification on blocked files In-Reply-To: References: <4C654A04.9060303@ecs.soton.ac.uk> <4C656360.1020004@ecs.soton.ac.uk> Message-ID: It might just delete the attachment, not the whole message. The bogus exe files inside zip files should be caught by your virus scanner anyway. Jules. On 13/08/2010 15:41, Steven Andrews wrote: > Hmmmm....I tried deny+delete in filename.rules.conf AND filetype.rules.conf and the message still flows to the user. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Friday, August 13, 2010 9:35 AM > To: MailScanner discussion > Subject: Re: recipient notification on blocked files > > Look in the top of the example filename.rules.conf or > filetype.rules.conf file. > Instead of "allow" or "deny" you can put "deny+delete" which will do > what you want, if my memory serves me correctly. > > Jules. > > On 13/08/2010 14:03, Steven Andrews wrote: > >> We get a ton of bogus exe files inside of zip files and of course that >> generates a blocked filename notification to the end user. Is there >> way to NOT notify for certain file types? We'll never except an exe so >> I don't really care to notify for it. >> >> *Steven R. 
Andrews*, President >> Andrews Companies Incorporated >> /Small Business Information Technology Consultants/ >> sandrews@andrewscompanies.com >> Phone: 317.536.1807 >> >> "If your only tool is a hammer, every problem looks like a nail." >> >> > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM and twitter.com/MailScanner > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ka at pacific.net Fri Aug 13 16:24:32 2010
From: ka at pacific.net (Ken A)
Date: Fri Aug 13 16:24:44 2010
Subject: Quarantine problem: Ext3 directory limit to 32000 files
In-Reply-To:
References: <201008101103.o7AB0R0q001148@safir.blacknight.ie>
Message-ID: <4C6563B0.4020403@pacific.net>

On 8/10/2010 6:25 AM, Paulo Roncon wrote:
> On 09/08/2010 13:04, Paulo Roncon wrote:
>> Hello,
>>
>> Yesterday I got a problem with my mailscanner server. The messages stopped being processed and the mailscanner would crash attempting to process the messages.
>> Some troubleshooting later and: The problem was with the file per directory limit = 32000 of the ext3.
>> I'm going to upgrade to ext4.
>>
>> Any ideas? Change the quarantine function to create directories per hour also?
>>
>>
>> Paulo
>>
>
> I think I need to clarify things:
> -The 32000 messages ARE PER DAY
> -I DO have a very, very, very busy server
> -I DO have Bayes, AV, etc, etc, etc in place
> -I have to obey to client rules as to what to do with spam - the delete a message the threshold must be very high
> -End users DO NOT have access to the quarantine
>
> My post was more a warning to all of you who might have a server as busy as mine.
>
> -A watchdog for this problem could be:
> cron.d:
> ls /var/spool/MailScanner/quarantine/[TODAY] | wc -l
> if > 25000 then move all subdirs between 0h00AM - 4h00AM to other DIR and send notification
>
> -Other solutions, as I already proposed would be to extend the structure to /var/spool/MailScanner/quarantine/[TODAY]/[HOUR]
> But this would have impact in MailWatch (I think... not sure) and every other script built around quarantine management
> -The best, I think would be to upgrade to EXT4.

"Quarantine Dir - # This can also be the filename of a ruleset."
So, you could just use MailScanner to put them in various dirs based on To: or whatever, right? You'd have to modify MailWatch if it didn't handle rulesets here. Maybe I'm missing something?
Ken

>
> Thanks,
> Paulo
>
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From doc at maddoc.net Fri Aug 13 16:25:11 2010
From: doc at maddoc.net (Doc Schneider)
Date: Fri Aug 13 16:25:21 2010
Subject: [Clamav-announce] announcing ClamAV 0.96.2]
Message-ID: <4C6563D7.1020201@maddoc.net>

FYI

ClamAV 0.96.2 has been released. This version brings a new PDF parser, performance and memory improvements, and a number of bugfixes and minor enhancements. All users are recommended to upgrade.

--
-Doc
Lincoln, NE.
http://www.fsl.com/
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From MailScanner at ecs.soton.ac.uk Fri Aug 13 17:16:17 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Aug 13 17:16:29 2010
Subject: Quarantine problem: Ext3 directory limit to 32000 files
In-Reply-To: <4C6563B0.4020403@pacific.net>
References: <201008101103.o7AB0R0q001148@safir.blacknight.ie> <4C6563B0.4020403@pacific.net> <4C656FD1.70606@ecs.soton.ac.uk>
Message-ID:

On 13/08/2010 16:24, Ken A wrote:
>
>
> On 8/10/2010 6:25 AM, Paulo Roncon wrote:
>> On 09/08/2010 13:04, Paulo Roncon wrote:
>>> Hello,
>>>
>>> Yesterday I got a problem with my mailscanner server. The messages
>>> stopped being processed and the mailscanner would crash attempting
>>> to process the messages.
>>> Some troubleshooting later and: The problem was with the file per
>>> directory limit = 32000 of the ext3.
>>> I'm going to upgrade to ext4.
>>>
>>> Any ideas? Change the quarantine function to create directories per
>>> hour also?
>>>
>>>
>>> Paulo
>>>
>>
>> I think I need to clarify things:
>> -The 32000 messages ARE PER DAY
>> -I DO have a very, very, very busy server
>> -I DO have Bayes, AV, etc, etc, etc in place
>> -I have to obey to client rules as to what to do with spam - the
>> delete a message the threshold must be very high
>> -End users DO NOT have access to the quarantine
>>
>> My post was more a warning to all of you who might have a server as
>> busy as mine.
>>
>> -A watchdog for this problem could be:
>> cron.d:
>> ls /var/spool/MailScanner/quarantine/[TODAY] | wc -l
>> if > 25000 then move all subdirs between 0h00AM - 4h00AM to other DIR
>> and send notification
>>
>> -Other solutions, as I already proposed would be to extend the
>> structure to /var/spool/MailScanner/quarantine/[TODAY]/[HOUR]
>> But this would have impact in MailWatch (I think... not sure) and
>> every other script built around quarantine management
>> -The best, I think would be to upgrade to EXT4.
>
> "Quarantine Dir - # This can also be the filename of a ruleset."
> So, you could just use MailScanner to put them in various dirs based
> on To: or whatever, right? You'd have to modify MailWatch if it didn't
> handle rulesets here. Maybe I'm missing something?

A Custom Function would be better, but I have just added the "_HOUR_" token to the list of available tokens in the settings for "Archive Mail", "Spam Actions", "High-Scoring Spam Actions" and "Non-Spam Actions". This will be in the next release, which I can do for you tomorrow if you like.

Should solve your problem quite neatly.

Jules
From sandrews at andrewscompanies.com Fri Aug 13 18:41:10 2010
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Fri Aug 13 18:41:20 2010
Subject: recipient notification on blocked files
In-Reply-To:
References: <4C654A04.9060303@ecs.soton.ac.uk> <4C656360.1020004@ecs.soton.ac.uk>
Message-ID:

They're not caught by clam, well, when they're actual viruses, yes; but we get a fair amount come in that are caught as bad content. It does block the file, but the message, sans attachment, flows to the recipient.

Looking for a way to make it NOT flow to the recipient.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, August 13, 2010 11:23 AM
To: MailScanner discussion
Subject: Re: recipient notification on blocked files

It might just delete the attachment, not the whole message.
The bogus exe files inside zip files should be caught by your virus scanner anyway.

Jules.

On 13/08/2010 15:41, Steven Andrews wrote:
> Hmmmm....I tried deny+delete in filename.rules.conf AND filetype.rules.conf and the message still flows to the user.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Friday, August 13, 2010 9:35 AM
> To: MailScanner discussion
> Subject: Re: recipient notification on blocked files
>
> Look in the top of the example filename.rules.conf or
> filetype.rules.conf file.
> Instead of "allow" or "deny" you can put "deny+delete" which will do
> what you want, if my memory serves me correctly.
>
> Jules.
>
> On 13/08/2010 14:03, Steven Andrews wrote:
>
>> We get a ton of bogus exe files inside of zip files and of course that
>> generates a blocked filename notification to the end user. Is there
>> a way to NOT notify for certain file types? We'll never accept an exe so
>> I don't really care to notify for it.
>>
>> *Steven R.
Andrews*, President
>> Andrews Companies Incorporated
>> /Small Business Information Technology Consultants/
>> sandrews@andrewscompanies.com
>> Phone: 317.536.1807
>>
>> "If your only tool is a hammer, every problem looks like a nail."
>>
> Jules

Jules
From MailScanner at ecs.soton.ac.uk Sun Aug 15 14:15:00 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Aug 15 14:15:18 2010
Subject: 4.81.3 released
References: <4C67E854.4020506@ecs.soton.ac.uk>
Message-ID:

I have just released a new beta, 4.81.3.

The only notable change from the previous beta is the addition of a new token keyword available in the paths for "Archive Mail", "Spam Actions", "High-Scoring Spam Actions" and "Non-Spam Actions".
The new keyword is "_HOUR_" which is the number of the hour in which MailScanner received the message, padded with a leading zero if necessary to make it 2 digits.

This is to work around a problem caused by limitations in the ext3 and ext4 filesystems on busy MailScanner servers, where you are quarantining or archiving messages and you have more than 32,000 messages (or 64,000 on ext4) archived in any one day.

By storing separate hours in different directories, you raise the maximum limit of archived/quarantined messages from 32,000 to 768,000 messages per day (or 1.5 million messages per day on ext4).

If you still need more than that, then you will need to write a Custom Function that uses extra information to increase the number of directories in which a day's messages are stored.

Download as usual from www.mailscanner.info.
This will become a stable release in a few days unless anyone reports any problems, which I will fix immediately.

Jules
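
Added example (not part of the original posts and not MailScanner code): a cron-style watchdog in the spirit of the "ls | wc -l" check proposed earlier in this thread, usable on the flat per-day layout or on per-hour directories. The 32000 and 25000 figures are the ones quoted in the thread; the YYYYMMDD day-directory name and the function names are assumptions.

```shell
#!/bin/sh
# Quarantine directory watchdog. Added example, not MailScanner code.
# LIMIT and WARN_AT are the figures quoted in the thread (the reported
# 32000-per-directory limit and the proposed 25000 alert level).
# Assumption: day directories are named YYYYMMDD under the quarantine path.

LIMIT="${LIMIT:-32000}"
WARN_AT="${WARN_AT:-25000}"

# count_entries DIR: print the number of entries directly inside DIR.
# A directory that does not exist yet (e.g. just after midnight) counts as 0.
count_entries() {
    if [ -d "$1" ]; then
        # find does not sort and includes dot-entries, unlike plain "ls".
        find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# classify COUNT: print OK, WARN (at or above WARN_AT) or FULL (at or above LIMIT).
classify() {
    if [ "$1" -ge "$LIMIT" ]; then
        echo FULL
    elif [ "$1" -ge "$WARN_AT" ]; then
        echo WARN
    else
        echo OK
    fi
}

# check_dirs DIR...: print "STATUS COUNT DIR" for each directory.
# Returns 1 if any directory is WARN or FULL, so cron or a monitoring
# agent can alert before the scanner starts failing.
check_dirs() {
    rc=0
    for dir in "$@"; do
        n=$(count_entries "$dir")
        status=$(classify "$n")
        echo "$status $n $dir"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Stand-alone use: check the directories given as arguments (for example the
# per-hour directories), or today's day directory if none are given.
[ "$#" -gt 0 ] || set -- "/var/spool/MailScanner/quarantine/$(date +%Y%m%d)"
check_dirs "$@"
```

Run it from cron and alert on a non-zero exit status; the WARN margin gives time to act before a directory reaches the limit.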
From hvdkooij at vanderkooij.org Sun Aug 15 15:02:58 2010
From: hvdkooij at vanderkooij.org (hvdkooij)
Date: Sun Aug 15 15:07:25 2010
Subject: recipient notification on blocked files
In-Reply-To:
References: <4C654A04.9060303@ecs.soton.ac.uk> <4C656360.1020004@ecs.soton.ac.uk>
Message-ID:

On Fri, 13 Aug 2010 13:41:10 -0400, Steven Andrews wrote:
> They're not caught by clam, well, when they're actual viruses, yes; but we
> get a fair amount come in that are caught as bad content. It does block
> the file, but the message, sans attachment, flows to the recipient.
>
> Looking for a way to make it NOT flow to the recipient.

Write your own small script to detect them and use that script as a virusfilter.

Hugo.

PS: I think it would be nice if people could remove non essential stuff from their replies. (7Kb to add this little content seems a bit like overkill.)

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From noel.butler at ausics.net Sun Aug 15 23:35:56 2010
From: noel.butler at ausics.net (Noel Butler)
Date: Sun Aug 15 23:36:13 2010
Subject: 4.81.3 released
In-Reply-To:
References: <4C67E854.4020506@ecs.soton.ac.uk>
Message-ID: <1281911756.10275.2.camel@tardis>

On Sun, 2010-08-15 at 14:15 +0100, Jules Field wrote:
> I have just released a new beta, 4.81.3.
>
> The only notable change from the previous beta is the addition of a new
> token keyword available in the paths for "Archive Mail", "Spam Actions",
> "High-Scoring Spam Actions" and "Non-Spam Actions".
> The new keyword is "_HOUR_" which is the number of the hour in which
> MailScanner received the message, padded with a leading zero if
> necessary to make it 2 digits.

Thanks for this
From mrebsamen at unimatrix0.ch Mon Aug 16 13:18:17 2010
From: mrebsamen at unimatrix0.ch (Marco Rebsamen)
Date: Mon Aug 16 13:23:14 2010
Subject: Mailsystem Migration
Message-ID:

Hello Everybody

I'm currently migrating my Mail System from Suse 10.3 to 11.3. I'm really confused about the Spamassassin stuff. I can't figure out what I need to move and where I have to place it.

I would appreciate if someone could give me advice on how to figure this out, or even can tell me what I have to move.

Thanks

From jaearick at colby.edu Mon Aug 16 18:32:11 2010
From: jaearick at colby.edu (Jeff Earickson)
Date: Mon Aug 16 18:32:43 2010
Subject: upgrading MailScanner via rpm, stupid question.
Message-ID:

Julian,

I am moving from Solaris with tar files to Redhat with rpms. When I upgrade MailScanner, do I do an "rpm -e" of the previous MailScanner version, or just go ahead and run install.sh for the new version and overlay (?) the MailScanner version?

Jeff Earickson
Colby College

From lists at macscr.com Mon Aug 16 19:07:15 2010
From: lists at macscr.com (Mark Chaney)
Date: Mon Aug 16 19:06:40 2010
Subject: missing Mail::ClamAV
Message-ID: <4C697E53.9070003@macscr.com>

When I checked the MailScanner version this morning I noticed a few perl modules were missing, such as:

missing IP::Country
missing Mail::ClamAV
missing Mail::SPF::Quer
missing Parse::RecDescent
missing SAVI
missing Test::Manifest
missing Mail::SPF::Query
missing Inline
missing Encode::Detect
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
missing Test::Pod

What really bothered me was the missing ClamAV one. Because that module is missing, is my MailScanner setup lacking ClamAV support?
Also, should I be installing the rest of those as well?

Thanks,
Mark

From alex at rtpty.com Mon Aug 16 19:18:49 2010
From: alex at rtpty.com (Alex Neuman)
Date: Mon Aug 16 19:19:04 2010
Subject: missing Mail::ClamAV
In-Reply-To: <4C697E53.9070003@macscr.com>
References: <4C697E53.9070003@macscr.com>
Message-ID:

Mail::ClamAV is only needed AFAIK if you're using clamavmodule, which is also, AFAIK, deprecated in favor of using clamd.

On Aug 16, 2010, at 1:07 PM, Mark Chaney wrote:

> When I checked the MailScanner version this morning I noticed a few perl modules were missing, such as:
>
> missing IP::Country
> missing Mail::ClamAV
> missing Mail::SPF::Quer
> missing Parse::RecDescent
> missing SAVI
> missing Test::Manifest
> missing Mail::SPF::Query
> missing Inline
> missing Encode::Detect
> missing Business::ISBN
> missing Business::ISBN::Data
> missing Data::Dump
> missing Test::Pod
>
> What really bothered me was the missing ClamAV one. Because that module is missing, is my MailScanner setup lacking ClamAV support? Also, should I be installing the rest of those as well?
>
> Thanks,
> Mark

From Kevin_Miller at ci.juneau.ak.us Mon Aug 16 19:39:12 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Aug 16 19:39:25 2010
Subject: Mailsystem Migration
In-Reply-To:
References:
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D1873A@city-exchange07>

Hi Marco,

You shouldn't have to move anything, unless you've created your own rules, or are using 3rd party rules such as the KAM ruleset. Your local spamassassin files normally live in /etc/mail/spamassassin. Check there - anything that isn't part of the stock installation will (should) be there and can be copied over.
When I'm building a new MailScanner gateway I generally copy the existing /etc/MailScanner and /etc/mail/spamassassin directory over to the new machine. Then I install Jules' ClamAV & Spamassassin combo package. That makes upgrading easier as he's more consistent to release an install package when a newer version comes out than openSUSE is. If you don't have any home rolled rules in the spamassassin directory you probably don't need to copy it.

Next I install the latest MailScanner package for SUSE. The advantage of copying the files over first before the install is the install routine will see the old .conf files, and use them. If there are changes you'll get the .rpmnew files created. Makes editing the .conf files much easier. The install routine will create the appropriate hooks to spamassassin

Spamassassin itself will be installed in /var/lib/spamassassin/X.00Y00Z where XYZ is the version numbers. You shouldn't need to do anything with that.

Be sure to run sa-update after you install spamassassin so that it pulls down the rules. They aren't installed by default IIRC.

Hope this helps...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marco Rebsamen
Sent: Monday, August 16, 2010 4:18 AM
To: mailscanner@lists.mailscanner.info
Subject: Mailsystem Migration

Hello Everybody

I'm currently migrating my Mail System from Suse 10.3 to 11.3. I'm really confused about the Spamassassin stuff. I can't figure out what I need to move and where I have to place it.

I would appreciate if someone could give me advice on how to figure this out, or even can tell me what I have to move.
Thanks

From mrebsamen at unimatrix0.ch Tue Aug 17 14:14:05 2010
From: mrebsamen at unimatrix0.ch (Marco Rebsamen)
Date: Tue Aug 17 14:17:40 2010
Subject: AW: Mailsystem Migration
References: <4A09477D575C2C4B86497161427DD94C15B0D1873A@city-exchange07>
Message-ID:

Hi Kevin

So you say everything I need is in /etc/mail/spamassassin? Also the things I taught it with sa-learn?

Greets
Marco

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Monday, 16 August 2010 20:39
To: 'MailScanner discussion'
Subject: RE: Mailsystem Migration

Hi Marco,

You shouldn't have to move anything, unless you've created your own rules, or are using 3rd party rules such as the KAM ruleset. Your local spamassassin files normally live in /etc/mail/spamassassin. Check there - anything that isn't part of the stock installation will (should) be there and can be copied over.

When I'm building a new MailScanner gateway I generally copy the existing /etc/MailScanner and /etc/mail/spamassassin directory over to the new machine. Then I install Jules' ClamAV & Spamassassin combo package. That makes upgrading easier as he's more consistent to release an install package when a newer version comes out than openSUSE is. If you don't have any home rolled rules in the spamassassin directory you probably don't need to copy it.

Next I install the latest MailScanner package for SUSE. The advantage of copying the files over first before the install is the install routine will see the old .conf files, and use them. If there are changes you'll get the .rpmnew files created. Makes editing the .conf files much easier. The install routine will create the appropriate hooks to spamassassin

Spamassassin itself will be installed in /var/lib/spamassassin/X.00Y00Z where XYZ is the version numbers. You shouldn't need to do anything with that.
Be sure to run sa-update after you install spamassassin so that it pulls down the rules. They aren't installed by default IIRC.

Hope this helps...

...Kevin

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Marco Rebsamen
Sent: Monday, August 16, 2010 4:18 AM
To: mailscanner@lists.mailscanner.info
Subject: Mailsystem Migration

Hello Everybody

I'm currently migrating my Mail System from Suse 10.3 to 11.3. I'm really confused about the Spamassassin stuff. I can't figure out what I need to move and where I have to place it.

I would appreciate if someone could give me advice on how to figure this out, or even can tell me what I have to move.

Thanks

From Kevin_Miller at ci.juneau.ak.us Tue Aug 17 18:08:17 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Aug 17 18:08:32 2010
Subject: Mailsystem Migration
In-Reply-To:
References: <4A09477D575C2C4B86497161427DD94C15B0D1873A@city-exchange07>
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D1873F@city-exchange07>

Marco Rebsamen wrote:
> Hi Kevin
>
> So you say everything I need is in /etc/mail/spamassassin? Also the
> things I taught it with sa-learn?

Mostly. Since you're using MailScanner, I presume you also have a bayes database where the spamassassin data is stored.
Per recommended practice, I keep mine in /etc/MailScanner/bayes/ so, as I mentioned below, if you copy over your entire /etc/MailScanner directory before installing (in addition to the /etc/mail/spamassassin directory) the bayes data will come with it. If your bayes data is located in another location, such as /var/spool/bayes or somewhere like that you'll need to copy that over. Look in your existing mailscanner.cf file (aka spam.assassin.prefs.conf) and search for bayes_path. That will tell you where you're storing your bayes (spamassassin data) database. Be sure to copy it over as well.

Note that I'm using sendmail, hence the /etc/mail directory. SUSE now defaults to Postfix, so I'm not sure what the directory structure looks like for that. I'd expect however that the spamassassin directory will be located under whatever it uses in the /etc/ directory. Perhaps a Postfix user could chime in here if it is much different.

> Greets Marco
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Kevin Miller
> Sent: Monday, 16 August 2010 20:39
> To: 'MailScanner discussion'
> Subject: RE: Mailsystem Migration
>
> Hi Marco,
>
> You shouldn't have to move anything, unless you've created your own
> rules, or are using 3rd party rules such as the KAM ruleset. Your
> local spamassassin files normally live in /etc/mail/spamassassin.
> Check there - anything that isn't part of the stock installation will
> (should) be there and can be copied over.
>
> When I'm building a new MailScanner gateway I generally copy the
> existing /etc/MailScanner and /etc/mail/spamassassin directory over
> to the new machine. Then I install Jules' ClamAV & Spamassassin
> combo package. That makes upgrading easier as he's more consistent
> to release an install package when a newer version comes out than
> openSUSE is.
If you don't have any home rolled rules in the
> spamassassin directory you probably don't need to copy it.
>
> Next I install the latest MailScanner package for SUSE. The
> advantage of copying the files over first before the install is the
> install routine will see the old .conf files, and use them. If there
> are changes you'll get the .rpmnew files created. Makes editing the
> .conf files much easier. The install routine will create the
> appropriate hooks to spamassassin
>
> Spamassassin itself will be installed in
> /var/lib/spamassassin/X.00Y00Z where XYZ is the version numbers. You
> shouldn't need to do anything with that.
>
> Be sure to run sa-update after you install spamassassin so that it
> pulls down the rules. They aren't installed by default IIRC.
>

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From sandrews at andrewscompanies.com Tue Aug 17 18:32:18 2010
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Tue Aug 17 18:32:30 2010
Subject: recipient notification on blocked files
In-Reply-To:
References: <4C654A04.9060303@ecs.soton.ac.uk> <4C656360.1020004@ecs.soton.ac.uk>
Message-ID:

I was able to somewhat get this to do what I wanted. Instead of using deny+delete, I used an email address instead and I'm sending a select few of these (exe and com) to another email address, that I just dump the contents of.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews
Sent: Friday, August 13, 2010 1:41 PM
To: 'MailScanner discussion'
Subject: RE: recipient notification on blocked files

They're not caught by clam, well, when they're actual viruses, yes; but we get a fair amount come in that are caught as bad content. It does block the file, but the message, sans attachment, flows to the recipient.
Looking for a way to make it NOT flow to the recipient.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, August 13, 2010 11:23 AM
To: MailScanner discussion
Subject: Re: recipient notification on blocked files

It might just delete the attachment, not the whole message.
The bogus exe files inside zip files should be caught by your virus scanner anyway.

Jules.

On 13/08/2010 15:41, Steven Andrews wrote:
> Hmmmm....I tried deny+delete in filename.rules.conf AND filetype.rules.conf and the message still flows to the user.
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Friday, August 13, 2010 9:35 AM
> To: MailScanner discussion
> Subject: Re: recipient notification on blocked files
>
> Look in the top of the example filename.rules.conf or
> filetype.rules.conf file.
> Instead of "allow" or "deny" you can put "deny+delete" which will do
> what you want, if my memory serves me correctly.
>
> Jules.
>
> On 13/08/2010 14:03, Steven Andrews wrote:
>
>> We get a ton of bogus exe files inside of zip files and of course that
>> generates a blocked filename notification to the end user. Is there
>> a way to NOT notify for certain file types? We'll never accept an exe so
>> I don't really care to notify for it.
>>
>> *Steven R. Andrews*, President
>> Andrews Companies Incorporated
>> /Small Business Information Technology Consultants/
>> sandrews@andrewscompanies.com
>> Phone: 317.536.1807
>>
>> "If your only tool is a hammer, every problem looks like a nail."
>>
> Jules
Jules
From lists at macscr.com Wed Aug 18 07:55:00 2010
From: lists at macscr.com (Mark Chaney)
Date: Wed Aug 18 07:54:06 2010
Subject: exclude email address from scanning/logging
Message-ID: <4C6B83C4.6000403@macscr.com>

Ok, so I set up the following in /etc/MailScanner/rules/scan.messages.rules:

From test@yourdomain.com no
FromOrTo: default yes

Then restarted mailscanner, but it doesn't seem to make a difference, I still saw the email logged in "mailwatch". In my MailScanner.conf, I do have:

Scan Messages = %rules-dir%/scan.messages.rules

Any ideas on what I am doing wrong? My end game is to process the email with script before piping it back to another email address so that it's analyzed with mailscanner with the new changes.

Thanks,
Mark

From stef at aoc-uk.com Wed Aug 18 12:30:30 2010
From: stef at aoc-uk.com (Stef Morrell)
Date: Wed Aug 18 12:30:44 2010
Subject: exclude email address from scanning/logging
In-Reply-To:
References:
Message-ID: <201008181130.o7IBUa3u018653@safir.blacknight.ie>

Mark Chaney wrote:
> Ok, so I set up the following in
> /etc/MailScanner/rules/scan.messages.rules:
>
> From test@yourdomain.com no
> FromOrTo: default yes

If that's a direct cut and paste, you are missing a colon after the first 'From'.

> Then restarted mailscanner, but it doesn't seem to make a
> difference, I still saw the email logged in "mailwatch". In
> my MailScanner.conf, I do have:
>
> Scan Messages = %rules-dir%/scan.messages.rules

Mailwatch will log any message which passes through MailScanner, including those specifically excluded in a 'Scan Messages' ruleset. You should see it logged as clean with a blank SA score.

Stef

From lists at macscr.com Wed Aug 18 14:20:09 2010
From: lists at macscr.com (Mark Chaney)
Date: Wed Aug 18 14:19:11 2010
Subject: exclude email address from scanning/logging
In-Reply-To: <201008181130.o7IBUa3u018653@safir.blacknight.ie>
References: <201008181130.o7IBUa3u018653@safir.blacknight.ie>
Message-ID: <4C6BDE09.4080607@macscr.com>

Unfortunately that's not a cut and paste, so I don't have that mistake in my rules. Also, from what I have read, that exclude list is supposed to have it completely bypass mailscanner and not be included in the scans. Though that doesn't seem to be the case. If that's not the way to do it, what way is?

Thanks,
Mark

On 08/18/2010 06:30 AM, Stef Morrell wrote:
> Mark Chaney wrote:
>> Ok, so I set up the following in
>> /etc/MailScanner/rules/scan.messages.rules:
>>
>> From test@yourdomain.com no
>> FromOrTo: default yes
> If that's a direct cut and paste, you are missing a colon after the
> first 'From'.
>
>> Then restarted mailscanner, but it doesn't seem to make a
>> difference, I still saw the email logged in "mailwatch". In
>> my MailScanner.conf, I do have:
>>
>> Scan Messages = %rules-dir%/scan.messages.rules
> Mailwatch will log any message which passes through MailScanner,
> including those specifically excluded in a 'Scan Messages' ruleset. You
> should see it logged as clean with a blank SA score.
>
> Stef

From stef at aoc-uk.com Wed Aug 18 14:33:51 2010
From: stef at aoc-uk.com (Stef Morrell)
Date: Wed Aug 18 14:34:06 2010
Subject: exclude email address from scanning/logging
In-Reply-To:
References: <201008181130.o7IBUa3u018653@safir.blacknight.ie>
Message-ID: <201008181334.o7IDXxq6024359@safir.blacknight.ie>

Mark Chaney wrote:
> Unfortunately that's not a cut and paste, so I don't have that mistake
> in my rules. Also, from what I have read, that exclude list is supposed
> to have it completely bypass mailscanner and not be included in the scans.
> Though that doesn't seem to be the case.
> If that's not the way to do it, what way is?

At a bare minimum, MailScanner has to pick up the mail from one queue, where it is waiting for processing and put it into a different queue so it can be delivered, so it's impossible to completely bypass MailScanner from within MailScanner.

You'll see in your mail log something like:

Aug 18 14:26:57 fedecks-1 MailScanner[7638]: New Batch: Forwarding 1 unscanned messages, 1539 bytes

Showing it dealing with unscanned email. Without this step, mail will be held indefinitely, waiting for some process to help it into the outbound queue.

To 100% avoid MailScanner, you need to find a solution in the MTA, rather than within MailScanner itself.

Stef

> On 08/18/2010 06:30 AM, Stef Morrell wrote:
> > Mark Chaney wrote:
> >> Ok, so I set up the following in
> >> /etc/MailScanner/rules/scan.messages.rules:
> >>
> >> From test@yourdomain.com no
> >> FromOrTo: default yes
> > If that's a direct cut and paste, you are missing a colon after the
> > first 'From'.
> >
> >> Then restarted mailscanner, but it doesn't seem to make a
> >> difference, I still saw the email logged in "mailwatch". In
> >> my MailScanner.conf, I do have:
> >>
> >> Scan Messages = %rules-dir%/scan.messages.rules
> > Mailwatch will log any message which passes through MailScanner,
> > including those specifically excluded in a 'Scan Messages' ruleset. You
> > should see it logged as clean with a blank SA score.
> >
> > Stef
>
> --
> This email has been scanned by the Alpha Omega Computers MailCrusader
> for viruses, spam and dangerous content.
> For more information please visit http://www.aoc-uk.com

From james.raines at heartland-ins.com Wed Aug 18 15:51:01 2010
From: james.raines at heartland-ins.com (james.raines@heartland-ins.com)
Date: Wed Aug 18 15:51:22 2010
Subject: Looking for a good test to see that MailScanner is calling SpamAssassin properly
Message-ID: <4C6BF355.8090102@heartland-ins.com>

Hello all,

MailScanner -v output states:

This is CentOS release 5.5 (Final)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.81.3

I would like to prove that the MailScanner application is properly calling SpamAssassin. I am trying to find a way to test (from command line) to see that MailScanner is calling my implementation of SpamAssassin. Is there a good way to do this or am I going about it the wrong way? Thank you.

Jamey

From stef at aoc-uk.com Wed Aug 18 15:59:26 2010
From: stef at aoc-uk.com (Stef Morrell)
Date: Wed Aug 18 15:59:43 2010
Subject: Looking for a good test to see that MailScanner is calling SpamAssassin properly
In-Reply-To:
References:
Message-ID: <201008181459.o7IExZl5028122@safir.blacknight.ie>

James Raines wrote:
> I am trying to find a way to
> test (from command line) to see that MailScanner is calling
> my implementation of SpamAssassin. Is there a good way to do
> this or am I going about it the wrong way? Thank you.

In MailScanner.conf set both

# Set Debug to "yes" to stop it running as a daemon and just process
# one batch of messages and then exit.
Debug = no

# Do you want to debug SpamAssassin from within MailScanner?
Debug SpamAssassin = no

to yes and run a test batch.

You'll be able to see the full output from a spamassassin lint, which should give you all the info you need for your test.

Stef

From mark at alpha2.com Wed Aug 18 16:59:12 2010
From: mark at alpha2.com (Mark L. Wise)
Date: Wed Aug 18 16:59:26 2010
Subject: Problems sending mail after MailScanner install
Message-ID: <4C6C0350.2090201@alpha2.com>

Hello all!

I recently installed MailScanner on a server that I am responsible for to help reduce virus infections.

Things seemed to be working great, but then I started getting calls that outbound mail was not being delivered just to a select group of e-mail addresses. Since these select group of e-mail addresses represented their significant customers, I turned MailScanner off.

My questions are:

1) Is there a way to exclude certain e-mail domains from outbound e-mail checks?
2) How would I diagnose why the mail was not being delivered? (I think my maillog files show them leaving my server... could be that something on the scanned files shows up as problems to the incoming servers at the domains?
3) Any thoughts on why only certain domains would not get mail delivered?

Fedora release 8 (Werewolf)
Perl version 5.008008 (5.8.8)
MailScanner version 4.79.11

Thanks!

--
Mark L. Wise

Alpha II Service, Inc.
1312 Epworth Ave
Reynoldsburg, Ohio 43068-2116
USA

Office: (614) 868-5033
Fax: (614) 868-1060
Email: mark@alpha2.com
WEB: www.alpha2.com

"People do not quit playing because they grow old; they grow old because they quit playing."
Oliver Wendell Holmes

From james.raines at heartland-ins.com Wed Aug 18 17:11:20 2010
From: james.raines at heartland-ins.com (james.raines@heartland-ins.com)
Date: Wed Aug 18 17:11:39 2010
Subject: Looking for a good test to see that MailScanner is calling SpamAssassin properly
In-Reply-To: <201008181459.o7IExZl5028122@safir.blacknight.ie>
References: <201008181459.o7IExZl5028122@safir.blacknight.ie>
Message-ID: <4C6C0628.6040006@heartland-ins.com>

On 8/18/2010 10:59 AM, Stef Morrell wrote:
> James Raines wrote:
>> I am trying to find a way to
>> test (from command line) to see that MailScanner is calling
>> my implementation of SpamAssassin. Is there a good way to do
>> this or am I going about it the wrong way? Thank you.
> In MailScanner.conf set both
>
> # Set Debug to "yes" to stop it running as a daemon and just process
> # one batch of messages and then exit.
> Debug = no
>
> # Do you want to debug SpamAssassin from within MailScanner?
> Debug SpamAssassin = no
>
> to yes and run a test batch.
>
> You'll be able to see the full output from a spamassassin lint, which
> should give you all the info you need for your test.
>
> Stef

Thanks. I just found the Troubleshooting MailScanner section in the documentation as well.
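
Added example (not part of any list member's message and not MailScanner project code): Stef Morrell's reply in the "exclude email address from scanning/logging" thread above shows that mail excluded by a 'Scan Messages' ruleset still appears in the mail log as "New Batch: Forwarding N unscanned messages". The Python below tallies those lines per host so that an exclusion rule letting more mail through unscanned than intended stands out. The "Scanning N messages" line format for normally scanned batches, the host name gw2, the threshold, and every sample line except the first are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample. Only the first line is the one quoted in the thread;
# the rest are made up in the same syslog layout for this example.
SAMPLE_LOG = """\
Aug 18 14:26:57 fedecks-1 MailScanner[7638]: New Batch: Forwarding 1 unscanned messages, 1539 bytes
Aug 18 14:27:10 fedecks-1 MailScanner[7638]: New Batch: Scanning 4 messages, 20480 bytes
Aug 18 14:27:11 fedecks-1 sendmail[7701]: o7IDR1aa007701: to=<user@example.com>, stat=Sent
Aug 18 14:31:02 fedecks-1 MailScanner[7640]: New Batch: Forwarding 3 unscanned messages, 9000 bytes
Aug 18 14:31:40 gw2 MailScanner[812]: New Batch: Scanning 10 messages, 51200 bytes
"""

# One batch line: timestamp, host, MailScanner[pid], then either the
# "Forwarding N unscanned" form or the (assumed) "Scanning N" form.
BATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: New Batch: "
    r"(?:Forwarding (?P<unscanned>\d+) unscanned|Scanning (?P<scanned>\d+)) "
    r"messages, (?P<bytes>\d+) bytes\s*$"
)


def parse_batches(lines):
    """Return one dict per MailScanner batch line; all other lines are skipped."""
    batches = []
    for line in lines:
        m = BATCH_RE.match(line)
        if not m:
            continue  # MTA lines and other MailScanner messages are ignored
        is_unscanned = m.group("unscanned") is not None
        count = m.group("unscanned") if is_unscanned else m.group("scanned")
        batches.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "unscanned": is_unscanned,
            "messages": int(count),
            "bytes": int(m.group("bytes")),
        })
    return batches


def summarize(batches):
    """Per-host totals plus the share of messages forwarded without scanning."""
    totals = defaultdict(
        lambda: {"scanned_msgs": 0, "unscanned_msgs": 0, "unscanned_bytes": 0}
    )
    for b in batches:
        t = totals[b["host"]]
        if b["unscanned"]:
            t["unscanned_msgs"] += b["messages"]
            t["unscanned_bytes"] += b["bytes"]
        else:
            t["scanned_msgs"] += b["messages"]
    for t in totals.values():
        seen = t["scanned_msgs"] + t["unscanned_msgs"]
        t["unscanned_ratio"] = t["unscanned_msgs"] / seen if seen else 0.0
    return dict(totals)


def hosts_over_threshold(summary, max_ratio):
    """Hosts whose unscanned share exceeds max_ratio (threshold is site policy)."""
    return sorted(h for h, t in summary.items() if t["unscanned_ratio"] > max_ratio)


if __name__ == "__main__":
    report = summarize(parse_batches(SAMPLE_LOG.splitlines()))
    for host, t in sorted(report.items()):
        print(host, t)
    print("review ruleset exclusions on:", hosts_over_threshold(report, 0.25))
```
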

From peter.ong at hypermediasystems.com Wed Aug 18 17:50:48 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Wed Aug 18 17:50:59 2010
Subject: Looking for a good test to see that MailScanner is calling SpamAssassin properly
In-Reply-To: <4C6C0628.6040006@heartland-ins.com>
Message-ID: <1583425631.2966.1282150248588.JavaMail.root@mail021.dti>

This might be of interest to you: "gfi email security test" pop this into your favorite search engine.

p

----- Original Message -----
> From: "james raines"
> To: "MailScanner discussion"
> Sent: Wednesday, August 18, 2010 9:11:20 AM
> Subject: Re: Looking for a good test to see that MailScanner is calling SpamAssassin properly
>
> On 8/18/2010 10:59 AM, Stef Morrell wrote:
> > James Raines wrote:
> >> I am trying to find a way to
> >> test (from command line) to see that MailScanner is calling
> >> my implementation of SpamAssassin. Is there a good way to do
> >> this or am I going about it the wrong way? Thank you.
> > In MailScanner.conf set both
> >
> > # Set Debug to "yes" to stop it running as a daemon and just process
> > # one batch of messages and then exit.
> > Debug = no
> >
> > # Do you want to debug SpamAssassin from within MailScanner?
> > Debug SpamAssassin = no
> >
> > to yes and run a test batch.
> >
> > You'll be able to see the full output from a spamassassin lint, which
> > should give you all the info you need for your test.
> >
> > Stef
>
> Thanks. I just found the Troubleshooting MailScanner section in the
> documentation as well.

From maxsec at gmail.com Wed Aug 18 18:37:12 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Aug 18 18:37:22 2010
Subject: Domain hosted with cPanel problem....
In-Reply-To:
References:
Message-ID:

Hi

that's an MTA's job not MailScanner's

Martin Hepworth
Oxford, UK

On 6 August 2010 20:00, Dhaval Soni wrote:
> Dear All,
>
> We have a couple of domains hosted on Linux VPS server with cPanel. We want
> to filter all emails of those domains and want to deliver it to
> webmail.domainname.com. But we are not able to deliver those filtered
> emails. So is there anything extra to do in MailScanner for it?
>
> I am using MailScanner version : 4.79.11-1 RPM version on Centos 5.4 with
> sendmail.
>
> Let me inform, if required extra information.
>
> Thank you and waiting for reply,
>
> --
> Kind regards,
> Dhaval Soni
> Red Hat Certified Architect
> ID: 804 007 900 325 939
>
> M: +91-9662029620

From maxsec at gmail.com Wed Aug 18 18:54:40 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Aug 18 18:54:50 2010
Subject: Problems sending mail after MailScanner install
In-Reply-To: <4C6C0350.2090201@alpha2.com>
References: <4C6C0350.2090201@alpha2.com>
Message-ID:

Olivier

check the maillog (or whatever log file for the MTA you use)

try a test message by hand from the machine (telnet mailserver.domain.com 25 etc)

talk to the admins at the remote end to see if they can spot anything in their logs

Martin Hepworth
Oxford, UK

On 18 August 2010 16:59, Mark L. Wise wrote:
> Hello all!
>
> I recently installed MailScanner on a server that I am responsible for to
> help reduce virus infections.
>
> Things seemed to be working great, but then I started getting calls that
> outbound mail was not being delivered just to a select group of e-mail
> addresses. Since these select group of e-mail addresses represented their
> significant customers, I turned MailScanner off.
>
> My questions are:
>
> 1) Is there a way to exclude certain e-mail domains from outbound e-mail
> checks?
> 2) How would I diagnose why the mail was not being delivered? (I think my
> maillog files show them leaving my server... could be that something on the
> scanned files shows up as problems to the incoming servers at the domains?
> 3) Any thoughts on why only certain domains would not get mail delivered?
>
> Fedora release 8 (Werewolf)
> Perl version 5.008008 (5.8.8)
> MailScanner version 4.79.11
>
> Thanks!
>
> --
> Mark L. Wise
>
> Alpha II Service, Inc.
> 1312 Epworth Ave
> Reynoldsburg, Ohio 43068-2116
> USA
>
> Office: (614) 868-5033
> Fax: (614) 868-1060
> Email: mark@alpha2.com
> WEB: www.alpha2.com
>
> "People do not quit playing because they grow old; they grow old because
> they quit playing."
>
> Oliver Wendell Holmes

From agross at gcpsite.com Wed Aug 18 19:37:38 2010
From: agross at gcpsite.com (Adam Gross)
Date: Wed Aug 18 19:40:48 2010
Subject: Problems sending mail after MailScanner install
In-Reply-To:
References: <4C6C0350.2090201@alpha2.com>,
Message-ID: <93B4D13F118B8244B2A34197EFFF196401559FDEED74@gcpex01.gcpsite.local>

I have a quick question just for my own clarification... My MailScanner lint is below. Far as I can tell it looks great, but I don't understand the line "Other Checks: Found 1 problems." I see that pops up during the virus scanner check. Is this line telling me the problem identified is the eicar test, which is what I should be seeing if that's the case, or is it telling me I have something loopy on the clamav side? Thanks in advance.

/---
Trying to setlogsock(unix)
Reading configuration file /opt/MailScanner/etc/MailScanner.conf
Reading configuration file /opt/MailScanner/etc/conf.d/README
Read 865 hostnames from the phishing whitelist
Read 4525 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 0 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 14 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.79.11) is correct.
MailScanner setting GID to (114)
MailScanner setting UID to (105)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
/---

Adam Gross

From Kevin_Miller at ci.juneau.ak.us Wed Aug 18 20:00:21 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Aug 18 20:00:36 2010
Subject: SUSE updates: heads up campers...
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D18747@city-exchange07>

Novell just put out security updates for the kernel and perl. Installing the perl updates required unlocking the perl modules that are germain to MailScanner.
The modules that came down from Novell were older than those included with MailScanner. After upgrading the kernel and perl I had to rerun the MailScanner install. Probably could have just upgraded the three perl modules that were problematic but ./install was easier.

Wasn't much of an issue for me as I'm running three MailScanner gateways so that I can take any one of them down w/impunity but if you don't have that luxury plan on a short outage.

Just a heads up for those that will be upgrading in the near future...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From alex at rtpty.com Wed Aug 18 20:16:18 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Aug 18 20:16:42 2010
Subject: SUSE updates: heads up campers...
In-Reply-To: <4A09477D575C2C4B86497161427DD94C15B0D18747@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C15B0D18747@city-exchange07>
Message-ID: <1214181987-1282158987-cardhu_decombobulator_blackberry.rim.net-877518726-@bda957.bisx.prod.on.blackberry>

Germain? Is that like Tito?
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Kevin Miller
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 18 Aug 2010 11:00:21
To: 'MailScanner discussion'
Reply-To: MailScanner discussion
Subject: SUSE updates: heads up campers...

Novell just put out security updates for the kernel and perl. Installing the perl updates required unlocking the perl modules that are germain to MailScanner. The modules that came down from Novell were older than those included with MailScanner. After upgrading the kernel and perl I had to rerun the MailScanner install. Probably could have just upgraded the three perl modules that were problematic but ./install was easier.

Wasn't much of an issue for me as I'm running three MailScanner gateways so that I can take any one of them down w/impunity but if you don't have that luxury plan on a short outage.

Just a heads up for those that will be upgrading in the near future...

...Kevin

From Kevin_Miller at ci.juneau.ak.us Wed Aug 18 22:32:56 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Aug 18 22:33:25 2010
Subject: SUSE updates: heads up campers...
In-Reply-To: <1214181987-1282158987-cardhu_decombobulator_blackberry.rim.net-877518726-@bda957.bisx.prod.on.blackberry>
References: <4A09477D575C2C4B86497161427DD94C15B0D18747@city-exchange07> <1214181987-1282158987-cardhu_decombobulator_blackberry.rim.net-877518726-@bda957.bisx.prod.on.blackberry>
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D18748@city-exchange07>

Alex Neuman wrote:
> Germain?

Germane then. I'm sorry. English is only my first language.

> Is that like Tito?

No. He was Yugoslavian... :-)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From alex at rtpty.com Wed Aug 18 22:43:05 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Aug 18 22:44:20 2010
Subject: SUSE updates: heads up campers...
Message-ID: <156895200-1282167847-cardhu_decombobulator_blackberry.rim.net-785876137-@bda957.bisx.prod.on.blackberry>

Ah! No relation to Latoya then...

------Original Message------
From: Kevin Miller
Sender: mailscanner-bounces@lists.mailscanner.info
To: 'MailScanner discussion'
ReplyTo: MailScanner discussion
Subject: RE: SUSE updates: heads up campers...
Sent: Aug 18, 2010 4:32 PM

Alex Neuman wrote:
> Germain?

Germane then. I'm sorry. English is only my first language.

> Is that like Tito?

No. He was Yugoslavian... :-)

...Kevin

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From Kevin_Miller at ci.juneau.ak.us Wed Aug 18 23:39:47 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Aug 18 23:40:05 2010
Subject: SUSE updates: heads up campers...
In-Reply-To: <156895200-1282167847-cardhu_decombobulator_blackberry.rim.net-785876137-@bda957.bisx.prod.on.blackberry>
References: <156895200-1282167847-cardhu_decombobulator_blackberry.rim.net-785876137-@bda957.bisx.prod.on.blackberry>
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D18749@city-exchange07>

Alex Neuman wrote:
> Ah! No relation to Latoya then...

LOL. None that they'll discuss publicly...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From sonidhaval at gmail.com Thu Aug 19 09:04:42 2010
From: sonidhaval at gmail.com (Dhaval Soni)
Date: Thu Aug 19 09:04:54 2010
Subject: Domain hosted with cPanel problem....
In-Reply-To:
References:
Message-ID:

Hi,

Thanks for your mail.

We have few domains on windows mail server.
Those are working well on receiving emails from filtration gateway. But not working with domains which are hosted on Linux with cPanel.

Thank you,

On Wed, Aug 18, 2010 at 11:07 PM, Martin Hepworth wrote:
> Hi
>
> that's an MTA's job not MailScanner's
>
> Martin Hepworth
> Oxford, UK
>
> On 6 August 2010 20:00, Dhaval Soni wrote:
>
>> Dear All,
>>
>> We have a couple of domains hosted on Linux VPS server with cPanel. We want
>> to filter all emails of those domains and want to deliver it to
>> webmail.domainname.com. But we are not able to deliver those filtered
>> emails. So is there anything extra to do in MailScanner for it?
>>
>> I am using MailScanner version : 4.79.11-1 RPM version on Centos 5.4 with
>> sendmail.
>>
>> Let me inform, if required extra information.
>>
>> Thank you and waiting for reply,
>>
>> --
>> Kind regards,
>> Dhaval Soni
>> Red Hat Certified Architect
>> ID: 804 007 900 325 939
>>
>> M: +91-9662029620

--
Kind regards,
Dhaval Soni
Red Hat Certified Architect
ID: 804 007 900 325 939

M: +91-9662029620

From glenn.steen at gmail.com Thu Aug 19 14:24:24 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 19 14:24:34 2010
Subject: upgrading MailScanner via rpm, stupid question.
In-Reply-To:
References:
Message-ID:

On 16 August 2010 19:32, Jeff Earickson wrote:
> Julian,
>
> I am moving from Solaris with tar files to Redhat with rpms. When I
> upgrade MailScanner,
> do I do an "rpm -e" of the previous MailScanner version, or just go
> ahead and run install.sh
> for the new version and overlay (?) the MailScanner version?
>
Just do the install.sh ... Couldn't be easier.-).
Unless you like to do things from a repo only (like Kay S always recommend, and Hugo v. d. K. ...), in which case you'd likely do a rpm -Uvh (or -Fvh ...:-).
Although the MAQ doesn't change much, there's an excellent bit in it about upgrading.

Cheers
--
-- Glenn (finally back, trying to catch up with the list...)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 19 14:31:44 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 19 14:31:53 2010
Subject: missing Mail::ClamAV
In-Reply-To:
References: <4C697E53.9070003@macscr.com>
Message-ID:

On 16 August 2010 20:18, Alex Neuman wrote:
> Mail::ClamAV is only needed AFAIK if you're using clamavmodule, which is also, AFAIK, deprecated in favor of using clamd.
>
Indeed. Same for SAVI, if you use Sophos, and if you have configured it to use the perl module, then you need SAVI...:-).
The rest are optional, but ... If you have configured your SA to use SPF, but haven't got the SPF perl modules installed... you will get no SPF checks. Etc etc. Installing them likely won't hurt you.

> On Aug 16, 2010, at 1:07 PM, Mark Chaney wrote:
>
>> When I checked the MailScanner version this morning i noticed a few perl modules were missing, such as:
>>
>> missing IP::Country
>> missing Mail::ClamAV
>> missing Mail::SPF::Quer
>> missing Parse::RecDescent
>> missing SAVI
>> missing Test::Manifest
>> missing Mail::SPF::Query
>> missing Inline
>> missing Encode::Detect
>> missing Business::ISBN
>> missing
Business::ISBN::Data
>> missing Data::Dump
>> missing Test::Pod
>>
>> What really bothered me was the missing ClamAV one. Because that module is missing, is my MailScanner setup lacking ClamAV support? Also, should I be installing the rest of those as well?
>>
>> Thanks,
>> Mark

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 19 14:46:46 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 19 14:46:56 2010
Subject: Problems sending mail after MailScanner install
In-Reply-To: <93B4D13F118B8244B2A34197EFFF196401559FDEED74@gcpex01.gcpsite.local>
References: <4C6C0350.2090201@alpha2.com> <93B4D13F118B8244B2A34197EFFF196401559FDEED74@gcpex01.gcpsite.local>
Message-ID:

On 18 August 2010 20:37, Adam Gross wrote:
> I have a quick question just for my own clarification... My MailScanner
> lint is below. Far as I can tell it looks great, but I don't understand the
> line "Other Checks: Found 1 problems." I see that pops up during the virus
> scanner check. Is this line telling me the problem identified is the eicar
> test, which is what I should be seeing if that's the case, or is it telling
> me I have something loopy on the clamav side? Thanks in advance.
>
It tells you that MailScanner has found an executable (well...:-), namely the eicar.com file (-name). Nothing to worry about.

(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 19 15:04:29 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 19 15:04:39 2010
Subject: Problems sending mail after MailScanner install
In-Reply-To: <4C6C0350.2090201@alpha2.com>
References: <4C6C0350.2090201@alpha2.com>
Message-ID:

On 18 August 2010 17:59, Mark L. Wise wrote:
> Hello all!
>
> I recently installed MailScanner on a server that I am responsible for to
> help reduce virus infections.
>
> Things seemed to be working great, but then I started getting calls that
> outbound mail was not being delivered just to a select group of e-mail
> addresses. Since these select group of e-mail addresses represented their
> significant customers, I turned MailScanner off.
>
A bit drastic... And not really necessary. Look below.

> My questions are:
>
> 1) Is there a way to exclude certain e-mail domains from outbound e-mail
> checks?
Yes. Read up on rulesets. They can be used on almost all settings in MailScanner.conf, so you can very selectively do/don't do specific things.
Look at: The example file in the rules directory (/etc/MailScanner/rules for the RPM install), the wiki (including the MAQ, IIRC), the www.mailscanner.info site has some more on it all (among other things a very nice "webified" config option page that detail exactly where you can have rulesets, and what the respective settings can be), search the list archive (gmane is good for this, and yes... we've talked a lot about how this is done on this list:-), and finally the Book (buy it from the official site, it is worth every penny!).

> 2) How would I diagnose why the mail was not being delivered? (I think my
> maillog files show them leaving my server... could be that something on the
> scanned files shows up as problems to the incoming servers at the domains?
The log will contain all relevant information, usually. The tricky bit is to see exactly what happened to a specific message:-). Many of us use MailWatch to do logging to a database... and more. Look at http://mailwatch.sf.net for more.

> 3) Any thoughts on why only certain domains would not get mail delivered?
>
Misconfigurations? Who knows... In all likelihood, you are the only one who has the answers... in your logs;-)

> Fedora release 8 (Werewolf)
> Perl version 5.008008 (5.8.8)
> MailScanner version 4.79.11
>
> Thanks!
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 19 15:58:36 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 19 15:58:46 2010
Subject: Any objections to a new stable release?
In-Reply-To:
References: <4C5454E0.60205@ecs.soton.ac.uk>
Message-ID:

On 31 July 2010 18:52, Jules Field wrote:
> Anyone got any strong objections to me putting out a new stable release of
> MailScanner (4.81)?
>
> There are very few changes from 4.80 but the code rarely changes at all now
> and I feel a new release now should keep you going for quite a while.
>
> Thanks!
>
> Jules
>
The resounding silence speaks volumes.... There are no objections, and yes please, can we have one?! As is, I opted to upgrade to the latest beta, on my production host... The PHB would likely object less if that one (4.81.3) was called "stable":-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 19 16:00:48 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 19 16:01:02 2010
Subject: Any objections to a new stable release?
In-Reply-To:
References: <4C5454E0.60205@ecs.soton.ac.uk>
Message-ID:

On 19 August 2010 16:58, Glenn Steen wrote:
> On 31 July 2010 18:52, Jules Field wrote:
>> Anyone got any strong objections to me putting out a new stable release of
>> MailScanner (4.81)?
>>
>> There are very few changes from 4.80 but the code rarely changes at all now
>> and I feel a new release now should keep you going for quite a while.
>>
>> Thanks!
>>
>> Jules
>>
> The resounding silence speaks volumes.... There are no objections, and
> yes please, can we have one?! As is, I opted to upgrade to the latest
> beta, on my production host... The PHB would likely object less if
> that one (4.81.3) was called "stable":-).
>
> Cheers

BTW....
could you update the Clam+SA package too, pretty please?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mark at alpha2.com Thu Aug 19 17:24:54 2010
From: mark at alpha2.com (Mark L. Wise)
Date: Thu Aug 19 17:25:15 2010
Subject: Problems sending mail after MailScanner install
In-Reply-To:
References: <4C6C0350.2090201@alpha2.com>
Message-ID: <4C6D5AD6.8080600@alpha2.com>

Thanks for all the help!

I have implemented a ruleset to exclude the affected sites and I am communicating with the managers of those sites to see what they have in their logs... my logs say the messages were sent.

I will turn MailScanner back on to test shortly.

Thanks again.

Mark

On 8/19/2010 10:04 AM, Glenn Steen wrote:
> On 18 August 2010 17:59, Mark L. Wise wrote:
>> Hello all!
>>
>> I recently installed MailScanner on a server that I am responsible for to
>> help reduce virus infections.
>>
>> Things seemed to be working great, but then I started getting calls that
>> outbound mail was not being delivered just to a select group of e-mail
>> addresses. Since these select group of e-mail addresses represented their
>> significant customers, I turned MailScanner off.
>>
>
> A bit drastic... And not really necessary. Look below.
>> My questions are:
>>
>> 1) Is there a way to exclude certain e-mail domains from outbound e-mail
>> checks?
> Yes. Read up on rulesets. They can be used on almost all settings in
> MailScanner.conf, so you can very selectively do/don't do specific
> things.
> Look at: The example file in the rules directory
> (/etc/MailScanner/rules for the RPM install), the wiki (including the
> MAQ, IIRC), the www.mailscanner.info site has some more on it all
> (among other things a very nice "webified" config option page that
> detail exactly where you can have rulesets, and what the respective
> settings can be), search the list archive (gmane is good for this, and
> yes...
we've talked a lot about how this is done on this list:-), and
> finally the Book (buy it from the official site, it is worth every
> penny!).
>
>> 2) How would I diagnose why the mail was not being delivered? (I think my
>> maillog files show them leaving my server... could be that something on the
>> scanned files shows up as problems to the incoming servers at the domains?
> The log will contain all relevant information, usually. The tricky bit
> is to see exactly what happened to a specific message:-). Many of us
> use MailWatch to do logging to a database... and more. Look at
> http://mailwatch.sf.net for more.
>
>> 3) Any thoughts on why only certain domains would not get mail delivered?
>>
> Misconfigurations? Who knows... In all likelihood, you are the only
> one who has the answers... in your logs;-)
>
>> Fedora release 8 (Werewolf)
>> Perl version 5.008008 (5.8.8)
>> MailScanner version 4.79.11
>>
>> Thanks!
>>
>
> Cheers

--
Mark L. Wise
Alpha II Service, Inc.
1312 Epworth Ave
Reynoldsburg, Ohio 43068-2116 USA
Office: (614) 868-5033
Fax: (614) 868-1060
Email: mark@alpha2.com
WEB: www.alpha2.com

"People do not quit playing because they grow old; they grow old because they quit playing."
Oliver Wendell Holmes

From correo at miguelangelnieto.net Fri Aug 20 11:39:48 2010
From: correo at miguelangelnieto.net (Miguel Angel Nieto)
Date: Fri Aug 20 11:40:18 2010
Subject: problem with NO_RECEIVED and MISSING_SUBJECT
Message-ID:

Hi,

I have a problem with Relay_Country plugin and I guess that it's related with the following problem:

All e-mails I get have these scores:

MISSING_SUBJECT 1.76
NO_RECEIVED -0.00

But the mail actually has these headers.
Received-SPF: None (no SPF record) identity=helo; client-ip=212.87.167.106; helo=matrix-358c86bf; envelope-from=<>; receiver=xalmandoz@xxxxx.net
Received: from matrix-358c86bf (unknown [212.87.167.106]) by smtp.xxxxx.com (Postfix) with ESMTP id AC25753BDE for ; Fri, 20 Aug 2010 12:27:53 +0200 (CEST)
Received: from TXBJVDG ([192.233.66.43]) by Zxigyqp (8.13.4/8.13.4) with SMTP id a448026037937k2Ok011296 for ; Fri, 20 Aug 2010 13:29:58 +0200 (CDT) (envelope-from xchump@sympatico.ca)
Message-ID: <00d601cb4052$a38b4360$6aa757d4@TXBJVDG>
From: "xchump@sympatico.ca"
To: "xalmandoz"
Subject: cHEAP MEDS FOR SEX
Date: Fri, 20 Aug 2010 05:29:12 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D3_01CB406B.C8CE6940"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

Information about my system:

[root@xxxxx MailScanner]# MailScanner -v
Running on
Linux xxxxx.com 2.6.18-194.11.1.el5 #1 SMP Tue Jul 27 05:44:43 EDT 2010 i686 i686 i386 GNU/Linux
This is Red Hat Enterprise Linux Server release 5.5 (Tikanga)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.75.11

spamassassin-3.2.5-1.el5

Thank you.

--
What I would do is pass myself off as a deaf-mute, and that way I would not have to talk. If they wanted to tell me something, they would have to write it on a slip of paper and show it to me. In the end they would get fed up and I would never have to talk again for the rest of my life.
J. D. Salinger
The Catcher in the Rye

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100820/e6a62d75/attachment.html

From hvdkooij at vanderkooij.org Fri Aug 20 11:49:59 2010
From: hvdkooij at vanderkooij.org (hvdkooij)
Date: Fri Aug 20 11:54:34 2010
Subject: exclude email address from scanning/logging
In-Reply-To: <4C6B83C4.6000403@macscr.com>
References: <4C6B83C4.6000403@macscr.com>
Message-ID: <26455f5c8e8d8dcffd0f752d25797cf8@127.0.0.1>

On Wed, 18 Aug 2010 01:55:00 -0500, Mark Chaney wrote:

Ok, so I set up the following in /etc/MailScanner/rules/scan.messages.rules:

From test@yourdomain.com no
FromOrTo: default yes

Then restarted mailscanner, but it doesn't seem to make a difference, I still saw the email logged in "mailwatch". In my MailScanner.conf, I do have:

Scan Messages = %rules-dir%/scan.messages.rules

Any ideas on what I am doing wrong? My end game is to process the email with script before piping it back to another email address so that it's analyzed with mailscanner with the new changes.

Well. You still let MailScanner pick up the message. So the mere fact that a line is listed in MailWatch is to be expected. But does it or doesn't it scan the message itself?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From sonidhaval at gmail.com Fri Aug 20 12:23:17 2010
From: sonidhaval at gmail.com (Dhaval Soni)
Date: Fri Aug 20 12:23:28 2010
Subject: Per domains / per email ID wise scanning in MailScanner
Message-ID:

Dear All,

We have one option in MailScanner.conf file which is "Scan Messages =yes / no". This will scan all incoming emails if yes is set otherwise not.
Now suppose, If Scan Messages = %rules-dir%/scan.messages.rules set with default = no and it contains all email IDs which are required to filter via mailscanner. So my question is that, can we add whole domain instead of email IDs in %rules-dir%/scan.messages.rules file for scanning ?

I am using MailScanner 4.79, Centos 5.5 with sendmail.

Let me update, if required more information.

Thank you,

--
Kind regards,
Dhaval Soni
Red Hat Certified Architect
ID: 804 007 900 325 939
M: +91-9662029620

From maxsec at gmail.com Fri Aug 20 12:38:25 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Aug 20 12:38:34 2010
Subject: Per domains / per email ID wise scanning in MailScanner
In-Reply-To:
References:
Message-ID:

Sure, have a look in the wiki. Search on the word 'overloading' for some wonderful things you can do with rulesets.

I'd be careful of just doing domain wise as many spam have from:fred@domain.com and to:fred@domain.com to try and get around domain level whitelists.

Martin Hepworth
Oxford, UK

On 20 August 2010 12:23, Dhaval Soni wrote:

> Dear All,
>
> We have one option in MailScanner.conf file which is "Scan Messages =yes /
> no". This will scan all incoming emails if yes is set otherwise not. Now
> suppose, If Scan Messages = %rules-dir%/scan.messages.rules set with default
> = no and it contains all email IDs which are required to filter via
> mailscanner. So my question is that, can we add whole domain instead of
> email IDs in %rules-dir%/scan.messages.rules file for scanning ?
>
> I am using MailScanner 4.79, Centos 5.5 with sendmail.
>
> Let me update, if required more information.
>
> Thank you,
>
> --
> Kind regards,
> Dhaval Soni
> Red Hat Certified Architect
> ID: 804 007 900 325 939
>
> M: +91-9662029620
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

From sonidhaval at gmail.com Fri Aug 20 13:01:01 2010
From: sonidhaval at gmail.com (Dhaval Soni)
Date: Fri Aug 20 13:01:11 2010
Subject: Per domains / per email ID wise scanning in MailScanner
In-Reply-To:
References:
Message-ID:

HI,

On Fri, Aug 20, 2010 at 5:08 PM, Martin Hepworth wrote:

> Sure, have a look in the wiki. Search on the word 'overloading' for some
> wonderful things you can do with rulesets.
>
> I'd be careful of just doing domain wise as many spam have
> from:fred@domain.com and to:fred@domain.com to try and get around domain level whitelists.
>

Can we use "To: @123.com yes" to scan all emails instead of mentioning all email IDs of that domain?

Thank you,

> Martin Hepworth
> Oxford, UK
>
>
> On 20 August 2010 12:23, Dhaval Soni wrote:
>
>> Dear All,
>>
>> We have one option in MailScanner.conf file which is "Scan Messages =yes /
>> no". This will scan all incoming emails if yes is set otherwise not. Now
>> suppose, If Scan Messages = %rules-dir%/scan.messages.rules set with default
>> = no and it contains all email IDs which are required to filter via
>> mailscanner. So my question is that, can we add whole domain instead of
>> email IDs in %rules-dir%/scan.messages.rules file for scanning ?
>>
>> I am using MailScanner 4.79, Centos 5.5 with sendmail.
>>
>> Let me update, if required more information.
>>
>> Thank you,
>>
>> --
>> Kind regards,
>> Dhaval Soni
>> Red Hat Certified Architect
>> ID: 804 007 900 325 939
>>
>> M: +91-9662029620
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
Kind regards,
Dhaval Soni
Red Hat Certified Architect
ID: 804 007 900 325 939
M: +91-9662029620

From Denis.Beauchemin at USherbrooke.ca Fri Aug 20 14:05:17 2010
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Aug 20 14:05:35 2010
Subject: Tip: Bayes check
Message-ID: <4C6E7D8D.8040309@USherbrooke.ca>

Hello all,

Yesterday I checked on my Bayes files and I found something weird: the bayes_seen file was way old (2 years) on most of my MS gateways. I could see Bayes scoring emails on all of them but something was amiss.

I corrected the situation with the following commands:

# become the user that scans your emails in MS (root, postfix, etc)
cd .spamassassin/ # or wherever your Bayes files are located
ls -l bay*
# if any of your Bayes files don't have the same timestamp as the others
# (1-2 mins drift is ok if your server is mostly idle), then go ahead:
sa-learn --sync
mkdir backup-$(date +%Y%m%d)
cp bay* backup-$(date +%Y%m%d)
sa-learn --backup > backup.$(date +%Y%m%d).txt
sa-learn --clear
sa-learn --restore backup.$(date +%Y%m%d).txt
ls -l bay*

I now have better working Bayes engines everywhere.
I think what was happening was Bayes did not learn any new patterns (hence the unmodified bayes_seen file). Now it will be able to autolearn + learn from my manual corrections.

Hope this could help someone else.

Denis

PS: if you can afford it, it would be better to stop MS before reconstructing Bayes.

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From sonidhaval at gmail.com Fri Aug 20 15:51:03 2010
From: sonidhaval at gmail.com (Dhaval Soni)
Date: Fri Aug 20 15:51:12 2010
Subject: Per domains / per email ID wise scanning in MailScanner
In-Reply-To:
References:
Message-ID:

Dear All,

On Fri, Aug 20, 2010 at 5:31 PM, Dhaval Soni wrote:

> HI,
>
> On Fri, Aug 20, 2010 at 5:08 PM, Martin Hepworth wrote:
>
>> Sure, have a look in the wiki. Search on the word 'overloading' for some
>> wonderful things you can do with rulesets.
>>
>> I'd be careful of just doing domain wise as many spam have
>> from:fred@domain.com and to:fred@domain.com to try and get around domain level whitelists.
>>
>
> Can we use "To: @123.com yes" to scan all emails instead of mentioning
> all email IDs of that domain?
>

Above rule I have tested and it is working well...

>
> Thank you,
>
>
>> Martin Hepworth
>> Oxford, UK
>>
>>
>> On 20 August 2010 12:23, Dhaval Soni wrote:
>>
>>> Dear All,
>>>
>>> We have one option in MailScanner.conf file which is "Scan Messages =yes
>>> / no". This will scan all incoming emails if yes is set otherwise not. Now
>>> suppose, If Scan Messages = %rules-dir%/scan.messages.rules set with default
>>> = no and it contains all email IDs which are required to filter via
>>> mailscanner. So my question is that, can we add whole domain instead of
>>> email IDs in %rules-dir%/scan.messages.rules file for scanning ?
>>>
>>> I am using MailScanner 4.79, Centos 5.5 with sendmail.
>>>
>>> Let me update, if required more information.
>>>
>>> Thank you,
>>>
>>> --
>>> Kind regards,
>>> Dhaval Soni
>>> Red Hat Certified Architect
>>> ID: 804 007 900 325 939
>>>
>>> M: +91-9662029620
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
>
> --
> Kind regards,
> Dhaval Soni
> Red Hat Certified Architect
> ID: 804 007 900 325 939
>
> M: +91-9662029620
>

--
Kind regards,
Dhaval Soni
Red Hat Certified Architect
ID: 804 007 900 325 939
M: +91-9662029620

From agross at gcpsite.com Sat Aug 21 06:33:41 2010
From: agross at gcpsite.com (Adam Gross)
Date: Sat Aug 21 06:34:38 2010
Subject: Quarantine dirs not being created
In-Reply-To:
References:
Message-ID: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local>

On a daily basis I have to create /var/spool/MailScanner/quarantine/ dirs matching the date, then spam/nonspam folders under there... assign permissions postfix:www-data and then everything is hunky dorey. This system is about 10 days old and ran with no issues for the first 8. Yesterday and now again today I've had to create the folders. I verified the run-as user and group for MailScanner and quarantine as postfix for the user and www-data for the group. This is a Ubuntu 10.04 box... I remember some weird stuff with Ubuntu 8 but haven't been able to locate any information about 10. Thanks in advance!

Adam

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100821/d763c9b5/attachment.html

From maxsec at gmail.com Sat Aug 21 15:03:12 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Aug 21 15:03:22 2010
Subject: Quarantine dirs not being created
In-Reply-To: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local>
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local>
Message-ID:

Adam

anything perms further up the directory tree that mean postfix can't create the dir?

have you tried su-ing to postfix and then mkdir-ing to check postfix can indeed create the dir?

Martin Hepworth
Oxford, UK

On 21 August 2010 06:33, Adam Gross wrote:

> On a daily basis I have to create /var/spool/MailScanner/quarantine/ dirs
> matching the date, then spam/nonspam folders under there... assign
> permissions postfix:www-data and then everything is hunky dorey. This
> system is about 10 days old and ran with no issues for the first 8.
> Yesterday and now again today I've had to create the folders. I verified
> the run-as user and group for MailScanner and quarantine as postfix for the
> user and www-data for the group. This is a Ubuntu 10.04 box... I remember
> some weird stuff with Ubuntu 8 but haven't been able to locate any
> information about 10. Thanks in advance!
>
>
>
> Adam
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* , and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100821/b58ccf17/attachment.html

From agross at gcpsite.com Sat Aug 21 17:11:35 2010
From: agross at gcpsite.com (Adam Gross)
Date: Sat Aug 21 17:12:42 2010
Subject: Quarantine dirs not being created
In-Reply-To:
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local>
Message-ID: <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>

Permissions look good. I've compared all of that, new box versus old box.

I just ran 'su postfix; mkdir 20100822' and received 'mkdir: cannot create directory `20100822': Permission denied' I ran the command in /var/spool/MailScanner/quarantine which is owned by postfix:www-data.

drwxr-xr-x 20 postfix www-data 4096 2010-08-21 12:07 quarantine

Adam Gross | agross@gcpsite.com | 859.630.8722

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: Saturday, August 21, 2010 10:03 AM
To: MailScanner discussion
Subject: Re: Quarantine dirs not being created

Adam

anything perms further up the directory tree that mean postfix can't create the dir?

have you tried su-ing to postfix and then mkdir-ing to check postfix can indeed create the dir?

Martin Hepworth
Oxford, UK

On 21 August 2010 06:33, Adam Gross > wrote:

On a daily basis I have to create /var/spool/MailScanner/quarantine/ dirs matching the date, then spam/nonspam folders under there... assign permissions postfix:www-data and then everything is hunky dorey. This system is about 10 days old and ran with no issues for the first 8. Yesterday and now again today I've had to create the folders. I verified the run-as user and group for MailScanner and quarantine as postfix for the user and www-data for the group. This is a Ubuntu 10.04 box... I remember some weird stuff with Ubuntu 8 but haven't been able to locate any information about 10. Thanks in advance!

Adam

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From alex at rtpty.com Sat Aug 21 17:20:27 2010
From: alex at rtpty.com (Alex Neuman)
Date: Sat Aug 21 17:20:44 2010
Subject: Quarantine dirs not being created
In-Reply-To: <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local><93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
Message-ID: <1831058630-1282407630-cardhu_decombobulator_blackberry.rim.net-953803628-@bda957.bisx.prod.on.blackberry>

Sounds like a permissions problem - no matter how good the permissions look! ;-)

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Adam Gross
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Sat, 21 Aug 2010 12:11:35
To: 'MailScanner discussion'
Reply-To: MailScanner discussion
Subject: RE: Quarantine dirs not being created

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
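
The check suggested earlier in this thread (look at permissions further up the directory tree), as an added example that is not code from any poster or from the MailScanner project: it walks every directory from a starting point down to the quarantine directory and reports which one denies a given uid/gid set the search or write bit needed to create a dated subdirectory. The function names are hypothetical and the sample tree is constructed in a temporary directory; only classic mode bits are evaluated.

```python
import os
import shutil
import tempfile


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to this uid/gid set.

    Exactly one class is consulted: owner if the uid matches, else group,
    else other. uid 0 bypasses these checks and is not modelled here.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def path_chain(target, top=os.sep):
    """List every directory from `top` down to `target`, inclusive."""
    target = os.path.realpath(target)
    top = os.path.realpath(top)
    rel = os.path.relpath(target, top)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("%s is not below %s" % (target, top))
    chain = [top]
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    return chain


def mkdir_blockers(target, uid, gids, top=os.sep):
    """Return [(directory, missing_bits)] that stop uid/gids from creating
    an entry inside `target`: search (x) is needed on every ancestor and
    write+search (wx) on `target` itself. Mode bits only: POSIX ACLs,
    SELinux/AppArmor and read-only mounts are not examined.
    """
    chain = path_chain(target, top)
    blockers = []
    for directory in chain:
        bits = class_bits(os.stat(directory), uid, gids)
        need = 0o3 if directory == chain[-1] else 0o1
        missing = need & ~bits
        if missing:
            label = ("w" if missing & 0o2 else "") + ("x" if missing & 0o1 else "")
            blockers.append((directory, label))
    return blockers


def build_sample_tree():
    """Constructed stand-in for /var/spool/MailScanner/quarantine."""
    top = os.path.realpath(tempfile.mkdtemp(prefix="msq-"))
    spool = os.path.join(top, "spool")
    target = os.path.join(spool, "MailScanner", "quarantine")
    os.makedirs(target)
    os.chmod(top, 0o755)
    os.chmod(os.path.join(spool, "MailScanner"), 0o755)
    os.chmod(target, 0o755)   # drwxr-xr-x, as in the ls output quoted above
    os.chmod(spool, 0o750)    # constructed fault: no search bit for "other"
    return top, target


if __name__ == "__main__":
    top, target = build_sample_tree()
    st = os.stat(target)
    cases = [
        ("directory owner (the postfix role)", st.st_uid, {st.st_gid}),
        ("group member (the www-data role)", st.st_uid + 1, {st.st_gid}),
        ("unrelated account", st.st_uid + 1, {st.st_gid + 1}),
    ]
    for label, uid, gids in cases:
        result = mkdir_blockers(target, uid, gids, top)
        print(label, "->", result or "no blockers")
    shutil.rmtree(top)
```

On a real host, pass the uid and group ids of the account MailScanner runs as and leave `top` at `/`; an empty result while `mkdir` still fails points away from mode bits and toward ACLs, a mandatory access control layer, or a read-only filesystem.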

From steve.freegard at fsl.com Sat Aug 21 17:59:11 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Sat Aug 21 17:59:25 2010
Subject: Quarantine dirs not being created
In-Reply-To: <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local> <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
Message-ID: <4C7005DF.1000505@fsl.com>

On 21/08/10 17:11, Adam Gross wrote:
> Permissions look good. I've compared all of that, new box versus old box.
>
> I just ran 'su postfix; mkdir 20100822' and received 'mkdir: cannot
> create directory `20100822': Permission denied' I ran the command in
> /var/spool/MailScanner/quarantine which is owned by postfix:www-data.
>
> drwxr-xr-x 20 postfix www-data 4096 2010-08-21 12:07 quarantine

Are Policykit or SELinux installed and enabled??

Regards,
Steve.

From glenn.steen at gmail.com Sat Aug 21 23:57:55 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Aug 21 23:58:05 2010
Subject: Quarantine dirs not being created
In-Reply-To: <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local> <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
Message-ID:

There you go! Martin is correct. You need check further up the tree... That it suddenly stopped working, kind of implies some cronjob or similar mixed things up for you.

On 21/08/2010, Adam Gross wrote:
> Permissions look good. I've compared all of that, new box versus old box.
>
> I just ran 'su postfix; mkdir 20100822' and received 'mkdir: cannot create
> directory `20100822': Permission denied' I ran the command in
> /var/spool/MailScanner/quarantine which is owned by postfix:www-data.
>
> drwxr-xr-x 20 postfix www-data 4096 2010-08-21 12:07 quarantine
>
> Adam Gross | agross@gcpsite.com | 859.630.8722
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin
> Hepworth
> Sent: Saturday, August 21, 2010 10:03 AM
> To: MailScanner discussion
> Subject: Re: Quarantine dirs not being created
>
> Adam
>
> anything perms further up the directory tree that mean postfix can't create
> the dir?
>
> have you tried su-ing to postfix and then mkdir-ing to check postfix can
> indeed create the dir?
>
> Martin Hepworth
> Oxford, UK
>
> On 21 August 2010 06:33, Adam Gross
> > wrote:
> On a daily basis I have to create /var/spool/MailScanner/quarantine/ dirs
> matching the date, then spam/nonspam folders under there... assign
> permissions postfix:www-data and then everything is hunky dorey. This
> system is about 10 days old and ran with no issues for the first 8.
> Yesterday and now again today I've had to create the folders. I verified
> the run-as user and group for MailScanner and quarantine as postfix for the
> user and www-data for the group. This is a Ubuntu 10.04 box... I remember
> some weird stuff with Ubuntu 8 but haven't been able to locate any
> information about 10. Thanks in advance!
>
> Adam
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From agross at gcpsite.com Sun Aug 22 19:51:18 2010
From: agross at gcpsite.com (Adam Gross)
Date: Sun Aug 22 19:52:18 2010
Subject: Quarantine dirs not being created
In-Reply-To:
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local> <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local>
Message-ID: <93B4D13F118B8244B2A34197EFFF196401559FDFA019@gcpex01.gcpsite.local>

I couldn't locate anything that needed changing so I tried the good old fashioned Windows fix-all... Everything is working fine at present. Before that I tried just cycling services but no change. I'll keep digging, I have a hard time believing a reboot fixed it.

Adam Gross | agross@gcpsite.com | 859.630.8722

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Saturday, August 21, 2010 6:58 PM
To: MailScanner discussion
Subject: Re: Quarantine dirs not being created

There you go! Martin is correct. You need check further up the tree... That it suddenly stopped working, kind of implies some cronjob or similar mixed things up for you.

On 21/08/2010, Adam Gross wrote:
> Permissions look good. I've compared all of that, new box versus old box.
>
> I just ran 'su postfix; mkdir 20100822' and received 'mkdir: cannot create
> directory `20100822': Permission denied' I ran the command in
> /var/spool/MailScanner/quarantine which is owned by postfix:www-data.
>
> drwxr-xr-x 20 postfix www-data 4096 2010-08-21 12:07 quarantine
>
> Adam Gross | agross@gcpsite.com | 859.630.8722
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin
> Hepworth
> Sent: Saturday, August 21, 2010 10:03 AM
> To: MailScanner discussion
> Subject: Re: Quarantine dirs not being created
>
> Adam
>
> anything perms further up the directory tree that mean postfix can't create
> the dir?
>
> have you tried su-ing to postfix and then mkdir-ing to check postfix can
> indeed create the dir?
>
> Martin Hepworth
> Oxford, UK
>
> On 21 August 2010 06:33, Adam Gross
> > wrote:
> On a daily basis I have to create /var/spool/MailScanner/quarantine/ dirs
> matching the date, then spam/nonspam folders under there... assign
> permissions postfix:www-data and then everything is hunky dorey. This
> system is about 10 days old and ran with no issues for the first 8.
> Yesterday and now again today I've had to create the folders. I verified
> the run-as user and group for MailScanner and quarantine as postfix for the
> user and www-data for the group. This is a Ubuntu 10.04 box... I remember
> some weird stuff with Ubuntu 8 but haven't been able to locate any
> information about 10. Thanks in advance!
>
> Adam
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From glenn.steen at gmail.com Mon Aug 23 02:12:28 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Aug 23 02:12:37 2010
Subject: Quarantine dirs not being created
In-Reply-To: <93B4D13F118B8244B2A34197EFFF196401559FDFA019@gcpex01.gcpsite.local>
References: <93B4D13F118B8244B2A34197EFFF196401559FDFA017@gcpex01.gcpsite.local> <93B4D13F118B8244B2A34197EFFF196401559FDFA018@gcpex01.gcpsite.local> <93B4D13F118B8244B2A34197EFFF196401559FDFA019@gcpex01.gcpsite.local>
Message-ID:

On 22 August 2010 20:51, Adam Gross wrote:
> I couldn't locate anything that needed changing so I tried the good old fashioned Windows fix-all... Everything is working fine at present. Before that I tried just cycling services but no change. I'll keep digging, I have a hard time believing a reboot fixed it.

Well, there are a few possibilities... None that wouldn't leave at least some "log residue", but then ... sometimes one misses things:-)
One thing could've been a filesystem gone bad ... might make it read only until fixed.... And a reboot might've done the necessary fsck. If that had been the case, none could've written to your partition containing the filesystem though...

Cheers
(snip)
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Milind.Patil at newswire18.com Wed Aug 25 08:17:27 2010
From: Milind.Patil at newswire18.com (Milind Patil)
Date: Wed Aug 25 08:17:42 2010
Subject: Getting spams via whitelisted domains
Message-ID:

Hi

We have recently implemented mailscanner with clamAV and sendmail we also have implemented the spam.whitelist.rules functionality. Recently we are getting some spam from the domains which have been marked in whitelist. How do we prevent this, one way is to add the mx server name of the domain which we want to whitelist instead of the domain name itself. But this solution involves keeping a track of the MX server changes for that domain.

I think earlier also people must have faced this problem, but was not able to find any proper solution.

Any suggestions.

Thanks in advance.

Regards
Milind Patil

From mikael at syska.dk Wed Aug 25 08:49:36 2010
From: mikael at syska.dk (Mikael Syska)
Date: Wed Aug 25 08:49:49 2010
Subject: Getting spams via whitelisted domains
In-Reply-To:
References:
Message-ID:

Hi,

On Wed, Aug 25, 2010 at 9:17 AM, Milind Patil wrote:
> Hi
>
>
>
> We have recently implemented mailscanner with clamAV and
> sendmail we also have implemented the spam.whitelist.rules functionality.
> Recently we are getting some spam from the domains which have been marked in
> whitelist. How do we prevent this, one way is to add the mx server name of
> the domain which we want to whitelist instead of the domain name itself. But
> this solution involves keeping a track of the MX server changes for that
> domain.
>
>
>
> I think earlier also people must have faced this problem,
> but was not able to find any proper solution.
>
> Any suggestions.
>

From the spam.whitelist.rules.sample file:

# If you are basing a blacklist on this then you can refer to
# a null (empty) sender address with "/^$/" as the address to match.
#
# This is where you can build a Spam WhiteList
# Addresses matching in here, with the value
# "yes" will never be marked as spam.
#From: 152.78. yes
#From: 130.246. yes
#From: host:soton.ac.uk yes # Note this is slower than using the IP
FromOrTo: default no

So if you know hostname, you can use the "host" option, or just whitelist the whole hostname "domain.tld"

Kind regards

> Thanks in advance.
>
> Regards
>
> Milind Patil

From nick.hudson at gmail.com Wed Aug 25 18:26:30 2010
From: nick.hudson at gmail.com (Nick Hudson)
Date: Wed Aug 25 18:26:40 2010
Subject: Blackberry emails
Message-ID:

I know this has been discussed in past emails on the list. I've looked through all the old emails and tried all the solutions but nothing is working. This is a constant headache for me and I would like to get it solved once and for all.

The ETP.DAT files are passing through without any problems, the issue is that the email shows up in my Inbox and I was under the impression that the email server should be processing the email to activate the Blackberry device. So saying that does Mailscanner convert the email in any way that would cause it not to be read by the Exchange server and show up in my Inbox only?

Any help would be appreciated.

Thanks!

--
Nick Hudson
nick.hudson@gmail.com

From alex at rtpty.com Wed Aug 25 18:36:15 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Aug 25 18:36:24 2010
Subject: Blackberry emails
In-Reply-To:
References:
Message-ID:

More likely the Exchange server is processing them wrongly.

On Wed, Aug 25, 2010 at 12:26 PM, Nick Hudson wrote:
> I know this has been discussed in past emails on the list. I've looked
> through all the old emails and tried all the solutions but nothing is
> working. This is a constant headache for me and I would like to get it
> solved once and for all.
>
> The ETP.DAT files are passing through without any problems, the issue is
> that the email shows up in my Inbox and I was under the impression that the
> email server should be processing the email to activate the Blackberry
> device. So saying that does Mailscanner convert the email in any way that
> would cause it not to be read by the Exchange server and show up in my Inbox
> only?
>
> Any help would be appreciated.
>
> Thanks!
>
> --
> Nick Hudson
> nick.hudson@gmail.com

--
--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 202-1525
BB Pin: 20EA17C5
alex@rtpty.com
Skype: alexneuman

From ssilva at sgvwater.com Wed Aug 25 19:18:00 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Aug 25 19:18:18 2010
Subject: Getting spams via whitelisted domains
In-Reply-To:
References:
Message-ID:

on 8-25-2010 12:17 AM Milind Patil spake the following:
> Hi
>
> We have recently implemented mailscanner with clamAV and
> sendmail we also have implemented the spam.whitelist.rules functionality.
> Recently we are getting some spam from the domains which have been marked in
> whitelist. How do we prevent this, one way is to add the mx server name of the
> domain which we want to whitelist instead of the domain name itself. But this
> solution involves keeping a track of the MX server changes for that domain.
>
> I think earlier also people must have faced this problem, but
> was not able to find any proper solution.
>
> Any suggestions.
>
> Thanks in advance.
>
> Regards
>
> Milind Patil
>

If you whitelist by name, you will get spam... You would need to whitelist by ip address, or write custom spamassassin rules that fire on something they have in their headers that is unique to them...

From nick.hudson at gmail.com Wed Aug 25 19:59:49 2010
From: nick.hudson at gmail.com (Nick Hudson)
Date: Wed Aug 25 19:59:59 2010
Subject: Blackberry emails
In-Reply-To:
References:
Message-ID:

On Wed, Aug 25, 2010 at 12:36 PM, Alex Neuman wrote:
> More likely the Exchange server is processing them wrongly.
>

Well not really it was an issue with my BES server that I installed. It's fixed now and working fine. Thanks!

>
> On Wed, Aug 25, 2010 at 12:26 PM, Nick Hudson wrote:
>
>> I know this has been discussed in past emails on the list. I've looked
>> through all the old emails and tried all the solutions but nothing is
>> working. This is a constant headache for me and I would like to get it
>> solved once and for all.
>>
>> The ETP.DAT files are passing through without any problems, the issue is
>> that the email shows up in my Inbox and I was under the impression that the
>> email server should be processing the email to activate the Blackberry
>> device. So saying that does Mailscanner convert the email in any way that
>> would cause it not to be read by the Exchange server and show up in my Inbox
>> only?
>>
>> Any help would be appreciated.
>>
>> Thanks!
>>
>> --
>> Nick Hudson
>> nick.hudson@gmail.com
>
> --
> --
>
> Alex Neuman van der Hans
> Reliant Technologies
> +507 6781-9505
> +507 202-1525
> BB Pin: 20EA17C5
> alex@rtpty.com
> Skype: alexneuman

--
Nick Hudson
nick.hudson@gmail.com

From paulo-m-roncon at ptinovacao.pt Thu Aug 26 03:35:26 2010
From: paulo-m-roncon at ptinovacao.pt (Paulo Roncon)
Date: Thu Aug 26 03:37:46 2010
Subject: block by header information
Message-ID:

Hello all,

anyone knows how can I block emails by header content (IP)? I don't want to use spamassassin. What I really want is to blacklist emails based on some info on the header. This normally is done at MTA level but I have a particular situation where this is not possible.
thanks,
Paulo

From micoots at yahoo.com Thu Aug 26 04:50:27 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Thu Aug 26 04:50:38 2010
Subject: Allowing "workbook.bin" through
Message-ID: <584755.53316.qm@web33307.mail.mud.yahoo.com>

Hi,

I'm not sure how to allow "workbook.bin" through the rulesets.

The block is based on:

No programs allowed (workbook.bin)

I use:

allow.filenames.rules
allow.filetypes.rules

files for the rule, and have added some but the emails still get blocked with the above error.

Any ideas what rule I should be putting in place for it?

Thanks.

Michael.

From jhilty at fit.edu Thu Aug 26 13:38:53 2010
From: jhilty at fit.edu (James Hilty)
Date: Thu Aug 26 13:39:19 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
Message-ID: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu>

Hi,

I just downloaded ScamNailer to test it out with one of our smtp servers, and before I put it into my cron.hourly folder I tried running it once on root. When I did, I got this.

This is the first run of this program.....
Checking that /var/cache/ScamNailer/cache/-1 exists... ok
Checking that /var/cache/ScamNailer/cache/-1.-1 exists... ok
I am working with: Current: 2010-253 - 15 and Status: -1 - -1
This is base update
Unable to retrieve http://www.mailscanner.tv/emails..2010-253 :404 Not Found
Update required
Retrieving http://www.mailscanner.tv/emails.2010-253.1
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.1 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.2
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.2 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.3
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.3 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.4
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.4 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.5
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.5 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.6
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.6 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.7
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.7 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.8
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.8 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.9
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.9 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.10
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.10 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.11
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.11 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.12
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.12 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.13
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.13 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.14
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.14 at./ScamNailer-2.09 line 276.
Retrieving http://www.mailscanner.tv/emails.2010-253.15
Failed to retrieve http://www.mailscanner.tv/emails.2010-253.15 at./ScamNailer-2.09 line 276.
Unable to open base file (/var/cache/ScamNailer/cache//2010-253)

I tried to ping mailscanner.tv, and that went well. I tried going to mailscanner.tv, and that went fine. But when I tried to go to something like http://www.mailscanner.tv/emails.2010-253.1 that's when I started getting the error messages of 404 not found.
Is anyone else getting this issue or is there something I did wrong.

Mind you I made zero changes to the script when I ran it.

Any help would be greatly appreciated. Thank you in advance.

From hvdkooij at vanderkooij.org Thu Aug 26 13:40:34 2010
From: hvdkooij at vanderkooij.org (hvdkooij)
Date: Thu Aug 26 13:45:21 2010
Subject: block by header information
In-Reply-To:
References:
Message-ID:

On Thu, 26 Aug 2010 03:35:26 +0100, Paulo Roncon wrote:
> anyone knows how can I block emails by header content (IP)? I don't want to
> use spamassassin. What I really want is to blacklist emails based on some
> info on the header.
> This normally is done at MTA level but I have a particular situation where
> this is not possible.

Right. So you can't let the MTA handle this. Then the only option is to write spamassassin rules. I am sure the list archive will contain some examples.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From glenn.steen at gmail.com Thu Aug 26 13:55:20 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 26 13:55:30 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
In-Reply-To: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu>
References: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu>
Message-ID:

On 26 August 2010 14:38, James Hilty wrote:
> Hi,
>
> I just downloaded ScamNailer to test it out with one of our smtp servers,
> and before I put it into my cron.hourly folder I tried running it once on
> root. When I did, I got this.
>
> This is the first run of this program.....
>
> Checking that /var/cache/ScamNailer/cache/-1 exists... ok Checking that
> /var/cache/ScamNailer/cache/-1.-1 exists... ok I am working with: Current:
> 2010-253 - 15 and Status: -1 - -1 This is base update Unable to retrieve
> http://www.mailscanner.tv/emails..2010-253 :404 Not Found Update required
> Retrieving http://www.mailscanner.tv/emails.2010-253.1
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.1
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.2
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.2
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.3
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.3
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.4
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.4
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.5
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.5
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.6
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.6
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.7
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.7
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.8
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.8
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.9
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.9
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.10
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.10
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.11
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.11
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.12
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.12
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.13
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.13
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.14
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.14
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.15
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.15
> at./ScamNailer-2.09 line 276.
>
> Unable to open base file (/var/cache/ScamNailer/cache//2010-253)
>
> I tried to ping mailscanner.tv, and that went well. I tried going to
> mailscanner.tv, and that went fine. But when I tried to go to something like
> http://www.mailscanner.tv/emails.2010-253.1 that's when I started getting the
> error messages of 404 not found. Is anyone else getting this issue or is
> there something I did wrong.
>
> Mind you I made zero changes to the script when I ran it.
>
> Any help would be greatly appreciated. Thank you in advance.
>

# /etc/cron.hourly/ScamNailer-2.09
Reading status from /var/cache/ScamNailer/status
Checking that /var/cache/ScamNailer/cache/2010-344 exists... ok
Checking that /var/cache/ScamNailer/cache/2010-344.18 exists... ok
I am working with: Current: 2010-344 - 19 and Status: 2010-344 - 18
No base update required
Update required
Retrieving http://www.mailscanner.tv/emails.2010-344.19 /var/cache/ScamNailer/cache/2010-344.19
Updating live file /var/cache/ScamNailer/phishing.emails.list
Deleting cached file: 2010-344.18.... ok
Reloading MailScanner workers:
MailScanner: [ OK ]
Outgoing postfix: [ OK ]
#

... Looks Ok to me...:-). Where did you get your copy? Is it the latest?
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Aug 26 13:57:30 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Aug 26 13:57:41 2010
Subject: Allowing "workbook.bin" through
In-Reply-To: <584755.53316.qm@web33307.mail.mud.yahoo.com>
References: <584755.53316.qm@web33307.mail.mud.yahoo.com>
Message-ID:

On 26 August 2010 05:50, Michael Mansour wrote:
> Hi,
>
> I'm not sure how to allow "workbook.bin" through the rulesets.
>
> The block is based on:
>
> No programs allowed (workbook.bin)
>
> I use:
>
> allow.filenames.rules
> allow.filetypes.rules
>
> files for the rule, and have added some but the emails still get blocked with the above error.
>
> Any ideas what rule I should be putting in place for it?
>
> Thanks.
>
> Michael.
>

Filetype rule firing there, so overload that with a "pure allow" rule file, for the select few you'd like this to work for.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jhilty at fit.edu Thu Aug 26 14:02:46 2010
From: jhilty at fit.edu (James Hilty)
Date: Thu Aug 26 14:03:18 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
In-Reply-To:
References: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu>
Message-ID: <8B7D8DD015663F4CBE2DFA6D35269828271141DA2D@EXBE.fit.edu>

I got the one at http://www.scamnailer.info/files/2/ScamNailer-2.09.gz which should be the newest version I believe.

Looking at your logs, it seems like your definitions are emails.2010-344 while mine are emails.2010-253. Seems like I am trying to DL an old version of the definitions. Which would explain why I can't get them. They are deleted. Still don't know what is causing it though.
-James Hilty

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Thursday, August 26, 2010 8:55 AM
To: MailScanner discussion
Subject: Re: Issue with ScamNailer. Unable to DL definitions.

On 26 August 2010 14:38, James Hilty wrote:
> Hi,
>
> I just downloaded ScamNailer to test it out with one of our smtp
> servers, and before I put it into my cron.hourly folder I tried
> running it once on root. When I did, I got this.
>
> This is the first run of this program.....
>
> Checking that /var/cache/ScamNailer/cache/-1 exists... ok Checking
> that
> /var/cache/ScamNailer/cache/-1.-1 exists... ok I am working with: Current:
> 2010-253 - 15 and Status: -1 - -1 This is base update Unable to
> retrieve
> http://www.mailscanner.tv/emails..2010-253 :404 Not Found Update
> required Retrieving http://www.mailscanner.tv/emails.2010-253.1
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.1
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.2
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.2
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.3
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.3
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.4
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.4
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.5
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.5
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.6
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.6
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.7
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.7
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.8
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.8
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.9
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.9
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.10
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.10
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.11
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.11
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.12
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.12
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.13
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.13
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.14
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.14
> at./ScamNailer-2.09 line 276.
> Retrieving http://www.mailscanner.tv/emails.2010-253.15
> Failed to retrieve http://www.mailscanner.tv/emails.2010-253.15
> at./ScamNailer-2.09 line 276.
>
> Unable to open base file (/var/cache/ScamNailer/cache//2010-253)
>
> I tried to ping mailscanner.tv, and that went well. I tried going to
> mailscanner.tv, and that went fine. But when I tried to go to
> something like
> http://www.mailscanner.tv/emails.2010-253.1 that's when I started
> getting the error messages of 404 not found. Is anyone else getting
> this issue or is there something I did wrong.
>
> Mind you I made zero changes to the script when I ran it.
>
> Any help would be greatly appreciated. Thank you in advance.
>

# /etc/cron.hourly/ScamNailer-2.09
Reading status from /var/cache/ScamNailer/status
Checking that /var/cache/ScamNailer/cache/2010-344 exists... ok
Checking that /var/cache/ScamNailer/cache/2010-344.18 exists... ok
I am working with: Current: 2010-344 - 19 and Status: 2010-344 - 18
No base update required
Update required
Retrieving http://www.mailscanner.tv/emails.2010-344.19 /var/cache/ScamNailer/cache/2010-344.19
Updating live file /var/cache/ScamNailer/phishing.emails.list
Deleting cached file: 2010-344.18.... ok
Reloading MailScanner workers:
MailScanner: [ OK ]
Outgoing postfix: [ OK ]
#

... Looks Ok to me...:-). Where did you get your copy? Is it the latest?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From lyndonl at mexcom.co.za Thu Aug 26 14:08:04 2010
From: lyndonl at mexcom.co.za (Lyndon Labuschagne)
Date: Thu Aug 26 14:09:38 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
In-Reply-To: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu>
References: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu>
Message-ID: <34CFB041-9C83-49C0-9DB6-42BDE1BC7ADC@mexcom.co.za>

On 26 Aug 2010, at 2:38 PM, James Hilty wrote:

> Hi,
>
> I just downloaded ScamNailer to test it out with one of our smtp servers, and before I put it into my cron.hourly folder I tried running it once on root. When I did, I got this.
>
> I tried to ping mailscanner.tv, and that went well. I tried going to mailscanner.tv, and that went fine. But when I tried to go to something like http://www.mailscanner.tv/emails.2010-253.1 that's when I started getting the error messages of 404 not found.
> Is anyone else getting this issue or is there something I did wrong.
>
> Mind you I made zero changes to the script when I ran it.
>
> Any help would be greatly appreciated. Thank you in advance.

not to point out the obvious but can you telnet to www.mailscanner.tv on port 80 from the server that needs to do the update?

From lyndonl at mexcom.co.za Thu Aug 26 14:17:40 2010
From: lyndonl at mexcom.co.za (Lyndon Labuschagne)
Date: Thu Aug 26 14:18:23 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
In-Reply-To: <34CFB041-9C83-49C0-9DB6-42BDE1BC7ADC@mexcom.co.za>
References: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu> <34CFB041-9C83-49C0-9DB6-42BDE1BC7ADC@mexcom.co.za>
Message-ID:

On 26 Aug 2010, at 3:08 PM, Lyndon Labuschagne wrote:

>
> On 26 Aug 2010, at 2:38 PM, James Hilty wrote:
>
>> Hi,
>>
>> I just downloaded ScamNailer to test it out with one of our smtp servers, and before I put it into my cron.hourly folder I tried running it once on root. When I did, I got this.
>>
>> I tried to ping mailscanner.tv, and that went well. I tried going to mailscanner.tv, and that went fine. But when I tried to go to something like http://www.mailscanner.tv/emails.2010-253.1 that's when I started getting the error messages of 404 not found. Is anyone else getting this issue or is there something I did wrong.

I'm not sure if it's possible to browse to the subdirectories but I get this if I do

Not Found
The requested URL /emails.2010-253.2 was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2 Server at www.mailscanner.eu Port 80

From jhilty at fit.edu Thu Aug 26 14:19:20 2010
From: jhilty at fit.edu (James Hilty)
Date: Thu Aug 26 14:19:44 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
In-Reply-To: <34CFB041-9C83-49C0-9DB6-42BDE1BC7ADC@mexcom.co.za>
References: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu> <34CFB041-9C83-49C0-9DB6-42BDE1BC7ADC@mexcom.co.za>
Message-ID: <8B7D8DD015663F4CBE2DFA6D35269828271141DA30@EXBE.fit.edu>

Yes, yes I can.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lyndon Labuschagne
Sent: Thursday, August 26, 2010 9:08 AM
To: MailScanner discussion
Subject: Re: Issue with ScamNailer. Unable to DL definitions.

On 26 Aug 2010, at 2:38 PM, James Hilty wrote:

Hi,

I just downloaded ScamNailer to test it out with one of our smtp servers, and before I put it into my cron.hourly folder I tried running it once on root. When I did, I got this.

I tried to ping mailscanner.tv, and that went well. I tried going to mailscanner.tv, and that went fine. But when I tried to go to something like http://www.mailscanner.tv/emails.2010-253.1 that's when I started getting the error messages of 404 not found. Is anyone else getting this issue or is there something I did wrong.

Mind you I made zero changes to the script when I ran it.

Any help would be greatly appreciated. Thank you in advance.

not to point out the obvious but can you telnet to www.mailscanner.tv on port 80 from the server that needs to do the update?

From stratos.td at gmail.com Thu Aug 26 15:24:11 2010
From: stratos.td at gmail.com (Steve)
Date: Thu Aug 26 15:24:20 2010
Subject: Virus attachments not replaced with warning text
In-Reply-To:
References: <4C5BEB05.5050408@ecs.soton.ac.uk>
Message-ID:

On 6 August 2010 11:59, Julian Field wrote:
> I cannot reproduce your problem.
> Please can you try the latest beta and see if it works there?
>

A classic case of PEBKAC error ... I found that one of the spool directories did not have correct permissions set - it all seems to work fine now.

Thanks,

Steve.

From nsnidanko at harperpowerproducts.com Thu Aug 26 17:23:50 2010
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Thu Aug 26 17:24:04 2010
Subject: Blackberry emails
References: <201008261101.o7QB0NAj014514@safir.blacknight.ie>
Message-ID: <9453A32CAC9FFB4D8F59285E34B6A5062E8B@hotc_exch.harperotc.com>

Hi Nick,

I implemented the following solution for BES:

1. added *.blackberry.net to spam.whitelist.rules
2. added the following lines to content.scanning.rules:

# BES ETP.DAT files
From: *.blackberry.net no
# BES ETP.DAT files
From: *@*.blackberry.net no

This should not strip activation files. If you run file -I command against them they show up as application, and are blocked by default.

If your users use Blackberry desktop software to redirect email to their personal blackberries you would have to make it From and To.

Hope it helps,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

Date: Wed, 25 Aug 2010 12:26:30 -0500
From: Nick Hudson
Subject: Blackberry emails
To: mailscanner@lists.mailscanner.info
Message-ID:
Content-Type: text/plain; charset="utf-8"

I know this has been discussed in past emails on the list. I've looked through all the old emails and tried all the solutions but nothing is working. This is a constant headache for me and I would like to get it solved once and for all.

The ETP.DAT files are passing through without any problems, the issue is that the email shows up in my Inbox and I was under the impression that the email server should be processing the email to activate the Blackberry device. So saying that does Mailscanner convert the email in any way that would cause it not to be read by the Exchange server and show up in my Inbox only?

Any help would be appreciated.

Thanks!

--
Nick Hudson
nick.hudson@gmail.com
***********

From nick.hudson at gmail.com Thu Aug 26 18:24:07 2010
From: nick.hudson at gmail.com (Nick Hudson)
Date: Thu Aug 26 18:24:16 2010
Subject: Blackberry emails
In-Reply-To: <9453A32CAC9FFB4D8F59285E34B6A5062E8B@hotc_exch.harperotc.com>
References: <201008261101.o7QB0NAj014514@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062E8B@hotc_exch.harperotc.com>
Message-ID:

Thanks yeah I did the same exact thing. It's working fine now. There was an issue with a service on the BES side that wasn't starting so it wasn't processing the emails as they come into the inbox. All is well now.

Thanks again!

On Thu, Aug 26, 2010 at 11:23 AM, Naz Snidanko <nsnidanko@harperpowerproducts.com> wrote:
> Hi Nick,
>
> I implemented the following solution for BES:
>
> 1. added *.blackberry.net to spam.whitelist.rules
> 2. added the following lines to content.scanning.rules:
>
> # BES ETP.DAT files
> From: *.blackberry.net no
> # BES ETP.DAT files
> From: *@*.blackberry.net no
>
> This should not strip activation files. If you run file -I command
> against them they show up as application, and are blocked by default.
>
> If your users use Blackberry desktop software to redirect email to their
> personal blackberries you would have to make it From and To.
>
> Hope it helps,
>
> Naz Snidanko
> Desktop & Network Support
> Harper Power Products Inc.
> (p) 416 201- 7506
> nsnidanko@harperpowerproducts.com
>
> Date: Wed, 25 Aug 2010 12:26:30 -0500
> From: Nick Hudson
> Subject: Blackberry emails
> To: mailscanner@lists.mailscanner.info
> Message-ID:
> Content-Type: text/plain; charset="utf-8"
>
> I know this has been discussed in past emails on the list. I've looked
> through all the old emails and tried all the solutions but nothing is
> working. This is a constant headache for me and I would like to get it
> solved once and for all.
>
> The ETP.DAT files are passing through without any problems, the issue is
> that the email shows up in my Inbox and I was under the impression that the
> email server should be processing the email to activate the Blackberry device.
> So saying that does Mailscanner convert the email in any way that would
> cause it not to be read by the Exchange server and show up in my Inbox only?
>
> Any help would be appreciated.
>
> Thanks!
>
> --
> Nick Hudson
> nick.hudson@gmail.com
> ***********

--
Nick Hudson
nick.hudson@gmail.com

From mark at msapiro.net Sat Aug 28 14:52:15 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Aug 28 14:52:31 2010
Subject: Issue with ScamNailer. Unable to DL definitions.
In-Reply-To: <8B7D8DD015663F4CBE2DFA6D35269828271141DA2D@EXBE.fit.edu>
References: <8B7D8DD015663F4CBE2DFA6D3526982827113923FE@EXBE.fit.edu> <8B7D8DD015663F4CBE2DFA6D35269828271141DA2D@EXBE.fit.edu>
Message-ID: <4C79148F.3060107@msapiro.net>

On 11:59 AM, James Hilty wrote:
> I got the one at
> http://www.scamnailer.info/files/2/ScamNailer-2.09.gz which should be
> the newest version I believe.
>
> Looking at your logs, it seems like your definitions are
> emails.2010-344 while mine are emails.2010-253. Seems like I am
> trying to DL an old version of the definitions. Which would explain
> why I can't get them. They are deleted. Still don't know what is
> causing it though.

What does

dig txt emails.msupdate.greylist.bastionmail.com

return? This is effectively what the script does to get the name of the latest file. It should return a "txt" record with content similar to "emails.2010-346.17" which is what I got a few minutes ago.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
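Added example (not part of the message above and not code from the ScamNailer script): a small Python checker that takes the TXT record content and the "I am working with" line quoted in this thread, lists the update files a run will ask for, and tells you whether your resolver's answer is older than one obtained elsewhere. The function names are hypothetical. It assumes that the base labels and update numbers only ever increase, and that a changed base label triggers a base download followed by updates 1..N, as the first-run log in the thread shows.

```python
"""Predict which ScamNailer update files a run will request (added example)."""
import re
from typing import List, NamedTuple, Tuple


class Version(NamedTuple):
    base: str    # base list label, e.g. "2010-346"
    update: int  # incremental update number, e.g. 17


# TXT record content as quoted in the thread: emails.<base>.<update>
_TXT_RE = re.compile(r"^emails\.(\d{4}-\d+)\.(\d+)$")
# The "I am working with: Current: ... and Status: ..." line printed by the script
_LOG_RE = re.compile(
    r"Current:\s*(\S+)\s+-\s+(-?\d+)\s+and\s+Status:\s*(\S+)\s+-\s+(-?\d+)"
)


def parse_txt(rdata: str) -> Version:
    """Parse the TXT answer. The value ends up in a URL and a cache file
    name, so anything that is not exactly the expected shape is rejected."""
    m = _TXT_RE.match(rdata.strip().strip('"'))
    if m is None:
        raise ValueError(f"unexpected TXT content: {rdata!r}")
    return Version(m.group(1), int(m.group(2)))


def parse_working_line(line: str) -> Tuple[Version, Version]:
    """Return (current, status) from the script's 'I am working with' line."""
    m = _LOG_RE.search(line)
    if m is None:
        raise ValueError("no 'Current: ... and Status: ...' pair found")
    return (Version(m.group(1), int(m.group(2))),
            Version(m.group(3), int(m.group(4))))


def plan(current: Version, status: Version) -> Tuple[bool, List[str]]:
    """Return (base_update_needed, update file names to fetch).

    Assumption: a different base label means a base download plus
    updates 1..N; the same base means only the missing updates.
    """
    base_needed = status.base != current.base
    first = 1 if base_needed else status.update + 1
    names = [f"emails.{current.base}.{n}"
             for n in range(first, current.update + 1)]
    return base_needed, names


def is_older(local: Version, reference: Version) -> bool:
    """True if the local DNS answer is behind a reference answer.

    Assumption: labels sort numerically as (year, number, update).
    """
    def key(v: Version) -> Tuple[int, int, int]:
        year, seq = v.base.split("-")
        return (int(year), int(seq), v.update)
    return key(local) < key(reference)


if __name__ == "__main__":
    # Lines copied from the thread.
    first_run = "I am working with: Current: 2010-253 - 15 and Status: -1 - -1"
    current, status = parse_working_line(first_run)
    base_needed, names = plan(current, status)
    print("base update needed:", base_needed)
    print("will request:", names[0], "...", names[-1])
    reference = parse_txt('"emails.2010-346.17"')
    if is_older(current, reference):
        print("resolver answer", current, "is behind", reference,
              "- check DNS caching before blaming the web server")
```

If the local answer is behind, the 404s are expected because the server no longer holds those files, and the phishing address list on that host is not being refreshed until the resolver returns the current record.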