From maxsec at gmail.com Wed Dec 1 06:35:17 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Dec 1 06:35:27 2010
Subject: Many cache hits before message finally delivered
In-Reply-To: <1291151653.24471.61.camel@localhost.localdomain>
References: <1291151653.24471.61.camel@localhost.localdomain>
Message-ID:

I'd also check there's not a bad message in the incoming queue or a file
(check for dot files also) that shouldn't be there

Martin

On Tuesday, November 30, 2010, Daniel Davidson wrote:
> I am having an odd problem where simple messages seemingly at random take
> a very long time to deliver. Most others deliver right away. A little
> checking reveals that they are getting scanned for viruses multiple
> times. For example:
>
> [root@mail etc]# grep Nov\ 30 /var/log/maillog|grep 98A1140460 |grep SpamAssassin\ cache
> Nov 30 08:55:29 mail MailScanner[27405]: SpamAssassin cache hit for message 98A1140460.79963
> Nov 30 08:55:37 mail MailScanner[28156]: SpamAssassin cache hit for message 98A1140460.25237
> Nov 30 08:55:43 mail MailScanner[28270]: SpamAssassin cache hit for message 98A1140460.A8B9B
> .........
> Nov 30 10:12:11 mail MailScanner[11353]: SpamAssassin cache hit for message 98A1140460.37797
> Nov 30 10:12:15 mail MailScanner[11353]: Requeue: 98A1140460.37797 to 8D23F4033E
>
> This ran about 500 times before the requeue finally took effect. Any
> ideas as to what can cause this? I just updated clamav, but that does
> not seem to help. Below are the appropriate package versions. Thanks
> for any help in advance.
>
> mailscanner-4.61.7-2
> spamassassin-3.3.1-3.el5.rf
> clamav-0.96.5-1.el5.rf
> postfix-2.3.3-2.1.el5_2
> procmail-3.22-17.1
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Martin Hepworth
Oxford, UK

From steve.freegard at fsl.com Wed Dec 1 11:04:10 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Dec 1 11:04:25 2010
Subject: Problem with SQL config on MailScanner
In-Reply-To:
References:
Message-ID: <4CF62BAA.2040605@fsl.com>

On 30/11/10 20:42, Eduardo Casarero wrote:
> Hi everybody! Today i started playing with the sql config options for
> MailScanner and i cant make it work.
>
> My "config" table definition:
>
> CREATE TABLE `config` (
> `id` int(11) NOT NULL auto_increment,
> `hostname` varchar(100) NOT NULL,
> `value` varchar(100) NOT NULL,
> `external` varchar(100) NOT NULL,
> `options` varchar(100) NOT NULL,
> PRIMARY KEY (`id`)
> ) ENGINE=MyISAM
>
> MailScanner.conf:
>
> DB DSN = DBI:mysql:dbname=mailscanner;host=localhost;port=3306
> DB Username = root
> DB Password = password
> SQL Serial Number = SELECT value FROM config WHERE options='confserialnumber'
> SQL Quick Peek = SELECT value FROM config WHERE external=? AND hostname=?
> SQL Config = SELECT options, value FROM config WHERE hostname=?
> SQL Ruleset =
> SQL SpamAssassin Config =
> SQL Debug = yes
>
> this is the output i get:
>
> /opt/MailScanner/bin/MailScanner --debug --lint
>
> *Database functions disabled*
> Trying to setlogsock(unix)
>
> Reading configuration file /opt/MailScanner/etc/MailScanner.conf
> Read 865 hostnames from the phishing whitelist
> Read 5278 hostnames from the phishing blacklists
>
> Checking version numbers...
> Version number in MailScanner.conf (4.81.4) is correct.
> (...)
>
> Does anybody have any idea of what i am doing wrong?

Looking at the code:

+ # Disable database functions if required data not present + if (!$dsn || !$db_user || !$db_pass) { + $disabled = 1; + print STDERR "Database functions disabled\n" if $debug; + return undef; + }

It would appear that the functions think that 'DB DSN', 'DB Username' or
'DB Password' fields evaluate to an empty value.
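
Review bot: The "!$db_pass" term in the "if (!$dsn || !$db_user || !$db_pass)" condition is a Perl truthiness test, so an empty password (or the string "0") disables the database functions exactly as a missing DSN would, and the single "Database functions disabled" debug line does not say which of the three settings was rejected. If a non-empty password is meant to be mandatory, report the offending setting by name in the message; if it is not, test the DSN and username with defined/length and leave the password out of the condition. The same truthiness caveat applies to "$db_user".
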
> Also, if the line "include" is enabled at the end of MailScanner.conf
> with a valid config file all the DB config seems to disappear, does
> anybody knows what is the precedence between the include and the db?

Not sure on this myself; personally I thought the whole include argument
was weak, so I've never used it myself and never tested it with the
database functions. My advice would be to get the database functions
working first by using MailScanner.conf only first.

Regards,
Steve.

From ecasarero at gmail.com Wed Dec 1 13:46:14 2010
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Wed Dec 1 13:46:44 2010
Subject: Problem with SQL config on MailScanner
In-Reply-To: <4CF62BAA.2040605@fsl.com>
References: <4CF62BAA.2040605@fsl.com>
Message-ID:

2010/12/1 Steve Freegard

> On 30/11/10 20:42, Eduardo Casarero wrote:
>
>> Hi everybody! Today i started playing with the sql config options for
>> MailScanner and i cant make it work.
>>
>> My "config" table definition:
>>
>> CREATE TABLE `config` (
>> `id` int(11) NOT NULL auto_increment,
>> `hostname` varchar(100) NOT NULL,
>> `value` varchar(100) NOT NULL,
>> `external` varchar(100) NOT NULL,
>> `options` varchar(100) NOT NULL,
>> PRIMARY KEY (`id`)
>> ) ENGINE=MyISAM
>>
>> MailScanner.conf:
>>
>> DB DSN = DBI:mysql:dbname=mailscanner;host=localhost;port=3306
>> DB Username = root
>> DB Password = password
>> SQL Serial Number = SELECT value FROM config WHERE options='confserialnumber'
>> SQL Quick Peek = SELECT value FROM config WHERE external=? AND hostname=?
>> SQL Config = SELECT options, value FROM config WHERE hostname=?
>> SQL Ruleset =
>> SQL SpamAssassin Config =
>> SQL Debug = yes
>>
>> this is the output i get:
>>
>> /opt/MailScanner/bin/MailScanner --debug --lint
>>
>> *Database functions disabled*
>> Trying to setlogsock(unix)
>>
>> Reading configuration file /opt/MailScanner/etc/MailScanner.conf
>> Read 865 hostnames from the phishing whitelist
>> Read 5278 hostnames from the phishing blacklists
>>
>> Checking version numbers...
>> Version number in MailScanner.conf (4.81.4) is correct.
>> (...)
>>
>> Does anybody have any idea of what i am doing wrong?
>>
>
> Looking at the code:
>
> + # Disable database functions if required data not present > + if (!$dsn || !$db_user || !$db_pass) { > + $disabled = 1; > + print STDERR "Database functions disabled\n" if $debug; > + return undef; > + }
>
> It would appear that the functions think that 'DB DSN', 'DB Username' or
> 'DB Password' fields evaluate to an empty value.
>
>

The problem was the empty password! thanks!

> Also, if the line "include" is enabled at the end of MailScanner.conf
>> with a valid config file all the DB config seems to disappear, does
>> anybody knows what is the precedence between the include and the db?
>>
>
> Not sure on this myself; personally I thought the whole include argument
> was weak, so I've never used it myself and never tested it with the database
> functions. My advice would be to get the database functions working first
> by using MailScanner.conf only first.
>
> Regards,
> Steve.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101201/3c972347/attachment.html

From ante.gulam at ri-ing.hr Wed Dec 1 14:47:48 2010
From: ante.gulam at ri-ing.hr (Ante Gulam)
Date: Wed Dec 1 14:47:57 2010
Subject: Mailscanner attach scan problem
Message-ID: <013101cb9166$b8d50110$2a7f0330$@gulam@ri-ing.hr>

Hi,

So i've configured my linux machine to be an antispam filter between my
Fortinet GW firewall and my exchange 2010 in my local domain for incoming
emails.. i've forwarded 25 out?inbound to linux and it relays it to EX10..
Relaying in Postfix works fine.. Then i've installed mailscanner with clam,
spamassassin etc. (removing clamav ltr considering it as a troublemaker in
this situation).. turns out it's not its fault! :)

So when i send mail from outside it goes cleanly to the Postfix.. I can see
it in the /var/spool/postfix/hold folder.. mailscanner proc analyzes it and
mail goes to incoming folder with no much bother.. BUT.. If i send .zip,
.exe or some other attach .. even .pptx.. (log, txt etc. passes with no
delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting
child.. Sometimes it goes .. After that action no mails passing through..
with or without attach. And files are filling in hold folder even if i'm
not getting any new mails from anyone.. ??? ie:

4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore..
i've configured postfix to check header.. header puts it into "hold"

And mailscanner should take over after.. i dont see any complication to
scan the file and mv it to incoming.. Also a conf file acts weird..
If i uncomment Any AV it gives me an error while restarting
init.d/mailscanner ...

Interesting thing is: if i do "mv * ../incoming/" in my hold folder after
some delay i get that email that was causing trouble and all the mail that
came after it was jammed.. and after that all seems working fine until same
thing happens.. i have spamassassin and no AV currently installed.. no
amavis, sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..

From MailScanner at ecs.soton.ac.uk Wed Dec 1 15:58:36 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Dec 1 15:58:52 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <013101cb9166$b8d50110$2a7f0330$@gulam@ri-ing.hr>
References: <013101cb9166$b8d50110$2a7f0330$@gulam@ri-ing.hr> <4CF670AC.30505@ecs.soton.ac.uk>
Message-ID:

Start off with a
    MailScanner --lint
and see if that reports any errors.

Then get a single message into /var/spool/postfix/hold and then
    service MailScanner stop
    MailScanner --debug
and see if you get one in the outgoing Postfix queue.

And then read your /var/log/maillog carefully, there may well be something
of use in there.

Unfortunately your email doesn't tell us much more than that, so there's
limited help I can provide.

Jules.

On 01/12/2010 14:47, Ante Gulam wrote:
>
> Hi,
>
> So i've configured my linux machine to be an antispam filter between
> my Fortinet GW firewall and my exchange 2010 in my local domain for
> incoming emails.. i've forwarded 25 out?inbound to linux and it
> relays it to EX10.. Relaying in Postfix works fine.. Then i've
> installed mailscanner with clam, spamassassin etc. (removing clamav
> ltr considering it as a troublemaker in this situation).. turns out
> it's not its fault!
> :)
>
> So when i send mail from outside it goes cleanly to the Postfix.. I
> can see it in the /var/spool/postfix/hold folder.. mailscanner proc
> analyzes it and mail goes to incoming folder with no much bother..
> BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log,
> txt etc. passes with no delay) the mailscanner proc goes bad.. it
> blocks on MailScanner: starting child.. Sometimes it goes ..
> After that action no mails passing through.. with or without attach.
> And files are filling in hold folder even if i'm not getting any new
> mails from anyone.. ??? ie:
>
> 4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
>
> 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
>
> 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
>
> 4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
>
> 416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*
>
> It's really important for me to solve this but i have no ideas
> anymore.. i've configured postfix to check header.. header puts it
> into "hold"
>
> And mailscanner should take over after.. i dont see any complication
> to scan the file and mv it to incoming.. Also a conf file acts weird..
> If i uncomment
>
> Any AV it gives me an error while restarting init.d/mailscanner ...
>
> Interesting thing is: if i do "mv * ../incoming/" in my hold folder
> after some delay i get that email that was causing trouble and all the
> mail that came after it was jammed.. and after that all seems working
> fine until same thing happens.. i have spamassassin and no AV
> currently installed.. no amavis, sophos, clamd etc.
>
> Please some quick advice to solve this manner..
>
> Tnx 2 all.
>
> Ps. If some snippet of conf is needed let me know! Tnx..
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Wed Dec 1 17:58:19 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 1 17:58:30 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <-858783880576802161@unknownmsgid>
References: <-858783880576802161@unknownmsgid>
Message-ID:

What version of mailscanner, postfix etc? How did you install? We might
guess, but... Better if you tell us.

As to guesswork, my money would be equally split between real old
mailscanner version and a bad tnef expander;-)

Cheers

On 1 Dec 2010 15.51, "Ante Gulam" wrote:

Hi,

So i've configured my linux machine to be an antispam filter between my
Fortinet GW firewall and my exchange 2010 in my local domain for incoming
emails.. i've forwarded 25 out?inbound to linux and it relays it to EX10..
Relaying in Postfix works fine.. Then i've installed mailscanner with clam,
spamassassin etc. (removing clamav ltr considering it as a troublemaker in
this situation).. turns out it's not its fault! :)

So when i send mail from outside it goes cleanly to the Postfix.. I can see
it in the /var/spool/postfix/hold folder.. mailscanner proc analyzes it and
mail goes to incoming folder with no much bother.. BUT.. If i send .zip,
.exe or some other attach .. even .pptx.. (log, txt etc. passes with no
delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting
child.. Sometimes it goes .. After that action no mails passing through..
with or without attach. And files are filling in hold folder even if i'm
not getting any new mails from anyone.. ???
ie:

4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore..
i've configured postfix to check header.. header puts it into "hold"

And mailscanner should take over after.. i dont see any complication to
scan the file and mv it to incoming.. Also a conf file acts weird.. If i
uncomment Any AV it gives me an error while restarting
init.d/mailscanner ...

Interesting thing is: if i do "mv * ../incoming/" in my hold folder after
some delay i get that email that was causing trouble and all the mail that
came after it was jammed.. and after that all seems working fine until same
thing happens.. i have spamassassin and no AV currently installed.. no
amavis, sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..

From alex at rtpty.com Wed Dec 1 18:03:53 2010
From: alex at rtpty.com (Alex Neuman van der Hans)
Date: Wed Dec 1 18:05:47 2010
Subject: Mailscanner attach scan problem
In-Reply-To:
References: <-858783880576802161@unknownmsgid>
Message-ID: <986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271-@bda478.bisx.prod.on.blackberry>

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)
Remember to visit http://vidadigital.com.pa/
BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 1 Dec 2010 18:58:19
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Mailscanner attach scan problem

From glenn.steen at gmail.com Wed Dec 1 21:18:44 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Dec 1 21:18:54 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271-@bda478.bisx.prod.on.blackberry>
References: <-858783880576802161@unknownmsgid> <986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271-@bda478.bisx.prod.on.blackberry>
Message-ID:

:-D ... You might be right... We'll just have to wait for Ante to get back
with some facts...

On 1 Dec 2010 19.10, "Alex Neuman van der Hans" wrote:

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)
Remember to visit http://vidadigital.com.pa/
BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@li...

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/li...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101201/25993332/attachment.html

From Jeff.Mills at sydneytech.com.au Thu Dec 2 05:56:07 2010
From: Jeff.Mills at sydneytech.com.au (Jeff Mills)
Date: Thu Dec 2 05:56:22 2010
Subject: new spam getting through
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>

Is anyone else having issues with some new very simple spam coming through
in the last 48 hours?

I'm having a lot of trouble blocking this stuff because the URL changes all
the time as well as the text.

Here is an example:

http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

From FUNK.Gabor at hunetkft.hu Thu Dec 2 09:55:40 2010
From: FUNK.Gabor at hunetkft.hu (Gabor FUNK)
Date: Thu Dec 2 09:56:10 2010
Subject: new spam getting through
References: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>
Message-ID: <9F5B4C699954459C95E71FB252F725C9@M2007>

"x dot co" (url shortener registered in columbia, ~half a year ago) is
listed in URIBL as of DEC 01 22:31:08 GMT, anyone using it for blocking or
scoring should be ok now...

G.

----- Original Message -----
From: Jeff Mills
To: mailscanner@lists.mailscanner.info
Sent: Thursday, December 02, 2010 6:56 AM
Subject: new spam getting through

Is anyone else having issues with some new very simple spam coming through
in the last 48 hours?

I'm having a lot of trouble blocking this stuff because the URL changes all
the time as well as the text.

Here is an example:

http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

From peter at farrows.org Thu Dec 2 10:13:34 2010
From: peter at farrows.org (peter@farrows.org)
Date: Thu Dec 2 10:13:46 2010
Subject: new spam getting through
In-Reply-To: <9F5B4C699954459C95E71FB252F725C9@M2007>
References: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local><9F5B4C699954459C95E71FB252F725C9@M2007>
Message-ID: <847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051-@b28.c11.bise7.blackberry>

Greylisting stops this for me.
------------------

-----Original Message-----
From: "Gabor FUNK"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 2 Dec 2010 10:55:40
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: new spam getting through

From Jeff.Mills at sydneytech.com.au Thu Dec 2 11:14:38 2010
From: Jeff.Mills at sydneytech.com.au (Jeff Mills)
Date: Thu Dec 2 11:15:04 2010
Subject: new spam getting through
In-Reply-To: <847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051-@b28.c11.bise7.blackberry>
References: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local><9F5B4C699954459C95E71FB252F725C9@M2007> <847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051-@b28.c11.bise7.blackberry>
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69E@SERVER01.sts.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of peter@farrows.org
> Sent: Thursday, 2 December 2010 9:14 PM
> To: MailScanner discussion
> Subject: Re: new spam getting through
>
> Greylisting stops this for me.
> ------------------
>

Strange. All of the ones that have been getting through to me have come
from hotmail servers, so greylisting has not stopped it.

From steve.freegard at fsl.com Thu Dec 2 12:01:41 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Dec 2 12:01:56 2010
Subject: new spam getting through
In-Reply-To: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>
References: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>
Message-ID: <4CF78AA5.8040802@fsl.com>

On 02/12/10 05:56, Jeff Mills wrote:
> Is anyone else having issues with some new very simple spam coming
> through in the last 48 hours?
>
> I'm having a lot of trouble blocking this stuff because the URL changes
> all the time as well as the text.
>
> Here is an example:
>
> http://pastebin.com/kuAH2GUY
>
> Has anyone managed to come up with anything to stop it?
>

Try my short URL decoder plug-in that I wrote for SA:

http://www.fsl.com/support/DecodeShortURLs.pm
http://www.fsl.com/support/DecodeShortURLs.cf

You'll need to add x(dot)co to the shortener list though; the other
defaults should work fine.

Put both files in /etc/mail/spamassassin and restart MailScanner to get SA
to start using the new plugin.

This will allow SA to 'see' the decoded URI and check it against URI
blacklists or local 'uri' rules, so you have plenty of options to start
blocking these.

Regards,
Steve.

From ante.gulam at ri-ing.hr Thu Dec 2 13:23:24 2010
From: ante.gulam at ri-ing.hr (Ante Gulam)
Date: Thu Dec 2 13:23:36 2010
Subject: MailScanner Digest, Vol 60, Issue 2 - Mailscanner attach scan problem (Ante Gulam)
In-Reply-To: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
Message-ID: <019901cb9224$19441000$4bcc3000$@gulam@ri-ing.hr>

Hi,

So.. thank you all for fast reply ... i did some research and tested some
things.. so here is some info.

First versions: Postfix: "mail_version = 2.7.0", "This is MailScanner
version 4.74.16"

It's Ubuntu machine.. apache, mysql etc. was on it.. now i reconfigured it
to be only mailfilter.. Apt-get-ing postfix and mailscanner did the
installing part.. little configuring to enable mailscanner etc.

By the way i've solved it temporarily on the stupidest way by crontabing
copy of hold/* into incoming.. :) Mails are passing but i think no scanning
is going on. :)

So... i did MailScanner -lint... here's output:

=====================================
=====================================
root@mailfilter:/etc/MailScanner# MailScanner -lint
Trying to setlogsock(unix)
Read 848 hostnames from the phishing whitelist
Read 4278 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.74.16) is correct.
ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-mailfilter-MailScanner-From
?????? ?????
MailScanner setting GID to (124)
MailScanner setting UID to (117)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: failed to parse line, skipping, in "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
SpamAssassin reported an error.
I have found clamd scanners installed, and will use them all by default.
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd
===========================================================================
Insecure dependency in chown while running with -T switch at /usr/share/MailScanner//MailScanner/Message.pm line 2407.
root@mailfilter:/etc/MailScanner#
=====================================
=====================================

Also done stopping daemon (while caching 1 message) and --debuging to see
the result:

=====================================
=====================================
root@mailfilter:/var/spool/postfix/hold# ls
AC3136CC9A
root@mailfilter:/var/spool/postfix/hold# MailScanner stop
root@mailfilter:/var/spool/postfix/hold# MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 1 message.
Insecure dependency in open while running with -T switch at /usr/lib/perl/5.10/IO/File.pm line 63.
=====================================
=====================================

And the interesting part.. mail mail.log in var/log gives me this:

=====================================
=====================================
Dec 2 14:04:57 mailfilter MailScanner[10459]: MailScanner E-Mail Virus Scanner version 4.74.16 starting...
Dec 2 14:04:57 mailfilter MailScanner[10459]: Read 848 hostnames from the phishing whitelist
Dec 2 14:04:57 mailfilter MailScanner[10459]: Read 4278 hostnames from the phishing blacklist
Dec 2 14:04:57 mailfilter MailScanner[10459]: Using SpamAssassin results cache
Dec 2 14:04:57 mailfilter MailScanner[10459]: Connected to SpamAssassin cache database
Dec 2 14:04:58 mailfilter MailScanner[10459]: Enabling SpamAssassin auto-whitelist functionality...
Dec 2 14:05:00 mailfilter MailScanner[10417]: I have found clamd scanners installed, and will use them all by default.
Dec 2 14:05:00 mailfilter MailScanner[10417]: Using locktype = flock
Dec 2 14:05:00 mailfilter MailScanner[10417]: New Batch: Scanning 1 messages, 801932 bytes
Dec 2 14:05:00 mailfilter MailScanner[10417]: Message AC3136CC9A.91F29 from 209.85.214.174 (anteXXX@gmail.com) to "mydomain".com is too big for spam checks (801932 > 200000 bytes)
=====================================
=====================================

It says it's too big ?!?!? in MailScanner configuration everything is on -1
values that concerns sizes !?!?

Maximum Message Size = -1
Maximum Attachment Size = -1
Minimum Attachment Size = -1

--------------------------

Thank you in advance..

Bye..
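
The MailScanner syslog lines quoted in these threads (repeated "SpamAssassin cache hit" entries for one queue ID before its "Requeue", and a message reported as "too big for spam checks") can be tallied per queue ID to spot messages that are being rescanned in a loop or that skipped spam checks. This is an added example, not part of any poster's message and not MailScanner code; the sample log is constructed from the line formats shown above, and the function names, the year parameter and the `min_hits` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the line formats quoted in this archive.
SAMPLE_LOG = """\
Nov 30 08:55:29 mail MailScanner[27405]: SpamAssassin cache hit for message 98A1140460.79963
Nov 30 08:55:37 mail MailScanner[28156]: SpamAssassin cache hit for message 98A1140460.25237
Nov 30 08:55:43 mail MailScanner[28270]: SpamAssassin cache hit for message 98A1140460.A8B9B
Nov 30 08:56:02 mail MailScanner[28270]: SpamAssassin cache hit for message 1F2E3D4C5B.0A1B2
Nov 30 08:56:03 mail MailScanner[28270]: Requeue: 1F2E3D4C5B.0A1B2 to 7A6B5C4D3E
Nov 30 10:12:11 mail MailScanner[11353]: SpamAssassin cache hit for message 98A1140460.37797
Nov 30 10:12:15 mail MailScanner[11353]: Requeue: 98A1140460.37797 to 8D23F4033E
Dec  2 14:05:00 mailfilter MailScanner[10417]: Message AC3136CC9A.91F29 from 192.0.2.10 (sender@example.com) to example.com is too big for spam checks (801932 > 200000 bytes)
"""

# Syslog prefix: month, day, time, host, then the MailScanner child PID.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Message IDs are "<queue id>.<per-scan suffix>"; the suffix changes on every pass.
EVENTS = [
    ("hit", re.compile(r"SpamAssassin cache hit for message (?P<qid>\w+)\.(?P<tag>\w+)")),
    ("requeue", re.compile(r"Requeue: (?P<qid>\w+)\.(?P<tag>\w+) to (?P<new>\w+)")),
    ("too_big", re.compile(
        r"Message (?P<qid>\w+)\.(?P<tag>\w+) from .* is too big for spam checks "
        r"\((?P<size>\d+) > (?P<limit>\d+) bytes\)")),
]


def new_record():
    return {"hits": 0, "pids": set(), "tags": set(), "first_seen": None,
            "requeued_to": None, "seconds_to_requeue": None,
            "skipped_spam_check": None}


def summarize(log_text, year=2010):
    """Group MailScanner events by Postfix queue ID.

    Syslog timestamps carry no year, so one is supplied (assumption: the
    excerpt does not span a year boundary).
    """
    report = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        for kind, rx in EVENTS:
            ev = rx.search(m["msg"])
            if ev:
                break
        else:
            continue  # a MailScanner line, but not one of the three events
        rec = report[ev["qid"]]
        rec["pids"].add(int(m["pid"]))
        rec["tags"].add(ev["tag"])
        if rec["first_seen"] is None:
            rec["first_seen"] = when
        if kind == "hit":
            rec["hits"] += 1
        elif kind == "requeue":
            rec["requeued_to"] = ev["new"]
            rec["seconds_to_requeue"] = int(
                (when - rec["first_seen"]).total_seconds())
        else:
            rec["skipped_spam_check"] = (int(ev["size"]), int(ev["limit"]))
    return dict(report)


def rescanned(report, min_hits=3):
    """Queue IDs picked up for scanning at least min_hits times."""
    return sorted(q for q, r in report.items() if r["hits"] >= min_hits)


def skipped_spam_checks(report):
    """Queue IDs that bypassed spam checks because of their size."""
    return sorted(q for q, r in report.items() if r["skipped_spam_check"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for qid in rescanned(result):
        r = result[qid]
        print(f"{qid}: {r['hits']} cache hits from {len(r['pids'])} children, "
              f"requeued to {r['requeued_to']} after {r['seconds_to_requeue']}s")
    for qid in skipped_spam_checks(result):
        size, limit = result[qid]["skipped_spam_check"]
        print(f"{qid}: not spam-checked, {size} bytes exceeds limit {limit}")
```
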
-----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info Sent: Thursday, December 02, 2010 1:02 PM To: mailscanner@lists.mailscanner.info Subject: MailScanner Digest, Vol 60, Issue 2 Send MailScanner mailing list submissions to mailscanner@lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request@lists.mailscanner.info You can reach the person managing the list at mailscanner-owner@lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. Re: Problem with SQL config on MailScanner (Eduardo Casarero) 2. Mailscanner attach scan problem (Ante Gulam) 3. Re: Mailscanner attach scan problem (Jules Field) 4. Re: Mailscanner attach scan problem (Glenn Steen) 5. Re: Mailscanner attach scan problem (Alex Neuman van der Hans) 6. Re: Mailscanner attach scan problem (Glenn Steen) 7. new spam getting through (Jeff Mills) 8. Re: new spam getting through (Gabor FUNK) 9. Re: new spam getting through (peter@farrows.org) 10. RE: new spam getting through (Jeff Mills) ---------------------------------------------------------------------- Message: 1 Date: Wed, 1 Dec 2010 10:46:14 -0300 From: Eduardo Casarero Subject: Re: Problem with SQL config on MailScanner To: MailScanner discussion Message-ID: Content-Type: text/plain; charset="iso-8859-1" 2010/12/1 Steve Freegard > On 30/11/10 20:42, Eduardo Casarero wrote: > >> Hi everybody! Today i started playing with the sql config options for >> MailScanner and i cant make it work. 
>> >> My "config" table definition: >> >> CREATE TABLE `config` ( >> `id` int(11) NOT NULL auto_increment, >> `hostname` varchar(100) NOT NULL, >> `value` varchar(100) NOT NULL, >> `external` varchar(100) NOT NULL, >> `options` varchar(100) NOT NULL, >> PRIMARY KEY (`id`) >> ) ENGINE=MyISAM >> >> MailScanner.conf: >> >> DB DSN = DBI:mysql:dbname=mailscanner;host=localhost;port=3306 >> DB Username = root >> DB Password = password >> SQL Serial Number = SELECT value FROM config WHERE >> options='confserialnumber' >> SQL Quick Peek = SELECT value FROM config WHERE external=? AND hostname=? >> SQL Config = SELECT options, value FROM config WHERE hostname=? >> SQL Ruleset = >> SQL SpamAssassin Config = >> SQL Debug = yes >> >> this is the output i get: >> >> /opt/MailScanner/bin/MailScanner --debug --lint >> >> *Database functions disabled* >> Trying to setlogsock(unix) >> >> Reading configuration file /opt/MailScanner/etc/MailScanner.conf >> Read 865 hostnames from the phishing whitelist >> Read 5278 hostnames from the phishing blacklists >> >> Checking version numbers... >> Version number in MailScanner.conf (4.81.4) is correct. >> (...) >> >> Does anybody have any idea of what i am doing wrong? >> > > Looking at the code: > > + # Disable database functions if required data not present > + if (!$dsn || !$db_user || !$db_pass) { > + $disabled = 1; > + print STDERR "Database functions disabled\n" if $debug; > + return undef; > + } > > It would appear that the functions think that 'DB DSN', 'DB Username' or > 'DB Password' fields evaluate to an empty value. > > > The problem was the empty password! thanks! > Also, if the line "include" is enable at the end of MailScanner.conf >> with a valid config file all the DB config seems to dissapear, does >> anybody knows what is the precedence between the include and the db? 
>>
>
> Not sure on this myself; personally I thought the whole include argument
> was weak, so I've never used it myself and never tested it with the database
> functions. My advice would be to get the database functions working first
> by using MailScanner.conf only first.
>
> Regards,
> Steve.

------------------------------

Message: 2
Date: Wed, 1 Dec 2010 15:47:48 +0100
From: "Ante Gulam"
Subject: Mailscanner attach scan problem
To:
Message-ID: <013101cb9166$b8d50110$2a7f0330$@gulam@ri-ing.hr>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

So i've configured my linux machine to be an antispam filter between my
Fortinet GW firewall and my exchange 2010 in my local domain for incoming
emails.. i've forwarded 25 out`inbound to linux and it relays it to EX10..
Relaying in Postfix works fine.. Then i've installed mailscanner with clam,
spamassassin etc. (removing clamav ltr considering it as a troublemaker in
this situation).. turns out it's not its fault! :)

So when i send mail from outside it goes cleanly to the Postfix.. I can see
it in the /var/spool/postfix/hold folder.. mailscanner proc analyzes it and
mail goes to incoming folder with no much bother.. BUT.. If i send .zip,
.exe or some other attach .. even .pptx.. (log, txt etc. passes with no
delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting
child.. Sometimes it goes .. After that action no mails passing through..
with or without attach. And files are filling in hold folder even if i'm
not getting any new mails from anyone.. ???
ie:

4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore..
i've configured postfix to check header.. header puts it into hold

And mailscanner should take over after.. i don't see any complication to
scan the file and mv it to incoming.. Also a conf file acts weird.. If i
uncomment Any AV it gives me an error while restarting init.d/mailscanner ...

Interesting thing is: if i do mv * ../incoming/ in my hold folder after some
delay i get that email that was causing trouble and all the mail that came
after it was jammed.. and after that all seems working fine until same thing
happens.. i have spamassassin and no AV currently installed.. no amavis,
sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..

------------------------------

Message: 3
Date: Wed, 01 Dec 2010 15:58:36 +0000
From: Jules Field
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset=windows-1252; format=flowed

Start off with a
    MailScanner --lint
and see if that reports any errors.

Then get a single message into /var/spool/postfix/hold and then
    service MailScanner stop
    MailScanner --debug
and see if you get one in the outgoing Postfix queue.

And then read your /var/log/maillog carefully, there may well be something
of use in there.

Unfortunately your email doesn't tell us much more than that, so there's
limited help I can provide.

Jules.

On 01/12/2010 14:47, Ante Gulam wrote:
>
> Hi,
>
> So i've configured my linux machine to be an antispam filter between
> my Fortinet GW firewall and my exchange 2010 in my local domain for
> incoming emails.. i've forwarded 25 out`inbound to linux and it
> relays it to EX10.. Relaying in Postfix works fine.. Then i've
> installed mailscanner with clam, spamassassin etc. (removing clamav
> ltr considering it as a troublemaker in this situation).. turns out
> it's not its fault! :)
>
> So when i send mail from outside it goes cleanly to the Postfix.. I
> can see it in the /var/spool/postfix/hold folder.. mailscanner proc
> analyzes it and mail goes to incoming folder with no much bother..
> BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log,
> txt etc. passes with no delay) the mailscanner proc goes bad.. it
> blocks on MailScanner: starting child.. Sometimes it goes ..
> After that action no mails passing through.. with or without attach.
> And files are filling in hold folder even if i'm not getting any new
> mails from anyone.. ??? ie:
>
> 4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
>
> 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
>
> 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
>
> 4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
>
> 416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*
>
> It's really important for me to solve this but i have no ideas
> anymore.. i've configured postfix to check header.. header puts it
> into hold
>
> And mailscanner should take over after.. i don't see any complication
> to scan the file and mv it to incoming.. Also a conf file acts weird..
> If i uncomment
>
> Any AV it gives me an error while restarting init.d/mailscanner ...
>
> Interesting thing is: if i do mv * ../incoming/ in my hold folder
> after some delay i get that email that was causing trouble and all the
> mail that came after it was jammed..
> and after that all seems working
> fine until same thing happens.. i have spamassassin and no AV
> currently installed.. no amavis, sophos, clamd etc.
>
> Please some quick advice to solve this manner..
>
> Tnx 2 all.
>
> Ps. If some snippet of conf is needed let me know! Tnx..
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

------------------------------

Message: 4
Date: Wed, 1 Dec 2010 18:58:19 +0100
From: Glenn Steen
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset="windows-1252"

What version of mailscanner, postfix etc? How did you install? We might
guess, but... Better if you tell us.
As to guesswork, my money would be equally split between real old
mailscanner version and a bad tnef expander ;-)

Cheers

On 1 Dec 2010 15:51, "Ante Gulam" wrote:

Hi,

So i've configured my linux machine to be an antispam filter between my
Fortinet GW firewall and my exchange 2010 in my local domain for incoming
emails.. i've forwarded 25 out`inbound to linux and it relays it to EX10..
Relaying in Postfix works fine.. Then i've installed mailscanner with clam,
spamassassin etc. (removing clamav ltr considering it as a troublemaker in
this situation).. turns out it's not its fault! :)

So when i send mail from outside it goes cleanly to the Postfix.. I can see
it in the /var/spool/postfix/hold folder.. mailscanner proc analyzes it and
mail goes to incoming folder with no much bother.. BUT.. If i send .zip,
.exe or some other attach .. even .pptx..
(log, txt etc. passes with no delay) the mailscanner proc goes bad.. it
blocks on MailScanner: starting child.. Sometimes it goes .. After that
action no mails passing through.. with or without attach. And files are
filling in hold folder even if i'm not getting any new mails from anyone..
??? ie:

4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore..
i've configured postfix to check header.. header puts it into hold

And mailscanner should take over after.. i don't see any complication to
scan the file and mv it to incoming.. Also a conf file acts weird.. If i
uncomment Any AV it gives me an error while restarting init.d/mailscanner ...

Interesting thing is: if i do mv * ../incoming/ in my hold folder after some
delay i get that email that was causing trouble and all the mail that came
after it was jammed.. and after that all seems working fine until same thing
happens.. i have spamassassin and no AV currently installed.. no amavis,
sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..

------------------------------

Message: 5
Date: Wed, 1 Dec 2010 18:03:53 +0000
From: "Alex Neuman van der Hans"
Subject: Re: Mailscanner attach scan problem
To: "MailScanner discussion"
Message-ID: <986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271-@bda478.bisx.prod.on.blackberry>
Content-Type: text/plain

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)
Remember to visit http://vidadigital.com.pa/
BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 1 Dec 2010 18:58:19
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Mailscanner attach scan problem

------------------------------

Message: 6
Date: Wed, 1 Dec 2010 22:18:44 +0100
From: Glenn Steen
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

:-D ... You might be right... We'll just have to wait for Ante to get back
with some facts...

On 1 Dec 2010 19:10, "Alex Neuman van der Hans" wrote:

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)
Remember to visit http://vidadigital.com.pa/
BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@li...

------------------------------

Message: 7
Date: Thu, 2 Dec 2010 16:56:07 +1100
From: Jeff Mills
Subject: new spam getting through
To: "mailscanner@lists.mailscanner.info"
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

Is anyone else having issues with some new very simple spam coming through
in the last 48 hours?
I'm having a lot of trouble blocking this stuff because the URL changes all
the time as well as the text.
Here is an example: http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

------------------------------

Message: 8
Date: Thu, 2 Dec 2010 10:55:40 +0100
From: "Gabor FUNK"
Subject: Re: new spam getting through
To: "MailScanner discussion"
Message-ID: <9F5B4C699954459C95E71FB252F725C9@M2007>
Content-Type: text/plain; charset="iso-8859-1"

"x dot co" (url shortener registered in Colombia, ~half a year ago) is
listed in URIBL as of DEC 01 22:31:08 GMT, anyone using it for blocking or
scoring should be ok now...

G.

----- Original Message -----
From: Jeff Mills
To: mailscanner@lists.mailscanner.info
Sent: Thursday, December 02, 2010 6:56 AM
Subject: new spam getting through

Is anyone else having issues with some new very simple spam coming through
in the last 48 hours?
I'm having a lot of trouble blocking this stuff because the URL changes all
the time as well as the text.
Here is an example: http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

------------------------------

Message: 9
Date: Thu, 2 Dec 2010 10:13:34 +0000
From: peter@farrows.org
Subject: Re: new spam getting through
To: "MailScanner discussion"
Message-ID: <847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051-@b28.c11.bise7.blackberry>
Content-Type: text/plain

Greylisting stops this for me.
------------------

-----Original Message-----
From: "Gabor FUNK"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 2 Dec 2010 10:55:40
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: new spam getting through

------------------------------

Message: 10
Date: Thu, 2 Dec 2010 22:14:38 +1100
From: Jeff Mills
Subject: RE: new spam getting through
To: MailScanner discussion
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69E@SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of peter@farrows.org
> Sent: Thursday, 2 December 2010 9:14 PM
> To: MailScanner discussion
> Subject: Re: new spam getting through
>
> Greylisting stops this for me.
> ------------------
>

Strange.
All of the ones that have been getting through to me have come from hotmail
servers, so greylisting has not stopped it.

------------------------------

End of MailScanner Digest, Vol 60, Issue 2
******************************************

From ante.gulam at ri-ing.hr Thu Dec 2 13:34:14 2010
From: ante.gulam at ri-ing.hr (Ante Gulam)
Date: Thu Dec 2 13:34:25 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
Message-ID: <019a01cb9225$9c8bbd40$d5a337c0$@gulam@ri-ing.hr>

I've just edited MailScanner.conf and grep-ed "Max Spam Check Size".. it was
200k. I've set "-1".. but wouldn't be normal if it's too big to pass it to
incoming ?! and not to leave it in "hold" ?!?! because it jams my hold and
all mails get stuck with it coming after..
tnx -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info Sent: Thursday, December 02, 2010 1:02 PM To: mailscanner@lists.mailscanner.info Subject: MailScanner Digest, Vol 60, Issue 2 Send MailScanner mailing list submissions to mailscanner@lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request@lists.mailscanner.info You can reach the person managing the list at mailscanner-owner@lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. Re: Problem with SQL config on MailScanner (Eduardo Casarero) 2. Mailscanner attach scan problem (Ante Gulam) 3. Re: Mailscanner attach scan problem (Jules Field) 4. Re: Mailscanner attach scan problem (Glenn Steen) 5. Re: Mailscanner attach scan problem (Alex Neuman van der Hans) 6. Re: Mailscanner attach scan problem (Glenn Steen) 7. new spam getting through (Jeff Mills) 8. Re: new spam getting through (Gabor FUNK) 9. Re: new spam getting through (peter@farrows.org) 10. RE: new spam getting through (Jeff Mills) ---------------------------------------------------------------------- Message: 1 Date: Wed, 1 Dec 2010 10:46:14 -0300 From: Eduardo Casarero Subject: Re: Problem with SQL config on MailScanner To: MailScanner discussion Message-ID: Content-Type: text/plain; charset="iso-8859-1" 2010/12/1 Steve Freegard > On 30/11/10 20:42, Eduardo Casarero wrote: > >> Hi everybody! Today i started playing with the sql config options for >> MailScanner and i cant make it work. 
>> >> My "config" table definition: >> >> CREATE TABLE `config` ( >> `id` int(11) NOT NULL auto_increment, >> `hostname` varchar(100) NOT NULL, >> `value` varchar(100) NOT NULL, >> `external` varchar(100) NOT NULL, >> `options` varchar(100) NOT NULL, >> PRIMARY KEY (`id`) >> ) ENGINE=MyISAM >> >> MailScanner.conf: >> >> DB DSN = DBI:mysql:dbname=mailscanner;host=localhost;port=3306 >> DB Username = root >> DB Password = password >> SQL Serial Number = SELECT value FROM config WHERE >> options='confserialnumber' >> SQL Quick Peek = SELECT value FROM config WHERE external=? AND hostname=? >> SQL Config = SELECT options, value FROM config WHERE hostname=? >> SQL Ruleset = >> SQL SpamAssassin Config = >> SQL Debug = yes >> >> this is the output i get: >> >> /opt/MailScanner/bin/MailScanner --debug --lint >> >> *Database functions disabled* >> Trying to setlogsock(unix) >> >> Reading configuration file /opt/MailScanner/etc/MailScanner.conf >> Read 865 hostnames from the phishing whitelist >> Read 5278 hostnames from the phishing blacklists >> >> Checking version numbers... >> Version number in MailScanner.conf (4.81.4) is correct. >> (...) >> >> Does anybody have any idea of what i am doing wrong? >> > > Looking at the code: > > + # Disable database functions if required data not present > + if (!$dsn || !$db_user || !$db_pass) { > + $disabled = 1; > + print STDERR "Database functions disabled\n" if $debug; > + return undef; > + } > > It would appear that the functions think that 'DB DSN', 'DB Username' or > 'DB Password' fields evaluate to an empty value. > > > The problem was the empty password! thanks! > Also, if the line "include" is enable at the end of MailScanner.conf >> with a valid config file all the DB config seems to dissapear, does >> anybody knows what is the precedence between the include and the db? 
>> > > Not sure on this myself; personally I thought the whole include argument > was weak, so I've never used it myself and never tested it with the database > functions. My advice would be to get the database functions working first > by using MailScanner.conf only first. > > Regards, > Steve. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101201/3c9 72347/attachment-0001.html ------------------------------ Message: 2 Date: Wed, 1 Dec 2010 15:47:48 +0100 From: "Ante Gulam" Subject: Mailscanner attach scan problem To: Message-ID: <013101cb9166$b8d50110$2a7f0330$@gulam@ri-ing.hr> Content-Type: text/plain; charset="iso-8859-1" Hi, So i've configured my linux machine to be an antispam filter between my Fortinet GW firewall and my exchange 2010 in my local domain for incoming emails.. i've forwarded 25 out`inbound to linux and it reley's it to EX10.. Releying in Postfix works fine.. Then i've installed mailscanner with clam, spamassassin etc. (removing clamav ltr considering it as a troubler maker in this situation).. turns out it's not it's fault! J So when i send mail from outside it goes cleanly to the Postfix.. I can see it in the /var/spool/postfix/hold folder.. mailscanner proc analize it and mail goes to incoming folder with no mutch bother.. BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log, txt etc. passes with no delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting child.. Sometimes iz goes .. After that action no mails passing through.. with or without attach. And files are filling in hold folder even if i'm not getting any new mails from anyone.. ??? 
ie: 4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD* 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE* 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC* 4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6* 416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10* It's really important for me to solve this but i have no ideas anymore.. i've configured postfix to check header.. header puts it into hold And mailscanner should take over after.. i dont see any complication to scan the file and mv it to incoming.. Also a conf file acts wierd.. If i uncomment Any AV it gives me an error while restarting init.d/mailscanner ... Interesting thing is: if i do mv * ../incoming/ in my hold folder after some delay i get that email that was causing trouble and all the mail that came after it was jammed.. and after that all seems working fine until same thing happenes.. i have spamassassin and no AV currently installed.. no amavis, sophos, clamd etc. Please some quick advice to solve this manner.. Tnx 2 all. Ps. If some snippet od conf is needed let me know! Tnx.. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101201/bef 325b0/attachment-0001.html ------------------------------ Message: 3 Date: Wed, 01 Dec 2010 15:58:36 +0000 From: Jules Field Subject: Re: Mailscanner attach scan problem To: MailScanner discussion Message-ID: Content-Type: text/plain; charset=windows-1252; format=flowed Start off with a MailScanner --lint and see if that reports any errors. Then get a single message into /var/spool/postfix/hold and then service MailScanner stop MailScanner --debug and see if you get one in the outgoing Postfix queue. And then read your /var/log/maillog carefully, there may well be something of use in there. Unfortunately your email doesn't tell us much more than that, so there's limited help I can provide. Jules. 
On 01/12/2010 14:47, Ante Gulam wrote: > > Hi, > > So i've configured my linux machine to be an antispam filter between > my Fortinet GW firewall and my exchange 2010 in my local domain for > incoming emails.. i've forwarded 25 out`inbound to linux and it > reley's it to EX10.. Releying in Postfix works fine.. Then i've > installed mailscanner with clam, spamassassin etc. (removing clamav > ltr considering it as a troubler maker in this situation).. turns out > it's not it's fault! J > > So when i send mail from outside it goes cleanly to the Postfix.. I > can see it in the /var/spool/postfix/hold folder.. mailscanner proc > analize it and mail goes to incoming folder with no mutch bother.. > BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log, > txt etc. passes with no delay) the mailscanner proc goes bad.. it > blocks on MailScanner: starting child.. Sometimes iz goes .. > After that action no mails passing through.. with or without attach. > And files are filling in hold folder even if i'm not getting any new > mails from anyone.. ??? ie: > > 4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD* > > 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE* > > 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC* > > 4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6* > > 416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10* > > It's really important for me to solve this but i have no ideas > anymore.. i've configured postfix to check header.. header puts it > into hold > > And mailscanner should take over after.. i dont see any complication > to scan the file and mv it to incoming.. Also a conf file acts wierd.. > If i uncomment > > Any AV it gives me an error while restarting init.d/mailscanner ... > > Interesting thing is: if i do mv * ../incoming/ in my hold folder > after some delay i get that email that was causing trouble and all the > mail that came after it was jammed.. 
and after that all seems working > fine until same thing happenes.. i have spamassassin and no AV > currently installed.. no amavis, sophos, clamd etc. > > Please some quick advice to solve this manner.. > > Tnx 2 all. > > Ps. If some snippet od conf is needed let me know! Tnx.. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ------------------------------ Message: 4 Date: Wed, 1 Dec 2010 18:58:19 +0100 From: Glenn Steen Subject: Re: Mailscanner attach scan problem To: MailScanner discussion Message-ID: Content-Type: text/plain; charset="windows-1252" What version of mailscanner, postfix etc? How did you install? We might guess, but... Better if you tell us. As to guesswork, my money would be equally split between real old mailscanner version and a bad tnef exoander;-) Cheers Den 1 dec 2010 15.51, "Ante Gulam" skrev: Hi, So i've configured my linux machine to be an antispam filter between my Fortinet GW firewall and my exchange 2010 in my local domain for incoming emails.. i've forwarded 25 out`inbound to linux and it reley's it to EX10.. Releying in Postfix works fine.. Then i've installed mailscanner with clam, spamassassin etc. (removing clamav ltr considering it as a troubler maker in this situation).. turns out it's not it's fault! J So when i send mail from outside it goes cleanly to the Postfix.. I can see it in the /var/spool/postfix/hold folder.. mailscanner proc analize it and mail goes to incoming folder with no mutch bother.. BUT.. If i send .zip, .exe or some other attach .. even .pptx.. 
(log, txt etc. passes with no delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting child.. Sometimes it goes .. After that action no mails passing through.. with or without attach. And files are filling in hold folder even if i'm not getting any new mails from anyone.. ??? ie:

  4 -rwx------ 1 postfix postfix   2656 2010-12-01 15:28 D0D6F6CDCD*
  4 -rwx------ 1 postfix postfix   3078 2010-12-01 15:08 DCE756CDCE*
  4 -rwx------ 1 postfix postfix   3078 2010-12-01 15:08 C88226CDCC*
  4 -rwx------ 1 postfix postfix    595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore.. i've configured postfix to check header.. header puts it into hold And mailscanner should take over after.. i dont see any complication to scan the file and mv it to incoming.. Also a conf file acts wierd.. If i uncomment Any AV it gives me an error while restarting init.d/mailscanner ...

Interesting thing is: if i do mv * ../incoming/ in my hold folder after some delay i get that email that was causing trouble and all the mail that came after it was jammed.. and after that all seems working fine until same thing happenes.. i have spamassassin and no AV currently installed.. no amavis, sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet od conf is needed let me know! Tnx..

------------------------------

Message: 5
Date: Wed, 1 Dec 2010 18:03:53 +0000
From: "Alex Neuman van der Hans"
Subject: Re: Mailscanner attach scan problem
To: "MailScanner discussion"
Message-ID: <986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271-@bda478.bisx.prod.on.blackberry>
Content-Type: text/plain

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)
Remember to visit http://vidadigital.com.pa/
BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 1 Dec 2010 18:58:19
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Mailscanner attach scan problem

------------------------------

Message: 6
Date: Wed, 1 Dec 2010 22:18:44 +0100
From: Glenn Steen
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

:-D ... You might be right... We'll just have to wait for Ante to get back with some facts...

On 1 Dec 2010 19:10, "Alex Neuman van der Hans" wrote:

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies
+507 6781-9505
+507 832-6725
+1-440-253-9789 (USA)
Remember to visit http://vidadigital.com.pa/
BB PIN 20EA17C5
Twitter: @AlexNeuman - @VidaDigitalTV
http://facebook.com/vidadigital
Skype: alexneuman

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@li...

------------------------------

Message: 7
Date: Thu, 2 Dec 2010 16:56:07 +1100
From: Jeff Mills
Subject: new spam getting through
To: "mailscanner@lists.mailscanner.info"
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

Is anyone else having issues with some new very simple spam coming through in the last 48 hours? I'm having a lot of trouble blocking this stuff because the URL changes all the time as well as the text.

Here is an example: http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

------------------------------

Message: 8
Date: Thu, 2 Dec 2010 10:55:40 +0100
From: "Gabor FUNK"
Subject: Re: new spam getting through
To: "MailScanner discussion"
Message-ID: <9F5B4C699954459C95E71FB252F725C9@M2007>
Content-Type: text/plain; charset="iso-8859-1"

"x dot co" (url shortener registered in Colombia, ~half a year ago) is listed in URIBL as of DEC 01 22:31:08 GMT, anyone using it for blocking or scoring should be ok now...

G.

----- Original Message -----
From: Jeff Mills
To: mailscanner@lists.mailscanner.info
Sent: Thursday, December 02, 2010 6:56 AM
Subject: new spam getting through

Is anyone else having issues with some new very simple spam coming through in the last 48 hours? I'm having a lot of trouble blocking this stuff because the URL changes all the time as well as the text.

Here is an example: http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

------------------------------

Message: 9
Date: Thu, 2 Dec 2010 10:13:34 +0000
From: peter@farrows.org
Subject: Re: new spam getting through
To: "MailScanner discussion"
Message-ID: <847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051-@b28.c11.bise7.blackberry>
Content-Type: text/plain

Greylisting stop this for me.
------------------

-----Original Message-----
From: "Gabor FUNK"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 2 Dec 2010 10:55:40
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: new spam getting through

------------------------------

Message: 10
Date: Thu, 2 Dec 2010 22:14:38 +1100
From: Jeff Mills
Subject: RE: new spam getting through
To: MailScanner discussion
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69E@SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of peter@farrows.org
> Sent: Thursday, 2 December 2010 9:14 PM
> To: MailScanner discussion
> Subject: Re: new spam getting through
>
> Greylisting stop this for me.
> ------------------
>

Strange. All of the ones that have been getting through to me have come from hotmail servers, so greylisting has not stopped it.

------------------------------

End of MailScanner Digest, Vol 60, Issue 2
******************************************

From glenn.steen at gmail.com Thu Dec 2 14:04:22 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 2 14:04:32 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <9023848998671243877@unknownmsgid>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie> <9023848998671243877@unknownmsgid>
Message-ID:

On 2 December 2010 14:34, Ante Gulam wrote:
> I've just edited MailScanner.conf and grep-ed "Max Spam Check Size".. it was
> 200k. Ive set "-1".. but wouldn't be normal if it's too big
> to pass it to incoming ?! and not to leave it in "hold" ?!?! because it
> jammes my hold and all mails stucks with it coming after..
>
> tnx
>
(snip)

According to your other mail, at least the "outdated mailscanner" bet is true then. Don't install MailScanner from the official debian/ubuntu repos, they are way too conservative... and hence outdated. What you need to do is either find the deb from somewhere else (I'm not sure where exactly, since I'm on an RPM-based system), or use the "source package" from mailscanner.info.

Personally, I put a value of:

Max Spam Check Size = 6500000

... just to be on the safe side:-). Setting it to -1 is not the supported way of disabling it (unlike the other size specifications).
Also look at your TNEF expander setting and try varying that a bit (internal/external, and make sure the latter has a _huge_ space specification, when you try that).

Oh, and do disable the cron job. It is ... less than fortunate... at best.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From raubvogel at gmail.com Thu Dec 2 15:26:05 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Thu Dec 2 15:26:19 2010
Subject: MailScanner scores different if ran manually
Message-ID: <4CF7BA8D.60603@gmail.com>

I got a spam email that went through mailscanner and got the following score:

not spam, SpamAssassin (not cached, score=4.45, required 4.7, BAYES_50 0.70, HDR_CYR 3.25, RAZOR2_CHECK 0.50)

Fine, so I ran it manually,

spamassassin -D -t --cf=/etc/MailScanner/spam.assassin.prefs.conf spam.mail

and got the following score

Content analysis details:   (6.55 points, 4.7 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
3.25 HDR_CYR                HDR_CYR

Why did it score differently? Specifically why two out of three of the razor checks were only done at the command line?
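
Added example (not part of the thread): to see which rule hits account for the gap between the two reports quoted in the message above, this script parses MailScanner's one-line report and the "spamassassin -t" table and lists the rules present in only one of them. The sample strings are transcribed from that message; the function names are this example's own.

```python
import re

# Both samples are transcribed from the reports quoted in the message above.
MAILSCANNER_REPORT = (
    "not spam, SpamAssassin (not cached, score=4.45, required 4.7, "
    "BAYES_50 0.70, HDR_CYR 3.25, RAZOR2_CHECK 0.50)"
)
CLI_REPORT = """\
Content analysis details:   (6.55 points, 4.7 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.7 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
3.25 HDR_CYR                HDR_CYR
"""

NUM = r"-?\d+(?:\.\d+)?"
RULE = r"[A-Z_][A-Z0-9_]*"


def parse_mailscanner_report(line):
    """Parse MailScanner's one-line 'SpamAssassin (...)' report."""
    head = re.search(rf"score=({NUM}), required ({NUM})", line)
    if not head:
        raise ValueError("no 'score=..., required ...' found")
    # Rule hits follow the threshold as 'NAME points' pairs.
    hits = re.findall(rf"\b({RULE}) ({NUM})", line[head.end():])
    return {"score": float(head.group(1)),
            "required": float(head.group(2)),
            "rules": {name: float(pts) for name, pts in hits}}


def parse_cli_report(text):
    """Parse the 'Content analysis details' table from `spamassassin -t`."""
    head = re.search(rf"\(({NUM}) points, ({NUM}) required\)", text)
    if not head:
        raise ValueError("no '(N points, M required)' found")
    # A rule row starts with the points column; wrapped description lines
    # start with text or '[' and therefore never match.
    rows = re.findall(rf"^[ \t]*({NUM})[ \t]+({RULE})(?:[ \t]|$)", text, re.M)
    return {"score": float(head.group(1)),
            "required": float(head.group(2)),
            "rules": {name: float(pts) for pts, name in rows}}


def diff_reports(first, second, eps=0.005):
    """Explain the score gap between two parsed reports of the same message."""
    a, b = first["rules"], second["rules"]
    only_first = {r: a[r] for r in a.keys() - b.keys()}
    only_second = {r: b[r] for r in b.keys() - a.keys()}
    rescored = {r: (a[r], b[r]) for r in a.keys() & b.keys()
                if abs(a[r] - b[r]) > eps}
    missing = round(sum(only_second.values()) - sum(only_first.values()), 2)
    # Would the first run's verdict change had it hit the same rule set?
    # A message counts as spam here when score >= required.
    adjusted = round(first["score"] + missing, 2)
    was_spam = first["score"] >= first["required"]
    return {
        "only_in_first": only_first,
        "only_in_second": only_second,
        "rescored": rescored,
        "missing_points": missing,
        "adjusted_first_score": adjusted,
        "verdict_flips": was_spam != (adjusted >= first["required"]),
        # Points not explained by rules present in only one report
        # (rescored rules, rounding in the printed columns).
        "unexplained": round(second["score"] - adjusted, 2),
    }


if __name__ == "__main__":
    ms = parse_mailscanner_report(MAILSCANNER_REPORT)
    cli = parse_cli_report(CLI_REPORT)
    result = diff_reports(ms, cli)
    for rule, pts in sorted(result["only_in_second"].items()):
        print(f"only in command-line run: {rule} ({pts:+.2f})")
    print(f"points missing from MailScanner run: {result['missing_points']}")
    print(f"verdict would flip: {result['verdict_flips']}")
    print(f"unexplained remainder: {result['unexplained']}")
```

For the quoted message the two RAZOR2_CF_RANGE rules, worth 2.0 points together, appear only in the command-line run, and adding them would lift the MailScanner score from 4.45 to 6.45, past the 4.7 threshold.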
From maxsec at gmail.com Thu Dec 2 16:56:16 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Dec 2 16:56:26 2010
Subject: MailScanner scores different if ran manually
In-Reply-To: <4CF7BA8D.60603@gmail.com>
References: <4CF7BA8D.60603@gmail.com>
Message-ID:

check that /etc/mail/spamassassin/MailScanner.conf (assuming local.cf is in that dir too) is a sym link to /etc/MailScanner/spam.assassin.prefs.conf

--
Martin Hepworth
Oxford, UK

On 2 December 2010 15:26, Mauricio Tavares wrote:
> I got a spam email that went through mailscanner and got the following
> score:
>
> not spam, SpamAssassin (not cached, score=4.45, required 4.7, BAYES_50
> 0.70, HDR_CYR 3.25, RAZOR2_CHECK 0.50)
>
> Fine, so I ran it manually,
>
> spamassassin -D -t --cf=/etc/MailScanner/spam.assassin.prefs.conf spam.mail
>
> and got the following score
>
> Content analysis details: (6.55 points, 4.7 required)
>
> pts rule name description
> ---- ----------------------
> --------------------------------------------------
> 0.7 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5000]
> 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
> above 50%
> [cf: 100]
> 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> [cf: 100]
> 3.25 HDR_CYR HDR_CYR
>
> Why did it score differently? Specifically why two out of three of the
> razor checks were only done at the command line?

From ante.gulam at ri-ing.hr Thu Dec 2 20:54:55 2010
From: ante.gulam at ri-ing.hr (Ante Gulam)
Date: Thu Dec 2 20:55:08 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
Message-ID: <01c701cb9263$2cd5fc70$8681f550$@gulam@ri-ing.hr>

Hi,

I've purged all packages.. clam, sa, mailscanner.. even postfix.. Put it all together again from 0.. configured all again .. there is no single error as i see. --debug, MailScanner -lint, mail.log in var/log ... everything seems fine considering logs.. BUT same thing is happening when some attach is sent.. there is no pattern in jamming.. sometimes zip, pdf, pptx.. But seems to me only zip jams every single time... other ones know to pass now and then.. :)

Does anyone have an idea what could this be? I'll write a script to clamd the attach and mv it to incoming if passes scan :))) ROFL.. this has to go in production next week and this is not giving me confidence in mailscanner.. what is strange to me is that there is no pattern in all this.. proc sometimes goes and sometimes just goes Starting child... if i remember correctly.. i'm going to dig more till i find some solution..

Thnx.. regards..
Ante

From hvdkooij at vanderkooij.org Thu Dec 2 21:17:52 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Dec 2 21:18:02 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <01c701cb9263$2cd5fc70$8681f550$@gulam@ri-ing.hr>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie> <01c701cb9263$2cd5fc70$8681f550$@gulam@ri-ing.hr>
Message-ID: <4CF80D00.5010901@vanderkooij.org>

On 02/12/10 21:54, Ante Gulam wrote:
> I've purged all packages.. clam, sa, mailscanner.. even postfix..
> Putted it all together again from 0.. configured all again .. there is no
> single error as i see.
> --debug, MailScanner -lint, mail.log in var/log ... everything seems fine
> considering logs..
> BUT same thing is happening when some attach is sent.. there is no pattern
> in jamming.. sometimes zip, pdf, pptx..
> But seems to me only zip jammes every single time... other ones know to pass
> now and then.. :)
>
> Does anyone has idea what could this be? I'll write a script to clamd the
> attach and mv it to incoming if passes scan :))) ROFL.. this has to go in
> production next week and this is not giving me confidence in mailscanner..
> what is strange
> To me is that there is no pattern in all this.. proc sometimes goes
> and sometimes just goes Starting child... if i remember
> correctly..
> i'm going to dig more till i found some solution..

Given that you only use the hardware to full capacity when you scan larger files it might actually be a hardware problem.

It took me a week of continuous scanning to find faulty memory in a Barracuda unit that would bail out with a dying clamd process multiple times per day.

While most of the times you get some indication of hardware problems there is the occasional situation where you seem to be chasing software problems based on your findings only to find out it is actually a hardware problem instead.

So my € 0.02 is on a hardware problem for now.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From glenn.steen at gmail.com Thu Dec 2 22:13:47 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Dec 2 22:13:59 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <3552370637799127310@unknownmsgid>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie> <3552370637799127310@unknownmsgid>
Message-ID:

And you ditched the somewhat antiquated ubuntu packaging of MS? And corrected the misconfig of SA check size? If so, Hugo is probably right. Get and run memtest86 or some other RAM stress tester.

Cheers

On 2 Dec 2010 22:00, "Ante Gulam" wrote:

Hi,

I've purged all packages.. clam, sa, mailscanner.. even postfix.. Putted it all together again from 0.. configured all again .. there is no single error as i see. --debug, MailScanner -lint, mail.log in var/log ... everything seems fine considering logs.. BUT same thing is happening when some attach is sent.. there is no pattern in jamming.. sometimes zip, pdf, pptx.. But seems to me only zip jammes every single time... other ones know to pass now and then.. :)

Does anyone has idea what could this be? I'll write a script to clamd the attach and mv it to incoming if passes scan :))) ROFL.. this has to go in production next week and this is not giving me confidence in mailscanner.. what is strange To me is that there is no pattern in all this.. proc sometimes goes and sometimes just goes Starting child... if i remember correctly.. i'm going to dig more till i found some solution..

Thnx.. regards..

Ante

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bou...

From jim.barber at ddihealth.com Fri Dec 3 01:35:42 2010
From: jim.barber at ddihealth.com (Jim Barber)
Date: Fri Dec 3 01:35:57 2010
Subject: new spam getting through
In-Reply-To: <4CF78AA5.8040802@fsl.com>
References: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local> <4CF78AA5.8040802@fsl.com>
Message-ID: <4CF8496E.7030309@ddihealth.com>

On 2/12/2010 8:01 PM, Steve Freegard wrote:
> Try my short URL decoder plug-in that I wrote for SA:
>
> http://www.fsl.com/support/DecodeShortURLs.pm
> http://www.fsl.com/support/DecodeShortURLs.cf
>
> You'll need to add x(dot)co to the shortener list though; the other
> defaults should work fine.
>
> Put both files in /etc/mail/spamassassin and restart MailScanner to
> get SA to start using the new plugin.
>
> This will allow SA to 'see' the decoded URI and check it against URI
> blacklists or local 'uri' rules, so you have plenty of options to
> start blocking these.
>
> Regards,
> Steve.

Thank you! :)

I've been getting a lot of the same sort of emails with encoded short URLs slipping in in the past week or so. This plugin should go a long way towards stopping them.

----------
Jim Barber
DDI Health

From ante.gulam at ri-ing.hr Fri Dec 3 07:51:08 2010
From: ante.gulam at ri-ing.hr (Ante Gulam)
Date: Fri Dec 3 07:51:16 2010
Subject: Mailscanner attach scan problem
In-Reply-To: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
References: <201012021202.oB2C0XEt014217@safir.blacknight.ie>
Message-ID: <01e701cb92be$d87c08c0$89741a40$@gulam@ri-ing.hr>

Hi,

After reinstalling everything and planning to manually check some things on incomes i've noticed and changed parameter for archives in MaSca.conf.. The one named: Maximum Archive Depth = 0.. not sure why this changed whole situation because problem wasn't only with archive files.. Guessing this one is related to multiple-compressed files .zip-->zip-->zip.. :)

Now it seems to work fine.. :) everything seems to work but i tried to send few attach's in same mail.. cer, ppt, log.. cer seems to get recognized as "malware".. So mail stays in "hold" of postfix.. but now other mails go through which is important.. i'll wait to see if this mail is going somewhere! :) Should it be mv-ed to some other folder, like quar. or something.. ?? :)

tnx all for help.. i'll play ltr to see how to rm only attach that is recognized as threat..

Tnx..
Regards, Ante -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info Sent: Thursday, December 02, 2010 1:02 PM To: mailscanner@lists.mailscanner.info Subject: MailScanner Digest, Vol 60, Issue 2 Send MailScanner mailing list submissions to mailscanner@lists.mailscanner.info To subscribe or unsubscribe via the World Wide Web, visit http://lists.mailscanner.info/mailman/listinfo/mailscanner or, via email, send a message with subject or body 'help' to mailscanner-request@lists.mailscanner.info You can reach the person managing the list at mailscanner-owner@lists.mailscanner.info When replying, please edit your Subject line so it is more specific than "Re: Contents of MailScanner digest..." Today's Topics: 1. Re: Problem with SQL config on MailScanner (Eduardo Casarero) 2. Mailscanner attach scan problem (Ante Gulam) 3. Re: Mailscanner attach scan problem (Jules Field) 4. Re: Mailscanner attach scan problem (Glenn Steen) 5. Re: Mailscanner attach scan problem (Alex Neuman van der Hans) 6. Re: Mailscanner attach scan problem (Glenn Steen) 7. new spam getting through (Jeff Mills) 8. Re: new spam getting through (Gabor FUNK) 9. Re: new spam getting through (peter@farrows.org) 10. RE: new spam getting through (Jeff Mills) ---------------------------------------------------------------------- Message: 1 Date: Wed, 1 Dec 2010 10:46:14 -0300 From: Eduardo Casarero Subject: Re: Problem with SQL config on MailScanner To: MailScanner discussion Message-ID: Content-Type: text/plain; charset="iso-8859-1" 2010/12/1 Steve Freegard > On 30/11/10 20:42, Eduardo Casarero wrote: > >> Hi everybody! Today i started playing with the sql config options for >> MailScanner and i cant make it work. 
>> >> My "config" table definition: >> >> CREATE TABLE `config` ( >> `id` int(11) NOT NULL auto_increment, >> `hostname` varchar(100) NOT NULL, >> `value` varchar(100) NOT NULL, >> `external` varchar(100) NOT NULL, >> `options` varchar(100) NOT NULL, >> PRIMARY KEY (`id`) >> ) ENGINE=MyISAM >> >> MailScanner.conf: >> >> DB DSN = DBI:mysql:dbname=mailscanner;host=localhost;port=3306 >> DB Username = root >> DB Password = password >> SQL Serial Number = SELECT value FROM config WHERE >> options='confserialnumber' >> SQL Quick Peek = SELECT value FROM config WHERE external=? AND hostname=? >> SQL Config = SELECT options, value FROM config WHERE hostname=? >> SQL Ruleset = >> SQL SpamAssassin Config = >> SQL Debug = yes >> >> this is the output i get: >> >> /opt/MailScanner/bin/MailScanner --debug --lint >> >> *Database functions disabled* >> Trying to setlogsock(unix) >> >> Reading configuration file /opt/MailScanner/etc/MailScanner.conf >> Read 865 hostnames from the phishing whitelist >> Read 5278 hostnames from the phishing blacklists >> >> Checking version numbers... >> Version number in MailScanner.conf (4.81.4) is correct. >> (...) >> >> Does anybody have any idea of what i am doing wrong? >> > > Looking at the code: > > + # Disable database functions if required data not present > + if (!$dsn || !$db_user || !$db_pass) { > + $disabled = 1; > + print STDERR "Database functions disabled\n" if $debug; > + return undef; > + } > > It would appear that the functions think that 'DB DSN', 'DB Username' or > 'DB Password' fields evaluate to an empty value. > > > The problem was the empty password! thanks! > Also, if the line "include" is enable at the end of MailScanner.conf >> with a valid config file all the DB config seems to dissapear, does >> anybody knows what is the precedence between the include and the db? 
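Review bot: the `if (!$dsn || !$db_user || !$db_pass)` test uses plain Perl truthiness, so an empty `DB Password` (and also a password or username of `0`) is handled exactly like a missing DSN, and the whole SQL configuration is switched off. The only trace is "Database functions disabled", printed solely when `$debug` is set and without naming the field that failed, which is why the poster above could not tell what was wrong until the empty password was pointed out. Suggest testing each value with `defined` and `length`, reporting which of 'DB DSN', 'DB Username' or 'DB Password' was empty, and logging that unconditionally rather than only under `$debug`. If an empty password is rejected on purpose, the comment above the check should say so.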
>>
>
> Not sure on this myself; personally I thought the whole include argument
> was weak, so I've never used it myself and never tested it with the database
> functions. My advice would be to get the database functions working first
> by using MailScanner.conf only first.
>
> Regards,
> Steve.

------------------------------

Message: 2
Date: Wed, 1 Dec 2010 15:47:48 +0100
From: "Ante Gulam"
Subject: Mailscanner attach scan problem
To:
Message-ID: <013101cb9166$b8d50110$2a7f0330$@gulam@ri-ing.hr>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

So i've configured my linux machine to be an antispam filter between my Fortinet GW firewall and my exchange 2010 in my local domain for incoming emails.. i've forwarded 25 out`inbound to linux and it relays it to EX10.. Relaying in Postfix works fine.. Then i've installed mailscanner with clam, spamassassin etc. (removing clamav ltr considering it as a troublemaker in this situation).. turns out it's not its fault! :)

So when i send mail from outside it goes cleanly to the Postfix.. I can see it in the /var/spool/postfix/hold folder.. mailscanner proc analyzes it and mail goes to incoming folder with no much bother.. BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log, txt etc. passes with no delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting child.. Sometimes it goes .. After that action no mails passing through.. with or without attach. And files are filling in hold folder even if i'm not getting any new mails from anyone.. ???
ie:

4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore.. i've configured postfix to check header.. header puts it into hold
And mailscanner should take over after.. i dont see any complication to scan the file and mv it to incoming.. Also a conf file acts weird.. If i uncomment
Any AV it gives me an error while restarting init.d/mailscanner ...

Interesting thing is: if i do mv * ../incoming/ in my hold folder after some delay i get that email that was causing trouble and all the mail that came after it was jammed.. and after that all seems working fine until same thing happens.. i have spamassassin and no AV currently installed.. no amavis, sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..

------------------------------

Message: 3
Date: Wed, 01 Dec 2010 15:58:36 +0000
From: Jules Field
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset=windows-1252; format=flowed

Start off with a
    MailScanner --lint
and see if that reports any errors.

Then get a single message into /var/spool/postfix/hold and then
    service MailScanner stop
    MailScanner --debug
and see if you get one in the outgoing Postfix queue.
And then read your /var/log/maillog carefully, there may well be something of use in there.

Unfortunately your email doesn't tell us much more than that, so there's limited help I can provide.

Jules.

On 01/12/2010 14:47, Ante Gulam wrote:
>
> Hi,
>
> So i've configured my linux machine to be an antispam filter between
> my Fortinet GW firewall and my exchange 2010 in my local domain for
> incoming emails.. i've forwarded 25 out`inbound to linux and it
> relays it to EX10.. Relaying in Postfix works fine.. Then i've
> installed mailscanner with clam, spamassassin etc. (removing clamav
> ltr considering it as a troublemaker in this situation).. turns out
> it's not its fault! :)
>
> So when i send mail from outside it goes cleanly to the Postfix.. I
> can see it in the /var/spool/postfix/hold folder.. mailscanner proc
> analyzes it and mail goes to incoming folder with no much bother..
> BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log,
> txt etc. passes with no delay) the mailscanner proc goes bad.. it
> blocks on MailScanner: starting child.. Sometimes it goes ..
> After that action no mails passing through.. with or without attach.
> And files are filling in hold folder even if i'm not getting any new
> mails from anyone.. ??? ie:
>
> 4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
>
> 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
>
> 4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
>
> 4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
>
> 416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*
>
> It's really important for me to solve this but i have no ideas
> anymore.. i've configured postfix to check header.. header puts it
> into hold
>
> And mailscanner should take over after.. i dont see any complication
> to scan the file and mv it to incoming.. Also a conf file acts weird..
> If i uncomment
>
> Any AV it gives me an error while restarting init.d/mailscanner ...
>
> Interesting thing is: if i do mv * ../incoming/ in my hold folder
> after some delay i get that email that was causing trouble and all the
> mail that came after it was jammed.. and after that all seems working
> fine until same thing happens.. i have spamassassin and no AV
> currently installed.. no amavis, sophos, clamd etc.
>
> Please some quick advice to solve this manner..
>
> Tnx 2 all.
>
> Ps. If some snippet of conf is needed let me know! Tnx..
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

------------------------------

Message: 4
Date: Wed, 1 Dec 2010 18:58:19 +0100
From: Glenn Steen
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset="windows-1252"

What version of mailscanner, postfix etc? How did you install? We might guess, but... Better if you tell us.
As to guesswork, my money would be equally split between real old mailscanner version and a bad tnef expander ;-)

Cheers

On 1 Dec 2010 15.51, "Ante Gulam" wrote:

Hi,

So i've configured my linux machine to be an antispam filter between my Fortinet GW firewall and my exchange 2010 in my local domain for incoming emails.. i've forwarded 25 out`inbound to linux and it relays it to EX10.. Relaying in Postfix works fine.. Then i've installed mailscanner with clam, spamassassin etc. (removing clamav ltr considering it as a troublemaker in this situation).. turns out it's not its fault! :)

So when i send mail from outside it goes cleanly to the Postfix.. I can see it in the /var/spool/postfix/hold folder.. mailscanner proc analyzes it and mail goes to incoming folder with no much bother.. BUT.. If i send .zip, .exe or some other attach .. even .pptx.. (log, txt etc. passes with no delay) the mailscanner proc goes bad.. it blocks on MailScanner: starting child.. Sometimes it goes .. After that action no mails passing through.. with or without attach. And files are filling in hold folder even if i'm not getting any new mails from anyone.. ???
ie:

4 -rwx------ 1 postfix postfix 2656 2010-12-01 15:28 D0D6F6CDCD*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 DCE756CDCE*
4 -rwx------ 1 postfix postfix 3078 2010-12-01 15:08 C88226CDCC*
4 -rwx------ 1 postfix postfix 595 2010-12-01 15:07 CF3EB6CDB6*
416 -rwx------ 1 postfix postfix 423997 2010-12-01 15:04 52D776CC10*

It's really important for me to solve this but i have no ideas anymore.. i've configured postfix to check header.. header puts it into hold
And mailscanner should take over after.. i dont see any complication to scan the file and mv it to incoming.. Also a conf file acts weird.. If i uncomment
Any AV it gives me an error while restarting init.d/mailscanner ...

Interesting thing is: if i do mv * ../incoming/ in my hold folder after some delay i get that email that was causing trouble and all the mail that came after it was jammed.. and after that all seems working fine until same thing happens.. i have spamassassin and no AV currently installed.. no amavis, sophos, clamd etc.

Please some quick advice to solve this manner..

Tnx 2 all.

Ps. If some snippet of conf is needed let me know! Tnx..

------------------------------

Message: 5
Date: Wed, 1 Dec 2010 18:03:53 +0000
From: "Alex Neuman van der Hans"
Subject: Re: Mailscanner attach scan problem
To: "MailScanner discussion"
Message-ID: <986494996-1291226730-cardhu_decombobulator_blackberry.rim.net-655917271-@bd a478.bisx.prod.on.blackberry>
Content-Type: text/plain

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 1 Dec 2010 18:58:19
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Mailscanner attach scan problem

------------------------------

Message: 6
Date: Wed, 1 Dec 2010 22:18:44 +0100
From: Glenn Steen
Subject: Re: Mailscanner attach scan problem
To: MailScanner discussion
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

:-D ... You might be right... We'll just have to wait for Ante to get back with some facts...

On 1 Dec 2010 19.10, "Alex Neuman van der Hans" wrote:

I would double that bet and say it's both at the same time!

--
Alex Neuman van der Hans
Reliant Technologies

-----Original Message-----
From: Glenn Steen
Sender: mailscanner-bounces@li...

------------------------------

Message: 7
Date: Thu, 2 Dec 2010 16:56:07 +1100
From: Jeff Mills
Subject: new spam getting through
To: "mailscanner@lists.mailscanner.info"
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69D@SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

Is anyone else having issues with some new very simple spam coming through in the last 48 hours?
I'm having a lot of trouble blocking this stuff because the URL changes all the time as well as the text.
Here is an example: http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

------------------------------

Message: 8
Date: Thu, 2 Dec 2010 10:55:40 +0100
From: "Gabor FUNK"
Subject: Re: new spam getting through
To: "MailScanner discussion"
Message-ID: <9F5B4C699954459C95E71FB252F725C9@M2007>
Content-Type: text/plain; charset="iso-8859-1"

"x dot co" (url shortener registered in columbia, ~half a year ago) is listed in URIBL as of DEC 01 22:31:08 GMT, anyone using it for blocking or scoring should be ok now...

G.

----- Original Message -----
From: Jeff Mills
To: mailscanner@lists.mailscanner.info
Sent: Thursday, December 02, 2010 6:56 AM
Subject: new spam getting through

Is anyone else having issues with some new very simple spam coming through in the last 48 hours?
I'm having a lot of trouble blocking this stuff because the URL changes all the time as well as the text.
Here is an example: http://pastebin.com/kuAH2GUY

Has anyone managed to come up with anything to stop it?

------------------------------

Message: 9
Date: Thu, 2 Dec 2010 10:13:34 +0000
From: peter@farrows.org
Subject: Re: new spam getting through
To: "MailScanner discussion"
Message-ID: <847718099-1291284816-cardhu_decombobulator_blackberry.rim.net-2002076051-@b 28.c11.bise7.blackberry>
Content-Type: text/plain

Greylisting stop this for me.
------------------

-----Original Message-----
From: "Gabor FUNK"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 2 Dec 2010 10:55:40
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: new spam getting through

------------------------------

Message: 10
Date: Thu, 2 Dec 2010 22:14:38 +1100
From: Jeff Mills
Subject: RE: new spam getting through
To: MailScanner discussion
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF69E@SERVER01.sts.local>
Content-Type: text/plain; charset="us-ascii"

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of peter@farrows.org
> Sent: Thursday, 2 December 2010 9:14 PM
> To: MailScanner discussion
> Subject: Re: new spam getting through
>
> Greylisting stop this for me.
> ------------------
>
Strange.
All of the ones that have been getting through to me have come from hotmail servers, so greylisting has not stopped it.

------------------------------

End of MailScanner Digest, Vol 60, Issue 2
******************************************

From hvdkooij at vanderkooij.org Fri Dec 3 14:04:27 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Dec 3 14:04:38 2010
Subject: Fwd: Fedora 12 End of Life
Message-ID:

Just a reminder for those running MailScanner on top of Fedora. (I'm sure you should know this.)

-------- Original Message --------
Subject: Fedora 12 End of Life
Date: Thu, 2 Dec 2010 14:49:38 -0700

This announcement is a reminder that as of 2010-12-02, Fedora 12 has reached its end of life for updates and support. No further updates, including security updates, will be available for Fedora 12.

Fedora 13 will continue to receive updates until approximately one month after the release of Fedora 15. The maintenance schedule of Fedora releases is documented on the Fedora Project wiki:

https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#Maintenance_Schedule

Please see http://fedoraproject.org/wiki/DistributionUpgrades for more information on upgrading to a supported release.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From peter.ong at hypermediasystems.com Fri Dec 3 15:19:50 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Fri Dec 3 15:19:59 2010
Subject: new spam getting through
In-Reply-To: <4CF8496E.7030309@ddihealth.com>
Message-ID: <1028214655.26520.1291389589972.JavaMail.root@mail021.dti>

Kewl, I'm going to try these. I too have been recently receiving the same kind of spam.

p

----- Original Message -----
> From: "Jim Barber"
> To: "MailScanner discussion"
> Sent: Thursday, December 2, 2010 5:35:42 PM
> Subject: Re: new spam getting through
>
> On 2/12/2010 8:01 PM, Steve Freegard wrote:
> > Try my short URL decoder plug-in that I wrote for SA:
> >
> > http://www.fsl.com/support/DecodeShortURLs.pm
> > http://www.fsl.com/support/DecodeShortURLs.cf
> >
> > You'll need to add x(dot)co to the shortener list though; the other
> > defaults should work fine.
> >
> > Put both files in /etc/mail/spamassassin and restart MailScanner to
> > get SA to start using the new plugin.
> >
> > This will allow SA to 'see' the decoded URI and check it against URI
> > blacklists or local 'uri' rules, so you have plenty of options to
> > start blocking these.
> >
> > Regards,
> > Steve.
>
> Thank you! :)
>
> I've been getting a lot of the same sort of emails with encoded short
> URLs slipping in in the past week or so.
> This plugin should go a long way towards stopping them.
>
> ----------
> Jim Barber
> DDI Health

From peter.ong at hypermediasystems.com Fri Dec 3 15:29:04 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Fri Dec 3 15:29:14 2010
Subject: new spam getting through
In-Reply-To: <4CF8496E.7030309@ddihealth.com>
Message-ID: <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>

Has anyone else tried these sa plugins? I've implemented them in our gateways, so no results yet. I did a rudimentary test on it... seems to be okay.

p

----- Original Message -----
> From: "Jim Barber"
> To: "MailScanner discussion"
> Sent: Thursday, December 2, 2010 5:35:42 PM
> Subject: Re: new spam getting through
>
> On 2/12/2010 8:01 PM, Steve Freegard wrote:
> > Try my short URL decoder plug-in that I wrote for SA:
> >
> > http://www.fsl.com/support/DecodeShortURLs.pm
> > http://www.fsl.com/support/DecodeShortURLs.cf
> >
> > You'll need to add x(dot)co to the shortener list though; the other
> > defaults should work fine.
> >
> > Put both files in /etc/mail/spamassassin and restart MailScanner to
> > get SA to start using the new plugin.
> >
> > This will allow SA to 'see' the decoded URI and check it against URI
> > blacklists or local 'uri' rules, so you have plenty of options to
> > start blocking these.
> >
> > Regards,
> > Steve.
>
> Thank you! :)
>
> I've been getting a lot of the same sort of emails with encoded short
> URLs slipping in in the past week or so.
> This plugin should go a long way towards stopping them.
>
> ----------
> Jim Barber
> DDI Health

From Dstraka at caspercollege.edu Fri Dec 3 15:34:06 2010
From: Dstraka at caspercollege.edu (Daniel Straka)
Date: Fri Dec 3 15:34:36 2010
Subject: new spam getting through
In-Reply-To: <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>
References: <4CF8496E.7030309@ddihealth.com> <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>
Message-ID: <4CF8AB7E020000000010AA40@gw.caspercollege.edu>

I copied them to /etc/mail/spamassassin, ran spamassassin --lint and that generated a bunch of errors. So until I have time to look closer, I removed them.

>>> On 12/3/2010 at 8:29 AM, in message <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>, Peter Ong wrote:
> Has anyone else tried these sa plugins? I've implemented them in our
> gateways, so no results yet. I did a rudimentary test on it... seems to be
> okay.
>
> p
>
> ----- Original Message -----
>
>> From: "Jim Barber"
>> To: "MailScanner discussion"
>> Sent: Thursday, December 2, 2010 5:35:42 PM
>> Subject: Re: new spam getting through
>>
>> On 2/12/2010 8:01 PM, Steve Freegard wrote:
>> > Try my short URL decoder plug-in that I wrote for SA:
>> >
>> > http://www.fsl.com/support/DecodeShortURLs.pm
>> > http://www.fsl.com/support/DecodeShortURLs.cf
>> >
>> > You'll need to add x(dot)co to the shortener list though; the other
>> > defaults should work fine.
>> >
>> > Put both files in /etc/mail/spamassassin and restart MailScanner to
>> > get SA to start using the new plugin.
>> >
>> > This will allow SA to 'see' the decoded URI and check it against URI
>> > blacklists or local 'uri' rules, so you have plenty of options to
>> > start blocking these.
>> >
>> > Regards,
>> > Steve.
>>
>> Thank you! :)
>>
>> I've been getting a lot of the same sort of emails with encoded short
>> URLs slipping in in the past week or so.
>> This plugin should go a long way towards stopping them.
>>
>> ----------
>> Jim Barber
>> DDI Health

From jwithrow at matech.net Fri Dec 3 15:35:07 2010
From: jwithrow at matech.net (Joshua F. Withrow)
Date: Fri Dec 3 15:36:02 2010
Subject: new spam getting through
In-Reply-To: <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>
References: <4CF8496E.7030309@ddihealth.com> <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>
Message-ID:

I've had them running since early yesterday. I haven't looked to see how much they're contributing, but everything is running fine. :)

Josh Withrow
Software Developer

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Peter Ong
Sent: Friday, December 03, 2010 10:29 AM
To: MailScanner discussion
Subject: Re: new spam getting through

Has anyone else tried these sa plugins? I've implemented them in our gateways, so no results yet. I did a rudimentary test on it... seems to be okay.

p

----- Original Message -----
> From: "Jim Barber"
> To: "MailScanner discussion"
> Sent: Thursday, December 2, 2010 5:35:42 PM
> Subject: Re: new spam getting through
>
> On 2/12/2010 8:01 PM, Steve Freegard wrote:
> > Try my short URL decoder plug-in that I wrote for SA:
> >
> > http://www.fsl.com/support/DecodeShortURLs.pm
> > http://www.fsl.com/support/DecodeShortURLs.cf
> >
> > You'll need to add x(dot)co to the shortener list though; the other
> > defaults should work fine.
> >
> > Put both files in /etc/mail/spamassassin and restart MailScanner to
> > get SA to start using the new plugin.
> >
> > This will allow SA to 'see' the decoded URI and check it against URI
> > blacklists or local 'uri' rules, so you have plenty of options to
> > start blocking these.
> >
> > Regards,
> > Steve.
>
> Thank you! :)
>
> I've been getting a lot of the same sort of emails with encoded short
> URLs slipping in in the past week or so.
> This plugin should go a long way towards stopping them.
>
> ----------
> Jim Barber
> DDI Health

From peter.ong at hypermediasystems.com Fri Dec 3 15:40:38 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Fri Dec 3 15:40:49 2010
Subject: new spam getting through
In-Reply-To: <4CF8AB7E020000000010AA40@gw.caspercollege.edu>
Message-ID: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti>

Strange, I did the same thing, but no errors in mine.

p

----- Original Message -----
> From: "Daniel Straka"
> To: "MailScanner discussion"
> Sent: Friday, December 3, 2010 7:34:06 AM
> Subject: Re: new spam getting through
>
> I copied them to /etc/mail/spamassassin, ran spamassassin --lint and
> that generated a bunch of errors. So until I have time to look closer,
> I removed them.
>
> >>> On 12/3/2010 at 8:29 AM, in message
> <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>, Peter Ong
> wrote:
> > Has anyone else tried these sa plugins? I've implemented them in our
> > gateways, so no results yet. I did a rudimentary test on it... seems to be
> > okay.
> >
> > p
> >
> > ----- Original Message -----
> >
> >> From: "Jim Barber"
> >> To: "MailScanner discussion"
> >> Sent: Thursday, December 2, 2010 5:35:42 PM
> >> Subject: Re: new spam getting through
> >>
> >> On 2/12/2010 8:01 PM, Steve Freegard wrote:
> >> > Try my short URL decoder plug-in that I wrote for SA:
> >> >
> >> > http://www.fsl.com/support/DecodeShortURLs.pm
> >> > http://www.fsl.com/support/DecodeShortURLs.cf
> >> >
> >> > You'll need to add x(dot)co to the shortener list though; the other
> >> > defaults should work fine.
> >> >
> >> > Put both files in /etc/mail/spamassassin and restart MailScanner to
> >> > get SA to start using the new plugin.
> >> >
> >> > This will allow SA to 'see' the decoded URI and check it against URI
> >> > blacklists or local 'uri' rules, so you have plenty of options to
> >> > start blocking these.
> >> >
> >> > Regards,
> >> > Steve.
> >>
> >> Thank you! :)
> >>
> >> I've been getting a lot of the same sort of emails with encoded short
> >> URLs slipping in in the past week or so.
> >> This plugin should go a long way towards stopping them.
> >>
> >> ----------
> >> Jim Barber
> >> DDI Health

From steve.freegard at fsl.com Fri Dec 3 16:20:24 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Fri Dec 3 16:20:41 2010
Subject: new spam getting through
In-Reply-To:
References: <4CF8496E.7030309@ddihealth.com> <1511442244.26578.1291390144929.JavaMail.root@mail021.dti>
Message-ID: <4CF918C8.5070000@fsl.com>

On 03/12/10 15:35, Joshua F. Withrow wrote:
> I've had them running since early yesterday. I haven't looked to see how much they're contributing, but everything is running fine. :)

Two ways to do that if you used the defaults:

1) Look at /tmp/DecodeShortURLs.txt - this logs each decoded short URL in the format:

[epoch time] short URL -> decoded URL

2) If you log SA hits to your log file then you can grep it for hits on 'HAS_SHORT_URL'.

Regards,
Steve.

From noel.butler at ausics.net Sat Dec 4 02:15:25 2010
From: noel.butler at ausics.net (Noel Butler)
Date: Sat Dec 4 02:15:38 2010
Subject: new spam getting through
In-Reply-To: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti>
Message-ID: <1291428925.5201.2.camel@tardis>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101204/420b3724/attachment.bin

From Jeff.Mills at sydneytech.com.au Sun Dec 5 22:19:17 2010
From: Jeff.Mills at sydneytech.com.au (Jeff Mills)
Date: Sun Dec 5 22:19:31 2010
Subject: new spam getting through
In-Reply-To: <1291428925.5201.2.camel@tardis>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis>
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF6CD@SERVER01.sts.local>

>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Noel Butler
>Sent: Saturday, 4 December 2010 1:15 PM
>To: mailscanner@lists.mailscanner.info
>Subject: Re: new spam getting through
>
>On Fri, 2010-12-03 at 07:40 -0800, Peter Ong wrote:
>
>Strange, I did the same thing, but no errors in mine.
>
>
>Likewise, no errors here, only running since late last night so haven't checked to see how effective, but by a quick look at it, it should help a lot with short urls (thanks Steve)
>
>Noel
>
>

We're still getting some getting through (probably new URLs), but it is definitely working.

grep -c SHORT_UR /var/log/mail.log
45

Thanks to Steve for his work on this one.

From gcle at smcaus.com.au Sun Dec 5 22:47:39 2010
From: gcle at smcaus.com.au (Gerard Cleary)
Date: Sun Dec 5 22:47:52 2010
Subject: new spam getting through
In-Reply-To: <1291428925.5201.2.camel@tardis>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis>
Message-ID: <201012060947.39079.gcle@smcaus.com.au>

On Sat, 4 Dec 2010 13:15:25 Noel Butler wrote:
> Likewise, no errors here, only running since late last night so haven't
> checked to see how effective, but by a quick look at it, it should help
> a lot with short urls (thanks Steve)
>
I want to add my hearty thanks to Steve as well.
I put the files in on Friday afternoon (I know, you're not supposed to do silly things like that, but I checked it for the next hour and all was OK.)
Over the weekend, it trapped 313 spams !! Very effective indeed.

Thanks again.
Gerard.

--
Gerard Cleary
SMC Systems Administration
Ph: +61 2 9354 8222

From steve.freegard at fsl.com Sun Dec 5 23:27:27 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Sun Dec 5 23:27:38 2010
Subject: new spam getting through
In-Reply-To: <201012060947.39079.gcle@smcaus.com.au>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis> <201012060947.39079.gcle@smcaus.com.au>
Message-ID: <4CFC1FDF.4090601@fsl.com>

On 05/12/10 22:47, Gerard Cleary wrote:
> On Sat, 4 Dec 2010 13:15:25 Noel Butler wrote:
>> Likewise, no errors here, only running since late last night so haven't
>> checked to see how effective, but by a quick look at it, it should help
>> a lot with short urls (thanks Steve)
>>
> I want to add my hearty thanks to Steve as well. I put the files in on Friday
> afternoon (I know, you're not supposed to do silly things like that, but I
> checked it for the next hour and all was OK.)
> Over the weekend, it trapped 313 spams !! Very effective indeed.

Excellent - I'm glad it's working well for you and to everyone else that replied that it's working for them.

The thing to do is check /tmp/DecodeShortURLs.txt for nasty domains that you can block locally as not all of the obviously bad decoded short URLs are finding their way into the URI blacklists at the moment (credit where it's due to SURBL who seem better at this than URIBL currently).

I'm finding this rule is working out well on a number of FSL sites:

uri FSL_URI_REFER_CCBIL /refer\.ccbill\.com/
describe FSL_URI_REFER_CCBIL Links to refer.ccbill.com
score FSL_URI_REFER_CCBIL 4.0

Everyone can help improve this plug-in in the following ways:

1) Let me know if you find any new URL shorteners that are not listed in DecodeShortURLs.cf so I can add them to the supplied URL shortener list.

2) If you see any new shortener blocks (this is where a page is redirected to an abuse/blocked page for that particular shortener hash). For example you can see I have definitions in the file for BITLY, SIMURL and MEGRE - there will surely be others that I've missed or do not know about; again - let me know as the more of these I can get mean that if a service blocks a shortened URL; you'll score it highly without worrying about potential FPs.

3) Report any bugs to me.

Kind regards,
Steve.

From Jeff.Mills at sydneytech.com.au Sun Dec 5 23:44:52 2010
From: Jeff.Mills at sydneytech.com.au (Jeff Mills)
Date: Sun Dec 5 23:45:03 2010
Subject: new spam getting through
In-Reply-To: <4CFC1FDF.4090601@fsl.com>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis> <201012060947.39079.gcle@smcaus.com.au> <4CFC1FDF.4090601@fsl.com>
Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F5AEDF6D7@SERVER01.sts.local>

>
> I'm finding this rule is working out well on a number of FSL sites:
>
> uri FSL_URI_REFER_CCBIL /refer\.ccbill\.com/ describe
> FSL_URI_REFER_CCBIL Links to refer.ccbill.com score FSL_URI_REFER_CCBIL
> 4.0
>

Steve,

My logs are mostly either showing ccbill as above, or /cnbc14snewsnow\.com/
There are a few others, but those two are by far the majority.

Jeff

From jim.barber at ddihealth.com Mon Dec 6 00:58:29 2010
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Dec 6 00:58:44 2010
Subject: new spam getting through
In-Reply-To: <4CFC1FDF.4090601@fsl.com>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis> <201012060947.39079.gcle@smcaus.com.au> <4CFC1FDF.4090601@fsl.com>
Message-ID: <4CFC3535.3000401@ddihealth.com>

On 6/12/2010 7:27 AM, Steve Freegard wrote:
> 3) Report any bugs to me.
>
> Kind regards,
> Steve.

Hi Steve.

I've noticed one strange thing.
I run a few MX servers for the company I work for.

Two of them are running MailScanner with an older version of SpamAssassin (v 3.2.5)
One of them is running MIMEDefang with SpamAssassin 3.3.1

On the MailScanner boxes, your plugin triggers the HAS_SHORT_URL rule along with a number of the other SHORT_URL_* rules.
So it is working very effectively there.

But on my MIMEDefang host the plugin has triggered 197 times over the weekend with the HAS_SHORT_URL rule, but none of the SHORT_URL_* rules fired at all.
So it only adds 0.001 to the overall score which isn't enough to ban the bad emails.
I'm not really sure what to check, but I'll start researching now to see if I can find why.

Regards,

----------
Jim Barber
DDI Health

From jim.barber at ddihealth.com Mon Dec 6 02:21:27 2010
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Dec 6 02:21:42 2010
Subject: new spam getting through
In-Reply-To: <4CFC3535.3000401@ddihealth.com>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis> <201012060947.39079.gcle@smcaus.com.au> <4CFC1FDF.4090601@fsl.com> <4CFC3535.3000401@ddihealth.com>
Message-ID: <4CFC48A7.5040509@ddihealth.com>

On 6/12/2010 8:58 AM, Jim Barber wrote:
> Hi Steve.
>
> I've noticed one strange thing.
> I run a few MX servers for the company I work for.
>
> Two of them are running MailScanner with an older version of
> SpamAssassin (v 3.2.5)
> One of them is running MIMEDefang with SpamAssassin 3.3.1
>
> On the MailScanner boxes, your plugin triggers the HAS_SHORT_URL rule
> along with a number of the other SHORT_URL_* rules.
> So it is working very effectively there.
>
> But on my MIMEDefang host the plugin has triggered 197 times over the
> weekend with the HAS_SHORT_URL rule, but none of the SHORT_URL_*
> rules fired at all.
> So it only adds 0.001 to the overall score which isn't enough to ban
> the bad emails.
> I'm not really sure what to check, but I'll start researching now to
> see if I can find why.
>
> Regards,
>
> ----------
> Jim Barber
> DDI Health

One difference I spot is in the SpamAssassin lint test I see the following on the MailScanner host:

dbg: rules: HAS_SHORT_URL merged duplicates: SHORT_URL_404 SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN

This message doesn't happen on the lint tests on the MIMEDefang host.

When I go back over the logs for my MailScanner boxes it seems that if HAS_SHORT_URL triggers then all of those duplicate rules also trigger.
So to me that means any short URL that comes in to the MailScanner boxes whether it is legitimate or not will always trigger all the rules.

I guess on the MIMEDefang host, the rules are working correctly, and the short URL is detected, but none of the other conditions exist.

The bug I am seeing is the duplicate rules, but maybe that is because I need to upgrade my versions of SpamAssassin (which is on the cards).
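
The two symptoms described in the message above (the "merged duplicates" debug line and the rules always firing together in the logs) can be checked mechanically. This is an added example, not part of the thread or of the plugin; apart from the HAS_SHORT_URL debug line quoted above, the sample lines and the one-message-per-line hit format are constructed for illustration.

```shell
#!/bin/sh
# Added example: two checks for rules that SpamAssassin collapsed into one.

# Constructed sample of `spamassassin -D --lint` output. The HAS_SHORT_URL
# line is the one quoted in the thread; the other lines are made up.
sample_lint_output() {
    cat <<'EOF'
[1234] dbg: config: read file /etc/mail/spamassassin/DecodeShortURLs.cf
[1234] dbg: rules: HAS_SHORT_URL merged duplicates: SHORT_URL_404 SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN
[1234] dbg: rules: EXAMPLE_RULE_A merged duplicates: EXAMPLE_RULE_B
EOF
}

# Constructed per-message rule hits, one message per line (names separated
# by spaces or commas); extract the real ones from your own scanner log.
sample_hits_merged() {
    cat <<'EOF'
HAS_SHORT_URL SHORT_URL_404 SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN
BAYES_50 HTML_MESSAGE
HAS_SHORT_URL,SHORT_URL_404,SHORT_URL_CHAINED,SHORT_URL_LOOP,SHORT_URL_MAXCHAIN,BAYES_99
EOF
}

# Read debug output on stdin; print "kept_rule merged_rule", one pair per line.
merged_pairs() {
    awk '
        /dbg: rules: [^ ]+ merged duplicates:/ {
            for (i = 2; i < NF; i++) {
                if ($i == "merged" && $(i + 1) == "duplicates:") {
                    for (j = i + 2; j <= NF; j++) print $(i - 1), $j
                    break
                }
            }
        }'
}

# Succeed only if no rule whose name starts with PREFIX took part in a merge;
# otherwise print the offending pairs and return 1.
check_prefix_not_merged() {
    hits=$(merged_pairs | awk -v p="$1" 'index($1, p) == 1 || index($2, p) == 1')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: cofire_counts KEPT OTHER...
# Prints "<messages hitting KEPT> <of those, messages hitting every OTHER>".
# Equal non-zero numbers mean the rules never fire independently, which is
# what merged rules look like in the logs.
cofire_counts() {
    kept=$1
    shift
    awk -v kept="$kept" -v others="$*" '
        BEGIN { n = split(others, want, " ") }
        {
            gsub(/,/, " ")                 # accept comma-separated lists too
            split("", seen)                # clear the per-message set
            for (i = 1; i <= NF; i++) seen[$i] = 1
            if (!(kept in seen)) next
            hits++
            all = 1
            for (k = 1; k <= n; k++) if (!(want[k] in seen)) all = 0
            both += all
        }
        END { print hits + 0, both + 0 }'
}

if sample_lint_output | check_prefix_not_merged SHORT_URL_; then
    echo "lint: SHORT_URL_* rules are distinct"
else
    echo "lint: SHORT_URL_* rules were merged (pairs listed above)"
fi
echo "HAS_SHORT_URL hits / hits with all four as well: $(sample_hits_merged |
    cofire_counts HAS_SHORT_URL SHORT_URL_404 SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN)"
```

On a real host, pipe `spamassassin -D --lint 2>&1` into `check_prefix_not_merged SHORT_URL_` instead of the sample.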

From jim.barber at ddihealth.com Mon Dec 6 02:46:58 2010
From: jim.barber at ddihealth.com (Jim Barber)
Date: Mon Dec 6 02:47:11 2010
Subject: new spam getting through
In-Reply-To: <4CFC48A7.5040509@ddihealth.com>
References: <2087199252.26596.1291390838857.JavaMail.root@mail021.dti> <1291428925.5201.2.camel@tardis> <201012060947.39079.gcle@smcaus.com.au> <4CFC1FDF.4090601@fsl.com> <4CFC3535.3000401@ddihealth.com> <4CFC48A7.5040509@ddihealth.com>
Message-ID: <4CFC4EA2.4070403@ddihealth.com>

On 6/12/2010 10:21 AM, Jim Barber wrote:
> On 6/12/2010 8:58 AM, Jim Barber wrote:
>> Hi Steve.
>>
>> I've noticed one strange thing.
>> I run a few MX servers for the company I work for.
>>
>> Two of them are running MailScanner with an older version of
>> SpamAssassin (v 3.2.5)
>> One of them is running MIMEDefang with SpamAssassin 3.3.1
>>
>> On the MailScanner boxes, your plugin triggers the HAS_SHORT_URL rule
>> along with a number of the other SHORT_URL_* rules.
>> So it is working very effectively there.
>>
>> But on my MIMEDefang host the plugin has triggered 197 times over the
>> weekend with the HAS_SHORT_URL rule, but none of the SHORT_URL_*
>> rules fired at all.
>> So it only adds 0.001 to the overall score which isn't enough to ban
>> the bad emails.
>> I'm not really sure what to check, but I'll start researching now to
>> see if I can find why.
>>
>> Regards,
>>
>> ----------
>> Jim Barber
>> DDI Health
>
> One difference I spot is in the SpamAssassin lint test I see the
> following on the MailScanner host:
>
> dbg: rules: HAS_SHORT_URL merged duplicates: SHORT_URL_404
> SHORT_URL_CHAINED SHORT_URL_LOOP SHORT_URL_MAXCHAIN
>
> This message doesn't happen on the lint tests on the MIMEDefang host.
>
> When I go back over the logs for my MailScanner boxes it seems that if
> HAS_SHORT_URL triggers then all of those duplicate rules also trigger.
> So to me that means any short URL that comes in to the MailScanner
> boxes whether it is legitimate or not will always trigger all the rules.
>
> I guess on the MIMEDefang host, the rules are working correctly, and
> the short URL is detected, but none of the other conditions exist.
>
> The bug I am seeing is the duplicate rules, but maybe that is because
> I need to upgrade my versions of SpamAssassin (which is on the cards).

Upgrading to SpamAssassin 3.3.1 fixed the duplicate rule error on the MailScanner boxes.
So that's good and all I need to do is increase the HAS_SHORT_URL score from 0.01 to something a bit more aggressive to help tip the balance.

Thanks.

From prinbra at gmail.com Mon Dec 6 04:49:42 2010
From: prinbra at gmail.com (Curu Wong)
Date: Mon Dec 6 04:52:14 2010
Subject: Apple iWork document cause mailscanner to crash
Message-ID:

One of our clients sent us an email containing an Apple iWork file (with a .pages suffix) as an attachment, which caused MailScanner to crash several times. After that, I extracted the .pages attachment and sent it in another email, and it caused MailScanner to crash again. So I believe it's the attachment that caused MailScanner to die.
Can anyone please give a hand on fixing this? Or is there a way to debug MailScanner so that I can know what it is doing when it crashes? Many thanks!

Here is the message from maillog when MS hung.
----------------------------------------------------------------------
Dec 6 12:28:26 spamsnake MailScanner[4362]: New Batch: Scanning 1 messages, 206434 bytes
Dec 6 12:28:26 spamsnake MailScanner[4396]: MailScanner E-Mail Virus Scanner version 4.81.4 starting...
Dec 6 12:28:26 spamsnake MailScanner[4396]: Reading configuration file /opt/MailScanner/etc/MailScanner.conf
Dec 6 12:28:26 spamsnake MailScanner[4396]: Reading configuration file /opt/MailScanner/etc/conf.d/README
Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 865 hostnames from the phishing whitelist
Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 5278 hostnames from the phishing blacklists
Dec 6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init function SQLBlacklist
Dec 6 12:28:26 spamsnake MailScanner[4396]: Starting up SQL Blacklist
Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 0 blacklist entries
Dec 6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init function MailWatchLogging
Dec 6 12:28:26 spamsnake MailScanner[4396]: Started SQL Logging child
Dec 6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init function SQLWhitelist
Dec 6 12:28:26 spamsnake MailScanner[4396]: Starting up SQL Whitelist
Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 0 whitelist entries
Dec 6 12:28:26 spamsnake MailScanner[4396]: Using SpamAssassin results cache
Dec 6 12:28:26 spamsnake MailScanner[4396]: Connected to SpamAssassin cache database
Dec 6 12:28:26 spamsnake MailScanner[4396]: Enabling SpamAssassin auto-whitelist functionality...
Dec 6 12:28:30 spamsnake MailScanner[4396]: Connected to Processing Attempts Database
Dec 6 12:28:30 spamsnake MailScanner[4396]: Found 2 messages in the Processing Attempts Database
Dec 6 12:28:30 spamsnake MailScanner[4396]: Using locktype = flock
----------------------------------------------------------------------
It will repeat several times until MS finally gives up delivering that message.

Also, when MS hung, I got the following error message in /var/log/messages
----------------------------------------------------------------------
Dec 6 12:28:26 spamsnake MailScanner: Process did not exit cleanly, returned 9 with signal 0
Dec 6 12:32:21 spamsnake MailScanner: Process did not exit cleanly, returned 9 with signal 0
Dec 6 12:36:12 spamsnake MailScanner: Process did not exit cleanly, returned 9 with signal 0
----------------------------------------------------------------------

and the output of ps command is:
----------------------------------------------------------------------
postfix 4322 0.0 3.4 105784 35580 ? Ss 12:27 0:00 MailScanner: starting child
postfix 4323 1.0 10.0 223676 102832 ? S 12:27 0:01 MailScanner: waiting for messages
postfix 4335 1.0 10.0 223620 102828 ? S 12:27 0:01 MailScanner: waiting for messages
postfix 4344 1.0 10.0 223620 102828 ? S 12:27 0:01 MailScanner: waiting for messages
postfix 4353 1.1 10.0 223676 102828 ? S 12:27 0:01 MailScanner: waiting for messages
postfix 4396 2.1 10.0 223688 102844 ? S 12:28 0:01 MailScanner: waiting for messages
----------------------------------------------------------------------

and MailScanner --lint didn't show any error message.

Because that .pages file contains sensitive information, I am sorry that I couldn't upload it here.

I run this MS v 4.81.4 with spamassassin 3.3.1, clamav 0.96.3 on ubuntu 10.04 LTS version.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101206/eaa7e878/attachment.html

From prinbra at gmail.com Mon Dec 6 07:48:06 2010
From: prinbra at gmail.com (Curu Wong)
Date: Mon Dec 6 07:48:15 2010
Subject: Apple iWork document cause mailscanner to crash
In-Reply-To:
References:
Message-ID:

I run MS in debug mode, and get this output:
----------------------------------------------------------------------
Insecure dependency in chmod while running with -T switch at /usr/share/perl5/Archive/Zip/Member.pm line 490.
----------------------------------------------------------------------

This is the famous Perl tainting problem. I found a patch for the Perl module Archive::Zip v 1.30 on https://rt.cpan.org/Public/Bug/Display.html?id=61930.
In fact, not only the .pages document can cause my MS to crash; all other zip archives will cause the crash without applying this patch.

Here my Perl version is v5.10.1.

2010/12/6 Curu Wong

> One of our clients sent us an email containing an Apple iWork file (with a
> .pages suffix) as an attachment, which caused MailScanner to crash several
> times. After that, I extracted the .pages attachment and sent it in
> another email, and it caused MailScanner to crash again. So I believe it's the
> attachment that caused MailScanner to die.
> Can anyone please give a hand on fixing this? Or is there a way to debug
> MailScanner so that I can know what it is doing when it crashes? Many thanks!
>
> Here is the message from maillog when MS hung.
>
> ----------------------------------------------------------------------
> Dec 6 12:28:26 spamsnake MailScanner[4362]: New Batch: Scanning 1
> messages, 206434 bytes
> Dec 6 12:28:26 spamsnake MailScanner[4396]: MailScanner E-Mail Virus
> Scanner version 4.81.4 starting...
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Reading configuration file
> /opt/MailScanner/etc/MailScanner.conf
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Reading configuration file
> /opt/MailScanner/etc/conf.d/README
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 865 hostnames from the
> phishing whitelist
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 5278 hostnames from the
> phishing blacklists
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init
> function SQLBlacklist
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Starting up SQL Blacklist
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 0 blacklist entries
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init
> function MailWatchLogging
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Started SQL Logging child
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Config: calling custom init
> function SQLWhitelist
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Starting up SQL Whitelist
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Read 0 whitelist entries
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Using SpamAssassin results
> cache
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Connected to SpamAssassin
> cache database
> Dec 6 12:28:26 spamsnake MailScanner[4396]: Enabling SpamAssassin
> auto-whitelist functionality...
> Dec 6 12:28:30 spamsnake MailScanner[4396]: Connected to Processing
> Attempts Database
> Dec 6 12:28:30 spamsnake MailScanner[4396]: Found 2 messages in the
> Processing Attempts Database
> Dec 6 12:28:30 spamsnake MailScanner[4396]: Using locktype = flock
>
> ----------------------------------------------------------------------
> It will repeat several times until MS finally gives up delivering that
> message.
>
> Also, when MS hung, I got the following error message in /var/log/messages
>
> ----------------------------------------------------------------------
> Dec 6 12:28:26 spamsnake MailScanner: Process did not exit cleanly,
> returned 9 with signal 0
> Dec 6 12:32:21 spamsnake MailScanner: Process did not exit cleanly,
> returned 9 with signal 0
> Dec 6 12:36:12 spamsnake MailScanner: Process did not exit cleanly,
> returned 9 with signal 0
>
> ----------------------------------------------------------------------
>
> and the output of ps command is:
>
> ----------------------------------------------------------------------
> postfix 4322 0.0 3.4 105784 35580 ? Ss 12:27 0:00
> MailScanner: starting child
> postfix 4323 1.0 10.0 223676 102832 ? S 12:27 0:01
> MailScanner: waiting for messages
> postfix 4335 1.0 10.0 223620 102828 ? S 12:27 0:01
> MailScanner: waiting for messages
> postfix 4344 1.0 10.0 223620 102828 ? S 12:27 0:01
> MailScanner: waiting for messages
> postfix 4353 1.1 10.0 223676 102828 ? S 12:27 0:01
> MailScanner: waiting for messages
> postfix 4396 2.1 10.0 223688 102844 ? S 12:28 0:01
> MailScanner: waiting for messages
>
> ----------------------------------------------------------------------
>
> and MailScanner --lint didn't show any error message.
>
> Because that .pages file contains sensitive information, I am sorry that
> I couldn't upload it here.
>
> I run this MS v 4.81.4 with spamassassin 3.3.1, clamav 0.96.3 on ubuntu
> 10.04 LTS version.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101206/c3b7f945/attachment.html

From peter.ong at hypermediasystems.com Mon Dec 6 15:58:26 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 15:58:37 2010
Subject: new spam getting through
In-Reply-To: <188385761.28550.1291650850652.JavaMail.root@mail021.dti>
Message-ID: <622970678.28552.1291651106267.JavaMail.root@mail021.dti>

Hey Mr. Steve, thanks for the plugins. I didn't thank you earlier.

So here's how the plugin is faring at my place:

1. It appears to be working fine:
[7443] dbg: config: read file /etc/mail/spamassassin/DecodeShortURLs.cf
[7443] dbg: plugin: loading Mail::SpamAssassin::Plugin::DecodeShortURLs from /etc/mail/spamassassin/DecodeShortURLs.pm
[7443] dbg: plugin: Mail::SpamAssassin::Plugin::DecodeShortURLs=HASH(0xacc6f30) implements 'parsed_metadata', priority -1

2. I still received spam, and it doesn't appear this was triggered at all:
[root@me]# grep -c SHORT_U mail20101204
0
[root@me]# grep -c SHORT_U mail20101205
0

I know those spams came through on these days through this server.

3. This is the spamassassin I'm running.
SpamAssassin version 3.2.5
running on Perl version 5.8.8

4. cd /tmp/DecodeShortURLs
du -hs DecodeShortURLs.txt
0 DecodeShortURLs.txt

I don't know what I'm missing. Can somebody help?

p

From peter.ong at hypermediasystems.com Mon Dec 6 16:04:24 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 16:04:38 2010
Subject: new spam getting through
In-Reply-To: <646454156.28554.1291651356618.JavaMail.root@mail021.dti>
Message-ID: <143709261.28556.1291651464871.JavaMail.root@mail021.dti>

To further test, here's what I did.

I created an empty text file. Pasted only the shortened urls in them. Then, I ran spamassassin on them:

I ran:
spamassassin -t < spam3.txt
spam3.txt is the text file I created with only the shortened urls inside.

------------=_4CFD0930.09ACA586
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

https://mail021.dti/zimbra/
http://goo.gl/m4PzL

------------=_4CFD0930.09ACA586--

Spam detection software, running on the system "gateway001.inf", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: [...]

Content analysis details: (9.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_DATE           Missing Date: header
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 1.3 MISSING_HEADERS        Missing To: header
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 1.8 MISSING_SUBJECT        Missing Subject: header
 1.4 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

----- Original Message -----

> From: "Peter Ong"
> To: "MailScanner discussion"
> Sent: Monday, December 6, 2010 7:58:26 AM
> Subject: Re: new spam getting through
>
> Hey Mr. Steve, thanks for the plugins. I didn't thank you earlier.
>
> So here's how the plugin is faring at my place:
>
> 1. It appears to be working fine:
> [7443] dbg: config: read file
> /etc/mail/spamassassin/DecodeShortURLs.cf
> [7443] dbg: plugin: loading
> Mail::SpamAssassin::Plugin::DecodeShortURLs from
> /etc/mail/spamassassin/DecodeShortURLs.pm
> [7443] dbg: plugin:
> Mail::SpamAssassin::Plugin::DecodeShortURLs=HASH(0xacc6f30) implements
> 'parsed_metadata', priority -1
>
> 2. I still received spam, and it doesn't appear this was triggered at
> all:
> [root@me]# grep -c SHORT_U mail20101204
> 0
> [root@me]# grep -c SHORT_U mail20101205
> 0
>
> I know those spams came through on these days through this server.
>
> 3. This is the spamassassin I'm running.
> SpamAssassin version 3.2.5
> running on Perl version 5.8.8
>
> 4. cd /tmp/DecodeShortURLs
> du -hs DecodeShortURLs.txt
> 0 DecodeShortURLs.txt
>
> I don't know what I'm missing. Can somebody help?
>
> p

From maxsec at gmail.com Mon Dec 6 17:04:29 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Dec 6 17:04:39 2010
Subject: new spam getting through
In-Reply-To: <143709261.28556.1291651464871.JavaMail.root@mail021.dti>
References: <646454156.28554.1291651356618.JavaMail.root@mail021.dti> <143709261.28556.1291651464871.JavaMail.root@mail021.dti>
Message-ID:

well the SA is out of date, so update that and make sure it's using network tests.

--
Martin Hepworth
Oxford, UK

On 6 December 2010 16:04, Peter Ong wrote:

> To further test, here's what I did.
>
> I created an empty text file. Pasted only the shortened urls in them. Then,
> I ran spamassassin on them:
>
> I ran:
> spamassassin -t < spam3.txt
> spam3.txt is the text file I created with only the shortened urls inside.
>
> ------------=_4CFD0930.09ACA586
> Content-Type: message/rfc822; x-spam-type=original
> Content-Description: original message before SpamAssassin
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
>
> https://mail021.dti/zimbra/
> http://goo.gl/m4PzL
>
> ------------=_4CFD0930.09ACA586--
>
> Spam detection software, running on the system "gateway001.inf", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> the administrator of that system for details.
>
> Content preview: [...]
> > Content analysis details: (9.2 points, 5.0 required) > > pts rule name description > ---- ---------------------- > -------------------------------------------------- > 0.0 MISSING_MID Missing Message-Id: header > 0.0 MISSING_DATE Missing Date: header > -0.0 NO_RELAYS Informational: message was not relayed via SMTP > 2.5 MISSING_HB_SEP Missing blank line between message header and > body > 1.3 MISSING_HEADERS Missing To: header > 2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO > 1.8 MISSING_SUBJECT Missing Subject: header > 1.4 EMPTY_MESSAGE Message appears to have no textual parts and no > Subject: text > -0.0 NO_RECEIVED Informational: message has no Received headers > 0.0 NO_HEADERS_MESSAGE Message appears to be missing most RFC-822 > headers > > > ----- Original Message ----- > > > From: "Peter Ong" > > To: "MailScanner discussion" > > Sent: Monday, December 6, 2010 7:58:26 AM > > Subject: Re: new spam getting through > > > > Hey Mr. Steve, thanks for the plugins. I didn't thank you earlier. > > > > So here's how the plugin is faring at my place: > > > > 1. It appears to be working fine: > > [7443] dbg: config: read file > > /etc/mail/spamassassin/DecodeShortURLs.cf > > [7443] dbg: plugin: loading > > Mail::SpamAssassin::Plugin::DecodeShortURLs from > > /etc/mail/spamassassin/DecodeShortURLs.pm > > [7443] dbg: plugin: > > Mail::SpamAssassin::Plugin::DecodeShortURLs=HASH(0xacc6f30) implements > > 'parsed_metadata', priority -1 > > > > 2. I still received spam, and it doesn't appear this was triggered at > > all: > > [root@me]# grep -c SHORT_U mail20101204 > > 0 > > [root@me]# grep -c SHORT_U mail20101205 > > 0 > > > > I know those spams came through on these days through this server. > > > > 3. This is the spamassassin I'm running. > > SpamAssassin version 3.2.5 > > running on Perl version 5.8.8 > > > > 4. cd /tmp/DecodeShortURLs > > du -hs DecodeShortURLs.txt > > 0 DecodeShortURLs.txt > > > > I don't know what I'm missing. Can somebody help? 
> > > > p > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20101206/3f3190f8/attachment.html From steve.freegard at fsl.com Mon Dec 6 17:27:25 2010 From: steve.freegard at fsl.com (Steve Freegard) Date: Mon Dec 6 17:40:26 2010 Subject: new spam getting through In-Reply-To: <143709261.28556.1291651464871.JavaMail.root@mail021.dti> References: <646454156.28554.1291651356618.JavaMail.root@mail021.dti> <143709261.28556.1291651464871.JavaMail.root@mail021.dti> Message-ID: <4CFD1CFD.1090200@fsl.com> On 06/12/10 16:04, Peter Ong wrote: > To further test, here's what I did. > > I created an empty text file. Pasted only the shortened urls in them. Then, I ran spamassassin on them: > > I ran: > spamassassin -t< spam3.txt > spam3.txt is the text file I created with only the shortened urls inside. > > ------------=_4CFD0930.09ACA586 > Content-Type: message/rfc822; x-spam-type=original > Content-Description: original message before SpamAssassin > Content-Disposition: inline > Content-Transfer-Encoding: 8bit > > https://mail021.dti/zimbra/ > http://goo.gl/m4PzL > > ------------=_4CFD0930.09ACA586-- ^^^ That is not a valid RFC822 message; which is the problem - SA saw a completely empty message (hence EMPTY_MESSAGE rule fired). Create a file like this: ---- CUT HERE ---- Subject: testing Content-type: text/plain ---- CUT HERE ----- Then run it through SA like this: spamassassin -D -t < file 2>&1 | grep DecodeShortURLs And if you are still running 3.2.5 it won't work based on a previous bug report; you'll need to be running 3.3.1 due to a bug in 3.2.5 causing eval rules to be merged incorrectly. Regards, Steve. 
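The test-message procedure from the reply above, as an added shell example that is not part of the original thread: it writes a minimal RFC 822 file (headers, one blank separator line, then the URLs as body text) and checks that structure before passing the file to SpamAssassin. The function names, file names and sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, file names and the
# sample URLs below are constructed for illustration.

# Write a minimal RFC 822 message: two headers, ONE blank line, then each
# argument after the output path as a line of the text/plain body.
make_test_msg() {
    out=$1
    shift
    {
        printf 'Subject: testing\n'
        printf 'Content-type: text/plain\n'
        printf '\n'
        for url in "$@"; do
            printf '%s\n' "$url"
        done
    } > "$out"
}

# Exit 0 only if the file has header lines, a blank separator line and at
# least one non-empty body line. A line such as "http://host/path" has the
# shape "name:value", so a file holding only URLs is all header and no
# body under this check.
has_header_and_body() {
    LC_ALL=C awk '
        BEGIN { in_hdr = 1; hdrs = 0; body = 0; bad = 0 }
        { sub(/\r$/, "") }                                   # tolerate CRLF
        in_hdr && $0 == ""             { in_hdr = 0; next }  # separator
        in_hdr && /^[!-9;-~]+:/        { hdrs++; next }      # header field
        in_hdr && /^[ \t]/ && hdrs > 0 { next }              # folded header
        in_hdr                         { bad = 1; exit }     # junk in header
        $0 != ""                       { body++ }
        END { exit !(bad == 0 && in_hdr == 0 && hdrs > 0 && body > 0) }
    ' "$1"
}

# Same invocation as in the thread; needs SpamAssassin on PATH.
run_sa_debug() {
    if ! command -v spamassassin >/dev/null 2>&1; then
        echo "spamassassin not found on PATH" >&2
        return 127
    fi
    spamassassin -D -t < "$1" 2>&1 | grep DecodeShortURLs
}

demo_dir=$(mktemp -d)
# Constructed stand-in for the URL-only spam3.txt described in the thread.
printf '%s\n' 'https://mail.example/zimbra/' 'http://short.example/abc123' \
    > "$demo_dir/spam3.txt"
make_test_msg "$demo_dir/test.eml" 'http://short.example/abc123'
for f in "$demo_dir/spam3.txt" "$demo_dir/test.eml"; do
    if has_header_and_body "$f"; then
        echo "$f: valid test message"
        run_sa_debug "$f" || true
    else
        echo "$f: no header/body separator or no body text"
    fi
done
rm -rf "$demo_dir"
```

The URL-only file fails the check for the same structural reason the report in the thread lists MISSING_HB_SEP and EMPTY_MESSAGE: there is no blank line and no body.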
From peter.ong at hypermediasystems.com Mon Dec 6 17:47:51 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 17:48:02 2010
Subject: new spam getting through
In-Reply-To: <4CFD1CFD.1090200@fsl.com>
Message-ID: <1191844399.28710.1291657671425.JavaMail.root@mail021.dti>

Gaah!!! Thanks... I'll schedule the updates.

p

From peter.ong at hypermediasystems.com Mon Dec 6 18:56:28 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 18:56:39 2010
Subject: new spam getting through
In-Reply-To: <4CFD1CFD.1090200@fsl.com>
Message-ID: <1264055296.28908.1291661788710.JavaMail.root@mail021.dti>

Hey Guys,

In my sandbox, I upgraded spamassassin... and tested one of the messages I received for which I'm doing this:

SpamAssassin version 3.3.1
running on Perl version 5.8.8

Content analysis details: (4.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: x.co]
 0.0 FREEMAIL_FROM          Sender email is freemail
                            (interceptor1980[at]hotmail.co.uk)
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, low
                            trust
                            [65.55.90.38 listed in list.dnswl.org]
 1.6 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
                            digit (interceptor1980[at]hotmail.co.uk)
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]

Should I be seeing the
HAS_SHORT_URL rule triggered in the output above?

p

From steve.freegard at fsl.com Mon Dec 6 19:54:53 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Dec 6 20:02:02 2010
Subject: new spam getting through
In-Reply-To: <1264055296.28908.1291661788710.JavaMail.root@mail021.dti>
References: <4CFD1CFD.1090200@fsl.com> <1264055296.28908.1291661788710.JavaMail.root@mail021.dti>
Message-ID: <4CFD3F8D.6020301@fsl.com>

On 06/12/10 18:56, Peter Ong wrote:
> Hey Guys,
>
> In my sandbox, I upgraded spamassassin... and tested one of the messages I received for which I'm doing this:
>
> SpamAssassin version 3.3.1
> running on Perl version 5.8.8
>
>
> Content analysis details: (4.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.7 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
>                             [URIs: x.co]
>  0.0 FREEMAIL_FROM          Sender email is freemail
>                             (interceptor1980[at]hotmail.co.uk)
> -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, low
>                             trust
>                             [65.55.90.38 listed in list.dnswl.org]
>  1.6 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
>                             digit (interceptor1980[at]hotmail.co.uk)
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5000]
>
> Should I be seeing the
> HAS_SHORT_URL rule triggered in the output above?
> p

You'll need to add x(dot)co to the list of url_shorteners as it isn't
present in the downloadable version.

Also - if you're trying to debug it:

spamassassin -D -t < msg 2>&1 | grep DecodeShortURLs

Is the command to use here.

Regards,
Steve.

From peter.ong at hypermediasystems.com Mon Dec 6 20:21:33 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 20:21:44 2010
Subject: new spam getting through
In-Reply-To: <4CFD3F8D.6020301@fsl.com>
Message-ID: <1018339981.29046.1291666893736.JavaMail.root@mail021.dti>

I already did that.

url_shortener x.co

From peter.ong at hypermediasystems.com Mon Dec 6 20:45:46 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 20:45:59 2010
Subject: new spam getting through
In-Reply-To: <4CFD3F8D.6020301@fsl.com>
Message-ID: <126022894.29055.1291668346495.JavaMail.root@mail021.dti>

Thanks for your patience, Steve. I figured out the problem.

p

From peter.ong at hypermediasystems.com Mon Dec 6 21:14:03 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 21:14:13 2010
Subject: new spam getting through
In-Reply-To: <126022894.29055.1291668346495.JavaMail.root@mail021.dti>
Message-ID: <958738288.29081.1291670043133.JavaMail.root@mail021.dti>

Don't mean to be a stickler, but would anyone know the bug number in sa3.2.5 that's causing my problems? I need to pitch this in a change control before I update the main servers, so I'll need to add it in there. Thanks.

p

From steve.freegard at fsl.com Mon Dec 6 21:54:50 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Dec 6 22:06:45 2010
Subject: new spam getting through
In-Reply-To: <958738288.29081.1291670043133.JavaMail.root@mail021.dti>
References: <126022894.29055.1291668346495.JavaMail.root@mail021.dti> <958738288.29081.1291670043133.JavaMail.root@mail021.dti>
Message-ID: <4CFD5BAA.4040101@fsl.com>

On 06/12/10 21:14, Peter Ong wrote:
> Don't mean to be a stickler, but would anyone know the bug number in sa3.2.5 that's causing my problems? I need to pitch this in a change control before I update the main servers, so I'll need to add it in there. Thanks.

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5959

From peter.ong at hypermediasystems.com Mon Dec 6 22:12:48 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Mon Dec 6 22:12:58 2010
Subject: new spam getting through
In-Reply-To: <4CFD5BAA.4040101@fsl.com>
Message-ID: <1334654118.29170.1291673568389.JavaMail.root@mail021.dti>

Kewl, thanks.

p

From danield at igb.uiuc.edu Mon Dec 6 22:16:15 2010
From: danield at igb.uiuc.edu (Daniel Davidson)
Date: Mon Dec 6 22:16:30 2010
Subject: Many cache hits before message finally delivered
In-Reply-To:
References: <1291151653.24471.61.camel@localhost.localdomain>
Message-ID: <1291673775.26771.196.camel@localhost.localdomain>

Thanks for this tip. I looked in the queues and to my surprise in the hold directory I had about 10 messages that had been there for over a month. I looked, and they were spam so I deleted them. Everything runs much better now.

Dan

From eddie at emcuk.com Tue Dec 7 11:00:21 2010
From: eddie at emcuk.com (Eddie Hallahan)
Date: Tue Dec 7 11:00:32 2010
Subject: Which is the 'best' filesystem for running mailscanner
Message-ID: <4CFE13C5.50808@emcuk.com>

Hi all,

I'm currently looking into making a new-build of my current servers and have decided that nothing should be sacred and as such am looking at all the various things that could/should change from my old build.

One of the things I'm pondering is which filesystem to use. The servers main function is mailscanning with some proxyserver and firewall duties thrown in.

Does anyone have any thoughts?

Regards

--
Eddie Hallahan
Enterprise Management Consulting
www.emcuk.com

Enterprise Management Consulting is a company registered in England and Wales with company number 3134554. VAT registration number is 681038440.

From hvdkooij at vanderkooij.org Tue Dec 7 11:10:27 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Dec 7 11:10:35 2010
Subject: Which is the 'best' filesystem for running mailscanner
In-Reply-To: <4CFE13C5.50808@emcuk.com>
References: <4CFE13C5.50808@emcuk.com>
Message-ID:

On Tue, 07 Dec 2010 11:00:21 +0000, Eddie Hallahan wrote:
> I'm currently looking into making a new-build of my current servers and
> have decided that nothing should be sacred and as such am looking at all
> the various things that could/should change from my old build.
>
> One of the things I'm pondering is which filesystem to use. The servers
> main function is mailscanning with some proxyserver and firewall duties
> thrown in.

Well as nothing is sacred my first hint would be to throw out those tasks.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From e.mink at remote.nl Tue Dec 7 11:41:51 2010
From: e.mink at remote.nl (Eric Mink)
Date: Tue Dec 7 11:42:32 2010
Subject: Which is the 'best' filesystem for running mailscanner
In-Reply-To:
References: <4CFE13C5.50808@emcuk.com>
Message-ID: <2DDEFD48EFB09D49A0BCCDAC59FCF7DF6164FB@REMSVR015.lan.remote.nl>

I use ubuntu server 10.10 for these functions

Kind regards,

Eric Mink

Remote IT - Services
Pascalweg 1, Postbus 256
8000 AG Zwolle

Telephone: 038 - 428 44 44
Fax: 038 - 428 44 40
E-mail: servicedesk@remote.nl

From eddie at emcuk.com Tue Dec 7 11:47:52 2010
From: eddie at emcuk.com (Eddie Hallahan)
Date: Tue Dec 7 11:48:02 2010
Subject: Which is the 'best' filesystem for running mailscanner
In-Reply-To: <4CFE13C5.50808@emcuk.com>
References: <4CFE13C5.50808@emcuk.com>
Message-ID: <4CFE1EE8.7090109@emcuk.com>

Eddie Hallahan wrote:
> Hi all,
>
> I'm currently looking into making a new-build of my current servers and
> have decided that nothing should be sacred and as such am looking at all
> the various things that could/should change from my old build.
>
> One of the things I'm pondering is which filesystem to use. The servers
> main function is mailscanning with some proxyserver and firewall duties
> thrown in.
>
> Does anyone have any thoughts?
>
> Regards
>
>

To clarify, by filesystem I mean ext3, xfs, jfs, reiserfs, ntfs etc

From bonivart at opencsw.org Tue Dec 7 13:32:15 2010
From: bonivart at opencsw.org (Peter Bonivart)
Date: Tue Dec 7 13:32:45 2010
Subject: Which is the 'best' filesystem for running mailscanner
In-Reply-To: <4CFE1EE8.7090109@emcuk.com>
References: <4CFE13C5.50808@emcuk.com> <4CFE1EE8.7090109@emcuk.com>
Message-ID:

On Tue, Dec 7, 2010 at 12:47 PM, Eddie Hallahan wrote:
> To clarify, by filesystem I mean ext3, xfs, jfs, reiserfs, ntfs etc

Zfs if that is available to you. Really, it doesn't matter much since most of MailScanners work is done in tmpfs anyway.
:-)

/peter

From edward.prendergast at netring.co.uk Tue Dec 7 16:34:52 2010
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Tue Dec 7 16:35:25 2010
Subject: no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
Message-ID: <4CFE622C.3090200@netring.co.uk>

Hey

I've just upgraded to SpamAssassin 3.3.1 on MailScanner 4.81.4/perl 5.8.8/Centos 5.5.

When I'm running in debug mode I see the following errors:

root@server12 [/usr/local/src/Mail-SpamAssassin-3.3.1]# MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Argument "2.007_001" isn't numeric in numeric lt (<) at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/SPF.pm line 397.
Building a message batch to scan...
Have a batch of 14 messages.
no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1881
no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1881

Messages with the encoding iso-8859-1 are going through spamassassin fine and getting scanned - they are also getting stopped based on the GTUBE test.

Any input would be appreciated!

Thanks,
Edward

************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorised. If you are not the intended recipient, any action taken or
omitted to be taken in reliance on it, any form of reproduction,
dissemination, copying, disclosure, modification, distribution and/or
publication of this E-mail message is strictly prohibited and may be
unlawful. If you have received this E-mail message in error, please notify
us immediately. Please also destroy and delete the message from your
computer.
************

From prinbra at gmail.com Wed Dec 8 02:25:01 2010
From: prinbra at gmail.com (Curu Wong)
Date: Wed Dec 8 02:25:10 2010
Subject: no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
In-Reply-To: <4CFE622C.3090200@netring.co.uk>
References: <4CFE622C.3090200@netring.co.uk>
Message-ID:

try install the perl module MIME::EncWords, MIME::Charset

From edward.prendergast at netring.co.uk Wed Dec 8 09:52:32 2010
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Wed Dec 8 09:52:54 2010
Subject: no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
In-Reply-To:
References: <4CFE622C.3090200@netring.co.uk>
Message-ID: <4CFF5560.6000705@netring.co.uk>

On 08/12/10 02:25, Curu Wong wrote:
> try install the perl module MIME::EncWords, MIME::Charset
>
> 2010/12/8 Edward Prendergast
>
>
> no decoder for iso-8859-1 at
> /usr/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1881
>

I installed MIME::EncWords, MIME::Charset was already installed - but the problem still seems to be occurring:

In Debugging mode, not forking...
Trying to setlogsock(unix)
Argument "2.007_001" isn't numeric in numeric lt (<) at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/SPF.pm line 397.
Building a message batch to scan...
Have a batch of 26 messages.
no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1881

Thanks

From steve.freegard at fsl.com Wed Dec 8 10:52:23 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Dec 8 10:54:05 2010
Subject: no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821
In-Reply-To: <4CFF5560.6000705@netring.co.uk>
References: <4CFE622C.3090200@netring.co.uk> <4CFF5560.6000705@netring.co.uk>
Message-ID: <4CFF6367.8040409@fsl.com>

On 08/12/10 09:52, Edward Prendergast wrote:
> On 08/12/10 02:25, Curu Wong wrote:
>> try install the perl module MIME::EncWords, MIME::Charset
>>
>> 2010/12/8 Edward Prendergast
>>
>> no decoder for iso-8859-1 at
>> /usr/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1881
>>

Is your MIME-Tools package up-to-date (e.g. 5.428)
http://search.cpan.org/~doneill/MIME-tools/

Regards,
Steve.
From edward.prendergast at netring.co.uk Wed Dec 8 11:07:39 2010 From: edward.prendergast at netring.co.uk (Edward Prendergast) Date: Wed Dec 8 11:08:02 2010 Subject: no decoder for iso-8859-1 at /usr/lib/perl5/site_perl/5.8.8/MIME/Parser.pm line 821 In-Reply-To: <4CFF6367.8040409@fsl.com> References: <4CFE622C.3090200@netring.co.uk> <4CFF5560.6000705@netring.co.uk> <4CFF6367.8040409@fsl.com> Message-ID: <4CFF66FB.60800@netring.co.uk> On 08/12/10 10:52, Steve Freegard wrote: > On 08/12/10 09:52, Edward Prendergast wrote: >> On 08/12/10 02:25, Curu Wong wrote: >>> try install the perl module MIME::EncWords, MIME::Charset >>> >>> 2010/12/8 Edward Prendergast >> > >>> >>> no decoder for iso-8859-1 at >>> /usr/lib/perl5/site_perl/5.8.8/MIME/Entity.pm line 1881 >>> > > Is your MIME-Tools package up-to-date (e.g. 5.428) > http://search.cpan.org/~doneill/MIME-tools/ > I'm already running MIME::Tools 5.428 so I guess that's not the issue? ************ The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any action taken or omitted to be taken in reliance on it, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited and may be unlawful. If you have received this E-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer. ************ From Chris at ChrisBailey.au.com Wed Dec 8 22:44:08 2010 From: Chris at ChrisBailey.au.com (Christopher M Bailey) Date: Thu Dec 9 08:52:37 2010 Subject: Clam AV error Message-ID: <1291848248.2573.7.camel@Linux.SteviePaige.com.local> Hi All, I'm getting the following error when running upgrade_MailScanner_conf Your setting for 'Monitors for ClamAV Updates' is broken. 
It should look like this (unless your ClamAV is installed somewhere else)
Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd

My ClamAV files are stored in /var/clamav. Where do I change this, as I can
find no reference to it in my Mailscanner.conf file included below?

TIA
Chris

==============================Mailscanner.conf=======================
# Main configuration file for the MailScanner E-Mail Virus Scanner
#
# It's good practice to check through configuration files to make sure
# they fit with your system and your needs, whatever you expect them to
# contain.
#
# Note: If your directories are symlinked (soft-linked) in any way,
# please put their *real* location in here, not a path that
# includes any links. You may get some very strange error
# messages from some of the virus scanners if you don't.
#
# Note for Version 4.00 and above:
# A lot of the settings can take a ruleset as well as just simple
# values. These rulesets are files containing rules which are applied
# to the current message to calculate the value of the configuration
# option. The rules are checked in the order they appear in the ruleset.
#
# Note for Version 4.03 and above:
# As well as rulesets, you can now include your own functions in
# here. Look at the directory containing Config.pm and you will find
# CustomConfig.pm. In here, you can add your own "value" function and
# an Initvalue function to set up any global state you need such as
# database connections. Then for a setting below, you can put:
# Configuration Option = &ValueFunction
# where "ValueFunction" is the name of the function you have
# written in CustomConfig.pm.
#
# Note for Version 4.54 and above:
# Numbers can be scaled by 1 thousand, 1 million or 1 billion by
# putting a "k", "m" or "g" immediately after the number. You must
# *not* put any spaces between the number and the k, m or g.
#
# Note for Version 4.77 and above:
# If you are going to use "host:" in rulesets, it is imperative that
# you have a local caching name-server (DNS server). Or else using
# "host:" in rulesets will really slow you down.
#
# Note for Version 4.78 and above:
# This file now supports nested "include" statements. The syntax is
# include filename-wildcard-here
# where filename-wildcard-here is replaced with the full path of one
# or more other MailScanner.conf files to be read. You can use the
# normal shell wildcard characters such as "*".
# For each setting, the last value read will be used by MailScanner.
# At the end of this file, there is an "include" that will pull in
# all the files in /etc/MailScanner/conf.d so you can just add
# your own local changes in there, and not need to modify this file.
#

#
# Definition of variables which are substituted into definitions below.
#
# You can add any %variables% that you want to use in addition to the
# ones provided.
#
# You can also use any shell environment variables here such as $HOSTNAME
# or ${HOSTNAME} in configuration settings and rulesets. See the
# definition of "Hostname" for an example.
#

# Enter a short identifying name for your organisation below, this is
# used to make the X-MailScanner headers unique for your organisation.
# Multiple servers within one site should use an identical value here
# to avoid adding multiple redundant headers where mail has passed
# through several servers within your organisation.
#
# Note: Some Symantec scanners complain (incorrectly) about "."
# ***** characters appearing in the names of headers.
# Some other mail servers complain about "_" characters
# appearing in the names of headers as well.
# So don't put "." or "_" in this setting.
#
# **** RULE: It must not contain any spaces! ****
%org-name% = SteviePaige

# Enter the full name of your organisation below, this is used in the
# signature placed at the bottom of report messages sent by MailScanner.
# It can include pretty much any text you like. You can make the result
# span several lines by including "\n" sequences in the text. These will
# be replaced by line-breaks.
%org-long-name% = Stevie Paige - Australian Soul-Blues

# Enter the location of your organisation's web site below. This is used
# in the signature placed at the bottom of report messages sent by
# MailScanner. It should preferably be the location of a page that you
# have written explaining why you might have rejected the mail and what
# the recipient and/or sender should do about it.
%web-site% = www.steviepaige.com

# Configuration directory containing this file
%etc-dir% = /etc/MailScanner

# Set the directory containing all the reports in the required language
%report-dir% = /etc/MailScanner/reports/en

# Rulesets directory containing your ".rules" files
%rules-dir% = /etc/MailScanner/rules

# Configuration directory containing files related to MCP
# (Message Content Protection)
%mcp-dir% = /etc/MailScanner/mcp

# One other that is set automatically for you is %version% which is,
# unsurprisingly, the string of the MailScanner version. It does not
# contain the build number (the "-1" on the end), but does include the rest.

#
# System settings
# ---------------
#

# How many MailScanner processes do you want to run at a time?
# There is no point increasing this figure if your MailScanner server
# is happily keeping up with your mail traffic.
# If you are running on a server with more than 1 CPU, or you have a
# high mail load (and/or slow DNS lookups) then you should see better
# performance if you increase this figure.
# If you are running on a small system with limited RAM, you should
# note that each child takes just over 20MB.
#
# As a rough guide, try 5 children per CPU. But read the notes above.
Max Children = 5

# User to run as (not normally used for sendmail)
# If you want to change the ownership or permissions of the quarantine or
# temporary files created by MailScanner, please see the "Incoming Work"
# settings later in this file.
#Run As User = mail
#Run As User = postfix
Run As User =

# Group to run as (not normally used for sendmail)
#Run As Group = mail
#Run As Group = postfix
Run As Group =

# How often (in seconds) should each process check the incoming mail
# queue for new messages? If you have a quiet mail server, you might
# want to increase this value so it causes less load on your server, at
# the cost of slightly increasing the time taken for an average message
# to be processed.
Queue Scan Interval = 6

# Set location of incoming mail queue
#
# This can be any one of
# 1. A directory name
#    Example: /var/spool/mqueue.in
# 2. A wildcard giving directory names
#    Example: /var/spool/mqueue.in/*
# 3. The name of a file containing a list of directory names,
#    which can in turn contain wildcards.
#    Example: /etc/MailScanner/mqueue.in.list.conf
#
# If you are using sendmail and have your queues split into qf, df, xf
# directories, then just specify the main directory, do not give me the
# directory names of the qf,df,xf directories.
# Example: if you have /var/spool/mqueue.in/qf
#                      /var/spool/mqueue.in/df
#                      /var/spool/mqueue.in/xf
# then just tell me /var/spool/mqueue.in. I will find the subdirectories
# automatically.
#
Incoming Queue Dir = /var/spool/mqueue.in

# Set location of outgoing mail queue.
# This can also be the filename of a ruleset.
Outgoing Queue Dir = /var/spool/mqueue

# Set where to unpack incoming messages before scanning them
# This can completely safely use tmpfs or a ramdisk, which will
# give you a significant performance improvement.
# NOTE: The path given here must not include any links at all,
# NOTE: but must be the absolute path to the directory.
# NOTE: If you change this, you should change these too:
# NOTE: SpamAssassin Temporary Dir
# NOTE: SpamAssassin Cache Database File
Incoming Work Dir = /var/spool/MailScanner/incoming

# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid

# To avoid resource leaks, re-start periodically. Forces a re-read of all
# the configuration files too, so new updates to the bad phishing sites list
# are read frequently.
Restart Every = 14400

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = sendmail

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/sbin/sendmail

# Sendmail2 is provided for Exim users.
# It is the command used to attempt delivery of outgoing cleaned/disinfected
# messages.
# This is not usually required for sendmail.
# This can also be the filename of a ruleset.
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#For sendmail users: Sendmail2 = /usr/sbin/sendmail
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
Sendmail2 = /usr/sbin/sendmail

#
# Incoming Work Dir Settings
# --------------------------
#
# You should not normally need to touch these settings at all,
# unless you are using ClamAV and need to be able to use the
# external archive unpackers instead of ClamAV's built-in ones.

# If you want to create the temporary working files so they are owned
# by a user other than the "Run As User" setting at the top of this file,
# you can change that here.
#
# Note: If the "Run As User" is not "root" you cannot change the
# user but may still be able to change the group, if the
# "Run As User" is a member of both of the groups "Run As Group"
# and "Incoming Work Group"
# Note: If the "Run As User" is "root" (or not set at all) and you are
# using the "clamd" virus scanner AND clamd is not running as root,
# then this must be set to the group clamd is using (from your
# clamd.conf), example:
#   Incoming Work Group = clamav
#   Incoming Work Permissions = 0640
Incoming Work User =
Incoming Work Group =

# If you want processes running under the same *group* as MailScanner to
# be able to read the working files (and list what is in the
# directories, of course), set to 0640. If you want *all* other users to
# be able to read them, set to 0644. For a detailed description, if
# you're not already familiar with it, refer to `man 2 chmod`.
# Typical use: external helper programs of virus scanners (notably ClamAV),
# like unpackers.
# Use with care, you may well open security holes.
#
# Note: If the "Run As User" is "root" (or not set at all) and you are
# using the "clamd" virus scanner, then this must be set:
#   Incoming Work Group = clamav
#   Incoming Work Permissions = 0640
Incoming Work Permissions = 0600

#
# Quarantine and Archive Settings
# -------------------------------
#
# If, for example, you are using a web interface so that users can manage
# their quarantined files, you might want to change the ownership and
# permissions of the quarantined so that they can be read and/or deleted
# by the web server.
# Don't touch this unless you know what you are doing!

# If you want to create the quarantine/archive so the files are owned
# by a user other than the "Run As User" setting at the top of this file,
# you can change that here.
# Note: If the "Run As User" is not "root" then you cannot change the
# user but may still be able to change the group, if the
# "Run As User" is a member of both of the groups "Run As Group"
# and "Quarantine Group".
Quarantine User =
Quarantine Group =

# If you want processes running under the same *group* as MailScanner to
# be able to read the quarantined files (and list what is in the
# directories, of course), set to 0640. If you want *all* other users to
# be able to read them, set to 0644. For a detailed description, if
# you're not already familiar with it, refer to `man 2 chmod`.
# Typical use: let the webserver have access to the files so users can
# download them if they really want to.
# Use with care, you may well open security holes.
Quarantine Permissions = 0600

#
# Processing Incoming Mail
# ------------------------
#

# In every batch of virus-scanning, limit the maximum
# a) number of unscanned messages to deliver
# b) number of potentially infected messages to unpack and scan
# c) total size of unscanned messages to deliver
# d) total size of potentially infected messages to unpack and scan
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30

# If more messages are found in the queue than this, then switch to an
# "accelerated" mode of processing messages. This will cause it to stop
# scanning messages in strict date order, but in the order it finds them
# in the queue. If your queue is bigger than this size a lot of the time,
# then some messages could be greatly delayed. So treat this option as
# "in emergency only".
Max Normal Queue Size = 800

# If this is set to "yes", then email messages passing through MailScanner
# will be processed and checked, and all the other options in this file
# will be used to control what checks are made on the message.
#
# If this is set to "no", then email messages will NOT be processed or
# checked *at all*, and so any viruses or other problems will be ignored.
#
# If this is set to "virus", then email messages will only be scanned for
# viruses and *nothing* else.
#
# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
#   To: bad.customer.com no
#   From: ignore.domain.com no
#   From: my.domain.com virus
#   FromOrTo: default yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
Scan Messages = yes

# You may not want to receive mail from certain addresses and/or to certain
# addresses. If so, you can do this with your email transport (sendmail,
# Postfix, etc) but that will just send a one-line message which is not
# helpful to the user sending the message.
# If this is set to yes, then the message set by the "Rejection Report"
# will be sent instead, and the incoming message will be deleted.
# If you want to store a copy of the original incoming message then use the
# "Archive Mail" setting to archive a copy of it.
# The purpose of this option is to set it to be a ruleset, so that you
# can reject messages from a few offending addresses where you need to send
# a polite reply instead of just a brief 1-line rejection message.
Reject Message = no

# Limit the number of attempts made at processing any particular message.
# If you get a message which repeatedly crashes MailScanner, it will
# limit the impact by ignoring the message and refusing to process it,
# after more than the given number of attempts have been made at it.
# Note that enabling this feature causes a slight performance hit.
# Set this to 0 to disable the limit and the entire Processing Attempts
# Database and its requirement for SQLite.
# This cannot be a ruleset, only a simple value.
Maximum Processing Attempts = 6

# This is the location of the database file used to track the number of
# times any message has been attempted.
# To clear out the database, just delete the file, MailScanner will re-
# create it automatically when it starts.
Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db

# The maximum number of attachments allowed in a message before it is
# considered to be an error. Some email systems, if bouncing a message
# between 2 addresses repeatedly, add information about each bounce as
# an attachment, creating a message with thousands of attachments in just
# a few minutes. This can slow down or even stop MailScanner as it uses
# all available memory to unpack these thousands of attachments.
# This can also be the filename of a ruleset.
Maximum Attachments Per Message = 200

# Expand TNEF attachments using an external program (or a Perl module)?
# This should be "yes" unless the scanner you are using (Sophos, McAfee) has
# the facility built-in. However, if you set it to "no", then the filenames
# within the TNEF attachment will not be checked against the filename rules.
Expand TNEF = yes

# When the TNEF (winmail.dat) attachments are expanded, should the
# attachments contained in there be added to the list of attachments in
# the message?
# If you set this to "add" or "replace" then recipients of messages sent
# in "Outlook Rich Text Format" (TNEF) will be able to read the attachments
# if they are not using Microsoft Outlook.
#
# no => Leave winmail.dat TNEF attachments alone.
# add => Add the contents of winmail.dat as extra attachments, but also
#        still include the winmail.dat file itself. This will result in
#        TNEF messages being doubled in size.
# replace => Replace the winmail.dat TNEF attachment with the files it
#        contains, and delete the original winmail.dat file itself.
#        This means the message stays the same size, but is usable by
#        non-Outlook recipients.
#
# This can also be the filename of a ruleset.
Use TNEF Contents = replace

# Some versions of Microsoft Outlook generate unparsable Rich Text
# format attachments. Do we want to deliver these bad attachments anyway?
# Setting this to yes introduces the slight risk of a virus getting through,
# but if you have a lot of troubled Outlook users you might need to do this.
# We are working on a replacement for the TNEF decoder.
# This can also be the filename of a ruleset.
Deliver Unparsable TNEF = no

# Where the MS-TNEF expander is installed.
# This is EITHER the full command (including maxsize option) that runs
# the external TNEF expander binary,
# OR the keyword "internal" which will make MailScanner use the Perl
# module that does the same job.
# They are both provided as I am unsure which one is faster and which
# one is capable of expanding more file formats (there are plenty!).
#
# The --maxsize option limits the maximum size that any expanded attachment
# may be. It helps protect against Denial Of Service attacks in TNEF files.
# This can also be the filename of a ruleset.
#TNEF Expander = internal
TNEF Expander = /usr/bin/tnef --maxsize=100000000

# The maximum length of time the TNEF Expander is allowed to run for 1 message.
# (in seconds)
TNEF Timeout = 120

# Where the "file" command is installed.
# This is used for checking the content type of files, regardless of their
# filename.
# To disable Filetype checking, set this value to blank.
File Command = /usr/bin/file

# The maximum length of time the "file" command is allowed to run for 1
# batch of messages (in seconds).
File Timeout = 20

# Where the "gunzip" command is installed.
# This is used for expanding .gz files.
# To disable gzipped file checking, set this value to blank
# and the timeout to 0.
Gunzip Command = /bin/gunzip

# The maximum length of time the "gunzip" command is allowed to run to expand
# 1 attachment file (in seconds).
Gunzip Timeout = 50

# Where the "unrar" command is installed.
# If you haven't got this command, look at www.rarlab.com.
#
# This is used for unpacking rar archives so that the contents can be
# checked for banned filenames and filetypes, and also that the
# archive can be tested to see if it is password-protected.
# Virus scanning the contents of rar archives is still left to the virus
# scanner, with one exception:
# If using the clamavmodule virus scanner, this adds external RAR checking
# to that scanner which is needed for archives which are RAR version 3.
Unrar Command = /usr/bin/unrar

# The maximum length of time the "unrar" command is allowed to run for 1
# RAR archive (in seconds)
Unrar Timeout = 50

# A few viruses store their infected data in UU-encoded files, to try to
# catch out virus scanners. This rarely succeeds at all.
# Setting this option to yes means that you can apply filename and filetype
# checks to the contents of UU-encoded files. This may occasionally be
# useful, in which case you should set to yes.
# This can also be the filename of a ruleset.
Find UU-Encoded Files = no

# The maximum size, in bytes, of any message including the headers.
# If this is set to zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# dialup users so their email applications don't time out downloading huge
# messages.
Maximum Message Size = %rules-dir%/max.message.size.rules

# The maximum size, in bytes, of any attachment in a message.
# If this is set to zero, effectively no attachments are allowed.
# If this is set less than zero, then no size checking is done.
# This can also be the filename of a ruleset, so you can have different
# settings for different users. You might want to set this quite small for
# large mailing lists so they don't get deluged by large attachments.
# This can also be the filename of a ruleset.
Maximum Attachment Size = -1

# The minimum size, in bytes, of any attachment in a message.
# If this is set less than or equal to zero, then no size checking is done.
# It is very useful to set this to 1 as it removes any zero-length
# attachments which may be created by broken viruses.
# This can also be the filename of a ruleset.
Minimum Attachment Size = -1

# The maximum depth to which zip archives, rar archives and Microsoft Office
# documents will be unpacked, to allow for checking filenames and filetypes
# within zip and rar archives and embedded within Office documents.
#
# Note: This setting does *not* affect virus scanning in archives at all.
#
# To disable this feature set this to 0.
# A common useful setting is this option = 0, and Allow Password-Protected
# Archives = no. That blocks password-protected archives but does not do
# any filename/filetype checks on the files within the archive.
# This can also be the filename of a ruleset.
Maximum Archive Depth = 4

# Find zip archives by filename or by file contents?
# Finding them by content is a far more reliable way of finding them, but
# it does mean that you cannot tell your users to avoid zip file checking
# by renaming the file from ".zip" to "_zip" and tricks like that.
# Only set this to no (i.e. check by filename only) if you don't want to
# reliably check the contents of zip files. Note this does not affect
# virus checking, but it will affect all the other checks done on the contents
# of the zip file.
# This can also be the filename of a ruleset.
Find Archives By Content = yes

# Do you want to unpack Microsoft "OLE" documents, such as *.doc, *.xls
# and *.ppt documents? This will extract any files which have been hidden
# by being embedded in these documents.
# There are one or two minor bugs in the third-party code that does the
# processing of these files, so it can cause MailScanner to hang in very
# rare cases.
# ClamAV has its own OLE unpacking code, so you can safely switch this off
# if you just rely on ClamAV for your virus-scanning. Note that this will,
# however, disable all filename and filetype checking of embedded files.
# This can also be the filename of a ruleset.
Unpack Microsoft Documents = yes

# Should the attachments be compressed and put into a single zip file?
# This can also be the filename of a ruleset.
Zip Attachments = no

# If the attachments are to be compressed into a single zip file,
# this is the filename of the zip file.
# This can also be the filename of a ruleset.
Attachments Zip Filename = MessageAttachments.zip

# If the original total size of all the attachments to be compressed is
# less than this number of bytes, they will not be zipped at all.
# This can also be the filename of a ruleset.
Attachments Min Total Size To Zip = 100k

# Attachments whose filenames end in these strings will not be zipped.
# This can also be the filename of a ruleset.
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml

# Do you want to add the plain text contents of Microsoft Word documents?
# This feature uses the 'antiword' program available from
# http://www.winfield.demon.nl/
# For those of you running on Linux, you can get RPMs and SRPMs from
# http://www.volny.cz/zellerin/rpmmenu.html
# It is switched off by default, as it causes a slight performance hit.
# This can also be the filename of a ruleset.
Add Text Of Doc = no

# Location and full command of the "antiword" program
# Using a ruleset here, you could have different output styles for
# different people.
# This can also be the filename of a ruleset.
Antiword = /usr/bin/antiword -f

# The maximum length of time the "antiword" command is allowed to run for 1
# Word document (in seconds)
Antiword Timeout = 50

# MailScanner can automatically unpack small archives,
# so you don't have to go through several extra clicks to extract small
# files from automatically-generated emailed archives.
#
# This is the maximum number of files in each archive. If an archive contains
# more files than this, we do not try to unpack it at all.
# Set this value to 0 to disable this feature.
# This can also be the filename of a ruleset.
Unzip Maximum Files Per Archive = 0

# The maximum unpacked size of each file in an archive. Bigger than this, and
# the file will not be unpacked. Setting this value to 0 will disable this
# feature completely.
# This can also be the filename of a ruleset.
Unzip Maximum File Size = 50k

# The list of filename extensions that should be unpacked.
# This can also be the filename of a ruleset.
Unzip Filenames = *.txt *.ini *.log *.csv

# The MIME type of the files unpacked from the archive.
# If you are using it for mostly text files, then use "text/plain".
# If you are using it for mostly binary files, then use
# "application/octet-stream".
# This can also be the filename of a ruleset.
Unzip MimeType = text/plain

#
# Virus Scanning and Vulnerability Testing
# ----------------------------------------
#

# Do you want to scan email for viruses?
# A few people don't have a virus scanner licence and so want to disable
# all the virus scanning.
# If you use a ruleset for this setting, then the mail will be scanned if
# *any* of the rules match (except the default). That way unscanned mail
# never reaches a user who is having their mail virus-scanned.
#
# If you want to be able to switch scanning on/off for different users or
# different domains, set this to the filename of a ruleset.
# This can also be the filename of a ruleset.
Virus Scanning = yes

# Which Virus Scanning package(s) to use:
# sophos from www.sophos.com
# sophossavi (also from www.sophos.com, using the SAVI perl module)
# mcafee from www.mcafee.com
# mcafee6 from www.mcafee.com (Version 6 and newer)
# command from www.command.co.uk
# bitdefender from www.bitdefender.com
# drweb from www.dials.ru/english/dsav_toolkit/drwebunix.htm
# kaspersky-4.5 from www.kaspersky.com (Version 4.5 and newer)
# kaspersky from www.kaspersky.com
# kavdaemonclient from www.kaspersky.com
# etrust from http://www3.ca.com/Solutions/Product.asp?ID=156
# inoculate from www.cai.com/products/inoculateit.htm
# inoculan from ftp.ca.com/pub/getbbs/linux.eng/inoctar.LINUX.Z
# nod32 for Nod32 before version 1.99 from www.nod32.com
# nod32-1.99 for Nod32 1.99 and later, from www.nod32.com
# f-secure from www.f-secure.com
# f-prot from www.f-prot.com
# f-prot-6 for F-Prot version 6 or later, from www.f-prot.com
# f-protd-6 for F-Prot version 6 or later "fpscand" daemon
# panda from www.pandasoftware.com
# rav from www.ravantivirus.com
# antivir from www.antivir.de
# clamav from www.clamav.net
# clamavmodule (also from www.clamav.net using the ClamAV perl module)
# clamd (also from www.clamav.net using the clamd daemon)
#     *Note: read the comments above the "Incoming Work Group" setting*,
# or
# trend from www.trendmicro.com
# norman from www.norman.de
# css from www.symantec.com
# avg from www.grisoft.com
# vexira from www.centralcommand.com
# symscanengine from www.symantec.com (Symantec Scan Engine, not CSS)
# avast from www.avast.com
# avastd (also from www.avast.com and relies on avastd to be configured
#     [read 'man avastd.conf'] and running)
# esets from www.eset.com
# vba32 from www.anti-virus.by/en/
# generic One you wrote: edit the generic-wrapper and generic-autoupdate
#     to fit your own needs. The output spec is in generic-wrapper, or
# none No virus scanning at all.
#
# Note for McAfee users: do not use any symlinks with McAfee at all. It is
#     very strange but may not detect all viruses when
#     started from a symlink or scanning a directory path
#     including symlinks.
#
# Note: If you want to use multiple virus scanners, then this should be a
#     space-separated list of virus scanners. For example:
#     Virus Scanners = sophos f-prot mcafee
#
# Note: Make sure that you check that the base installation directory in the
#     3rd column of virus.scanners.conf matches the location you have
#     installed each of your virus scanners. The supplied
#     virus.scanners.conf file assumes the default installation locations
#     recommended by each of the virus scanner installation guides.
#
# Note: If you specify "auto" then MailScanner will search for all the
#     scanners you have installed and will use all of them. If you really
#     want none, then specify "none".
#
# This *cannot* be the filename of a ruleset.
Virus Scanners = clamav

# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
Virus Scanner Timeout = 300

# Should I attempt to disinfect infected attachments and then deliver
# the clean ones. "Disinfection" involves removing viruses from files
# (such as removing macro viruses from documents). "Cleaning" is the
# replacement of infected attachments with "VirusWarning.txt" text
# attachments.
# Less than 1% of viruses in the wild can be successfully disinfected,
# as macro viruses are now a rare occurrence. So the default has been
# changed to "no" as it gives a significant performance improvement.
#
# This can also be the filename of a ruleset.
Deliver Disinfected Files = no

# Strings listed here will be searched for in the output of the virus scanners.
# It is used to list which viruses should be handled differently from other
# viruses. If a virus name is given here, then
# 1) The sender will not be warned that he sent it
# 2) No attempt at true disinfection will take place
#    (but it will still be "cleaned" by removing the nasty attachments
#    from the message)
# 3) The recipient will not receive the message,
#    unless the "Still Deliver Silent Viruses" option is set
# Other words that can be put in this list are the 5 special keywords
# HTML-IFrame : inserting this will stop senders being warned about
#     HTML Iframe tags, when they are not allowed.
# HTML-Codebase : inserting this will stop senders being warned about
#     HTML Object Codebase/Data tags, when they are not allowed.
# HTML-Script : inserting this will stop senders being warned about
#     HTML Script tags, when they are not allowed.
# HTML-Form : inserting this will stop senders being warned about
#     HTML Form tags, when they are not allowed.
# Zip-Password : inserting this will stop senders being warned about
#     password-protected zip files, when they are not allowed.
#     This keyword is not needed if you include All-Viruses.
# All-Viruses : inserting this will stop senders being warned about
#     any virus, while still allowing you to warn senders
#     about HTML-based attacks. This includes Zip-Password
#     so you don't need to include both.
#
# The default of "All-Viruses" means that no senders of viruses will be
# notified (as the sender address is always forged these days anyway),
# but anyone who sends a message that is blocked for other reasons will
# still be notified.
#
# This can also be the filename of a ruleset.
Silent Viruses = HTML-IFrame All-Viruses

# Still deliver (after cleaning) messages that contained viruses listed
# in the above option ("Silent Viruses") to the recipient?
# Setting this to "yes" is good when you are testing everything, and
# because it shows management that MailScanner is protecting them,
# but it is bad because they have to filter/delete all the incoming virus
# warnings.
#
# Note: Once you have deployed this into "production" use, you should set
# Note: this option to "no" so you don't bombard thousands of people with
# Note: useless messages they don't want!
#
# This can also be the filename of a ruleset.
Still Deliver Silent Viruses = no

# Strings listed here will be searched for in the output of the virus scanners.
# It works to achieve the opposite effect of the "Silent Viruses" listed above.
# If a string here is found in the output of the virus scanners, then the
# message will be treated as if it were not infected with a "Silent Virus".
# If a message is detected as both a silent virus and a non-forging virus,
# then the ___non-forging status will override the silent status.___
# In simple terms, you should list virus names (or parts of them) that you
# know do *not* forge the From address.
# A good example of this is a document macro virus or a Joke program.
# Another word that can be put in this list is the special keyword
# Zip-Password : inserting this will cause senders to be warned about
#     password-protected zip files, when they are not allowed.
#     This will over-ride the All-Viruses setting in the list
#     of "Silent Viruses" above.
#
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar

# Some virus scanners now use their signatures to detect spam as well as
# viruses. These "viruses" are called "spam-viruses". When they are found
# the following header will be added to your message before it is passed to
# SpamAssassin, listing all the "spam-viruses" that were found as a comma-
# separated list.
# This can also be the filename of a ruleset.
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

# This defines which virus reports from your virus scanners are really the
# names of "spam-viruses" as described in the "Spam-Virus Header" section
# above. This is a space-separated list of strings which can contain "*"
# wildcards to mean "any string of characters", and which will match the
# whole name of the virus reported by your virus scanner. So for example
# "HTML/*" will match all virus names which start with the string "HTML/".
# The supplied example is suitable for F-Prot6 and the SaneSecurity
# databases for ClamAV. The test is case-sensitive.
# This cannot be a ruleset, it must be a simple value as described.
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*

# Should encrypted messages be blocked?
# This is useful if you are wary about your users sending encrypted
# messages to your competition.
# This can be a ruleset so you can block encrypted message to certain domains.
Block Encrypted Messages = no

# Should unencrypted messages be blocked?
# This could be used to ensure all your users send messages outside your
# company encrypted to avoid snooping of mail to your business partners.
# This can be a ruleset so you can just check mail to certain users/domains.
Block Unencrypted Messages = no

# Should archives which contain any password-protected files be allowed?
# Leaving this set to "no" is a good way of protecting against all the
# protected zip files used by viruses at the moment.
# This can also be the filename of a ruleset.
Allow Password-Protected Archives = no

# Normally, you can still get the filenames out of a password-protected
# archive, despite the encryption. So by default filename checks are still
# done on these files. However, some people want to suppress this checking
# as they allow a few people to receive password-protected archives that
# contain things such as .exe's as part of their business needs. This option
# can be used to suppress filename checks inside password-protected archives.
# This can also be the filename of a ruleset.
Check Filenames In Password-Protected Archives = yes

#
# Options specific to Sophos Anti-Virus
# -------------------------------------
#

# Anything on the next line that appears in brackets at the end of a line
# of output from Sophos will cause the error/infection to be ignored.
# Use of this option is dangerous, and should only be used if you are having
# trouble with lots of corrupt PDF files, for example.
# If you need to specify more than 1 string to find in the error message,
# then put each string in quotes and separate them with a comma.
# For example:
#Allowed Sophos Error Messages = "corrupt", "format not supported", "File was encrypted", "The main body of virus data is out of date", "Password protected file"
Allowed Sophos Error Messages =

# The directory (or a link to it) containing all the Sophos *.ide files.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos IDE Dir = /usr/local/Sophos/ide

# The directory (or a link to it) containing all the Sophos *.so libraries.
# This is only used by the "sophossavi" virus scanner, and is irrelevant
# for all other scanners.
Sophos Lib Dir = /usr/local/Sophos/lib

# SophosSAVI only: monitor each of these files for changes in size to
# detect when a Sophos update has happened. The date of the Sophos Lib Dir
# is also monitored.
# This is only used by the "sophossavi" virus scanner, not the "sophos"
# scanner setting.
Monitors For Sophos Updates = /usr/local/Sophos/ide/*ides.zip

#
# Options specific to ClamAV Anti-Virus
# -------------------------------------
#

# ClamAVModule only: monitor each of these files for changes in size to
# detect when a ClamAV update has happened.
# This is only used by the "clamavmodule" virus scanner, not the "clamav"
# scanner setting.
Monitors For ClamAV Updates = /var/clamav/*.cvd

# ClamAVModule only: set limits when scanning for viruses.
#
# The maximum recursion level of archives,
# The maximum number of files per batch,
# The maximum size of each file,
# The maximum compression ratio of archive.
# These settings *cannot* be the filename of a ruleset, only a simple number.
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250

# Clamd only: configuration options for using the clamd daemon.
# 1. The port to use when communicating with clamd via TCP connection
# 2. The Socket, or IP to use for communicating with the clamd Daemon.
#    You enter either the full path to the UNIX socket file or the IP
#    address the daemon is listening on.
# 3. The ClamD Lock file should be created by clamd init script in most
#    cases. If it is not then the entry should be blank.
# 4. If MailScanner is running on a system with more than 1 CPU core (or
#    more than 1 CPU) then you can set "Clamd Use Threads" to "yes" to
#    speed up the scanning, otherwise there is no advantage and it should
#    be set to "no".
#
# None of these options can be the filenames of rulesets, they must be just
# simple values.
Clamd Port = 3310
Clamd Socket = /tmp/clamd.socket
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no

# There are now sets of signatures available from places such as
# www.sanesecurity.co.uk which use ClamAV to detect spam. Some of these
# signatures rely on being passed the whole message as one file. By setting
# this option to "yes", each entire message is written out to the scanning
# area, thus enabling these signatures to work reliably.
# It has a slight speed impact but is worth it for the extra spam-spotting
# ability.
#
# This option cannot be the filename of a ruleset, it must be "yes" or "no".
ClamAV Full Message Scan = yes

#
# Options specific to F-Protd-6 Anti-Virus
# ----------------------------------------
#

# This is the port number used by the local fpscand daemon. 10200 is the
# default value used by the F-Prot 6 installation program, and so should
# be correct.
# This option cannot be the filename of a ruleset, it must be a number.
Fpscand Port = 10200

#
# Removing/Logging dangerous or potentially offensive content
# -----------------------------------------------------------
#

# Do you want to scan the messages for potentially dangerous content?
# Setting this to "no" will disable all the content-based checks except
# Virus Scanning, Allow Partial Messages and Allow External Message Bodies.
# This can also be the filename of a ruleset.
Dangerous Content Scanning = yes

# Do you want to allow partial messages, which only contain a fraction of
# the attachments, not the whole thing? There is absolutely no way to
# scan these "partial messages" properly for viruses, as MailScanner never
# sees all of the attachment at the same time. Enabling this option can
# allow viruses through. You have been warned.
# This can also be the filename of a ruleset so you can, for example, allow
# them in outgoing mail but not in incoming mail.
Allow Partial Messages = no

# Do you want to allow messages whose body is stored somewhere else on the
# internet, which is downloaded separately by the user's email package?
# There is no way to guarantee that the file fetched by the user's email
# package is free from viruses, as MailScanner never sees it.
# This feature is dangerous as it can allow viruses to be fetched from
# other Internet sites by a user's email package. The user would just
# think it was a normal email attachment and would have been scanned by
# MailScanner.
# It is only currently supported by Netscape 6 anyway, and the only people
# who use it are the IETF. So I would strongly advise leaving this switched off.
# This can also be the filename of a ruleset.
Allow External Message Bodies = no

# Do you want to check for "Phishing" attacks?
# These are attacks that look like a genuine email message from your bank,
# which contain a link to click on to take you to the web site where you
# will be asked to type in personal information such as your account number
# or credit card details.
# Except it is not the real bank's web site at all, it is a very good copy
# of it run by thieves who want to steal your personal information or
# credit card details.
# These can be spotted because the real address of the link in the message
# is not the same as the text that appears to be the link.
# Note: This does cause extra load, particularly on systems receiving lots
#       of spam such as secondary MX hosts.
# This can also be the filename of a ruleset.
Find Phishing Fraud = yes

# While detecting "Phishing" attacks, do you also want to point out links
# to numeric IP addresses. Genuine links to totally numeric IP addresses
# are very rare, so this option is set to "yes" by default. If a numeric
# IP address is found in a link, the same phishing warning message is used
# as in the Find Phishing Fraud option above.
# This can also be the filename of a ruleset.
Also Find Numeric Phishing = yes

# If this is set to yes, then most of the URL in a link must match the
# destination address it claims to take you to. This is the default as it is
# a much stronger test and is very hard to maliciously avoid.
# If this is set to no, then just the company name and country (and any
# names between the two, dependent on the specific country) must match.
# This is not as strict as it will not protect you against internal
# malicious sites based within the company being abused. For example, it would
# not find www.nasty.company-name.co.uk pretending to be
# www.nice.company-name.co.uk. But it will still detect most phishing attacks
# of the type www.nasty.co.jp versus www.nice.co.jp.
# Depending on the country code it knows how many levels of domain need to
# be checked.
# This can also be the filename of a ruleset.
Use Stricter Phishing Net = yes

# If a phishing fraud is detected, do you want to highlight the tag with
# a message stating that the link may be to a fraudulent web site.
# This can also be the filename of a ruleset.
Highlight Phishing Fraud = yes

# There are some companies, such as banks, that insist on sending out
# email messages with links in them that are caught by the "Find Phishing
# Fraud" test described above.
# This is a space-separated list of the names of files which contain a
# list of link destinations which should be ignored in the test. This may,
# for example, contain the known websites of some banks.
# See the file itself for more information.
# This can only be the names of the files containing the list, it *cannot*
# be the filename of a ruleset.
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf

# As an opposite to the "safe" list above, there is also a live continuously-
# updated list of known bad sites, which will always trigger the "Find
# Phishing Fraud" test described above.
# This is a space-separated list of the names of files which contain
# a list of link destinations which should always trigger the test. This
# file should be updated hourly.
# This can only be the name of the file containing the list, it *cannot*
# be the filename of a ruleset.
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf

# This file lists all the countries that use 2nd-level and 3rd-level
# domain names to classify distinct types of website within their country.
# This cannot be the name of a ruleset, it is just a simple setting.
Country Sub-Domains List = %etc-dir%/country.domains.conf

# Do you want to allow