From jancarel.putter at gmail.com Thu Jul 1 13:27:34 2010
From: jancarel.putter at gmail.com (JC Putter)
Date: Thu Jul 1 13:27:45 2010
Subject: Mailscanner Phishing Warning
Message-ID:

Hi,

Is it possible to change the Mailscanner phishing warnings text ?

From raubvogel at gmail.com Thu Jul 1 14:17:00 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Thu Jul 1 14:17:13 2010
Subject: Mailscanner Phishing Warning
In-Reply-To:
References:
Message-ID:

On Thu, Jul 1, 2010 at 8:27 AM, JC Putter wrote:
> Hi,
>
> Is it possible to change the Mailscanner phishing warnings text ?

You mean besides the warning text messages defined in Mailscanner.conf?

> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From jancarel.putter at gmail.com Thu Jul 1 14:20:52 2010
From: jancarel.putter at gmail.com (JC Putter)
Date: Thu Jul 1 14:21:06 2010
Subject: Mailscanner Phishing Warning
In-Reply-To:
References:
Message-ID: <1242510913-1277990453-cardhu_decombobulator_blackberry.rim.net-1652005588-@bda108.bisx.produk.on.blackberry>

Yes I mean the red text displayed
Sent via BlackBerry

From peter.ong at hypermediasystems.com Thu Jul 1 14:52:18 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Thu Jul 1 14:52:29 2010
Subject: Mailscanner Phishing Warning
In-Reply-To: <1242510913-1277990453-cardhu_decombobulator_blackberry.rim.net-1652005588-@bda108.bisx.produk.on.blackberry>
Message-ID: <1675256259.53883.1277992338478.JavaMail.root@mail021.dti>

Hehehehe.

From jancarel.putter at gmail.com Thu Jul 1 15:47:23 2010
From: jancarel.putter at gmail.com (JC Putter)
Date: Thu Jul 1 15:47:36 2010
Subject: Mailscanner Phishing Warning
In-Reply-To: <1675256259.53883.1277992338478.JavaMail.root@mail021.dti>
References: <1242510913-1277990453-cardhu_decombobulator_blackberry.rim.net-1652005588-@bda108.bisx.produk.on.blackberry><1675256259.53883.1277992338478.JavaMail.root@mail021.dti>
Message-ID: <1809865821-1277995644-cardhu_decombobulator_blackberry.rim.net-1194520862-@bda108.bisx.produk.on.blackberry>

Lovely I just made myself look like a fool...
Sent via BlackBerry

From raubvogel at gmail.com Thu Jul 1 16:06:41 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Thu Jul 1 16:06:49 2010
Subject: Mailscanner Phishing Warning
In-Reply-To: <1809865821-1277995644-cardhu_decombobulator_blackberry.rim.net-1194520862-@bda108.bisx.produk.on.blackberry>
References: <1242510913-1277990453-cardhu_decombobulator_blackberry.rim.net-1652005588-@bda108.bisx.produk.on.blackberry> <1675256259.53883.1277992338478.JavaMail.root@mail021.dti> <1809865821-1277995644-cardhu_decombobulator_blackberry.rim.net-1194520862-@bda108.bisx.produk.on.blackberry>
Message-ID:

On Thu, Jul 1, 2010 at 10:47 AM, JC Putter wrote:
> Lovely I just made myself look like a fool...
>

Heh, if you wake up really early and work hard enough, you might get to *my* level of foolishness. Sometimes I scare myself... and that does not include me staring at the mirror in the morning.

From peter.ong at hypermediasystems.com Thu Jul 1 16:21:48 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Thu Jul 1 16:21:58 2010
Subject: Mailscanner Phishing Warning
In-Reply-To:
Message-ID: <413177025.54013.1277997708677.JavaMail.root@mail021.dti>

This kind of comedy is soup for the IT soul. It's subtle, understated, yet clever.

There are three kinds of people in this world:

1. Those who can count
2. and those who can't.

p

From peter at farrows.org Thu Jul 1 19:30:28 2010
From: peter at farrows.org (Peter Farrow)
Date: Thu Jul 1 19:30:39 2010
Subject: Mailscanner Phishing Warning
In-Reply-To: <1809865821-1277995644-cardhu_decombobulator_blackberry.rim.net-1194520862-@bda108.bisx.produk.on.blackberry>
References: <1242510913-1277990453-cardhu_decombobulator_blackberry.rim.net-1652005588-@bda108.bisx.produk.on.blackberry><1675256259.53883.1277992338478.JavaMail.root@mail021.dti> <1809865821-1277995644-cardhu_decombobulator_blackberry.rim.net-1194520862-@bda108.bisx.produk.on.blackberry>
Message-ID: <4C2CDEC4.5030608@farrows.org>

We can forgive you, after all you still have "Sent via BlackBerry " as a signature...

;-)

On 01/07/2010 15:47, JC Putter wrote:
> Lovely I just made myself look like a fool...
>
> Sent via BlackBerry

From J.Ede at birchenallhowden.co.uk Thu Jul 1 19:55:58 2010
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Thu Jul 1 19:56:27 2010
Subject: Mailscanner Phishing Warning
In-Reply-To: <4C2CDEC4.5030608@farrows.org>
References: <1242510913-1277990453-cardhu_decombobulator_blackberry.rim.net-1652005588-@bda108.bisx.produk.on.blackberry><1675256259.53883.1277992338478.JavaMail.root@mail021.dti> <1809865821-1277995644-cardhu_decombobulator_blackberry.rim.net-1194520862-@bda108.bisx.produk.on.blackberry> <4C2CDEC4.5030608@farrows.org>
Message-ID: <1213490F1F316842A544A850422BFA96408493D12C@BHLSBS.bhl.local>

There was me thinking that was the unforgiveable sin... ;)

From jwin at senegence.com Thu Jul 1 22:21:20 2010
From: jwin at senegence.com (John Win)
Date: Thu Jul 1 22:23:27 2010
Subject: retrieving quarantine spam
Message-ID:

Could someone point me in the right direction on how to retrieve or release spam from quarantine?
I don't have MailWatch yet, so just looking for a way to manually retrieve into a mail client.

I tried cat ./Mailscanner/quarantine/spam/20100701/* >> ./mail/user
But my mail client doesn't seem to recognize it.

Thank you all in advance,

My quarantine setup is as below..

Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no

------------------------
Mailscanner 4.79.11-1
Spamassassin 3.3.1-2
Sendmail 8.14.3
Dovecot 1.2.11-3
-------------------------

Sincerely,

John Win

From alex at rtpty.com Thu Jul 1 22:33:35 2010
From: alex at rtpty.com (Alex Neuman)
Date: Thu Jul 1 22:33:50 2010
Subject: retrieving quarantine spam
Message-ID: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry>

Try "formail -s sendmail -v user < message"

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From jwin at senegence.com Thu Jul 1 23:06:33 2010
From: jwin at senegence.com (John Win)
Date: Thu Jul 1 23:08:40 2010
Subject: retrieving quarantine spam
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry>
Message-ID:

Alex,
That sent the message through the spam filter again so it created another quarantine message. It didn't reach the user mailbox.

Sincerely,

John Win

From doc at maddoc.net Thu Jul 1 23:12:56 2010
From: doc at maddoc.net (Doc Schneider)
Date: Thu Jul 1 23:13:07 2010
Subject: retrieving quarantine spam
In-Reply-To:
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry>
Message-ID: <4C2D12E8.1050903@maddoc.net>

I use this all the time.

sendmail -toi < whatevernameis

Can include the full path to it or cd to where it is.

-Doc

John Win wrote:
> Alex,
> That sent the message through the spam filter again so it created another
> quarantine message. It didn't reach the user mailbox.
>
> Sincerely,
>
> John Win

--
-Doc
Lincoln, NE.
http://www.fsl.com/
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From alex at rtpty.com Thu Jul 1 23:16:27 2010
From: alex at rtpty.com (Alex Neuman)
Date: Thu Jul 1 23:16:43 2010
Subject: retrieving quarantine spam
In-Reply-To:
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry>
Message-ID: <1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry>

You need to create a rule so that messages sent from localhost don't get scanned. One problem with this might be that if you have web forms or webmail those messages won't be scanned.

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From noel.butler at ausics.net Thu Jul 1 23:39:05 2010
From: noel.butler at ausics.net (Noel Butler)
Date: Thu Jul 1 23:39:23 2010
Subject: MailScanner Bug - Privacy Advisory
Message-ID: <1278023945.7521.30.camel@tardis>

Directed at: Those using : Inline Spam Warning, %report-dir%/inline.spam.warning.txt
Date first reported: May 17, 2010 (noticed one month earlier, delayed reporting in case kernel.org messed up)
Date subsequently reported: June 11, 2010
Initial response: June 12, 2010
Response update: June 12, 2010
Acknowledgment: none received
Severity: Moderate (IMO)

Summary:
"inline spam warning" report to multiple recipients, displays all recipients in the warning message that are sent to all users.

Description:
This lets other users know not only who else may exist on the system, but also on, for example this mailing list. This must be a failure of the privacy mechanism.
Message headers in each delivered message received by the recipient (verified by my own and one other recipient of that list who was kind enough to forward full headers,) do not include the other envelope recipients, it is only contained in the MailScanner generated message.

Example:

Dear user1@domain, user2@domain, user3@domain , ...
(This message yielded 7 addresses in the Dear ... field all up in the one I personally got)

MailScanner believes the attached message which was sent to you,

>From : linux-kernel-announce-owner@removed (but I'm sure most here are smart enough to know the domain)
...
(nothing else is relevant so is not included)

I am posting this to make those using the same method aware of this privacy issue given no action has been taken (yes, I read the changelog, I have been keeping an eye on it often)

From alex at rtpty.com Thu Jul 1 23:46:29 2010
From: alex at rtpty.com (Alex Neuman) Date: Thu Jul 1 23:46:58 2010 Subject: MailScanner Bug - Privacy Advisory In-Reply-To: <1278023945.7521.30.camel@tardis> References: <1278023945.7521.30.camel@tardis> Message-ID: <1601112609-1278024401-cardhu_decombobulator_blackberry.rim.net-1887924672-@bda942.bisx.prod.on.blackberry> Can this be reproduced if you split recipients at the mta? -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Noel Butler Sender: mailscanner-bounces@lists.mailscanner.info Date: Fri, 02 Jul 2010 08:39:05 To: MailScanner discussion Reply-To: MailScanner discussion Subject: MailScanner Bug - Privacy Advisory -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ka at pacific.net Fri Jul 2 15:41:04 2010 From: ka at pacific.net (Ken A) Date: Fri Jul 2 15:42:51 2010 Subject: retrieving quarantine spam In-Reply-To: References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry> Message-ID: <4C2DFA80.3020709@pacific.net> You can just copy the qf* df* from your quarantine to your outgoing queue to avoid rescanning. You'll have to change Quarantine Whole Messages As Queue Files = yes for this to work though.. Ken On 7/1/2010 5:06 PM, John Win wrote: > Alex, > That sent the message through the spam filter again so it created another > quarantine message. It didn't reach the user mailbox. > > Sincerely, > > John Win > > > > -----Original Message----- > From: Alex Neuman [mailto:alex@rtpty.com] > Sent: Thursday, July 01, 2010 2:34 PM > To: MailScanner discussion > Subject: Re: retrieving quarantine spam > > Try "formail -s sendmail -v user< message" > ------Original Message------ 
> From: John Win
> Sender: mailscanner-bounces@lists.mailscanner.info
> To: MailScanner discussion
> ReplyTo: MailScanner discussion
> Subject: retrieving quarantine spam
> Sent: Jul 1, 2010 4:21 PM
>
> Could someone point me into right direction on how to retrieve or release
> spam from quarantine?
> I don't have MailWatch yet, so just looking for a way to manually retrieve
> into a mail client.
>
> I tried cat ./Mailscanner/quarantine/spam/20100701/*>> ./mail/user
> But my mail client doesn't seem to recognize it.
>
> Thank you all in advance,
>
>
> My quarantine setup is as below..
>
> Quarantine User =
> Quarantine Group =
> Quarantine Permissions = 0600
> Quarantine Infections = yes
> Quarantine Silent Viruses = no
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
>
>
> ------------------------
> Mailscanner 4.79.11-1
> Spamassassin 3.3.1-2
> Sendmail 8.14.3
> Dovecot 1.2.11-3
> -------------------------
>
> Sincerely,
>
> John Win
>
>
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From alex at rtpty.com Fri Jul 2 16:06:14 2010
From: alex at rtpty.com (Alex Neuman)
Date: Fri Jul 2 16:06:27 2010
Subject: retrieving quarantine spam
In-Reply-To: <4C2DFA80.3020709@pacific.net>
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry><4C2DFA80.3020709@pacific.net>
Message-ID: <1591482076-1278083175-cardhu_decombobulator_blackberry.rim.net-1884232578-@bda942.bisx.prod.on.blackberry>

I for one like to keep the quarantine messages in rfc822 format for the convenience, but that's another valid form.
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Ken A
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Fri, 02 Jul 2010 09:41:04
To:
Reply-To: MailScanner discussion
Subject: Re: retrieving quarantine spam

You can just copy the qf* df* from your quarantine to your outgoing queue to avoid rescanning. You'll have to change
Quarantine Whole Messages As Queue Files = yes
for this to work though..

Ken

On 7/1/2010 5:06 PM, John Win wrote:
> Alex,
> That sent the message through the spam filter again so it created another
> quarantine message. It didn't reach the user mailbox.
>
> Sincerely,
>
> John Win
>
>
>
> -----Original Message-----
> From: Alex Neuman [mailto:alex@rtpty.com]
> Sent: Thursday, July 01, 2010 2:34 PM
> To: MailScanner discussion
> Subject: Re: retrieving quarantine spam
>
> Try "formail -s sendmail -v user< message"
> ------Original Message------
> From: John Win
> Sender: mailscanner-bounces@lists.mailscanner.info
> To: MailScanner discussion
> ReplyTo: MailScanner discussion
> Subject: retrieving quarantine spam
> Sent: Jul 1, 2010 4:21 PM
>
> Could someone point me into right direction on how to retrieve or release
> spam from quarantine?
> I don't have MailWatch yet, so just looking for a way to manually retrieve
> into a mail client.
>
> I tried cat ./Mailscanner/quarantine/spam/20100701/*>> ./mail/user
> But my mail client doesn't seem to recognize it.
>
> Thank you all in advance,
>
>
> My quarantine setup is as below..
>
> Quarantine User =
> Quarantine Group =
> Quarantine Permissions = 0600
> Quarantine Infections = yes
> Quarantine Silent Viruses = no
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
>
>
> ------------------------
> Mailscanner 4.79.11-1
> Spamassassin 3.3.1-2
> Sendmail 8.14.3
> Dovecot 1.2.11-3
> -------------------------
>
> Sincerely,
>
> John Win
>
>
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From MailScanner at ecs.soton.ac.uk Fri Jul 2 16:24:15 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 2 16:24:31 2010
Subject: MailScanner Bug - Privacy Advisory
In-Reply-To: <1278023945.7521.30.camel@tardis>
References: <1278023945.7521.30.camel@tardis> <4C2E049F.2090601@ecs.soton.ac.uk>
Message-ID:

This only occurs if you choose to use the "$to" variable in your inline.spam.warning.txt.
It is not present in the default templates I ship.

I would therefore suggest 2 things:
1. You remove the "Dear $to" line from your own inline.spam.warning.txt report file.
2. I remove "$to" from the list of available variables which can be used in that report file.

How about it?

Jules.

On 01/07/2010 23:39, Noel Butler wrote:
> Directed at: Those using : Inline Spam Warning,
> %report-dir%/inline.spam.warning.txt
>
> Date first reported: May 17, 2010 (noticed one
> month earlier, delayed reporting in case kernel.org messed up)
> Date subsequently reported: June 11, 2010
> Initial response June 12, 2010
> Response update June 12, 2010
> Acknowledgment none received
>
> Severity: Moderate (IMO)
>
> Summary: "inline spam warning" report to multiple recipients,
> displays all recipients in the warning message that are sent to all users.
>
> Description: This lets other users know not only who else may exist
> on the system, but also on, for example this mailing list.
> This must be a failure of the privacy mechanism.
> Message headers in each delivered message received by the recipient
> (verified by my own and one other recipient of that list who was kind
> enough to forward full headers,) do not include the other envelope
> recipients, it is only contained in the MailScanner generated message.
>
>
>
> Example:
>
> Dear user1@domain, user2@domain, user3@domain , ...
> (This message yielded 7 addresses in the Dear ...
> field all up in the
> one I personally got)
>
> MailScanner believes the attached message which was sent to you,
> From : linux-kernel-announce-owner@removed
> (but I'm sure most here
> are smart enough to know the domain)
>
> ... (nothing else is relevant so is not included)
>
>
>
> I am posting this to make those using the same method aware of this
> privacy issue given no action has been taken (yes, I read the
> changelog, I have been keeping an eye on it often)
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Jul 2 16:25:55 2010
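An audit for the `$to` exposure discussed in the Privacy Advisory thread, as an added example that is not part of any post or of MailScanner itself: it finds `$to` in `inline.spam.warning.txt` templates under a report directory and, using a simplified model of the expansion shown in the advisory (`$to` becoming the comma-separated recipient list), lists which other addresses each recipient would see. The addresses, the `en`/`de` directory names, the template text beyond the wording quoted in the advisory, and the `${to}` brace form are assumptions.

```python
"""Audit MailScanner report templates for the $to variable (added example)."""
import re
import sys
import tempfile
from pathlib import Path
from string import Template

# $to as a whole variable name, not a prefix of a longer one such as $total.
# The ${to} brace form is matched as a precaution (assumption).
TO_VAR = re.compile(r"\$(?:to(?![A-Za-z0-9_])|\{to\})")

# Constructed template: the greeting and first sentence follow the wording
# quoted in the advisory; the rest is filler.
LEAKY_TEMPLATE = (
    "Dear $to,\n"
    "\n"
    "MailScanner believes the attached message which was sent to you\n"
    "is spam.\n"
)


def find_to_usage(report_dir, filename="inline.spam.warning.txt"):
    """Return (path, line number, line) for each use of $to in the named
    template, searching every subdirectory of report_dir."""
    hits = []
    for path in sorted(Path(report_dir).rglob(filename)):
        text = path.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), start=1):
            if TO_VAR.search(line):
                hits.append((str(path), number, line.strip()))
    return hits


def remove_to_lines(template_text):
    """Drop every line that uses $to (the first remedy suggested in the thread)."""
    kept = [ln for ln in template_text.splitlines() if not TO_VAR.search(ln)]
    return "\n".join(kept) + "\n"


def render(template_text, recipients):
    """Simplified model of the expansion reported in the advisory:
    $to becomes the comma-separated list of the message's recipients."""
    return Template(template_text).safe_substitute(to=", ".join(recipients))


def exposed_addresses(template_text, recipients):
    """Map each recipient to the other recipients visible in their warning."""
    body = render(template_text, recipients)
    return {r: [o for o in recipients if o != r and o in body]
            for r in recipients}


def demo():
    """Run the audit and the exposure model on constructed sample data."""
    recipients = ["user1@example.org", "user2@example.org", "user3@example.org"]
    fixed = remove_to_lines(LEAKY_TEMPLATE)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: one language directory per template copy.
        for lang, text in (("en", LEAKY_TEMPLATE), ("de", fixed)):
            lang_dir = Path(tmp) / lang
            lang_dir.mkdir()
            (lang_dir / "inline.spam.warning.txt").write_text(text, encoding="utf-8")
        hits = find_to_usage(tmp)
    return (hits,
            exposed_addresses(LEAKY_TEMPLATE, recipients),
            exposed_addresses(fixed, recipients))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the report directory, e.g. /etc/MailScanner/reports
        for path, number, line in find_to_usage(sys.argv[1]):
            print(f"{path}:{number}: {line}")
    else:
        hits, before, after = demo()
        for path, number, line in hits:
            print(f"uses $to -> {path}:{number}: {line}")
        print("visible to each recipient before:", before)
        print("visible to each recipient after: ", after)
```
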
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 2 16:26:15 2010
Subject: Mailscanner Phishing Warning
In-Reply-To:
References: <4C2E0503.7090501@ecs.soton.ac.uk>
Message-ID:

Look in your /etc/MailScanner/reports//languages.conf and you will find the settings for all the text strings used in everything MailScanner ever sends to a user.

So the short answer is "yes" :-)

Jules.

On 01/07/2010 13:27, JC Putter wrote:
> Hi,
> Is it possible to change the Mailscanner phishing warnings text ?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

From hvdkooij at vanderkooij.org Fri Jul 2 17:20:08 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Jul 2 17:20:19 2010
Subject: MailScanner Bug - Privacy Advisory
In-Reply-To:
References: <1278023945.7521.30.camel@tardis> <4C2E049F.2090601@ecs.soton.ac.uk>
Message-ID: <4C2E11B8.3030401@vanderkooij.org>

On 02/07/10 17:24, Julian Field wrote:
> This only occurs if you choose to use the "$to" variable in your
> inline.spam.warning.txt.
> It is not present in the default templates I ship.
>
> I would therefore suggest 2 things:
> 1. You remove the "Dear $to" line from your own inline.spam.warning.txt
> report file.
> 2. I remove "$to" from the list of available variables which can be used
> in that report file.

I suggest we keep the variable available.

The "privacy leakage" is a choice made by the administrator in this case.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From Kevin_Miller at ci.juneau.ak.us Fri Jul 2 17:35:20 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Jul 2 17:35:32 2010
Subject: MailScanner Bug - Privacy Advisory
In-Reply-To: <4E2E11B8.3030401@vanderkooij.org>
References: <1278023945.7521.30.camel@tardis> <4C2E049F.2090601@ecs.soton.ac.uk> <4C2E11B8.3030401@vanderkooij.org>
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D1859C@city-exchange07>

Hugo van der Kooij wrote:
> On 02/07/10 17:24, Julian Field wrote:
>> This only occurs if you choose to use the "$to" variable in your
>> inline.spam.warning.txt. It is not present in the default templates
>> I ship.
>>
>> I would therefore suggest 2 things:
>> 1. You remove the "Dear $to" line from your own
>> inline.spam.warning.txt report file.
>> 2. I remove "$to" from the list of available variables which can be
>> used in that report file.
>
> I suggest we keep the variable available.
>
> The "privacy leakage" is a choice made by the administrator in this
> case.
>
> Hugo.

I agree, given it's not the default...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From alex at rtpty.com Fri Jul 2 17:53:04 2010
From: alex at rtpty.com (Alex Neuman)
Date: Fri Jul 2 17:53:16 2010
Subject: MailScanner Bug - Privacy Advisory
In-Reply-To: <4A09477D575C2C4B86497161427DD94C15B0D1859C@city-exchange07>
References: <1278023945.7521.30.camel@tardis><4C2E049F.2090601@ecs.soton.ac.uk><4C2E11B8.3030401@vanderkooij.org><4A09477D575C2C4B86497161427DD94C15B0D1859C@city-exchange07>
Message-ID: <1075022668-1278089585-cardhu_decombobulator_blackberry.rim.net-1046989481-@bda942.bisx.prod.on.blackberry>

But does it show if there is "recipient split" going on at the mta?
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Kevin Miller
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Fri, 2 Jul 2010 08:35:20
To: 'MailScanner discussion'
Reply-To: MailScanner discussion
Subject: RE: MailScanner Bug - Privacy Advisory

Hugo van der Kooij wrote:
> On 02/07/10 17:24, Julian Field wrote:
>> This only occurs if you choose to use the "$to" variable in your
>> inline.spam.warning.txt. It is not present in the default templates
>> I ship.
>>
>> I would therefore suggest 2 things:
>> 1. You remove the "Dear $to" line from your own
>> inline.spam.warning.txt report file.
>> 2. I remove "$to" from the list of available variables which can be
>> used in that report file.
>
> I suggest we keep the variable available.
>
> The "privacy leakage" is a choice made by the administrator in this
> case.
>
> Hugo.

I agree, given it's not the default...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From jwin at senegence.com Fri Jul 2 19:20:27 2010
From: jwin at senegence.com (John Win)
Date: Fri Jul 2 19:22:38 2010
Subject: retrieving quarantine spam
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry> <1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry>
Message-ID:

Thanks Alex, I put the rule set for 127.0.01 in spam.whitelist.rules and works. It didn't work when I used the rule set scan.messages.rules though as I thought it would skip the spam test, maybe not.

(When you said webmail messages won't be scanned)
I have webmail clients but if it effects those users, it would be only for outgoing correct?

John

-----Original Message-----
From: Alex Neuman [mailto:alex@rtpty.com]
Sent: Thursday, July 01, 2010 3:16 PM
To: MailScanner discussion
Subject: Re: retrieving quarantine spam

You need to create a rule so that messages sent from localhost don't get scanned.

One problem with this might be that if you have web forms or webmail those messages won't be scanned.
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: "John Win"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 1 Jul 2010 15:06:33
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: RE: retrieving quarantine spam

Alex,
That sent the message through the spam filter again so it created another quarantine message. It didn't reach the user mailbox.

Sincerely,

John Win

-----Original Message-----
From: Alex Neuman [mailto:alex@rtpty.com]
Sent: Thursday, July 01, 2010 2:34 PM
To: MailScanner discussion
Subject: Re: retrieving quarantine spam

Try "formail -s sendmail -v user < message"
------Original Message------
From: John Win
Sender: mailscanner-bounces@lists.mailscanner.info
To: MailScanner discussion
ReplyTo: MailScanner discussion
Subject: retrieving quarantine spam
Sent: Jul 1, 2010 4:21 PM

Could someone point me into right direction on how to retrieve or release spam from quarantine?
I don't have MailWatch yet, so just looking for a way to manually retrieve into a mail client.

I tried cat ./Mailscanner/quarantine/spam/20100701/* >> ./mail/user
But my mail client doesn't seem to recognize it.

Thank you all in advance,

My quarantine setup is as below..

Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no

------------------------
Mailscanner 4.79.11-1
Spamassassin 3.3.1-2
Sendmail 8.14.3
Dovecot 1.2.11-3
-------------------------

Sincerely,

John Win

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From alex at rtpty.com Fri Jul 2 19:41:58 2010
From: alex at rtpty.com (Alex Neuman)
Date: Fri Jul 2 19:42:13 2010
Subject: retrieving quarantine spam
In-Reply-To:
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry><1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry>
Message-ID: <936174110-1278096120-cardhu_decombobulator_blackberry.rim.net-514663448-@bda942.bisx.prod.on.blackberry>

"Affects the users". Effect is what follows a cause. Affect means "to do something to". It's also "personal effects". Sorry about the spelling nazism but it's a pet peeve :)
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: "John Win"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Fri, 2 Jul 2010 11:20:27
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: RE: retrieving quarantine spam

Thanks Alex, I put the rule set for 127.0.01 in spam.whitelist.rules and works. It didn't work when I used the rule set scan.messages.rules though as I thought it would skip the spam test, maybe not.

(When you said webmail messages won't be scanned)
I have webmail clients but if it effects those users, it would be only for outgoing correct?

John

-----Original Message-----
From: Alex Neuman [mailto:alex@rtpty.com]
Sent: Thursday, July 01, 2010 3:16 PM
To: MailScanner discussion
Subject: Re: retrieving quarantine spam

You need to create a rule so that messages sent from localhost don't get scanned.

One problem with this might be that if you have web forms or webmail those messages won't be scanned.
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: "John Win"
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 1 Jul 2010 15:06:33
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: RE: retrieving quarantine spam

Alex,
That sent the message through the spam filter again so it created another quarantine message. It didn't reach the user mailbox.

Sincerely,

John Win

-----Original Message-----
From: Alex Neuman [mailto:alex@rtpty.com]
Sent: Thursday, July 01, 2010 2:34 PM
To: MailScanner discussion
Subject: Re: retrieving quarantine spam

Try "formail -s sendmail -v user < message"
------Original Message------
From: John Win
Sender: mailscanner-bounces@lists.mailscanner.info
To: MailScanner discussion
ReplyTo: MailScanner discussion
Subject: retrieving quarantine spam
Sent: Jul 1, 2010 4:21 PM

Could someone point me into right direction on how to retrieve or release spam from quarantine?
I don't have MailWatch yet, so just looking for a way to manually retrieve into a mail client.

I tried cat ./Mailscanner/quarantine/spam/20100701/* >> ./mail/user
But my mail client doesn't seem to recognize it.

Thank you all in advance,

My quarantine setup is as below..

Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no

------------------------
Mailscanner 4.79.11-1
Spamassassin 3.3.1-2
Sendmail 8.14.3
Dovecot 1.2.11-3
-------------------------

Sincerely,

John Win

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From peter.ong at hypermediasystems.com Fri Jul 2 20:12:32 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Fri Jul 2 20:12:43 2010
Subject: How to White List from MailScanner
In-Reply-To: <542660860.55094.1278097719019.JavaMail.root@mail021.dti>
Message-ID: <2085759284.55102.1278097952670.JavaMail.root@mail021.dti>

Hello Everyone,

How do I whitelist a server from MailScanner? Allow me to explain.

I know how to whitelist someone in postfix through the access table. I know how to whitelist someone from MailScanner's spamassassin through the rules/spam.whitelist.rules and similarly for the virus scanning. But MailScanner has a function where it disarms html tags like script, img, a, etc.

I can whitelist an address from spam, virus, and at the MTA, but how do I whitelist so that specific domains are not disarmed by MailScanner?

p

From ka at pacific.net Fri Jul 2 20:14:10 2010
From: ka at pacific.net (Ken A)
Date: Fri Jul 2 20:15:55 2010
Subject: retrieving quarantine spam
In-Reply-To: <936174110-1278096120-cardhu_decombobulator_blackberry.rim.net-514663448-@bda942.bisx.prod.on.blackberry>
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry><1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry> <936174110-1278096120-cardhu_decombobulator_blackberry.rim.net-514663448-@bda942.bisx.prod.on.blackberry>
Message-ID: <4C2E3A82.4060205@pacific.net>

wouldn't want your pet peeve to cause a change in your affect.
heh heh.. friday is here.

Ken

On 7/2/2010 1:41 PM, Alex Neuman wrote:
> "Affects the users". Effect is what follows a cause. Affect means "to do something to". It's also "personal effects". Sorry about the spelling nazism but it's a pet peeve :)
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: "John Win"
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Fri, 2 Jul 2010 11:20:27
> To: MailScanner discussion
> Reply-To: MailScanner discussion
> Subject: RE: retrieving quarantine spam
>
> Thanks Alex, I put the rule set for 127.0.01 in spam.whitelist.rules and
> works. It didn't work when I used the rule set scan.messages.rules though as
> I thought it would skip the spam test, maybe not.
>
> (When you said webmail messages won't be scanned)
> I have webmail clients but if it effects those users, it would be only for
> outgoing correct?
>
> John
>
> -----Original Message-----
> From: Alex Neuman [mailto:alex@rtpty.com]
> Sent: Thursday, July 01, 2010 3:16 PM
> To: MailScanner discussion
> Subject: Re: retrieving quarantine spam
>
> You need to create a rule so that messages sent from localhost don't get
> scanned.
>
> One problem with this might be that if you have web forms or webmail those
> messages won't be scanned.
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: "John Win"
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Thu, 1 Jul 2010 15:06:33
> To: MailScanner discussion
> Reply-To: MailScanner discussion
> Subject: RE: retrieving quarantine spam
>
> Alex,
> That sent the message through the spam filter again so it created another
> quarantine message. It didn't reach the user mailbox.
>
> Sincerely,
>
> John Win
>
>
>
> -----Original Message-----
> From: Alex Neuman [mailto:alex@rtpty.com]
> Sent: Thursday, July 01, 2010 2:34 PM
> To: MailScanner discussion
> Subject: Re: retrieving quarantine spam
>
> Try "formail -s sendmail -v user< message"
> ------Original Message------
> From: John Win
> Sender: mailscanner-bounces@lists.mailscanner.info
> To: MailScanner discussion
> ReplyTo: MailScanner discussion
> Subject: retrieving quarantine spam
> Sent: Jul 1, 2010 4:21 PM
>
> Could someone point me into right direction on how to retrieve or release
> spam from quarantine?
> I don't have MailWatch yet, so just looking for a way to manually retrieve
> into a mail client.
>
> I tried cat ./Mailscanner/quarantine/spam/20100701/*>> ./mail/user
> But my mail client doesn't seem to recognize it.
>
> Thank you all in advance,
>
>
> My quarantine setup is as below..
>
> Quarantine User =
> Quarantine Group =
> Quarantine Permissions = 0600
> Quarantine Infections = yes
> Quarantine Silent Viruses = no
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
>
>
> ------------------------
> Mailscanner 4.79.11-1
> Spamassassin 3.3.1-2
> Sendmail 8.14.3
> Dovecot 1.2.11-3
> -------------------------
>
> Sincerely,
>
> John Win
>
>
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From alex at rtpty.com Fri Jul 2 20:32:00 2010
From: alex at rtpty.com (Alex Neuman)
Date: Fri Jul 2 20:32:23 2010
Subject: retrieving quarantine spam
In-Reply-To: <4C2E3A82.4060205@pacific.net>
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry><1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry><936174110-1278096120-cardhu_decombobulator_blackberry.rim.net-514663448-@bda942.bisx.prod.on.blackberry><4C2E3A82.4060205@pacific.net>
Message-ID: <730964535-1278099123-cardhu_decombobulator_blackberry.rim.net-1448350549-@bda942.bisx.prod.on.blackberry>

You're absolutely right. We should be discussing more important subjects with our friends from across the pond, like whether beer should be served warm (yuck!) or ice cold (mmmm beer...)
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Ken A
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Fri, 02 Jul 2010 14:14:10
To:
Reply-To: MailScanner discussion
Subject: Re: retrieving quarantine spam

wouldn't want your pet peeve to cause a change in your affect.
heh heh.. friday is here.

Ken

On 7/2/2010 1:41 PM, Alex Neuman wrote:
> "Affects the users". Effect is what follows a cause. Affect means "to do something to". It's also "personal effects". Sorry about the spelling nazism but it's a pet peeve :)
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: "John Win"
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Fri, 2 Jul 2010 11:20:27
> To: MailScanner discussion
> Reply-To: MailScanner discussion
> Subject: RE: retrieving quarantine spam
>
> Thanks Alex, I put the rule set for 127.0.01 in spam.whitelist.rules and
> works. It didn't work when I used the rule set scan.messages.rules though as
> I thought it would skip the spam test, maybe not.
>
> (When you said webmail messages won't be scanned)
> I have webmail clients but if it effects those users, it would be only for
> outgoing correct?
>
> John
>
> -----Original Message-----
> From: Alex Neuman [mailto:alex@rtpty.com]
> Sent: Thursday, July 01, 2010 3:16 PM
> To: MailScanner discussion
> Subject: Re: retrieving quarantine spam
>
> You need to create a rule so that messages sent from localhost don't get
> scanned.
>
> One problem with this might be that if you have web forms or webmail those
> messages won't be scanned.
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: "John Win"
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Thu, 1 Jul 2010 15:06:33
> To: MailScanner discussion
> Reply-To: MailScanner discussion
> Subject: RE: retrieving quarantine spam
>
> Alex,
> That sent the message through the spam filter again so it created another
> quarantine message. It didn't reach the user mailbox.
>
> Sincerely,
>
> John Win
>
>
>
> -----Original Message-----
> From: Alex Neuman [mailto:alex@rtpty.com]
> Sent: Thursday, July 01, 2010 2:34 PM
> To: MailScanner discussion
> Subject: Re: retrieving quarantine spam
>
> Try "formail -s sendmail -v user< message"
> ------Original Message------
> From: John Win
> Sender: mailscanner-bounces@lists.mailscanner.info
> To: MailScanner discussion
> ReplyTo: MailScanner discussion
> Subject: retrieving quarantine spam
> Sent: Jul 1, 2010 4:21 PM
>
> Could someone point me into right direction on how to retrieve or release
> spam from quarantine?
> I don't have MailWatch yet, so just looking for a way to manually retrieve
> into a mail client.
>
> I tried cat ./Mailscanner/quarantine/spam/20100701/*>> ./mail/user
> But my mail client doesn't seem to recognize it.
>
> Thank you all in advance,
>
>
> My quarantine setup is as below..
>
> Quarantine User =
> Quarantine Group =
> Quarantine Permissions = 0600
> Quarantine Infections = yes
> Quarantine Silent Viruses = no
> Quarantine Modified Body = no
> Quarantine Whole Message = yes
> Quarantine Whole Messages As Queue Files = no
>
>
> ------------------------
> Mailscanner 4.79.11-1
> Spamassassin 3.3.1-2
> Sendmail 8.14.3
> Dovecot 1.2.11-3
> -------------------------
>
> Sincerely,
>
> John Win
>
>
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
>

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From Kevin_Miller at ci.juneau.ak.us Fri Jul 2 22:51:58 2010
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Jul 2 22:52:11 2010
Subject: retrieving quarantine spam
In-Reply-To: <730964535-1278099123-cardhu_decombobulator_blackberry.rim.net-1448350549-@bda942.bisx.prod.on.blackberry>
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry><1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry><936174110-1278096120-cardhu_decombobulator_blackberry.rim.net-514663448-@bda942.bisx.prod.on.blackberry><4C2E3A82.4060205@pacific.net> <730964535-1278099123-cardhu_decombobulator_blackberry.rim.net-1448350549-@bda942.bisx.prod.on.blackberry>
Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D185A1@city-exchange07>

Alex Neuman wrote:
> You're absolutely right. We should be discussing more important
> subjects with our friends from across the pond, like whether beer
> should be served warm (yuck!) or ice cold (mmmm beer...)

That's right. If the British had served cold beer in 1776 the American Revolution would never have happened...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From peter.ong at hypermediasystems.com Fri Jul 2 23:21:28 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Fri Jul 2 23:21:38 2010
Subject: How to White List from MailScanner
In-Reply-To: <2085759284.55102.1278097952670.JavaMail.root@mail021.dti>
Message-ID: <1566770933.55170.1278109288247.JavaMail.root@mail021.dti>

Gee, why do I never get any love for my questions?

p

----- Original Message -----
> From: "Peter Ong"
> To: "mailscanner"
> Sent: Friday, July 2, 2010 12:12:32 PM
> Subject: How to White List from MailScanner
>
> Hello Everyone,
>
> How do I whitelist a server from MailScanner? Allow me to explain.
>
> I know how to whitelist someone in postfix through the access table. I
> know how to whitelist someone from MailScanner's spamassassin through
> the rules/spam.whitelist.rules and similarly for the virus scanning.
> But MailScanner has a function where it disarms html tags like script,
> img, a, etc.
>
> I can whitelist an address from spam, virus, and at the MTA, but how
> do I whitelist so that specific domains are not disarmed by
> MailScanner?
>
> p

From bonivart at opencsw.org Fri Jul 2 23:45:38 2010
From: bonivart at opencsw.org (Peter Bonivart)
Date: Fri Jul 2 23:46:07 2010
Subject: How to White List from MailScanner
In-Reply-To: <1566770933.55170.1278109288247.JavaMail.root@mail021.dti>
References: <2085759284.55102.1278097952670.JavaMail.root@mail021.dti> <1566770933.55170.1278109288247.JavaMail.root@mail021.dti>
Message-ID:

On Sat, Jul 3, 2010 at 12:21 AM, Peter Ong wrote:
> Gee, why do I never get any love for my questions?
>
> p
> ----- Original Message -----
>
>> From: "Peter Ong"
>> To: "mailscanner"
>> Sent: Friday, July 2, 2010 12:12:32 PM
>> Subject: How to White List from MailScanner
>>
>> Hello Everyone,
>>
>> How do I whitelist a server from MailScanner? Allow me to explain.
>>
>> I know how to whitelist someone in postfix through the access table. I
>> know how to whitelist someone from MailScanner's spamassassin through
>> the rules/spam.whitelist.rules and similarly for the virus scanning.
>> But MailScanner has a function where it disarms html tags like script,
>> img, a, etc.
>>
>> I can whitelist an address from spam, virus, and at the MTA, but how
>> do I whitelist so that specific domains are not disarmed by
>> MailScanner?

It's the same as for spam.whitelist.rules, (almost) every option in MailScanner.conf can have its own ruleset just like you have for whitelists. Read the readme/example files in the rules directory.

--
/peter

From peter.ong at hypermediasystems.com Sat Jul 3 01:00:26 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Sat Jul 3 01:00:37 2010
Subject: How to White List from MailScanner
In-Reply-To:
Message-ID: <2050782879.55235.1278115226949.JavaMail.root@mail021.dti>

What do you put in the third column?

From: *@*.mydomain.junk yes

Do I put disarm? What word goes there?

Thanks.

p

From martyn at invictawiz.com Sat Jul 3 07:51:58 2010
From: martyn at invictawiz.com (Martyn Routley)
Date: Sat Jul 3 07:52:19 2010
Subject: retrieving quarantine spam
In-Reply-To: <730964535-1278099123-cardhu_decombobulator_blackberry.rim.net-1448350549-@bda942.bisx.prod.on.blackberry>
References: <1277407315-1278020018-cardhu_decombobulator_blackberry.rim.net-1391616719-@bda942.bisx.prod.on.blackberry><1255353029-1278022589-cardhu_decombobulator_blackberry.rim.net-62708707-@bda942.bisx.prod.on.blackberry><936174110-1278096120-cardhu_decombobulator_blackberry.rim.net-514663448-@bda942.bisx.prod.on.blackberry><4C2E3A82.4060205@pacific.net> <730964535-1278099123-cardhu_decombobulator_blackberry.rim.net-1448350549-@bda942.bisx.prod.on.blackberry>
Message-ID: <4C2EDE0E.3020307@invictawiz.com>

On 02/07/2010 20:32, Alex Neuman wrote:
> You're absolutely right. We should be discussing more important subjects with our friends from across the pond, like whether beer should be served warm (yuck!) or ice cold (mmmm beer...)
>
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: Ken A
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Fri, 02 Jul 2010 14:14:10
> To:
> Reply-To: MailScanner discussion
> Subject: Re: retrieving quarantine spam
>

Now, there you have the big thing.
The Brits drink Beer - which should be served warm(ish)
Everyone else drinks Lager - which should be served Ice cold.

--
Martyn Routley
--------------------------------------------------------
Invictawiz - The Internet in Plain English, Guaranteed
web: http://www.invictawiz.com
voip: 6000@sip.invictawiz.com
phone: 0845 003 9020
Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB
Co. No: 04253262
--------------------------------------------------------

From bonivart at opencsw.org Sat Jul 3 09:33:52 2010
From: bonivart at opencsw.org (Peter Bonivart)
Date: Sat Jul 3 09:34:22 2010
Subject: How to White List from MailScanner
In-Reply-To: <2050782879.55235.1278115226949.JavaMail.root@mail021.dti>
References: <2050782879.55235.1278115226949.JavaMail.root@mail021.dti>
Message-ID:

On Sat, Jul 3, 2010 at 2:00 AM, Peter Ong wrote:
> What do you put in the third column?
> From: *@*.mydomain.junk yes
>
> do I put disarm? What word goes there?

The third column is the answer to the option in question. If the option takes yes/no then it should be one of those but it could also be something else. Here's a list of all options and their allowed values: http://mailscanner.info/MailScanner.conf.index.html.

Note that for disarm you usually need rulesets for several options (form, iframe, object, script and so on) but often they need the same answer so you can actually use the same ruleset for all those options which means less to administer.

--
/peter

From MailScanner at ecs.soton.ac.uk Sat Jul 3 14:42:31 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jul 3 14:42:46 2010
Subject: How to White List from MailScanner
In-Reply-To: <1566770933.55170.1278109288247.JavaMail.root@mail021.dti>
References: <1566770933.55170.1278109288247.JavaMail.root@mail021.dti> <4C2F3E47.1020507@ecs.soton.ac.uk>
Message-ID:

If you want the "big switch" setting to put a ruleset on, it's called "Scan Messages". You can whitelist a particular IP or hostname like this:

Set in MailScanner.conf:

Scan Messages = %rules-dir%/scan.messages.rules

And then in /etc/MailScanner/rules/scan.messages.rules put things like this:

From: 192.168. no
From: host:yoursafedomain.com no
FromOrTo: default yes

This will whitelist all machines whose IP addresses start with 192.168 and any host whose hostname is in "yoursafedomain.com" (notice the "host:" in this rule!). If you leave out the "host:" bit, then it will whitelist all mail whose sender address claims to be anything@yoursafedomain.com which is very dangerous as the sender address can be trivially faked!

Hope that helps get you going. The next finer controls than "Scan Messages" are "Virus Scanning = yes", "Dangerous Content Scanning = yes" and "Spam Checks = yes", if you want to control certain major areas of processing.

Jules.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From alex at rtpty.com Sat Jul 3 18:21:59 2010
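Added example (not part of Julian Field's post and not MailScanner's own code): a simplified first-match model of the scan.messages.rules ruleset from his reply, showing why the "host:" form is the safe one and the bare domain form is not. The matching logic, the Message class and every address and hostname below are constructed assumptions.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Message:
    client_ip: str    # address of the connecting SMTP client
    client_host: str  # hostname resolved for that client
    env_from: str     # envelope sender: chosen by the client, unverified
    env_to: str = "user@example.org"


def parse_ruleset(text):
    """Turn 'Direction: pattern value' lines into (direction, pattern, value)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(),
                      value.strip().lower()))
    return rules


def _address_matches(pattern, address):
    # A bare domain stands for anything@domain, as described in the post.
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatchcase(address.lower(), pattern)


def rule_matches(direction, pattern, msg):
    if pattern == "default":
        return True
    if pattern.startswith("host:"):
        # Tested against the connecting host, never against the sender address.
        want = pattern[len("host:"):]
        host = msg.client_host.lower()
        return host == want or host.endswith("." + want)
    if re.fullmatch(r"[0-9.]+", pattern):
        # Trailing dot means "addresses starting with"; otherwise exact match.
        if pattern.endswith("."):
            return msg.client_ip.startswith(pattern)
        return msg.client_ip == pattern
    candidates = {"from": [msg.env_from], "to": [msg.env_to],
                  "fromorto": [msg.env_from, msg.env_to]}
    return any(_address_matches(pattern, a) for a in candidates.get(direction, []))


def evaluate(rules, msg):
    """Return the value of the first rule that matches, or None."""
    for direction, pattern, value in rules:
        if rule_matches(direction, pattern, msg):
            return value
    return None


HOST_RULES = """
From:     192.168.                 no
From:     host:yoursafedomain.com  no
FromOrTo: default                  yes
"""
# Same ruleset with the "host:" prefix left out (the dangerous variant).
ADDRESS_RULES = HOST_RULES.replace("host:", "")

# Constructed sample traffic (documentation address ranges and example names).
MESSAGES = {
    "internal client": Message("192.168.4.20", "ws20.lan.example",
                               "alice@example.org"),
    "real partner host": Message("203.0.113.5", "mx1.yoursafedomain.com",
                                 "bob@yoursafedomain.com"),
    "forged sender": Message("198.51.100.77", "host77.example.net",
                             "billing@yoursafedomain.com"),
}


def scan_decisions():
    """Map ruleset label -> {message label -> 'Scan Messages' answer}."""
    out = {}
    for label, text in (("host rule", HOST_RULES), ("address rule", ADDRESS_RULES)):
        rules = parse_ruleset(text)
        out[label] = {name: evaluate(rules, m) for name, m in MESSAGES.items()}
    return out


if __name__ == "__main__":
    for label, decisions in scan_decisions().items():
        for name, value in decisions.items():
            print(f"{label:13} {name:18} Scan Messages = {value}")
```

With the "host:" rule the forged message falls through to the default and is scanned; with the bare domain rule the same message is answered "no" and skips scanning entirely.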
From: alex at rtpty.com (Alex Neuman)
Date: Sat Jul 3 18:22:11 2010
Subject: Salsalabs
Message-ID: <7A9B0061-8C6E-48A1-9566-518B9489F665@rtpty.com>

Somebody's server, running MailScanner, has been compromised.

http://pastebin.com/TQjYQCuG

It looks like "salsalabs.net". If the owner/admin reads this list, check it out.

Thanks...

From terence.km.chan at gmail.com Sun Jul 4 12:18:37 2010
From: terence.km.chan at gmail.com (Terence Chan)
Date: Sun Jul 4 12:18:45 2010
Subject: Deny File MIME Types not working
Message-ID:

Hi,

I need to selectively allow certain people to send image files, and I have run into problems.

I have the following configuration.

Deny File MIME Types = %rules-dir%/deny.filemimetypes.rules

in the %rules-dir%/deny.filemimetypes.rules file

From: terence@vicosys.com.hk image/png

When I try to send an email with a png file attached - the mail can still pass through. I tested the file using file -i command, the mime type is "image/png"

I traced the code and found out that the coding for "file -i" has not been used. ($MailScanner::Config::UsingFileICommand = 0), so it has never tried to look at the MIME type.

If I hack the Config.pm and force $MailScanner::Config::UsingFileICommand = 1, it all works.

Is this a bug or is it some misconfiguration on my part?

Thanks

From MailScanner at ecs.soton.ac.uk Mon Jul 5 16:17:22 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 5 16:17:41 2010 Subject: Deny File MIME Types not working In-Reply-To: References: <4C31F782.5020204@ecs.soton.ac.uk> Message-ID: Bug. Well found. Try applying this patch to /usr/lib/MailScanner/MailScanner/SweepOther.pm. Take off the start and end line I have added. Please let me know if this fixes it for you. Jules. --- PATCH START --- --- SweepOther.pm 2010-04-22 17:12:43.000000000 +0100 +++ SweepOther.pm.new 2010-07-05 16:13:32.000000000 +0100 @@ -471,7 +471,9 @@ # If we are not using "file -i" at all, then just short-circuit all # of this, and check file command output only. - unless ($MailScanner::Config::UsingFileICommand) { + unless ($MailScanner::Config::UsingFileICommand || + MailScanner::Config::Value('denyfilemimetypes') || + MailScanner::Config::Value('adenyfilemimetypes')) { $Counter = CheckFileTypesRules($batch, \%FileTypes, undef); return $Counter; } --- PATCH END --- On 04/07/2010 12:18, Terence Chan wrote: > > Hi, > > > I need to selectively allow certain people to send image files, and I > have ran into problems. > > > I have the following configuration. > > > Deny File MIME Types = %rules-dir%/deny.filemimetypes.rules > > > in the %rules-dir%/deny.filemimetypes.rules file 
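Review bot: the two calls added to the unless condition, MailScanner::Config::Value('denyfilemimetypes') and MailScanner::Config::Value('adenyfilemimetypes'), are made without a message argument, while the setting in the report is a per-sender ruleset (From: terence@vicosys.com.hk image/png). Please confirm that Value() evaluates true in that form when the option points at a ruleset with no default line; if it does not, the code still short-circuits to CheckFileTypesRules($batch, \%FileTypes, undef) and the MIME rules are skipped exactly as before. The comment above the condition ("If we are not using "file -i" at all ...") also needs updating, since the MIME path now runs whenever either deny option is set, whatever UsingFileICommand says.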
>
> From: terence@vicosys.com.hk image/png
>
> When I try to send a email attached a png file - the mail can still
> pass thru. I tested the file using file -i command, the mime type is
> "image/png"
>
> I traced the code and found out that the coding for "file -i" has not
> been used. ($MailScanner::Config::UsingFileICommand = 0), so it has
> never tried to look at the MIME type.
>
> if I hack the Config.pm and
> force $MailScanner::Config::UsingFileICommand = 1, it all works.
>
> Is this a bug or if it is some misconfiguration on my part?
>
> Thanks
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From bbecken at aafp.org Tue Jul 6 13:52:12 2010
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Tue Jul 6 13:52:31 2010
Subject: OT: KAM.cf and rescoring
Message-ID:

I've been using KAM.cf for awhile and it's doing a wonderful job, but I now have a need to rescore the KAM_MX3 ruleset.

What should I name the new .cf file so that it overrides the KAM score?

thanks
Brad

From prandal at herefordshire.gov.uk Tue Jul 6 14:15:13 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Jul 6 14:15:31 2010
Subject: KAM.cf and rescoring
In-Reply-To:
References:
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45C12696@HC-MBX01.herefordshire.gov.uk>

I do it by adding a new score into my mailscanner.cf file.

I've scored KAM_MXURI down to zero as there are way too many false positives for it to be useful in this environment.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From ms-list at alexb.ch Tue Jul 6 14:17:01 2010
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 6 14:17:05 2010
Subject: OT: KAM.cf and rescoring
In-Reply-To:
References:
Message-ID: <4C332CCD.9050809@alexb.ch>

On 2010-07-06 14:52, Brad Beckenhauer wrote:
> I've been using KAM.cf for awhile and it's doing a wonderful job, but I
> now have a need to rescore the KAM_MX3 ruleset.
>
> What should I name the new .cf file so that it overrides the KAM score?

you can just use /etc/mail/spamassassin/local.cf

score KAM_MX3 0.01

(or whatever you want to score it)

From peter.ong at hypermediasystems.com Tue Jul 6 16:43:18 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 16:43:29 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1791280444.55220.1278113049106.JavaMail.root@mail021.dti>
Message-ID: <51591715.56102.1278430998431.JavaMail.root@mail021.dti>

Hello Everyone,

I really need help on this filetype issue.

First, when I scan the original message it shows as "data", and when I scan the mime version, it shows as "text/x-mail; charset=unknown".

I keep getting this message even after I have edited the filetype.conf.rules file:

At Tue Jul 6 08:29:47 2010 the virus scanner said:
MailScanner: No programs allowed (msg-16388-1.txt)

Proof:

[root@gateway005.inf 64BCE572B7.A0F44]# file 64BCE572B7
64BCE572B7: data

[root@gateway005.inf 64BCE572B7.A0F44]# file -i msg-16388-1.txt
msg-16388-1.txt: text/x-mail; charset=unknown

HELP!!! What can I do? Thank you in advance.

These are the contents of my filetype.conf.rules file:

allow - text - -
allow - text - -
allow - text/x-mail - -
allow - text/plain - -
allow - message/rfc822 - -
allow - text/x-mail - -
allow - text/x-mail; charset=unknown - - <<<<<<<<<<<<<<< I added this
allow - text/plain - -
allow - text/plain; charset=unknown - -
allow - text/plain; charset=iso-8859-1 - -
allow - text/plain; charset=utf-8 - -
allow - text/plain; charset=iso-8859-1 - -
allow text text/x-mail - -
allow text text/plain - -
allow text message/rfc822 - -
allow data text/x-mail; charset=unknown - - <<<<<<<<<<<<<< I added this
allow data text/x-mail - -
allow data text/plain - -
allow data text/plain; charset=unknown - -
allow data text/plain; charset=iso-8859-1 - -
allow data text/plain; charset=utf-8 - -
allow RFC 822 mail text text/plain; charset=iso-8859-1 - -

allow text - -
allow data - -
allow \bscript - -
allow archive - -
allow postscript - -
deny self-extract No self-extracting archives No self-extracting archives allowed
deny executable No executables No executables allowed <<<<<<<<<<<<<<<<<<< keeps getting caught here...
#EXAMPLE: deny - x-dosexec No DOS executables No DOS programs allowed
deny - x-dosexec No DOS executables No DOS programs allowed
deny ELF No executables No programs allowed
deny Registry No Windows Registry entries No Windows Registry files allowed

#deny MPEG No MPEG movies No MPEG movies allowed
#deny AVI No AVI movies No AVI movies allowed
#deny MNG No MNG/PNG movies No MNG movies allowed
#deny QuickTime No QuickTime movies No QuickTime movies allowed
#deny ASF No Windows media No Windows media files allowed
#deny metafont No Windows Metafont drawings No WMF drawings allowed

From ka at pacific.net Tue Jul 6 17:11:44 2010
From: ka at pacific.net (Ken A)
Date: Tue Jul 6 17:13:32 2010
Subject: Salsalabs
In-Reply-To: <7A9B0061-8C6E-48A1-9566-518B9489F665@rtpty.com>
References: <7A9B0061-8C6E-48A1-9566-518B9489F665@rtpty.com>
Message-ID: <4C3355C0.7090305@pacific.net>

It looks intentional to me, not a compromised box. It appears to have come from the poorly designed democracyinaction website "tell a friend" stupidity. See:
http://salsa.democracyinaction.org/o/696/t/1681/tellafriend.jsp

In other words, the system was designed to forward spam.

Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From alex at rtpty.com Tue Jul 6 17:20:45 2010
From: alex at rtpty.com (Alex Neuman)
Date: Tue Jul 6 17:20:57 2010
Subject: Salsalabs
In-Reply-To: <4C3355C0.7090305@pacific.net>
References: <7A9B0061-8C6E-48A1-9566-518B9489F665@rtpty.com> <4C3355C0.7090305@pacific.net>
Message-ID: <597F4AB7-B2A3-4907-97CB-694049EE07BD@rtpty.com>

There's a mailscanner system in the middle, so I thought the owner might be aware of the problem by reading about it on the list.

From ka at pacific.net Tue Jul 6 17:34:21 2010
From: ka at pacific.net (Ken A)
Date: Tue Jul 6 17:36:08 2010
Subject: Salsalabs
In-Reply-To: <597F4AB7-B2A3-4907-97CB-694049EE07BD@rtpty.com>
References: <7A9B0061-8C6E-48A1-9566-518B9489F665@rtpty.com> <4C3355C0.7090305@pacific.net> <597F4AB7-B2A3-4907-97CB-694049EE07BD@rtpty.com>
Message-ID: <4C335B0D.6000209@pacific.net>

On 7/6/2010 11:20 AM, Alex Neuman wrote:
> There's a mailscanner system in the middle, so I thought the owner
> might be aware of the problem by reading about it on the list.

Yes, looks like it squeezed by with "sssss" !

Something like:

header LOCAL_SPAM1 X-Salsa-Referer =~ /tellafriend\.jsp/
describe LOCAL_SPAM1 spam from stupid web app
score LOCAL_SPAM1 3.5

should work nicely! :-)

Ken

--
Ken Anderson
Pacific Internet - http://www.pacific.net

From MailScanner at ecs.soton.ac.uk Tue Jul 6 18:00:13 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 6 18:00:27 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <51591715.56102.1278430998431.JavaMail.root@mail021.dti>
References: <51591715.56102.1278430998431.JavaMail.root@mail021.dti> <4C33611D.6000708@ecs.soton.ac.uk>
Message-ID:

It's talking about the attachment in the message, not the message body+headers itself.

Do a "file" on msg-16388-1.txt (not a "file -i").

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From peter.ong at hypermediasystems.com Tue Jul 6 18:25:13 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 18:25:24 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To:
Message-ID: <178836761.56246.1278437113954.JavaMail.root@mail021.dti>

But there is no attachment.

p
From peter.ong at hypermediasystems.com Tue Jul 6 18:27:00 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 18:27:09 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To:
Message-ID: <1016920298.56256.1278437220245.JavaMail.root@mail021.dti>

That message msg-16388-1.txt is the message itself.

p

----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: Tuesday, July 6, 2010 10:00:13 AM
> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>
> It's talking about the attachment in the message, not the message
> body+headers itself.
>
> Do a "file" on msg-16388-1.txt (not a "file -i").
>
> On 06/07/2010 16:43, Peter Ong wrote:
> > Hello Everyone,
> >
> > I really need help on this filetype issue.
> >
> > First, when I scan the original message it shows as "data", and when I scan the mime version, it shows as "text/x-mail; charset=unknown".
> >
> > I keep getting this message even after I have edited the filetype.conf.rules file:
> > At Tue Jul 6 08:29:47 2010 the virus scanner said:
> > MailScanner: No programs allowed (msg-16388-1.txt)
> >
> > Proof:
> > [root@gateway005.inf 64BCE572B7.A0F44]# file 64BCE572B7
> > 64BCE572B7: data
> >
> > [root@gateway005.inf 64BCE572B7.A0F44]# file -i msg-16388-1.txt
> > msg-16388-1.txt: text/x-mail; charset=unknown
> >
> > HELP!!! What can I do? Thank you in advance.
From peter.ong at hypermediasystems.com Tue Jul 6 19:05:17 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 19:05:28 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1100961280.56307.1278439392220.JavaMail.root@mail021.dti>
Message-ID: <1213049040.56309.1278439517885.JavaMail.root@mail021.dti>

I am thoroughly confused.

./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)

It is not getting caught on this line in the logs... it clearly says "No programs allowed".

Is there documentation somewhere I'm neglecting to read?

p
From peter.ong at hypermediasystems.com Tue Jul 6 20:14:02 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 20:14:13 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <457355533.56360.1278443539145.JavaMail.root@mail021.dti>
Message-ID: <1603327126.56362.1278443642502.JavaMail.root@mail021.dti>

I hate to keep beating a dead horse, but would anyone else have any ideas? This problem is a serious interruption in our day to day communications.

p

----- Original Message -----
> From: "Peter Ong"
> To: "MailScanner discussion"
> Sent: Tuesday, July 6, 2010 11:05:17 AM
> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>
> I am thoroughly confused.
>
> ./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)
>
> It is not getting caught on this line in the logs... it clearly says
> "No programs allowed".
>
> Is there documentation somewhere I'm neglecting to read?
>
> p
From Denis.Beauchemin at USherbrooke.ca Tue Jul 6 20:57:49 2010
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Jul 6 20:58:09 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1603327126.56362.1278443642502.JavaMail.root@mail021.dti>
References: <1603327126.56362.1278443642502.JavaMail.root@mail021.dti>
Message-ID: <4C338ABD.1000409@USherbrooke.ca>

On 2010-07-06 15:14, Peter Ong wrote:
> I hate to keep beating a dead horse, but would anyone else have any ideas? This problem is a serious interruption in our day to day communications.
>
> p
>
> ----- Original Message -----
>
>> From: "Peter Ong"
>> To: "MailScanner discussion"
>> Sent: Tuesday, July 6, 2010 11:05:17 AM
>> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>>
>> I am thoroughly confused.
>>
>> ./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)
>>
>> It is not getting caught on this line in the logs... it clearly says
>> "No programs allowed".
>>
>> Is there documentation somewhere I'm neglecting to read?
>>
>> p

Peter,

A "DOS executable" is a program. Thus the warning is telling the truth.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045
From peter.ong at hypermediasystems.com Tue Jul 6 21:13:07 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 21:13:16 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <4C338ABD.1000409@USherbrooke.ca>
Message-ID: <1055709471.56405.1278447187052.JavaMail.root@mail021.dti>

Sorry guys...

The DOS warning is correct -- from the file command. The problem is that isn't the line where the message fails in the filetype.conf.rules. It fails on

deny executable No executables No executables allowed

There are two lines that show "No programs allowed", but I changed one to say "No executables allowed" so depending on the error message I know that it failed on one of them, and it does fail on the "No executables" line.

I only ran file on the msg file because Julian suggested it, and for everyone's edification, I posted the result here. The fact that the file command shows DOS executable (COM) should trigger the correct line in the error message which is:

deny - x-dosexec No DOS executables No DOS programs allowed

But clearly based on my repeatable error messages, it fails not on this line, but "No executables allowed". There is no attachment. It simply contains Japanese characters.

The documentation on the top of the file said that I can have an optional third field which I have filled out, but there doesn't seem to be a known established way of filling it out. Our operation is being severely affected by this, and I don't know what else to do.

I could really use help here.

p

----- Original Message -----
> From: "Denis Beauchemin"
> To: "MailScanner discussion"
> Sent: Tuesday, July 6, 2010 12:57:49 PM
> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>
> On 2010-07-06 15:14, Peter Ong wrote:
> > I hate to keep beating a dead horse, but would anyone else have any
> > ideas? This problem is a serious interruption in our day to day
> > communications.
> >
> > p
> >
> > ----- Original Message -----
> >
> >> From: "Peter Ong"
> >> To: "MailScanner discussion"
> >> Sent: Tuesday, July 6, 2010 11:05:17 AM
> >> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
> >>
> >> I am thoroughly confused.
> >>
> >> ./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)
> >>
> >> It is not getting caught on this line in the logs... it clearly says
> >> "No programs allowed".
> >>
> >> Is there documentation somewhere I'm neglecting to read?
> >>
> >> p
>
> Peter,
>
> A "DOS executable" is a program. Thus the warning is telling the truth.
>
> Denis
>
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x62252 F: 819.821.8045
From rob at poeweb.com Tue Jul 6 21:22:58 2010
From: rob at poeweb.com (Rob Poe)
Date: Tue Jul 6 21:23:09 2010
Subject: High Scoring Spam Rules Issue
Message-ID: <4C3390A2.2030604@poeweb.com>

I have a user who insists on getting all email (even spam). He's finally relented on letting me at least TAG them as {spam}, but here's an issue I'm having.

I made a rule file for high scoring spam actions.

In the rule file, I put

To: user1@domain.com deliver
FromOrTo: default store

That works swimmingly. Here's the problem. Say the spam is addressed to user1@domain.com, but also addressed to user2@domain.com. They BOTH get it delivered with the {spam} tag. If just user2@domain.com gets the email, then it gets stored.

Any thoughts on how to deal with this?

MTA: Sendmail (most up to date that yum update gives) on Centos 4.7
From mikael at syska.dk Tue Jul 6 21:39:27 2010
From: mikael at syska.dk (Mikael Syska)
Date: Tue Jul 6 21:39:40 2010
Subject: High Scoring Spam Rules Issue
In-Reply-To: <4C3390A2.2030604@poeweb.com>
References: <4C3390A2.2030604@poeweb.com>
Message-ID:

Hi,

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient

Kind regards,
Mikael Syska

On Tue, Jul 6, 2010 at 10:22 PM, Rob Poe wrote:
> I have a user who insists on getting all email (even spam). He's finally
> relented on letting me at least TAG them as {spam}, but here's an issue I'm
> having.
>
> I made a rule file for high scoring spam actions.
>
> In the rule file, I put
>
> To: user1@domain.com deliver
> FromOrTo: default store
>
> That works swimmingly. Here's the problem. Say the spam is addressed to
> user1@domain.com, but also addressed to user2@domain.com. They BOTH get it
> delivered with the {spam} tag. If just user2@domain.com gets the email,
> then it gets stored.
>
> Any thoughts on how to deal with this?
>
> MTA: Sendmail (most up to date that yum update gives) on Centos 4.7
From mikael at syska.dk Tue Jul 6 21:42:51 2010
From: mikael at syska.dk (Mikael Syska)
Date: Tue Jul 6 21:43:03 2010
Subject: High Scoring Spam Rules Issue
In-Reply-To:
References: <4C3390A2.2030604@poeweb.com>
Message-ID:

Woops ... wrong link ... Here's the one for sendmail :-)

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient

This should result in mails not being delivered to the other addresses if rules are applied.

Kind regards

On Tue, Jul 6, 2010 at 10:39 PM, Mikael Syska wrote:
> Hi,
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient
>
> Kind regards,
> Mikael Syska
>
> On Tue, Jul 6, 2010 at 10:22 PM, Rob Poe wrote:
>> I have a user who insists on getting all email (even spam). He's finally
>> relented on letting me at least TAG them as {spam}, but here's an issue I'm
>> having.
>>
>> I made a rule file for high scoring spam actions.
>>
>> In the rule file, I put
>>
>> To: user1@domain.com deliver
>> FromOrTo: default store
>>
>> That works swimmingly. Here's the problem. Say the spam is addressed to
>> user1@domain.com, but also addressed to user2@domain.com. They BOTH get it
>> delivered with the {spam} tag. If just user2@domain.com gets the email,
>> then it gets stored.
>>
>> Any thoughts on how to deal with this?
>>
>> MTA: Sendmail (most up to date that yum update gives) on Centos 4.7
From raubvogel at gmail.com Tue Jul 6 21:46:18 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Tue Jul 6 21:46:27 2010
Subject: High Scoring Spam Rules Issue
In-Reply-To: <4C3390A2.2030604@poeweb.com>
References: <4C3390A2.2030604@poeweb.com>
Message-ID:

On Tue, Jul 6, 2010 at 4:22 PM, Rob Poe wrote:
> I have a user who insists on getting all email (even spam). He's finally
> relented on letting me at least TAG them as {spam}, but here's an issue I'm
> having.
>
> I made a rule file for high scoring spam actions.
>
> In the rule file, I put
>
> To: user1@domain.com deliver
> FromOrTo: default store
>
> That works swimmingly. Here's the problem. Say the spam is addressed to
> user1@domain.com, but also addressed to user2@domain.com. They BOTH get it
> delivered with the {spam} tag. If just user2@domain.com gets the email,
> then it gets stored.
>
> Any thoughts on how to deal with this?
>
> MTA: Sendmail (most up to date that yum update gives) on Centos 4.7
>

This will not solve your problem, but it is something to think about: I only tag spam as such, and only in the header. What I then do is use dovecot's sieve to move the emails marked as spam to the spam folder. Then users can decide if the spam-marked email is indeed spam. If not, they can move it out of that folder. In any case, they do not lose any email (I can always purge spam that is more than X days old if disk space becomes an issue) but their Inbox still looks rather clean. Now, I can have specific sieve scripts that only run for specific users. So I can handle very specific cases as needed.
From rob at poeweb.com Tue Jul 6 21:58:06 2010
From: rob at poeweb.com (Rob Poe)
Date: Tue Jul 6 21:58:16 2010
Subject: High Scoring Spam Rules Issue
In-Reply-To:
References: <4C3390A2.2030604@poeweb.com>
Message-ID: <4C3398DE.9010509@poeweb.com>

That's exactly what I needed, Thank you!

Rob

On 7/6/2010 3:39 PM, Mikael Syska wrote:
> Hi,
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient
>
> Kind regards,
> Mikael Syska
>
> On Tue, Jul 6, 2010 at 10:22 PM, Rob Poe wrote:
>> I have a user who insists on getting all email (even spam). He's finally
>> relented on letting me at least TAG them as {spam}, but here's an issue I'm
>> having.
>>
>> I made a rule file for high scoring spam actions.
>>
>> In the rule file, I put
>>
>> To: user1@domain.com deliver
>> FromOrTo: default store
>>
>> That works swimmingly. Here's the problem. Say the spam is addressed to
>> user1@domain.com, but also addressed to user2@domain.com. They BOTH get it
>> delivered with the {spam} tag. If just user2@domain.com gets the email,
>> then it gets stored.
>>
>> Any thoughts on how to deal with this?
>>
>> MTA: Sendmail (most up to date that yum update gives) on Centos 4.7
From peter.ong at hypermediasystems.com Tue Jul 6 22:05:00 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Tue Jul 6 22:05:09 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1055709471.56405.1278447187052.JavaMail.root@mail021.dti>
Message-ID: <563153804.56416.1278450300261.JavaMail.root@mail021.dti>

What if I wanted to get commercial support? Would they be able to solve this?

p
From mark at msapiro.net Wed Jul 7 02:05:43 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Jul 7 02:05:59 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1055709471.56405.1278447187052.JavaMail.root@mail021.dti>
References: <4C338ABD.1000409@USherbrooke.ca> <1055709471.56405.1278447187052.JavaMail.root@mail021.dti>
Message-ID: <20100707010543.GA31358@sbh16.songbird.com>

On Wed, Jul 07, 2010 at 04:13:07AM +0000, Peter Ong wrote:
>
> The DOS warning is correct -- from the file command. The problem is that isn't the line where the message fails in the filetype.conf.rules. It fails on
> deny executable No executables No executables allowed

As it should because the output of "file msg-16388-1.txt" is "DOS executable (COM)" and that is matched by the regexp "executable" in the rule.

> There are two lines that show "No programs allowed", but I changed one to say "No executables allowed" so depending on the error message I know that it failed on one of them, and it does fail on the "No executables" line.
>
> I only ran file on the msg file because Julian suggested it, and for everyone's edification, I posted the result here. The fact that the file command shows DOS executable (COM) should trigger the correct line in the error message which is:
>
> deny - x-dosexec No DOS executables No DOS programs allowed

The hyphen in the above rule makes it a "5 field" rule in which case, the third field is matched against the mime type (output of file -i) which in this case is "text/x-mail" so no match.

> But clearly based on my repeatable error messages, it fails not on this line, but "No executables allowed". There is no attachment. It simply contains Japanese characters.

The file command run against the message text (body without headers) says this is a DOS executable and MailScanner is acting accordingly.

> The documentation on the top of the file said that I can have an optional third field which I have filled out, but there doesn't seem to be a known established way of filling it out. Our operation is being severely affected by this, and I don't know what else to do.

Both the second of four fields and the third of five fields (tab delimited) are regexps that are matched respectively against the output of "file" or the MIME type.

I think the reason your "allow - text/x-mail - -" rules don't work is that FileType Rules is an "all match" ruleset and not a "first match" ruleset.

> I could really use help here.
>
> p
>
> ----- Original Message -----
>
> > From: "Denis Beauchemin"
> > To: "MailScanner discussion"
> > Sent: Tuesday, July 6, 2010 12:57:49 PM
> > Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
> >
> > On 2010-07-06 15:14, Peter Ong wrote:
> > > I hate to keep beating a dead horse, but would anyone else have any
> > > ideas? This problem is a serious interruption in our day to day
> > > communications.
> > >
> > > p
> > >
> > > ----- Original Message -----
> > >
> > >> From: "Peter Ong"
> > >> To: "MailScanner discussion"
> > >> Sent: Tuesday, July 6, 2010 11:05:17 AM
> > >> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
> > >>
> > >> I am thoroughly confused.
> > >>
> > >> ./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)
> > >>
> > >> It is not getting caught on this line in the logs... it clearly says
> > >> "No programs allowed".
> > >>
> > >> Is there documentation somewhere I'm neglecting to read?
> > >>
> > >> p
> >
> > Peter,
> >
> > A "DOS executable" is a program. Thus the warning is telling the truth.
> >
> > Denis
> >
> > --
> > Denis Beauchemin, analyst
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x62252 F: 819.821.8045

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
From MailScanner at ecs.soton.ac.uk Wed Jul 7 09:37:08 2010
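The per-field matching described in the reply above, as an added example (not MailScanner's code and not posted by anyone in the thread): a small Python diagnostic that parses tab-delimited filetype rules and reports which field of which rule matches a given pair of `file` and `file -i` results. The sample rules are re-typed from lines quoted in the thread; case-insensitive matching, treating a run of tabs as one delimiter, and the names `parse_rules` and `explain` are assumptions, and the script deliberately does not pick a final verdict because that depends on MailScanner's own evaluation order.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: rules quoted in the thread, re-typed with TAB separators.
# The last line is separated by spaces only, to show how a mis-delimited rule
# looks to a parser that expects tabs.
SAMPLE_RULES = "\n".join([
    "# action, file regexp, [MIME regexp,] log text, user text",
    "\t".join(["allow", "-", "text/x-mail", "-", "-"]),
    "\t".join(["allow", "text", "-", "-"]),
    "\t".join(["allow", r"\bscript", "-", "-"]),
    "\t".join(["deny", "executable", "No executables", "No executables allowed"]),
    "\t".join(["deny", "-", "x-dosexec", "No DOS executables", "No DOS programs allowed"]),
    "\t".join(["deny", "ELF", "No executables", "No programs allowed"]),
    "deny Registry No Windows Registry entries No Windows Registry files allowed",
])


@dataclass
class Rule:
    lineno: int
    action: str
    file_re: Optional[str]  # 2nd field: matched against `file` output
    mime_re: Optional[str]  # 3rd field of a 5-field rule: matched against `file -i`
    log_text: str
    user_text: str


def _pattern(field: str) -> Optional[str]:
    """Return the regexp text, or None when the field is the '-' placeholder."""
    return None if field in ("", "-") else field


def parse_rules(text: str) -> Tuple[List[Rule], List[Tuple[int, str]]]:
    """Split rules into 4- or 5-field records; anything else is malformed."""
    rules: List[Rule] = []
    malformed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: one or more tabs form a single field delimiter.
        fields = [f.strip() for f in re.split(r"\t+", line)]
        if len(fields) == 4:
            action, file_re, log_text, user_text = fields
            mime_re = "-"
        elif len(fields) == 5:
            action, file_re, mime_re, log_text, user_text = fields
        else:
            malformed.append((lineno, raw))
            continue
        try:
            for pat in (_pattern(file_re), _pattern(mime_re)):
                if pat is not None:
                    re.compile(pat)
        except re.error:
            malformed.append((lineno, raw))
            continue
        rules.append(Rule(lineno, action.lower(), _pattern(file_re),
                          _pattern(mime_re), log_text, user_text))
    return rules, malformed


def explain(rules: List[Rule], file_output: str,
            mime_type: str) -> List[Tuple[int, str, str, str]]:
    """List every rule with a matching field, in file order.

    Each hit is (line number, action, which field matched, log text).
    """
    hits = []
    for r in rules:
        matched = []
        # Assumption: matching is case-insensitive.
        if r.file_re and re.search(r.file_re, file_output, re.IGNORECASE):
            matched.append("file")
        if r.mime_re and re.search(r.mime_re, mime_type, re.IGNORECASE):
            matched.append("mime")
        if matched:
            hits.append((r.lineno, r.action, "+".join(matched), r.log_text))
    return hits


if __name__ == "__main__":
    rules, malformed = parse_rules(SAMPLE_RULES)
    # Values reported in the thread for msg-16388-1.txt.
    for hit in explain(rules, "DOS executable (COM)", "text/x-mail; charset=unknown"):
        print("line %d: %s matched on %s field (%s)" % hit)
    for lineno, raw in malformed:
        print("line %d: not 4 or 5 tab-separated fields: %r" % (lineno, raw))
```

With the values from the thread, the report shows an allow rule matching on the MIME field and the "executable" deny rule matching on the `file` output, while the `x-dosexec` rule matches nothing.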
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Jul 7 09:37:25 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1055709471.56405.1278447187052.JavaMail.root@mail021.dti>
References: <1055709471.56405.1278447187052.JavaMail.root@mail021.dti> <4C343CB4.8020209@ecs.soton.ac.uk>
Message-ID:

Please can you zip up the original raw queue message file and mail it to me off-list.

Jules.

On 06/07/2010 21:13, Peter Ong wrote:
> Sorry guys...
>
> The DOS warning is correct -- from the file command. The problem is that isn't the line where the message fails in the filetype.conf.rules. It fails on
> deny executable No executables No executables allowed
>
> There are two lines that shows "No programs allowed", but I changed one to say "No executables allowed" so depending on the error message I know that it failed on one of them, and it does fail on the "No executables" line.
>
> I only ran file on the msg file because Julian suggested it, and for everyone's edification, I posted the result here. The fact that the file command shows DOS executable (COM) should trigger the correct line in the error message which is:
>
> deny - x-dosexec No DOS executables No DOS programs allowed
>
> But clearly based on my repeatable error messages, it fails not on this line, but "No executables allowed". There is no attachment. It simply contains Japanese characters.
>
> The documentation on the top of the file said that I can have an optional third field which I have filled out, but there doesn't seem to be a known established way of filling it out. Our operation is being severely affected by this, and I don't know what else to do.
>
> I could really use help here.
>
> p
>
>
> ----- Original Message -----
Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ram at netcore.co.in Wed Jul 7 10:34:55 2010
From: ram at netcore.co.in (Ram)
Date: Wed Jul 7 10:36:59 2010
Subject: Can I use a regex in messagesize.rules
Message-ID: <1278495296.17048.8.camel@darkstar.netcore.co.in>

I have MailScanner version 4.70.7 on CentOS 5.2

If I have a rule in MailScanner messagesize like

To: ram@netcore.co.in 10000

This works fine

Some regular expressions like these work too

To: ram@(mumbai\.)?netcore.co.in 10000

But expressions like these don't work

To: ram@(.+\.)?netcore.co.in

Are these regular expressions supported?

From ms-list at alexb.ch Wed Jul 7 11:19:02 2010
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Jul 7 11:19:08 2010
Subject: Can I use a regex in messagesize.rules
In-Reply-To: <1278495296.17048.8.camel@darkstar.netcore.co.in>
References: <1278495296.17048.8.camel@darkstar.netcore.co.in>
Message-ID: <4C345496.9060901@alexb.ch>

On 2010-07-07 11:34, Ram wrote:
> I have MailScanner version 4.70.7 on CentOS 5.2
>
> If I have a rule in MailScanner messagesize like
>
> To: ram@netcore.co.in 10000
> This works fine
>
> Some regular expressions like these work too
> To: ram@(mumbai\.)?netcore.co.in 10000
>
> But Expressions like these dont work
> To: ram@(.+\.)?netcore.co.in
>

what about ?

To: ram@(.*\.)?netcore.co.in

From MailScanner at ecs.soton.ac.uk Wed Jul 7 11:51:04 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Wed Jul 7 11:51:19 2010 Subject: Can I use a regex in messagesize.rules In-Reply-To: <1278495296.17048.8.camel@darkstar.netcore.co.in> References: <1278495296.17048.8.camel@darkstar.netcore.co.in> <4C345C18.80708@ecs.soton.ac.uk> Message-ID: Yes, but if you read the docs you will find you need to put '/' characters around the regexp. On 07/07/2010 10:34, Ram wrote: > I have MailScanner version 4.70.7 on CentOS 5.2 > > If I have a rule in MailScanner messagesize like > > To: ram@netcore.co.in 10000 > This works fine > > > > Some regular expressions like these work too > To: ram@(mumbai\.)?netcore.co.in 10000 > > > But Expressions like these dont work > To: ram@(.+\.)?netcore.co.in > > > > > Are these regular expressions supported > > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From peter.ong at hypermediasystems.com Wed Jul 7 21:32:33 2010 
From: peter.ong at hypermediasystems.com (Peter Ong) Date: Wed Jul 7 21:32:45 2010 Subject: FileType rules show executable even though file shows data -- Please help fix. In-Reply-To: <623745740.57047.1278534713218.JavaMail.root@mail021.dti> Message-ID: <1104829441.57049.1278534753285.JavaMail.root@mail021.dti> Hi Mark, Thanks for that. Help me clarify a few things: > As it should because the output of "file msg-16388-1.txt: is > "DOS executable (COM)" and that is matched by the regexp "executable" > in the rule. I see. And that would be the second of four fields counting from the left, correct? I thought it was only regexp if it they were enclosed in slashes such as /executable/. Am I wrong? > > There are two lines that shows "No programs allowed", but I changed > one to say "No executables allowed" so depending on the error message > I know that it failed on one of them, and it does fail on the "No > executables" line. > > > > I only ran file on the msg file because Julian suggested it, and for > everyone's edification, I posted the result here. The fact that the > file command shows DOS executable (COM) should trigger the correct > line in the error message which is: > > > > deny - x-dosexec No DOS executables No DOS > programs allowed I apologize. In my frustration, I pasted the wrong line from the filetypes.conf.rules file. I meant to paste this one: deny executable No executables No executables allowed This is where I had changed the word "programs" to "executables" so I can determine which line is triggering. > The hyphen in the above rule makes it a "5 field" rule in which case, > the third field is matched against the mime type (output of file -i) > which in this case is "text/x-mail" so no match. Can someone explain how these fields work? The instructions on top of the file are too terse for me. The second of five field is for the result of the "file" command, and the third of five field is for the output of "file -i". 
Do both fields have to be filled out or just one? Are they evaluated as && or ||? I'm not sure. As you can see in my original post, I tried to put in all combinations, just in case. Are those fields always evaluated as regex? Because if so that means I need to escape special characters, but I don't know whether it's always regex or just as a string. I thought it went this way... there are two files in the folder. One is named after a postfix unique identifier... 012A34ABC and the other is msg-1234-1.txt. I thought the first file was scanned by "file" and the second scanned by "file -i". Tell me if I got this wrong. > I think the reason your "allow - text/x-mail - -" rules don't work is > that > FileType Rules is an "all match" ruleset and not a "first match" > ruleset. Can you please explain what you mean by this? p From peter.ong at hypermediasystems.com Wed Jul 7 21:33:52 2010 From: peter.ong at hypermediasystems.com (Peter Ong) Date: Wed Jul 7 21:34:03 2010 Subject: FileType rules show executable even though file shows data -- Please help fix. In-Reply-To: Message-ID: <68894554.57051.1278534832043.JavaMail.root@mail021.dti> Thanks Jules. Will do that, and I'll explain some more. p ----- Original Message ----- 
From peter.ong at hypermediasystems.com Wed Jul 7 22:58:09 2010
From: peter.ong at hypermediasystems.com (Peter Ong) Date: Wed Jul 7 22:58:20 2010 Subject: FileType rules show executable even though file shows data -- Please help fix. In-Reply-To: <20100707010543.GA31358@sbh16.songbird.com> Message-ID: <4202839.57206.1278539889332.JavaMail.root@mail021.dti> Hi Mark, > I think the reason your "allow - text/x-mail - -" rules don't work is > that > FileType Rules is an "all match" ruleset and not a "first match" > ruleset. What do you mean by this? Does it go down the lines and stop at the first match or does it behave differently? Do both 2/5 or 2/4 and 3/5 (fields) have to be filled out or only one? If it's regex, do I have to escape the spaces so string1\ string2 and so on? p From mark at msapiro.net Wed Jul 7 23:49:42 2010 
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Jul 7 23:49:57 2010
Subject: FileType rules show executable even though file shows data --Please help fix.
In-Reply-To: <4202839.57206.1278539889332.JavaMail.root@mail021.dti>
Message-ID:

Peter Ong wrote:
>
>> I think the reason your "allow - text/x-mail - -" rules don't work is that
>> FileType Rules is an "all match" ruleset and not a "first match" ruleset.
>
>What do you mean by this? Does it go down the lines and stop at the first match or does it behave differently?

See . This says that Filetype Rules is an "All Match" rule set.

MailScanner rulesets are either "First Match" or "All Match". In processing a First Match ruleset, MailScanner goes through the rules in order and does what ever is specified in the first rule that matches. In processing an All Match ruleset, MailScanner matches all the rules and from the matching rules, picks one. In the case of Yes/No rules, it does Yes if any Yes rule matches, even if No rules also match. (See "Further Information" near the top of <)

It is not at all clear to me how Allow/Deny rules are supposed to work in an All Match context, but your experience seems to say that if any Deny rule matches, that's what's done.

>Do both 2/5 or 2/4 and 3/5 (fields) have to be filled out or only one? If it's regex, do I have to escape the spaces so string1\ string2 and so on?

In the 5 field rules for Filetype Rules, I *think* the second field is ignored and only the third field counts. I also *think* that since the fields are tab delimited, having spaces in the match field is OK. Spaces don't need to be escaped for meaning in a regexp. They only need to be escaped if it is necessary to treat them as part of the field rather than a field separator.

Jules or someone else who knows this more than I may have a better answer.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From mark at msapiro.net Thu Jul 8 00:41:40 2010
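A way to list every FileType rule that a message part can trigger, using the three rules and the "file" results quoted in this thread. This is an added example, not MailScanner's code and not something posted to the list; the field layout follows the thread's description, while the function names, the case-insensitive search, treating a run of tabs as one separator, and Python's re standing in for Perl regexps are assumptions. It reports all matching rules and does not decide which one MailScanner acts on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three rules quoted in the thread, written with real
# tabs. Line 1 is a comment, so the rules sit on lines 2, 3 and 4.
SAMPLE_RULES = (
    "# action\tfile regexp\t[MIME regexp]\tlog text\tuser text\n"
    "allow\t-\ttext/x-mail\t-\t-\n"
    "deny\texecutable\tNo executables\tNo executables allowed\n"
    "deny\t-\tx-dosexec\tNo DOS executables\tNo DOS programs allowed\n"
)


@dataclass
class Rule:
    lineno: int
    action: str
    file_re: Optional[str]  # tested against the text printed by `file`
    mime_re: Optional[str]  # tested against the MIME type from `file -i`
    log_text: str
    user_text: str


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Return (rules, problems) for tab-delimited four- or five-field lines."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: a run of tabs counts as one separator.
        fields = [f.strip() for f in re.split(r"\t+", line)]
        if len(fields) == 4:
            action, file_re, log_text, user_text = fields
            mime_re = None
        elif len(fields) == 5:
            action, file_re, mime_re, log_text, user_text = fields
        else:
            # Typical cause: the fields were separated with spaces, not tabs.
            problems.append(
                f"line {lineno}: {len(fields)} tab-separated field(s), expected 4 or 5"
            )
            continue
        # "-" is the placeholder the thread's rules use for an unused pattern.
        file_re = None if file_re == "-" else file_re
        mime_re = None if mime_re in (None, "-") else mime_re
        try:
            for pattern in (file_re, mime_re):
                if pattern is not None:
                    re.compile(pattern)
        except re.error as exc:
            problems.append(f"line {lineno}: bad regexp: {exc}")
            continue
        rules.append(Rule(lineno, action.lower(), file_re, mime_re, log_text, user_text))
    return rules, problems


def matching_rules(
    rules: List[Rule], file_output: str, mime_type: str
) -> List[Tuple[int, str, List[str]]]:
    """List (line number, action, fields that matched) for every matching rule.

    Each pattern is reported separately; how MailScanner combines the two
    patterns of a five-field rule is not settled in the thread.
    """
    hits = []
    for rule in rules:
        matched_on = []
        if rule.file_re and re.search(rule.file_re, file_output, re.IGNORECASE):
            matched_on.append("file")
        if rule.mime_re and re.search(rule.mime_re, mime_type, re.IGNORECASE):
            matched_on.append("mime")
        if matched_on:
            hits.append((rule.lineno, rule.action, matched_on))
    return hits


if __name__ == "__main__":
    parsed, issues = parse_rules(SAMPLE_RULES)
    for issue in issues:
        print("PROBLEM", issue)
    # Values reported in the thread for msg-16388-1.txt.
    for lineno, action, matched_on in matching_rules(
        parsed, "DOS executable (COM)", "text/x-mail"
    ):
        print(f"line {lineno}: {action} matched on {'+'.join(matched_on)}")
```

An allow rule and a deny rule both appearing in the output is the situation the thread is arguing about; which of them wins is left open in these messages.
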
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Jul 8 00:41:56 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1104829441.57049.1278534753285.JavaMail.root@mail021.dti>
References: <623745740.57047.1278534713218.JavaMail.root@mail021.dti> <1104829441.57049.1278534753285.JavaMail.root@mail021.dti>
Message-ID: <20100707234140.GA31982@sbh16.songbird.com>

On Thu, Jul 08, 2010 at 04:32:33AM +0000, Peter Ong wrote:
> Hi Mark,
>
> Thanks for that. Help me clarify a few things:
>
> > As it should because the output of "file msg-16388-1.txt: is
> > "DOS executable (COM)" and that is matched by the regexp "executable"
> > in the rule.
>
> I see. And that would be the second of four fields counting from the left, correct? I thought it was only regexp if they were enclosed in slashes such as /executable/. Am I wrong?

I don't know for sure. I'm going for regexp because that's what it says at the top of the file, but regexp or "substring match" would give the same result in this case with no "pattern characters". It seems clear it's not an "exact full string" match in any case.

> > > There are two lines that shows "No programs allowed", but I changed one to say "No executables allowed" so depending on the error message I know that it failed on one of them, and it does fail on the "No executables" line.
> > >
> > > I only ran file on the msg file because Julian suggested it, and for everyone's edification, I posted the result here. The fact that the file command shows DOS executable (COM) should trigger the correct line in the error message which is:
> > >
> > > deny - x-dosexec No DOS executables No DOS programs allowed
>
> I apologize. In my frustration, I pasted the wrong line from the filetypes.conf.rules file. I meant to paste this one:
> deny executable No executables No executables allowed
>
> This is where I had changed the word "programs" to "executables" so I can determine which line is triggering.

Right, and that's the rule you said matched and it matches because "file" says "DOS executable (COM)" which is matched by "executable".

> > The hyphen in the above rule makes it a "5 field" rule in which case,
> > the third field is matched against the mime type (output of file -i)
> > which in this case is "text/x-mail" so no match.
>
> Can someone explain how these fields work? The instructions on top of the file are too terse for me.
>
> The second of five field is for the result of the "file" command, and the third of five field is for the output of "file -i". Do both fields have to be filled out or just one?

I think that's not quite right. I *think* if you want to match against the "file" output, you use a four field rule and the second field is the match, and if you want to match "file -i", you use a five field rule and the third field is the match. In the latter case, in the example, the second field is a "-" because, I think, it is ignored.

Clearly the two field matches are not anded because the hyphen in the example wouldn't match and the rule wouldn't match. I don't think they are ored either, I *think* in a five field rule the second field is merely a placeholder to make five fields and is ignored.

> Are they evaluated as && or ||? I'm not sure. As you can see in my original post, I tried to put in all combinations, just in case. Are those fields always evaluated as regex? Because if so that means I need to escape special characters, but I don't know whether it's always regex or just as a string.

I don't really know the answer to that.

> I thought it went this way... there are two files in the folder. One is named after a postfix unique identifier... 012A34ABC and the other is msg-1234-1.txt. I thought the first file was scanned by "file" and the second scanned by "file -i". Tell me if I got this wrong.

That's not the way it works in my quarantine. In mine, for messages with content issues I have a directory under the date directory named, e.g. "BB7596900BE.A6E7E", and under that there is a file named "message" which contains the entire raw message. This is not examined by either "file" or "file -i" because they just say "RFC 822 mail text" and "message/rfc822" respectively.

Also under the "queue id + entropy" directory are one or more files, such as your msg-1234-1.txt file which are the contents of the message body and/or multiple MIME message parts. It is these message parts which are examined by "file" and/or "file -i".

> > I think the reason your "allow - text/x-mail - -" rules don't work is that
> > FileType Rules is an "all match" ruleset and not a "first match" ruleset.
>
> Can you please explain what you mean by this?

I did explain this somewhat in another reply, but basically, in this context, I think if any Deny rule matches, the message will be denied even if Allow rules that match precede or follow the matching Deny rule.

--
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan

From cbe at acha.nl Thu Jul 8 07:27:22 2010
From: cbe at acha.nl (=?windows-1252?Q?ACHA_|_Cor_van_den_Berghe?=)
Date: Thu Jul 8 07:27:30 2010
Subject: Watermarking, checking bounced mail with sender address
Message-ID:

Hi all,

As I understand it MailScanner only checks the watermark on bounced email with no sender address. Is it somehow possible to have MailScanner check the watermark on all bounced email?
Lately I get a lot of backscatter mail that have a From: address and I have no idea how to stop it
Thanks for any help you can give me

Regards,
Cor van den Berghe

From MailScanner at ecs.soton.ac.uk Thu Jul 8 09:17:39 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 8 09:17:55 2010 Subject: Watermarking, checking bounced mail with sender address In-Reply-To: References: <4C3589A3.1040604@ecs.soton.ac.uk> Message-ID: Do you mean the From: address or the envelope sender address? MailScanner does nothing with the From: address. On 08/07/2010 07:27, ACHA | Cor van den Berghe wrote: > Hi all, > > As I understand it MailScanner only checks the watermark on bounced email with no sender address. Is it somehow possible to have MaiScanner check the watermark on all bounced email? > Lately I get a lot of backscatter mail that have a From: address and I have no idea how to stop it > Thanks for any help you can give me > > Regards, > Cor van den Berghe > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From cbe at acha.nl Thu Jul 8 09:40:24 2010 
From: cbe at acha.nl (=?windows-1252?Q?ACHA_|_Cor_van_den_Berghe?=) Date: Thu Jul 8 09:40:33 2010 Subject: Watermarking, checking bounced mail with sender address In-Reply-To: References: Message-ID: Sorry that I didn't make it clear enough. I was under the impression that MailScanner does 2 checks before it checks the watermark: 1. check if the mail has no sender 2. check if the mail is bounced If these 2 conditions are true than MailScanner checks the watermark. When I check the mail that has been proccessed by MailScanner I find that some messages which have no sender are marked as spam because MailScanner checked the watermark. On other bounced message, which do have a sender address the watermark is not checked Below is a header of a bounced message which was not marked as spam and was not send to the person who got the error message ---------------------------- Return-Path: Received: from 75-44-14-134.hadlaw.com (75-44-14-134.hadlaw.com [75.44.14.134] (may be forged)) by standic-ls.standic.lan (8.13.8/8.13.8) with ESMTP id o67FlPaf022789 for ; Wed, 7 Jul 2010 17:47:26 +0200 Received: from 75.44.14.134 (75.44.14.134:87288) by rmwlaw.com.inbound15.mxlogic.net (envelope-from ) (ecelerity 2.2.2.45 r(34067)) with ECSTREAM id 41/73-73224-F30ZP2Q6; Wed, 7 Jul 2010 11:47:06 -0500 X-Facebook: from HADXP6 ([LBX2RvMgJV5q]) by www.facebook.com with HTTP (ZuckMail); Date: Wed, 7 Jul 2010 11:47:06 -0500 To: kruining@fakecompany.com 
From: Reply-to: drollnessnpr76@rmwlaw.com Subject: Delivery Status Notification (Failure) Message-ID: 47B7B9EDAC6340DE905D63D452E09AC6@HADXP6 X-Priority: 3 X-Mailer: ZuckMail [version 1.00] X-Facebook-Notify: password_reset; mailid= Errors-To: drollnessnpr76@rmwlaw.com X-FACEBOOK-PRIORITY: 1 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------4B7BE4D399338AA1" -------------------------------------------------- Again please forgive me if I can't make it more clear but English is not my native language Regards, Cor. -----Original Message----- From: MailScanner@ecs.soton.ac.uk [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: donderdag 8 juli 2010 10:18 To: MailScanner discussion Subject: Re: Watermarking, checking bounced mail with sender address Do you mean the From: address or the envelope sender address? MailScanner does nothing with the From: address. On 08/07/2010 07:27, ACHA | Cor van den Berghe wrote: > Hi all, > > As I understand it MailScanner only checks the watermark on bounced email with no sender address. Is it somehow possible to have MaiScanner check the watermark on all bounced email? > Lately I get a lot of backscatter mail that have a 
From: address and I have no idea how to stop it > Thanks for any help you can give me > > Regards, > Cor van den Berghe > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM and twitter.com/MailScanner -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From maxsec at gmail.com Thu Jul 8 09:50:02 2010 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jul 8 09:50:17 2010 Subject: Watermarking, checking bounced mail with sender address In-Reply-To: References: Message-ID: Hi are these headers before or after mailscanner should have checked the message? If it's after then I see indication that mailscanner has scanned the message as there are no X-Mailscanner headers. On 8 July 2010 09:40, ACHA | Cor van den Berghe wrote: > Sorry that I didn't make it clear enough. > > I was under the impression that MailScanner does 2 checks before it checks > the watermark: > 1. check if the mail has no sender > 2. check if the mail is bounced > > If these 2 conditions are true than MailScanner checks the watermark. > > When I check the mail that has been proccessed by MailScanner I find that > some messages which have no sender are marked as spam because MailScanner > checked the watermark. On other bounced message, which do have a sender > address the watermark is not checked > > Below is a header of a bounced message which was not marked as spam and was > not send to the person who got the error message > > ---------------------------- > Return-Path: > Received: from 75-44-14-134.hadlaw.com (75-44-14-134.hadlaw.com[75.44.14.134] (may be forged)) > by standic-ls.standic.lan (8.13.8/8.13.8) with ESMTP id o67FlPaf022789 > for ; Wed, 7 Jul 2010 17:47:26 +0200 > Received: from 75.44.14.134 (75.44.14.134:87288) > by rmwlaw.com.inbound15.mxlogic.net (envelope-from < > drollnessnpr76@rmwlaw.com>) > (ecelerity 2.2.2.45 r(34067)) with ECSTREAM > id 41/73-73224-F30ZP2Q6; Wed, 7 Jul 2010 11:47:06 -0500 > X-Facebook: from HADXP6 ([LBX2RvMgJV5q]) > by www.facebook.com with HTTP (ZuckMail); > Date: Wed, 7 Jul 2010 11:47:06 -0500 > To: kruining@fakecompany.com 
> From: > Reply-to: drollnessnpr76@rmwlaw.com > Subject: Delivery Status Notification (Failure) > Message-ID: 47B7B9EDAC6340DE905D63D452E09AC6@HADXP6 > X-Priority: 3 > X-Mailer: ZuckMail [version 1.00] > X-Facebook-Notify: password_reset; mailid= > Errors-To: drollnessnpr76@rmwlaw.com > X-FACEBOOK-PRIORITY: 1 > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----------4B7BE4D399338AA1" > -------------------------------------------------- > > Again please forgive me if I can't make it more clear but English is not my > native language > > Regards, > Cor. > > > > -----Original Message----- > From: MailScanner@ecs.soton.ac.uk [mailto: > mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: donderdag 8 juli 2010 10:18 > To: MailScanner discussion > Subject: Re: Watermarking, checking bounced mail with sender address > > Do you mean the From: address or the envelope sender address? > MailScanner does nothing with the From: address. > > On 08/07/2010 07:27, ACHA | Cor van den Berghe wrote: > > Hi all, > > > > As I understand it MailScanner only checks the watermark on bounced email > with no sender address. Is it somehow possible to have MaiScanner check the > watermark on all bounced email? > > Lately I get a lot of backscatter mail that have a From: address and I > have no idea how to stop it > > Thanks for any help you can give me > > > > Regards, > > Cor van den Berghe > > > > > > Jules > > -- > Julian Field MEng CITP CEng > > -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100708/6ff82c4e/attachment.html From cbe at acha.nl Thu Jul 8 10:01:16 2010 
From: cbe at acha.nl (=?windows-1252?Q?ACHA_|_Cor_van_den_Berghe?=)
Date: Thu Jul 8 10:01:25 2010
Subject: Watermarking, checking bounced mail with sender address
In-Reply-To:
References:
Message-ID:

Hmm…. now that you mention it… It should be after MailScanner checked it, but it looks like they were skipped.
I'll check the configuration for any rules that might explain why they were not checked
Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100708/0aad4960/attachment.html

From MailScanner at ecs.soton.ac.uk Thu Jul 8 10:13:59 2010
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 8 10:14:14 2010
Subject: {Disarmed} RE: Watermarking, checking bounced mail with sender address
In-Reply-To:
References: <4C3596D7.1060106@ecs.soton.ac.uk>
Message-ID:

Do remember that you can test the output of your rulesets for specific addresses and so on. Run "MailScanner --help" and it will print the usage for you, which includes a tool for printing the result of a configuration setting.

Jules.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From cbe at acha.nl Thu Jul 8 10:34:29 2010
From: cbe at acha.nl (ACHA | Cor van den Berghe)
Date: Thu Jul 8 10:34:37 2010
Subject: {Disarmed} RE: Watermarking, checking bounced mail with senderaddress
In-Reply-To:
References:
Message-ID:

A question before I check the settings; should MailScanner have checked the message and marked it as spam (or whatever you set in the configuration)? I mean a message with a header as the one I included in an earlier e-mail

Cor.

From peter.ong at hypermediasystems.com Thu Jul 8 15:29:16 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Thu Jul 8 15:29:29 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <1760714607.57393.1278598817364.JavaMail.root@mail021.dti>
Message-ID: <1282988062.57411.1278599356248.JavaMail.root@mail021.dti>

Hey Mark,

So much of the time, I'm playing catch up as I quell fires and I miss the little details. Thanks for the edifying replies.

Last night, I actually had some quiet time to read through the links you posted, and now I understand better. Although, I do not understand what "All Match" means and how it applies or behaves in the case of the filetype rules file. Initially, I thought it went down the line and stopped at the first match as described in "First Match", but the documentation clearly says otherwise.

Also, based on the other replies, I had the mechanics of scanning all wrong; I learned that the msg-1234-1.txt is scanned by file and file -i. Now I just don't know how that, the All Match behavior, and whether one field is ignored or both are accepted or if the third of five is filled whether second of five is required, etc. You've alluded to this already, but there was behavior last week that keeps me confused. I'll experiment more today.

I emailed Jules the original as he had requested. Maybe he will have something about it today.

p

----- Original Message -----
> From: "Mark Sapiro"
> To: "Peter Ong"
> Cc: mailscanner@lists.mailscanner.info
> Sent: Wednesday, July 7, 2010 4:41:40 PM
> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>
> On Thu, Jul 08, 2010 at 04:32:33AM +0000, Peter Ong wrote:
> > Hi Mark,
> >
> > Thanks for that. Help me clarify a few things:
> >
> > > As it should because the output of "file msg-16388-1.txt" is "DOS executable (COM)" and that is matched by the regexp "executable" in the rule.
> >
> > I see. And that would be the second of four fields counting from the left, correct? I thought it was only regexp if they were enclosed in slashes such as /executable/. Am I wrong?
>
> I don't know for sure. I'm going for regexp because that's what it says at the top of the file, but regexp or "substring match" would give the same result in this case with no "pattern characters". It seems clear it's not an "exact full string" match in any case.
>
> > > > There are two lines that show "No programs allowed", but I changed one to say "No executables allowed" so depending on the error message I know that it failed on one of them, and it does fail on the "No executables" line.
> > > >
> > > > I only ran file on the msg file because Julian suggested it, and for everyone's edification, I posted the result here. The fact that the file command shows DOS executable (COM) should trigger the correct line in the error message which is:
> > > >
> > > > deny - x-dosexec No DOS executables No DOS programs allowed
> >
> > I apologize. In my frustration, I pasted the wrong line from the filetypes.conf.rules file. I meant to paste this one:
> > deny executable No executables No executables allowed
> >
> > This is where I had changed the word "programs" to "executables" so I can determine which line is triggering.
>
> Right, and that's the rule you said matched and it matches because "file" says "DOS executable (COM)" which is matched by "executable".
>
> > > The hyphen in the above rule makes it a "5 field" rule in which case, the third field is matched against the mime type (output of file -i) which in this case is "text/x-mail" so no match.
> >
> > Can someone explain how these fields work? The instructions on top of the file are too terse for me.
> >
> > The second of five field is for the result of the "file" command, and the third of five field is for the output of "file -i". Do both fields have to be filled out or just one?
>
> I think that's not quite right. I *think* if you want to match against the "file" output, you use a four field rule and the second field is the match, and if you want to match "file -i", you use a five field rule and the third field is the match. In the latter case, in the example, the second field is a "-" because, I think, it is ignored. Clearly the two field matches are not anded because the hyphen in the example wouldn't match and the rule wouldn't match. I don't think they are ored either, I *think* in a five field rule the second field is merely a placeholder to make five fields and is ignored.
>
> > Are they evaluated as && or ||? I'm not sure. As you can see in my original post, I tried to put in all combinations, just in case. Are those fields always evaluated as regex? Because if so that means I need to escape special characters, but I don't know whether it's always regex or just as a string.
>
> I don't really know the answer to that.
>
> > I thought it went this way... there are two files in the folder. One is named after a postfix unique identifier... 012A34ABC and the other is msg-1234-1.txt. I thought the first file was scanned by "file" and the second scanned by "file -i". Tell me if I got this wrong.
>
> That's not the way it works in my quarantine. In mine, for messages with content issues I have a directory under the date directory named, e.g. "BB7596900BE.A6E7E", and under that there is a file named "message" which contains the entire raw message. This is not examined by either "file" or "file -i" because they just say "RFC 822 mail text" and "message/rfc822" respectively. Also under the "queue id + entropy" directory are one or more files, such as your msg-1234-1.txt file which are the contents of the message body and/or multiple MIME message parts. It is these message parts which are examined by "file" and/or "file -i".
>
> > > I think the reason your "allow - text/x-mail - -" rules don't work is that FileType Rules is an "all match" ruleset and not a "first match" ruleset.
> >
> > Can you please explain what you mean by this?
>
> I did explain this somewhat in another reply, but basically, in this context, I think if any Deny rule matches, the message will be denied even if Allow rules that match precede or follow the matching Deny rule.
>
> --
> Mark Sapiro                           The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From peter.ong at hypermediasystems.com Thu Jul 8 17:34:35 2010
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Thu Jul 8 17:34:50 2010
Subject: FileType rules show executable even though file shows data -- Please help fix.
In-Reply-To: <560383238.57462.1278602923131.JavaMail.root@mail021.dti>
Message-ID: <657482016.57494.1278606875114.JavaMail.root@mail021.dti>

Hello Everyone,

I searched through my entire quarantine folder and grep'd for files named in this format msg-12341-1.txt. I scanned them with file and file -i. The following are the results. I entered them into my filetype.conf.rules and it seems to work.

allow ASCII English text, with escape sequences text/plain; charset=us-ascii - -
allow ASCII text text/plain; charset=us-ascii - -
allow DOS executable text/plain; charset=iso-8859-1 - -
allow DOS executable text/plain; charset=unknown - -
allow DOS executable text/plain; charset=utf-8 - -
allow DOS executable text/x-mail; charset=unknown - -
allow DOS executable text/x-mail; charset=utf-8 - -
allow HTML document text text/html - -
allow UTF-8 Unicode English text text/plain; charset=utf-8 - -

I tested that I'm not inadvertently letting DOS executables through, and they remain blocked. It appears that when both 2/5 and 3/5 are true, they are a match and thus allowed through. If someone could verify that would be nice.

In the time when I didn't have a solution, I changed the /usr/bin/file to /usr/bin/file -i just to alleviate the problem. But I think this one solves it, but I don't know whether this is the right way to do it. I have prepended to my filetype.rules.conf.

p

----- Original Message -----
> From: "Peter Ong"
> To: "MailScanner discussion"
> Sent: Tuesday, July 6, 2010 11:05:17 AM
> Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
>
> I am thoroughly confused.
>
> ./20100706/64BCE572B7.A0F44/msg-16388-1.txt: DOS executable (COM)
>
> It is not getting caught on this line in the logs... it clearly says "No programs allowed".
>
> Is there documentation somewhere I'm neglecting to read?
>
> p
>
> ----- Original Message -----
> > From: "Julian Field"
> > To: "MailScanner discussion"
> > Sent: Tuesday, July 6, 2010 10:00:13 AM
> > Subject: Re: FileType rules show executable even though file shows data -- Please help fix.
> >
> > It's talking about the attachment in the message, not the message body+headers itself.
> >
> > Do a "file" on msg-16388-1.txt (not a "file -i").
> >
> > On 06/07/2010 16:43, Peter Ong wrote:
> > > Hello Everyone,
> > >
> > > I really need help on this filetype issue.
> > >
> > > First, when I scan the original message it shows as "data", and when I scan the mime version, it shows as "text/x-mail; charset=unknown".
> > >
> > > I keep getting this message even after I have edited the filetype.conf.rules file:
> > > At Tue Jul 6 08:29:47 2010 the virus scanner said:
> > > MailScanner: No programs allowed (msg-16388-1.txt)
> > >
> > > Proof:
> > > [root@gateway005.inf 64BCE572B7.A0F44]# file 64BCE572B7
> > > 64BCE572B7: data
> > >
> > > [root@gateway005.inf 64BCE572B7.A0F44]# file -i msg-16388-1.txt
> > > msg-16388-1.txt: text/x-mail; charset=unknown
> > >
> > > HELP!!! What can I do? Thank you in advance.
> > >
> > > These are the contents of my filetype.conf.rules file:
> > >
> > > allow - text - -
> > > allow - text - -
> > > allow - text/x-mail - -
> > > allow - text/plain - -
> > > allow - message/rfc822 - -
> > > allow - text/x-mail - -
> > > allow - text/x-mail; charset=unknown - -<<<<<<<<<<<<<<< I added this
> > > allow - text/plain - -
> > > allow - text/plain; charset=unknown - -
> > > allow - text/plain; charset=iso-8859-1 - -
> > > allow - text/plain; charset=utf-8 - -
> > > allow - text/plain; charset=iso-8859-1 - -
> > > allow text text/x-mail - -
> > > allow text text/plain - -
> > > allow text message/rfc822 - -
> > > allow data text/x-mail; charset=unknown - -<<<<<<<<<<<<<< I added this
> > > allow data text/x-mail - -
> > > allow data text/plain - -
> > > allow data text/plain; charset=unknown - -
> > > allow data text/plain; charset=iso-8859-1 - -
> > > allow data text/plain; charset=utf-8 - -
> > > allow RFC 822 mail text text/plain; charset=iso-8859-1 - -
> > >
> > > allow text - -
> > > allow data - -
> > > allow \bscript - -
> > > allow archive - -
> > > allow postscript - -
> > > deny self-extract No self-extracting archives No self-extracting archives allowed
> > > deny executable No executables No executables allowed<<<<<<<<<<<<<<<<<<< keeps getting caught here...
> > > #EXAMPLE: deny - x-dosexec No DOS executables No DOS programs allowed
> > > deny - x-dosexec No DOS executables No DOS programs allowed
> > > deny ELF No executables No programs allowed
> > > deny Registry No Windows Registry entries No Windows Registry files allowed
> > >
> > > #deny MPEG No MPEG movies No MPEG movies allowed
> > > #deny AVI No AVI movies No AVI movies allowed
> > > #deny MNG No MNG/PNG movies No MNG movies allowed
> > > #deny QuickTime No QuickTime movies No QuickTime movies allowed
> > > #deny ASF No Windows media No Windows media files allowed
> > > #deny metafont No Windows Metafont drawings No WMF drawings allowed
> >
> > Jules

From cbe at acha.nl Fri Jul 9 07:23:16 2010
From: cbe at acha.nl (ACHA | Cor van den Berghe)
Date: Fri Jul 9 07:23:25 2010
Subject: {Disarmed} RE: Watermarking, checking bounced mail withsenderaddress
In-Reply-To:
References:
Message-ID:

Hi,

I'm sorry, I included the wrong headers, well not really the wrong headers but not the complete headers, thanks Martin for pointing that out. What I did was I took the header from the web interface in Mailwatch, sorry for the confusion

I've setup procmail to filter out the Delivery status notification mail, as soon as I have a good example I'll post those headers.

Cor.

From jplorier at montecarlotv.com.uy Fri Jul 9 21:04:12 2010
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Fri Jul 9 21:04:50 2010
Subject: I need help, I'm been blacklisted
In-Reply-To: <201007091101.o69B0Evj011962@safir.blacknight.ie>
References: <201007091101.o69B0Evj011962@safir.blacknight.ie>
Message-ID: <1278705852.2796.709.camel@localhost>

Skipped content of type multipart/alternative

From raubvogel at gmail.com Fri Jul 9 21:16:06 2010
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Fri Jul 9 21:16:17 2010
Subject: I need help, I'm been blacklisted
In-Reply-To: <1278705852.2796.709.camel@localhost>
References: <201007091101.o69B0Evj011962@safir.blacknight.ie> <1278705852.2796.709.camel@localhost>
Message-ID:

Skipped content of type multipart/alternative

From whatisee1 at yahoo.com Fri Jul 9 22:57:14 2010
From: whatisee1 at yahoo.com (W S)
Date: Fri Jul 9 22:57:24 2010
Subject: How-to setup Proxy:Port within /usr/sbin/update_bad_phishing_sites
Message-ID: <784909.80923.qm@web57609.mail.re1.yahoo.com>

Folks,

Seems like my "/usr/sbin/update_bad_phishing_sites" is not functioning [I'm not allowed to connect directly to www.mailscanner.tv:80 --- I must use Proxy:Port]

Now, I see there are some paragraphs related to Proxy settings, but what would be the proper syntax for Proxy and Port, for example my.local.proxy:1977?

# Create a user agent object
my $ua = LWP::UserAgent->new;
$ua->agent("UpdateBadPhishingSites/0.1 ");
# Patch from Heinz.Knutzen@dataport.de
$ua->env_proxy;

Thanks a lot,
-WS

From mark at msapiro.net Sat Jul 10 17:36:48 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Jul 10 17:37:03 2010
Subject: I need help, I'm been blacklisted
In-Reply-To: <1278705852.2796.709.camel@localhost>
References: <201007091101.o69B0Evj011962@safir.blacknight.ie> <1278705852.2796.709.camel@localhost>
Message-ID: <4C38A1A0.8020006@msapiro.net>

On 11:59 AM, Juan Pablo Lorier wrote:

> I also checked if we are blacklisted and it seems we are not, but we have 4 servers blocking our mails (all us servers).

How do these servers respond? If they reject you at SMTP, what reason do they give (from your sendmail logs)? If they accept you at SMTP and then send a bounce DSN, what does it say?

> I used one web tool I found in google (http://www.checkor.com/) to check if I was relaying and I had this results:
>
> 220 antispam.montecarlotv.com.uy ESMTP Sendmail 8.13.8/8.13.8; Fri, 9 Jul 2010 09:10:35 -0300
> HELO ortest.checkor.com
> 250 antispam.montecarlotv.com.uy Hello www.no-ip.com [204.16.252.112], pleased to meet you
> RSET
> 250 2.0.0 Reset state
> MAIL FROM: test@checkor.com
> 250 2.1.0 test@checkor.com... Sender ok
> RCPT TO: test1@checkor.com
> 550 5.7.1 test1@checkor.com... Relaying denied. Proper authentication required.
[...]
> RSET
> 250 2.0.0 Reset state
> MAIL FROM: spam@correo.montecarlotv.com.uy
> 250 2.1.0 spam@correo.montecarlotv.com.uy... Sender ok
> RCPT TO: test1@correo.montecarlotv.com.uy
> * Test Failed, 250 2.1.5 test1@correo.montecarlotv.com.uy... Recipient ok *

This 'failure' looks bogus to me. Why should you not accept mail for your own domain? Perhaps they expect an "unknown recipient" response, but even then they don't know that 'test1' is not a valid local part in your domain.

Further, even if you were relaying mail that you shouldn't be, this may get you blacklisted (i.e. added to various blacklists which you say you have checked and are not on), but if you are not on a blacklist, it won't get your mail blocked.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From chris at techquility.net Sat Jul 10 20:59:33 2010
From: chris at techquility.net (Chris Barber)
Date: Sat Jul 10 20:59:44 2010
Subject: I need help, I'm been blacklisted
In-Reply-To: <4C38A1A0.8020006@msapiro.net>
References: <201007091101.o69B0Evj011962@safir.blacknight.ie><1278705852.2796.709.camel@localhost> <4C38A1A0.8020006@msapiro.net>
Message-ID: <43F62CA225017044BC84CFAF92B4333B118E02@sbsserver.Techquility.net>

The error is fairly clear. It says "Proper authentication required". Since this is an MX mail server, it should not require authentication. Do you get this error if the sending domain is not your domain? Either way, you have a misconfiguration in your MTA.

From mark at msapiro.net Sun Jul 11 14:55:05 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Sun Jul 11 14:55:22 2010
Subject: I need help, I'm been blacklisted
In-Reply-To: <43F62CA225017044BC84CFAF92B4333B118E02@sbsserver.Techquility.net>
References: <201007091101.o69B0Evj011962@safir.blacknight.ie><1278705852.2796.709.camel@localhost> <4C38A1A0.8020006@msapiro.net> <43F62CA225017044BC84CFAF92B4333B118E02@sbsserver.Techquility.net>
Message-ID: <4C39CD39.7010305@msapiro.net>

On 11:59 AM, Chris Barber wrote:

> The error is fairly clear. It says "Proper authentication required".
> Since this is an MX mail server, it should not require authentication.
> Do you get this error if the sending domain is not your domain? Either
> way, you have a misconfiguration in your MTA.

That is not the OP's issue. The OP ran an 'open relay' tester against his server. The 'error' that you are talking about is actually a report of a PASSED test, namely the OP's server refused to relay mail from an unauthenticated, non-local sender to a foreign domain.

The OP was concerned about the second result I quoted which was a test that failed.

I don't think his MTA is misconfigured at all.

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From sonidhaval at gmail.com Mon Jul 12 10:10:09 2010
From: sonidhaval at gmail.com (Dhaval Soni)
Date: Mon Jul 12 10:10:18 2010
Subject: How to add POP authentication with MailWatch and MailScanner?
Message-ID:

Dear All,

I have configured MailScanner and Mailwatch as a MS web interface. Is it possible to add POP authentication in Mailwatch, Instead of creating new users? How to do it?

Thank you,
--
Kind regards,
Dhaval Soni
Red Hat Certified Architect
ID: 804 007 900 325 939
M: +91-9662029620

From nick at inticon.net.au Mon Jul 12 10:39:33 2010
From: nick at inticon.net.au (Nick Brown)
Date: Mon Jul 12 10:39:55 2010
Subject: How to add POP authentication with MailWatch and MailScanner?
In-Reply-To:
References:
Message-ID: <009001cb21a6$22c03260$68409720$@net.au>

> Dear All,
>
> I have configured MailScanner and Mailwatch as a MS web interface. Is it possible to add POP authentication in Mailwatch, Instead of creating new users? How to do it?

Probably better suited for the MailWatch list, however we developed our own frontend making use of the MW DB and custom function scripts, however doing an IMAP authenticate, creating a MW "user" on first login if required. If you have multiple servers check out Perdition.

Rgds
Nick.

From jplorier at montecarlotv.com.uy Mon Jul 12 20:04:52 2010
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Mon Jul 12 20:05:35 2010
Subject: I need help, I'm been blacklisted
In-Reply-To: <201007121103.o6CB1Q1m014822@safir.blacknight.ie>
References: <201007121103.o6CB1Q1m014822@safir.blacknight.ie>
Message-ID: <1278961492.2796.761.camel@localhost>

Hi everybody,

First of all, thanks for trying to help. I still don't have a clue of what is going on, but one of the 3 servers that was blocking us is letting us pass now.
For you to have some extra info, I can send you the header of a bounced mail and the "reason" for it was bounced.

Return-path:
Recibido: from localhost (localhost) by correo.montecarlotv.com.uy (8.13.8/8.13.8) id o6CCtUvS029759; Mon, 12 Jul 2010 09:55:30 -0300
Fecha: 12/07/10 09:55:30
De: Mail Delivery Subsystem
Para: Juan Pablo Lorier
Message-id: <201007121255.o6CCtUvS029759@correo.montecarlotv.com.uy>
Asunto: Returned mail: see transcript for details
Auto-submitted: auto-generated (failure)
Mime-version: 1.0
Content-type: multipart/report; report-type="delivery-status"; boundary="o6CCtUvS029759.1278939330/correo.montecarlotv.com.uy"
X-evolution-source: imap://xxxx@correo.montecarlotv.com.uy/

Original-Envelope-Id: 1278939151.2796.725.camel@localhost
Reporting-MTA: dns; correo.montecarlotv.com.uy
Received-From-MTA: dns; localhost.localdomain
Arrival-Date: Mon, 12 Jul 2010 09:52:49 -0300

Final-Recipient: rfc822; xxxx@uy.nestle.com
X-Actual-Recipient: RFC822; xxxx@uy.nestle.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; amsmail6.nestle.com
Diagnostic-Code: SMTP; 554 Transaction Failed. Spam Message not queued.
Last-Attempt-Date: Mon, 12 Jul 2010 09:55:30 -0300

What is bugging me is that it just started without any strange change in the server (just changed the server for a virtual one with a more up to date MS and spf in spamassassin) and a DNS record so I can do round robin between 2 of my public ips (to have link failure tolerance) and it seems to be fixing on its own.
I also want to understand if I have something misconfigured in my gateway and that's why it validated recipients that don't exist in the mail server.

Regards,

PS: I have tons of errors in my dns log trying to reach spamhaus and other blacklist providers:

network unreachable resolving '0.100.88.71.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:1#53: 1 Time(s)
network unreachable resolving '0.100.88.71.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:2#53: 1 Time(s)
network unreachable resolving '0.110.20.24.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:2#53: 1 Time(s)
network unreachable resolving '0.113.49.188.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:2#53: 1 Time(s)
network unreachable resolving '0.115.132.88.in-addr.arpa/PTR/IN': 2001:dc0:1:0:4777::140#53: 1 Time(s)
network unreachable resolving '0.124.110.88.in-addr.arpa/PTR/IN': 2001:6b0:7::2#53: 1 Time(s)
network unreachable resolving '0.124.110.88.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:1#53: 1 Time(s)
network unreachable resolving '0.15.90.64.zen.spamhaus.org/A/IN': 2001:7b8:3:1f:0:2:53:2#53: 1 Time(s)
network unreachable resolving '0.17.172.89.in-addr.arpa/PTR/IN': 2001:610:240:0:53::3#53: 1 Time(s)
network unreachable resolving '0.17.172.89.in-addr.arpa/PTR/IN': 2001:dc0:2001:a:4608::59#53: 1 Time(s)

As well as many other fqdn (I think that it might be due to the server is trying send a reply to the forged senders).
Thanks a lot to everyone.
Regards,

From mark at msapiro.net Tue Jul 13 16:54:39 2010
From: mark at msapiro.net (Mark Sapiro) Date: Tue Jul 13 16:54:51 2010 Subject: I need help, I'm been blacklisted In-Reply-To: <1278961492.2796.761.camel@localhost> References: <201007121103.o6CB1Q1m014822@safir.blacknight.ie> <1278961492.2796.761.camel@localhost> Message-ID: <4C3C8C3F.5080900@msapiro.net> On 11:59 AM, Juan Pablo Lorier wrote: > > > Hi everybody, > > First of all, thanks for trying to help. I still don't have a clue of what is going on, but one of the 3 servers that was bloking us is letting us pass now. > For you to have some extra info, I can send you the header of a bounced mail and the "reason" for it was bounced. > > Return-path: > > Recibido: from localhost (localhost) by correo.montecarlotv.com.uy > (8.13.8/8.13.8) id o6CCtUvS029759; Mon, 12 Jul 2010 09:55:30 -0300 > *Fecha:* 12/07/10 09:55:30 > *De:* Mail Delivery Subsystem > > *Para:* Juan Pablo Lorier > > Message-id: <201007121255.o6CCtUvS029759@correo.montecarlotv.com.uy > > > *Asunto:* Returned mail: see transcript for details > Auto-submitted: auto-generated (failure) > Mime-version: 1.0 > Content-type: multipart/report; report-type="delivery-status"; > boundary="o6CCtUvS029759.1278939330/correo.montecarlotv.com.uy" > X-evolution-source: imap://xxxx@correo.montecarlotv.com.uy > / The above are the headers from the DSN failure report from your own MTA. They have no relevance to this issue. The headers from the message that was rejected may or may not be helpful in that they could indicate some problem such as lack of full circle DNS (see and rfc 1912) for your server. I don't know from what IP address your server actually sends, but if I look up correo.montecarlotv.com.uy in DNS I get IP's 200.40.187.18 and 200.40.139.179. Both of these IP's have full circle DNS, but the PTR records point to r200-40-187-18.su-static.anteldata.net.uy and 179.139.40.200.static.netgate.com.uy respectively. 
The fact that these are generic "IP pool" names and are not the name of your server (correo.montecarlotv.com.uy) will be considered suspicious by some ISPs. > Original-Envelope-Id: 1278939151.2796.725.camel@localhost > > Reporting-MTA: dns; correo.montecarlotv.com.uy > Received-From-MTA: dns; localhost.localdomain > Arrival-Date: Mon, 12 Jul 2010 09:52:49 -0300 > > Final-Recipient: rfc822; xxxx > @uy.nestle.com > X-Actual-Recipient: RFC822; xxxx > @uy.nestle.com > Action: failed > Status: 5.0.0 > Remote-MTA: DNS; amsmail6.nestle.com > Diagnostic-Code: SMTP; 554 Transaction Failed. Spam Message not queued. > Last-Attempt-Date: Mon, 12 Jul 2010 09:55:30 -0300 So the receiving MX at amsmail6.nestle.com refused the message for reason "Spam Message not queued." Why they think your mail is spam is something only they know and probably won't tell you - they probably consider this proprietary information that would aid spammers. If you can get the DNS PTR records for IP's 200.40.187.18 and 200.40.139.179 to point to correo.montecarlotv.com.uy, that may help. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From peter.ong at hypermediasystems.com Wed Jul 14 15:23:40 2010 
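The check Mark Sapiro describes in the reply above (full-circle DNS plus a PTR name that looks like an "IP pool" name rather than the mail host), as an added example that is not part of any message in this thread. The record tables are constructed from the names and addresses quoted in the reply; `PTR_FIXED`/`A_FIXED` are a hypothetical state after the PTR change he suggests, and the function names are illustrative.

```python
import ipaddress
import re

MAIL_HOST = "correo.montecarlotv.com.uy"

# Constructed record tables mirroring what the reply reports (not live DNS).
PTR_NOW = {
    "200.40.187.18": ["r200-40-187-18.su-static.anteldata.net.uy"],
    "200.40.139.179": ["179.139.40.200.static.netgate.com.uy"],
}
A_NOW = {
    MAIL_HOST: ["200.40.187.18", "200.40.139.179"],
    "r200-40-187-18.su-static.anteldata.net.uy": ["200.40.187.18"],
    "179.139.40.200.static.netgate.com.uy": ["200.40.139.179"],
}

# Hypothetical state after the PTR records are pointed at the mail host.
PTR_FIXED = {ip: [MAIL_HOST] for ip in PTR_NOW}
A_FIXED = {MAIL_HOST: list(PTR_NOW)}


def _norm(name):
    return name.rstrip(".").lower()


def confirmed_names(ip, ptr, a):
    """PTR names for ip whose own A records include ip (full-circle DNS)."""
    return [n for n in ptr.get(ip, []) if ip in a.get(_norm(n), [])]


def looks_generic(name, ip):
    """True if the host name embeds the four octets of ip, in forward or
    reversed order, which is the usual shape of an ISP address-pool name."""
    octets = [str(int(o)) for o in ip.split(".")]
    groups = [str(int(g)) for g in re.findall(r"\d+", name)]
    for run in (octets, octets[::-1]):
        if any(groups[i:i + 4] == run for i in range(len(groups) - 3)):
            return True
    return False


def assess(ip, mail_host, ptr, a):
    """Summarise how a receiving site is likely to see this sending IP."""
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    names = ptr.get(ip, [])
    confirmed = confirmed_names(ip, ptr, a)
    return {
        "ip": ip,
        "ptr": names,
        "full_circle": bool(confirmed),
        "generic_ptr": any(looks_generic(n, ip) for n in names),
        "ptr_is_mail_host": _norm(mail_host) in [_norm(n) for n in confirmed],
    }


if __name__ == "__main__":
    for label, ptr, a in (("now", PTR_NOW, A_NOW), ("fixed", PTR_FIXED, A_FIXED)):
        for ip in ptr:
            print(label, assess(ip, MAIL_HOST, ptr, a))
```
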
From: peter.ong at hypermediasystems.com (Peter Ong)
Date: Wed Jul 14 15:23:52 2010
Subject: How to singularly scan an email?
In-Reply-To: <1551874366.60941.1279117155812.JavaMail.root@mail021.dti>
Message-ID: <90526594.60943.1279117420807.JavaMail.root@mail021.dti>

Hello Everyone,

How do you single out an email to be scanned? I will explain.

In my mail server, there are many domains. Every domain except one is exempted from spamassassin. I did this in spam.whitelist.rules:

To: *@foobar.com yes # don't scan this one through spamassassin

However, there is one email inside of @foobar.com that I want scanned in spamassassin. So, I added this to the same file:

To: user@foobar.com no # but scan this one through spamassassin.

Did I do this right? Is this effectively going to scan emails going to user@foobar.com, but not for any other in @foobar.com? Thank you.

Peter

From chris at techquility.net Wed Jul 14 15:33:20 2010
From: chris at techquility.net (Chris Barber)
Date: Wed Jul 14 15:33:31 2010
Subject: How to singularly scan an email?
In-Reply-To: <90526594.60943.1279117420807.JavaMail.root@mail021.dti>
References: <1551874366.60941.1279117155812.JavaMail.root@mail021.dti> <90526594.60943.1279117420807.JavaMail.root@mail021.dti>
Message-ID: <43F62CA225017044BC84CFAF92B4333B118E29@sbsserver.Techquility.net>

>Hello Everyone,
>
>How do you single out an email to be scanned? I will explain.
>
>In my mail server, there are many domains. Every domain except one is exempted from spamassassin. I did this in spam.whitelist.rules:
>
>To: *@foobar.com yes # don't scan this one through spamassassin
>
>However, there is one email inside of @foobar.com that I want scanned in spamassassin. So, I added this to the same file:
>
>To: user@foobar.com no # but scan this one through spamassassin.
>
>Did I do this right? Is this effectively going to scan emails going to user@foobar.com, but not for any other in @foobar.com? Thank you.
>
>Peter

You have the right idea. The rules file will go down the list until it hits the first matching rule. So make sure your "To: user@foobar.com no" line is above the "To: *@foobar.com yes" line in the spam.whitelist.rules file.

Chris

From campbell at cnpapers.com Thu Jul 15 17:21:44 2010
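The first-match behaviour Chris Barber describes in the reply above, as an added example that is not part of any message in this thread and is not MailScanner's own code. It is a simplified model: `parse_ruleset` and `is_whitelisted` are illustrative names, only `To:`, `From:` and `FromOrTo:` rules with `*` wildcards and trailing `#` comments are handled, and the "appended" ordering is an assumption about how the second rule was added.

```python
import fnmatch

# Constructed rule files using the two rules from the thread.
APPENDED = """\
To: *@foobar.com yes      # don't scan this one through spamassassin
To: user@foobar.com no    # but scan this one through spamassassin
"""

REORDERED = """\
To: user@foobar.com no    # specific rule first
To: *@foobar.com yes      # wildcard rule second
"""


def parse_ruleset(text):
    """Return a list of (direction, pattern, whitelisted) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2].lower() not in ("yes", "no"):
            raise ValueError("line %d: expected 'Direction: pattern yes|no'" % lineno)
        direction = parts[0].rstrip(":").lower()
        if direction not in ("to", "from", "fromorto"):
            raise ValueError("line %d: unsupported direction %r" % (lineno, parts[0]))
        rules.append((direction, parts[1].lower(), parts[2].lower() == "yes"))
    return rules


def is_whitelisted(rules, sender, recipient, default=False):
    """Walk the rules top to bottom and return the value of the FIRST match.

    Later rules are never consulted once one has matched, which is why a
    broad wildcard placed above a specific address hides the specific rule.
    """
    sender, recipient = sender.lower(), recipient.lower()
    for direction, pattern, value in rules:
        candidates = {
            "to": [recipient],
            "from": [sender],
            "fromorto": [sender, recipient],
        }[direction]
        if pattern == "default" or any(
            fnmatch.fnmatchcase(addr, pattern) for addr in candidates
        ):
            return value
    return default


if __name__ == "__main__":
    for label, text in (("appended", APPENDED), ("reordered", REORDERED)):
        rules = parse_ruleset(text)
        for rcpt in ("user@foobar.com", "other@foobar.com"):
            skipped = is_whitelisted(rules, "sender@example.org", rcpt)
            print(label, rcpt, "skips spamassassin" if skipped else "is scanned")
```
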
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 15 17:22:03 2010 Subject: OT: Moving URIBL from SA to MTA Message-ID: <4C3F3598.2000002@cnpapers.com> I could have sworn this was discussed before, but couldn't find it so: I'm considering moving URIBL to my MTA instead of scoring it in SA. A quick scan of the emails that are hitting the rule indicates all most all of them are true spam. I might be willing to accept a false positive once in a while (maybe?). I don't block email with SA RBLs other than to score them. Can anyone throw some light on their experiences with this? What do I need to add to my sendmail.mc file to enable this if I DO move it to my MTA? Thanks for any help Steve Campbell From alex at rtpty.com Thu Jul 15 17:29:54 2010 
From: alex at rtpty.com (Alex Neuman) Date: Thu Jul 15 17:30:06 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F3598.2000002@cnpapers.com> References: <4C3F3598.2000002@cnpapers.com> Message-ID: <5610DFA3-727F-446F-8C5A-00C9EDF0CCF6@rtpty.com> You may need a milter for that, since URIBL blocks URIs and not IP addresses or domains, am I correct? On Jul 15, 2010, at 11:21 AM, Steve Campbell wrote: > I could have sworn this was discussed before, but couldn't find it so: > > I'm considering moving URIBL to my MTA instead of scoring it in SA. A quick scan of the emails that are hitting the rule indicates all most all of them are true spam. I might be willing to accept a false positive once in a while (maybe?). I don't block email with SA RBLs other than to score them. > > Can anyone throw some light on their experiences with this? > > What do I need to add to my sendmail.mc file to enable this if I DO move it to my MTA? > > Thanks for any help > > Steve Campbell From steve.freegard at fsl.com Thu Jul 15 17:34:02 2010
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jul 15 17:34:16 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F3598.2000002@cnpapers.com> References: <4C3F3598.2000002@cnpapers.com> Message-ID: <4C3F387A.8030606@fsl.com> On 15/07/10 17:21, Steve Campbell wrote: > I could have sworn this was discussed before, but couldn't find it so: > > I'm considering moving URIBL to my MTA instead of scoring it in SA. A > quick scan of the emails that are hitting the rule indicates all most > all of them are true spam. I might be willing to accept a false positive > once in a while (maybe?). I don't block email with SA RBLs other than to > score them. > > Can anyone throw some light on their experiences with this? Sure - all of FSL customers do this. We've had the occasional FP; but doing it at the SMTP level ensures that any issues are mitigated (e.g. the sender gets a bounce). > What do I need to add to my sendmail.mc file to enable this if I DO move > it to my MTA? You'll need a milter such as milter-link to do this in Sendmail. Kind regards, Steve. From ms-list at alexb.ch Thu Jul 15 18:01:16 2010 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 15 18:01:24 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F387A.8030606@fsl.com> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> Message-ID: <4C3F3EDC.1060203@alexb.ch> On 2010-07-15 18:34, Steve Freegard wrote: > On 15/07/10 17:21, Steve Campbell wrote: >> I could have sworn this was discussed before, but couldn't find it so: >> >> I'm considering moving URIBL to my MTA instead of scoring it in SA. A >> quick scan of the emails that are hitting the rule indicates all most >> all of them are true spam. I might be willing to accept a false positive >> once in a while (maybe?). I don't block email with SA RBLs other than to >> score them. >> >> Can anyone throw some light on their experiences with this? > > Sure - all of FSL customers do this. We've had the occasional FP; but > doing it at the SMTP level ensures that any issues are mitigated (e.g. > the sender gets a bounce). > >> What do I need to add to my sendmail.mc file to enable this if I DO move >> it to my MTA? > > You'll need a milter such as milter-link to do this in Sendmail. If you want to be on the safer side, I'd recommend using milter-link with Spamhaus' DBL and multi.surbl.og/64 which is JP only - the safest of the various SURBL zones. An often forgotten/unmentioned option is getting an invaluement.com datafeed and run a local rbldnsd. Alex From alex at rtpty.com Thu Jul 15 18:10:01 2010 From: alex at rtpty.com (Alex Neuman) Date: Thu Jul 15 18:10:14 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F3EDC.1060203@alexb.ch> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> Message-ID: <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> Just in case anyone is considering it, are there any free alternatives? On Jul 15, 2010, at 12:01 PM, Alex Broens wrote: > milter-link From steve.freegard at fsl.com Thu Jul 15 18:44:36 2010 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jul 15 18:44:54 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> Message-ID: <4C3F4904.1010607@fsl.com> On 15/07/10 18:10, Alex Neuman wrote: > Just in case anyone is considering it, are there any free alternatives? > > On Jul 15, 2010, at 12:01 PM, Alex Broens wrote: > >> milter-link > Well a quick Google turned up: http://email.uoa.gr/projects/sendmail/URI-milter/index.php Or if you're feeling particularly brave - I wrote this ages ago: http://www.fsl.com/support/milter-uri.pl Regards, Steve. From campbell at cnpapers.com Thu Jul 15 18:52:15 2010 From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 15 18:52:28 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> Message-ID: <4C3F4ACF.5080908@cnpapers.com> Yep, that was going to be my next question. For one thing, I've not got Sendmail 8.14 running, I've got an older Cento 3 mailserver, and I'm already running an older libmilter (1.3 I think) and using milter-limit. So this sounds like a lot of work for me to run milter-link. We've (I've) got plans for upgrades next year, but I keep hearing that tight wallet slapping shut around here lately, so that may not happen either. Newspapers are really struggling lately (course this one here has always said that). Anyway, thanks for all the replies. steve On 7/15/2010 1:10 PM, Alex Neuman wrote: > Just in case anyone is considering it, are there any free alternatives? > > On Jul 15, 2010, at 12:01 PM, Alex Broens wrote: > > >> milter-link >> > From steve.freegard at fsl.com Thu Jul 15 18:58:21 2010 
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jul 15 18:58:33 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F4ACF.5080908@cnpapers.com> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> <4C3F4ACF.5080908@cnpapers.com> Message-ID: <4C3F4C3D.5030201@fsl.com> On 15/07/10 18:52, Steve Campbell wrote: > Yep, that was going to be my next question. > > For one thing, I've not got Sendmail 8.14 running, I've got an older > Cento 3 mailserver, and I'm already running an older libmilter (1.3 I > think) and using milter-limit. > milter-link does not require Sendmail 8.14 to run; I've used it on 8.12 and 8.13 just fine. Regards, Steve. From campbell at cnpapers.com Thu Jul 15 19:12:04 2010 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 15 19:12:18 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F4904.1010607@fsl.com> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> <4C3F4904.1010607@fsl.com> Message-ID: <4C3F4F74.1010201@cnpapers.com> On 7/15/2010 1:44 PM, Steve Freegard wrote: > On 15/07/10 18:10, Alex Neuman wrote: >> Just in case anyone is considering it, are there any free alternatives? >> >> On Jul 15, 2010, at 12:01 PM, Alex Broens wrote: >> >>> milter-link >> > > Well a quick Google turned up: > > http://email.uoa.gr/projects/sendmail/URI-milter/index.php > > Or if you're feeling particularly brave - I wrote this ages ago: > > http://www.fsl.com/support/milter-uri.pl > > Regards, > Steve. Steve, I found that one you wrote on my first google trip, didn't find the other one. I gathered that your's was a work-in-progress. I also thought that I'd have to update libmilter to get milter-link to work. It didn't list the older Centos 3 stuff as being suitable. What's your reason for not using your milter? steve From stackerhush at gmail.com Thu Jul 15 20:49:57 2010 From: stackerhush at gmail.com (Stacker Hush) Date: Thu Jul 15 20:50:11 2010 Subject: how to mantain in quarantine Message-ID: <001d01cb2456$e90b2440$bb216cc0$@com> Hello to all, I wat to have my emails quarantined saved for long time period. How to configure mailscanner to retain the quarantined emails if i disable the clean.quarantine script? Thanks, Stacker -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100715/1a437c24/attachment.html From ms-list at alexb.ch Thu Jul 15 21:02:41 2010 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 15 21:02:48 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> Message-ID: <4C3F6961.6020606@alexb.ch> On 2010-07-15 19:10, Alex Neuman wrote: > Just in case anyone is considering it, are there any free alternatives? SteveF mentioned some, but none of them compares with milter-link's features which makes it worth every penny & more (considering its a site license makes it even more appealing) Support and development is very active and Anthony is always receptive to feature requests (after some sweet talking and consultation with his guru :-) Alex PS: I don't own Snertsoft stock - I'm just a happy user. From ecasarero at gmail.com Thu Jul 15 21:05:14 2010 From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Jul 15 21:05:45 2010 Subject: how to mantain in quarantine In-Reply-To: <001d01cb2456$e90b2440$bb216cc0$@com> References: <001d01cb2456$e90b2440$bb216cc0$@com> Message-ID: 2010/7/15 Stacker Hush > Hello to all, > > > > > > I wat to have my emails quarantined saved for long time period. How to > configure mailscanner to retain the quarantined emails if i disable the > clean.quarantine script? > Perhaps you should look the Archiving options, and disable the clean.quarantine script. > > > Thanks, > > Stacker From MailScanner at ecs.soton.ac.uk Thu Jul 15 21:07:19 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field) Date: Thu Jul 15 21:07:35 2010 Subject: how to mantain in quarantine In-Reply-To: <001d01cb2456$e90b2440$bb216cc0$@com> References: <001d01cb2456$e90b2440$bb216cc0$@com> <4C3F6A77.1000200@ecs.soton.ac.uk> Message-ID: If you disable the clean.quarantine cron job, then nothing will delete anything from the quarantine except you. If you are on a Linux system, you will find the clean.quarantine in /etc/cron.daily. On 15/07/2010 20:49, Stacker Hush wrote: > > Hello to all, > > I wat to have my emails quarantined saved for long time period. How > to configure mailscanner to retain the quarantined emails if i disable > the clean.quarantine script? > > Thanks, > > Stacker > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Follow me at twitter.com/JulesFM -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From stackerhush at gmail.com Thu Jul 15 21:11:38 2010 
From: stackerhush at gmail.com (Stacker Hush)
Date: Thu Jul 15 21:11:54 2010
Subject: RES: how to mantain in quarantine
In-Reply-To:
References: <001d01cb2456$e90b2440$bb216cc0$@com>
Message-ID: <003201cb2459$f1033680$d309a380$@com>

I have disabled clean.quarantine but the emails quarantined after a period like 6 months are still in mailwatch but I can't access the quarantined email to view its contents.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Eduardo Casarero
Sent: Thursday, July 15, 2010 17:05
To: MailScanner discussion
Subject: Re: how to mantain in quarantine

2010/7/15 Stacker Hush

Hello to all,

I want to have my quarantined emails saved for a long time period. How to configure mailscanner to retain the quarantined emails if I disable the clean.quarantine script?

Perhaps you should look the Archiving options, and disable the clean.quarantine script.

Thanks,
Stacker

From alex at rtpty.com Fri Jul 16 00:52:05 2010
From: alex at rtpty.com (Alex Neuman) Date: Fri Jul 16 00:52:20 2010 Subject: OT: Moving URIBL from SA to MTA In-Reply-To: <4C3F6961.6020606@alexb.ch> References: <4C3F3598.2000002@cnpapers.com> <4C3F387A.8030606@fsl.com> <4C3F3EDC.1060203@alexb.ch> <1695B7DA-79EB-4118-AF68-BB20A8330850@rtpty.com> <4C3F6961.6020606@alexb.ch> Message-ID: <44B4FDFA-69F9-49D6-88CB-FC797063E23E@rtpty.com> Namesake, I don't mean to imply you have any interests in Snert - in fact, I've had clients buy their software when necessary because it's - I concur with you - worth every penny and more. It's just that there may be people who need a free solution while they get additional funding. I've been in that situation before! Cheers, On Jul 15, 2010, at 3:02 PM, Alex Broens wrote: > On 2010-07-15 19:10, Alex Neuman wrote: >> Just in case anyone is considering it, are there any free alternatives? > > SteveF mentioned some, but none of them compares with milter-link's features which makes it worth every penny & more (considering its a site license makes it even more appealing) > Support and development is very active and Anthony is always receptive to feature requests (after some sweet talking and consultation with his guru :-) > > Alex > > PS: I don't own Snertsoft stock - I'm just a happy user. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From R.Sterenborg at netsourcing.nl Mon Jul 19 13:40:29 2010 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Mon Jul 19 13:40:37 2010
Subject: Email detected as spam but not tagged
Message-ID: <3FBF8132AC2AA8478F6013604FECF5CB6C727210@exbp002>

Hello,

Today I got a complaint about spam email (2 messages, both have the same problem, but I imagine there might be more). I checked the email headers as received and noticed that MailScanner did not insert any lines. Then I traced its path through the logs and noticed that the message really was scanned and also determined to be spam.

In MailScanner.conf I have:

Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes

'Always Include ...' isn't a ruleset here and there are no rules that I can imagine would turn off spam tagging (there are only some custom whitelisting rules that are not relevant for the receiving domain, 'domain2' in the log).

Below is the email header with relevant Postfix/MailScanner logs. Using this information, can anyone tell me why these emails weren't tagged? If more info is needed, please let me know.
-- Rob ========= X-MimeOLE: Produced By Microsoft Exchange V6.5 Received: from mx1.domain2.local ([ip.addr]) by mx2.domain2.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:37 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_004_01CB25F7.FEAB9A80" Received: from mx3.domain1.nl ([ip.addr]) by mx1.domain2.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:12 +0200 Received: from overscan.fr (web5.overscan.com [91.121.209.115]) by mx3.domain1.nl (Postfix) with ESMTP id 1EB923AA63 for ; Sat, 17 Jul 2010 23:35:09 +0200 (CEST) Received: by overscan.fr (Postfix, from userid 33) id 1D4CDB03ECE; Sat, 17 Jul 2010 21:10:17 +0200 (CEST) Content-Class: urn:content-classes:message Subject: Account Suspension Kennisgeving, Date: Sat, 17 Jul 2010 21:10:17 +0200 Message-ID: <13074633318.26896@ans.nl> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Account Suspension Kennisgeving, thread-index: Acsl9/85tMksS1O2Spynr0L9jx6l6g== 
From: "ASN Bank" To: "Lastname, Firstname" Jul 17 23:35:09 mx3 postfix/smtpd[17888]: connect from web5.overscan.com[91.121.209.115] Jul 17 23:35:09 mx3 postfix-policyd: connection from: 127.0.0.1 port: 56607 slots: 2 of 4096 used Jul 17 23:35:09 mx3 postfix-policyd: rcpt=222839, greylist=update, host=91.121.209.115 (web5.overscan.com), from=www-data@overscan.fr, to=user@domain2.nl, size=1048 Jul 17 23:35:09 mx3 postfix/smtpd[17888]: 1EB923AA63: client=web5.overscan.com[91.121.209.115] Jul 17 23:35:09 mx3 postfix/cleanup[20990]: 1EB923AA63: hold: header Received: from overscan.fr (web5.overscan.com [91.121.209.115])??by mx3.domain1.nl (Postfix) with ESMTP id 1EB923AA63??for ; Sat, 17 Jul 2010 23:35:09 +0200 (CEST) from web5.overscan.com[91.121.209.115]; from= to= proto=ESMTP helo= Jul 17 23:35:09 mx3 postfix/cleanup[20990]: 1EB923AA63: message-id=<13074633318.26896@ans.nl> Jul 17 23:35:09 mx3 postfix/smtpd[17888]: disconnect from web5.overscan.com[91.121.209.115] Jul 17 23:35:09 mx3 MailScanner[15316]: New Batch: Scanning 1 messages, 1896 bytes Jul 17 23:35:09 mx3 MailScanner[15316]: Spam Checks: Starting Jul 17 23:35:12 mx3 MailScanner[15316]: Message 1EB923AA63.89E1B from 91.121.209.115 (www-data@overscan.fr) to domain2.nl is spam, SpamAssassin (not cached, score=5.552, vereist 5, HTML_IMAGE_ONLY_08 2.43, HTML_MESSAGE 0.00, HTML_TAG_BALA NCE_HEAD 1.37, MIME_HTML_ONLY 1.67, TW_JZ 0.08) Jul 17 23:35:12 mx3 MailScanner[15316]: Spam Checks: Found 1 spam messages Jul 17 23:35:12 mx3 MailScanner[15316]: Spam Actions: message 1EB923AA63.89E1B actions are store,deliver,header Jul 17 23:35:12 mx3 MailScanner[15316]: Spam Checks completed at 693 bytes per second Jul 17 23:35:12 mx3 MailScanner[15316]: Virus and Content Scanning: Starting Jul 17 23:35:12 mx3 MailScanner[15316]: Virus Scanning completed at 20697 bytes per second Jul 17 23:35:12 mx3 MailScanner[15316]: Requeue: 1EB923AA63.89E1B to 2E5893AA65 Jul 17 23:35:12 mx3 MailScanner[15316]: Uninfected: Delivered 1 
messages Jul 17 23:35:12 mx3 MailScanner[15316]: Virus Processing completed at 410658 bytes per second Jul 17 23:35:12 mx3 MailScanner[15316]: Batch completed at 668 bytes per second (1896 / 2) Jul 17 23:35:12 mx3 MailScanner[15316]: Batch (1 message) processed in 2.84 seconds Jul 17 23:35:12 mx3 MailScanner[15316]: Logging message 1EB923AA63.89E1B to SQL Jul 17 23:35:12 mx3 MailScanner[15316]: "Always Looked Up Last" took 0.00 seconds Jul 17 23:35:12 mx3 MailScanner[15318]: 1EB923AA63.89E1B: Logged to MailWatch SQL Jul 17 23:35:12 mx3 postfix/qmgr[32316]: 2E5893AA65: from=, size=1253, nrcpt=1 (queue active) Jul 17 23:35:12 mx3 postfix/smtp[21002]: 2E5893AA65: to=, relay=ip.addr[ip.addr]:25, delay=3.1, delays=3/0/0/0.05, dsn=2.6.0, status=sent (250 2.6.0 <13074633318.26896@ans.nl> Queued mail for delivery) Jul 17 23:35:12 mx3 postfix/qmgr[32316]: 2E5893AA65: removed From Kevin_Miller at ci.juneau.ak.us Mon Jul 19 17:15:08 2010 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Jul 19 17:15:22 2010 Subject: Email detected as spam but not tagged In-Reply-To: <3FBF8132AC2AA8478F6013604FECF5CB6C727210@exbp002> References: <3FBF8132AC2AA8478F6013604FECF5CB6C727210@exbp002> Message-ID: <4A09477D575C2C4B86497161427DD94C15B0D18637@city-exchange07> Rob Sterenborg wrote: > Below is the email header with relevant Postfix/MailScanner logs. > Using this information, can anyone tell me why these emails weren't > tagged? If more info is needed, please let me know. When I've seen this behaviour it's usually when an instance of the MTA (in my case sendmail) and MailScanner are both running. Sometimes when I do an update, the sendmail daemon will be set to start in /etc/init.d by the patch. If I don't remember to disable it again, sendmail will start and process mail w/o sending it to MailScanner. Stop all your mail processes, check the runlevels and turn any off that shouldn't be on, then restart MailScanner. HTH... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From tkutergin at googlemail.com Tue Jul 20 05:54:11 2010 
From: tkutergin at googlemail.com (Timofey Kutergin)
Date: Tue Jul 20 05:54:21 2010
Subject: possible bug in Empty() method of MessageBatch.pm
Message-ID:

Hi all,
here is a possible bug in the Empty() method:

# Return true if all the messages in the batch are deleted!
# Return false otherwise.
sub Empty {
  my $this = shift;

  my($id, $message);
  while(($id,$message) = each %{$this->{messages}}) {
    return 0 unless $message->{deleted};
  }
  return 1;
}

The problem is that if this function does return 0, it does not reset the "each" iterator, so the next loop around $this->{messages} will continue from the same position. This may manifest itself in phishing not always being detected, since the loop in ScanBatch() in SweepContent.pm exits due to the iterator not being reset.

From my point of view, more proper code would be:

# Return true if all the messages in the batch are deleted!
# Return false otherwise.
sub Empty {
  my $this = shift;
  my $res = 1;

  my($id, $message);
  while(($id,$message) = each %{$this->{messages}}) {
    $res = 0 unless $message->{deleted};
  }
  return $res;
}

So the iterator resets itself after completing the cycle.

Am I terribly wrong?

Regards
Timofey

From R.Sterenborg at netsourcing.nl Tue Jul 20 16:28:08 2010
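Added example (not part of Timofey Kutergin's post and not MailScanner code): a stand-alone Perl script showing the each() iterator behaviour the post describes. The batch hash, the message ids and the count_visited caller are constructed for the illustration; empty_no_each is one alternative that avoids each(), not the fix proposed in the post.

```perl
#!/usr/bin/perl
# Added illustration; the batch layout below is constructed, not MailScanner's.
use strict;
use warnings;

# Constructed batch: three messages, none of them deleted.
my $batch = {
    messages => {
        'AAA111' => { deleted => 0 },
        'BBB222' => { deleted => 0 },
        'CCC333' => { deleted => 0 },
    },
};

# Early-return form, as quoted in the post. Returning from inside the
# while loop leaves the hash's single internal iterator part-way through.
sub empty_early_return {
    my $this = shift;
    my ($id, $message);
    while (($id, $message) = each %{ $this->{messages} }) {
        return 0 unless $message->{deleted};
    }
    return 1;
}

# Alternative that never calls each(): values() in list context builds a
# fresh list and leaves the iterator reset, so an early return is harmless.
sub empty_no_each {
    my $this = shift;
    for my $message (values %{ $this->{messages} }) {
        return 0 unless $message->{deleted};
    }
    return 1;
}

# Hypothetical caller standing in for any later loop that walks the same
# hash with each(). It reports how many messages it actually visited.
sub count_visited {
    my $this = shift;
    my $visited = 0;
    while (my ($id, $message) = each %{ $this->{messages} }) {
        $visited++;
    }
    return $visited;
}

my $total = scalar keys %{ $batch->{messages} };

# keys() in void context resets the iterator, so each run starts clean.
keys %{ $batch->{messages} };
empty_early_return($batch);
my $seen_after_early_return = count_visited($batch);

keys %{ $batch->{messages} };
empty_no_each($batch);
my $seen_after_no_each = count_visited($batch);

printf "after early-return Empty(): caller visited %d of %d messages\n",
    $seen_after_early_return, $total;
printf "after each()-free Empty():  caller visited %d of %d messages\n",
    $seen_after_no_each, $total;
```

The caller that runs after the early-return form resumes where Empty() stopped and so misses the entry Empty() already consumed; a defensive caller can also reset the iterator itself with keys %{...} before its own each() loop.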
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Tue Jul 20 16:28:12 2010 Subject: Email detected as spam but not tagged In-Reply-To: <4A09477D575C2C4B86497161427DD94C15B0D18637@city-exchange07> References: <3FBF8132AC2AA8478F6013604FECF5CB6C727210@exbp002> <4A09477D575C2C4B86497161427DD94C15B0D18637@city-exchange07> Message-ID: <3FBF8132AC2AA8478F6013604FECF5CB6C72726D@exbp002> > > Below is the email header with relevant Postfix/MailScanner > logs. > > Using this information, can anyone tell me why these emails > weren't > > tagged? If more info is needed, please let me know. > > When I've seen this behaviour it's usually when an instance of > the MTA (in my case sendmail) and MailScanner are both running. > Sometimes when I do an update, the sendmail daemon will be set > to start in /etc/init.d by the patch. If I don't remember to > disable it again, sendmail will start and process mail w/o > sending it to MailScanner. Stop all your mail processes, check > the runlevels and turn any off that shouldn't be on, then > restart MailScanner. Thanks for your response. AFAICS that shouldn't happen here. MS/PF are, of course, normally running. When performing maintenance, I start MS first, then PF. However, IMO the order shouldn't matter because when PF processes an email, it finally puts it in the HOLD queue where MS can pick it up when it's ready. So, the server will have high load if that queue builds up too much (because MS was not -yet- running), but in my experience MS just picks up the emails as they as put in the queue and process them. If there is a problem in the startup order with PF/MS: no one restarted PF or MS when the email I mentioned was processed. -- Rob From whatisee1 at yahoo.com Wed Jul 21 17:09:29 2010 
From: whatisee1 at yahoo.com (W S)
Date: Wed Jul 21 17:09:39 2010
Subject: Setting up Proxy:Port within /usr/sbin/update_bad_phishing_sites
Message-ID: <397336.65262.qm@web57612.mail.re1.yahoo.com>

Sorry folks - anyone can help me on this (Don't want to re-invent the wheel...)

Seems like my "/usr/sbin/update_bad_phishing_sites" is not functioning
[I'm not allowed to connect directly to www.mailscanner.tv:80 --- I must use Proxy:Port]
Now - I see there are some paragraphs related to Proxy settings, but what would be the proper syntax for Proxy and Port, for example my.local.proxy:1977?

###snip###
# Create a user agent object
my $ua = LWP::UserAgent->new;
$ua->agent("UpdateBadPhishingSites/0.1 ");
# Patch from Heinz.Knutzen at dataport.de
$ua->env_proxy;
###end_of_snip###

Thanks in advance,

Walter Smith

From mark at msapiro.net Wed Jul 21 18:03:39 2010
From: mark at msapiro.net (Mark Sapiro) Date: Wed Jul 21 18:03:52 2010 Subject: Email detected as spam but not tagged In-Reply-To: <3FBF8132AC2AA8478F6013604FECF5CB6C72726D@exbp002> References: <3FBF8132AC2AA8478F6013604FECF5CB6C727210@exbp002> <4A09477D575C2C4B86497161427DD94C15B0D18637@city-exchange07> <3FBF8132AC2AA8478F6013604FECF5CB6C72726D@exbp002> Message-ID: <4C47286B.2010506@msapiro.net> On 11:59 AM, Rob Sterenborg wrote: >>> Below is the email header with relevant Postfix/MailScanner >> logs. >>> Using this information, can anyone tell me why these emails >> weren't >>> tagged? If more info is needed, please let me know. I looked at your OP at , and it seems clear that MailScanner did scan this message. The first few headers at the top of the message are X-MimeOLE: Produced By Microsoft Exchange V6.5 Received: from mx1.domain2.local ([ip.addr]) by mx2.domain2.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:37 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_004_01CB25F7.FEAB9A80" Received: from mx3.domain1.nl ([ip.addr]) by mx1.domain2.local with Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:12 +0200 Received: from overscan.fr (web5.overscan.com [91.121.209.115]) by mx3.domain1.nl (Postfix) with ESMTP id 1EB923AA63 for ; Sat, 17 Jul 2010 23:35:09 +0200 (CEST) It appears that mx1.domain2.local (or possibly mx2.domain2.local) has munged the message somehow as evidenced by the MIME-Version: and Content-Type: headers inserted between the received headers at that point. Is it possible that this is also responsible for dropping the MailScanner headers? Other than that, I have no ideas. It might help to know the MailScanner version. It appears to be older than 4.78.3 because the logs show spam scanning before virus scanning -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. 
Dylan From derek.winkler at algorithmics.com Wed Jul 21 20:15:15 2010 
From: derek.winkler at algorithmics.com (derek.winkler@algorithmics.com) Date: Wed Jul 21 20:15:50 2010 Subject: Upgrade to 4.79.11 Message-ID: <52B78B63BA55B44284ACE2DE5106D61103513518@TORMAIL1.algorithmics.com> I just upgraded from 4.69.9 to 4.79.11, SA from 3.2.5 to SA 3.3.1. Everything lints fine, can't find any problems. I'm getting spam that when processed by MS scores quite low, X-Algo-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, required 4.5, autolearn=disabled, RCVD_IN_BRBL 0.50) but when tested with SA within minutes on the same server scores quite high, Content analysis details: (23.7 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.5 RCVD_IN_BRBL RBL: Received via a relay in BRBL [198.7.242.169 listed in b.barracudacentral.org] 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see ] 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [198.7.242.169 listed in bb.barracudacentral.org] 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [198.7.242.169 listed in zen.spamhaus.org] 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [198.7.242.169 listed in psbl.surriel.com] 4.5 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: erectgardiner81b.ru] 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: erectgardiner81b.ru] 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: erectgardiner81b.ru] 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist [URIs: erectgardiner81b.ru] -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: erectgardiner81b.ru] 0.0 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words 0.6 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area 0.0 HTML_MESSAGE 
BODY: HTML included in message 1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100] 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100] 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.0 T_SURBL_MULTI2 T_SURBL_MULTI2 0.0 T_SURBL_MULTI1 T_SURBL_MULTI1 Any ideas why? Using Sendmail on RHEL4. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100721/f4f5a96d/attachment.html From roy at kaldung.com Wed Jul 21 21:47:11 2010 
From: roy at kaldung.com (Roy Kaldung)
Date: Wed Jul 21 21:44:12 2010
Subject: {Spam?} Re: Setting up Proxy:Port within /usr/sbin/update_bad_phishing_sites
In-Reply-To: <397336.65262.qm@web57612.mail.re1.yahoo.com>
References: <397336.65262.qm@web57612.mail.re1.yahoo.com>
Message-ID:

On Jul 21, 2010, at 6:09 PM, W S wrote:

> Sorry folks - anyone can help me on this (Don't want to re-invent the wheel...)
>
> Seems like my "/usr/sbin/update_bad_phishing_sites" is not functioning
> [I'm not allowed to connect directly to www.mailscanner.tv:80 --- I must use Proxy:Port]
> Now - I see there are some paragraphs related to Proxy settings, but what would be the proper syntax for Proxy and Port, for example my.local.proxy:1977?
> ###snip###
> # Create a user agent object
> my $ua = LWP::UserAgent->new;
> $ua->agent("UpdateBadPhishingSites/0.1 ");
> # Patch from Heinz.Knutzen at dataport.de
> $ua->env_proxy;
> ###end_of_snip###
>
> Thanks in advance,
>
> Walter Smith

Hi,

you should set an environment variable for the proxy. Try this command:

http_proxy=http://my.local.proxy:1977/ /usr/sbin/update_bad_phishing_sites

hth,
Roy

--
Roy Kaldung
e-mail: roy@kaldung.com
http://kaldung.com/

From maxsec at gmail.com Thu Jul 22 08:42:54 2010
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jul 22 08:43:03 2010 Subject: Upgrade to 4.79.11 In-Reply-To: <52B78B63BA55B44284ACE2DE5106D61103513518@TORMAIL1.algorithmics.com> References: <52B78B63BA55B44284ACE2DE5106D61103513518@TORMAIL1.algorithmics.com> Message-ID: On 21 July 2010 20:15, wrote: > I just upgraded from 4.69.9 to 4.79.11, SA from 3.2.5 to SA 3.3.1. > > > > Everything lints fine, can?t find any problems. > > > > I?m getting spam that when processed by MS scores quite low, > > > > X-Algo-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, > > required 4.5, autolearn=disabled, RCVD_IN_BRBL 0.50) > > > > but when tested with SA within minutes on the same server scores quite > high, > > > > Content analysis details: (23.7 points, 5.0 required) > > > > pts rule name description > > ---- ---------------------- > -------------------------------------------------- > > 0.5 RCVD_IN_BRBL RBL: Received via a relay in BRBL > > [198.7.242.169 listed in > b.barracudacentral.org] > > 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net > > [Blocked - see < > http://www.spamcop.net/bl.shtml?198.7.242.169>] > > 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT > > [198.7.242.169 listed in > bb.barracudacentral.org] > > 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL > > [198.7.242.169 listed in zen.spamhaus.org] > > 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL > > [198.7.242.169 listed in psbl.surriel.com] > > 4.5 URIBL_AB_SURBL Contains an URL listed in the AB SURBL > blocklist > > [URIs: erectgardiner81b.ru] > > 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL > blocklist > > [URIs: erectgardiner81b.ru] > > 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL > blocklist > > [URIs: erectgardiner81b.ru] > > 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist > > [URIs: erectgardiner81b.ru] > > -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay > > domain > > 0.9 
SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) > > 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist > > [URIs: erectgardiner81b.ru] > > 0.0 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of > words > > 0.6 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image > area > > 0.0 HTML_MESSAGE BODY: HTML included in message > > 1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) > > 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level > > above 50% > > [cf: 100] > > 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% > > [cf: 100] > > 0.4 RDNS_DYNAMIC Delivered to internal network by host with > > dynamic-looking rDNS > > 0.0 T_SURBL_MULTI2 T_SURBL_MULTI2 > > 0.0 T_SURBL_MULTI1 T_SURBL_MULTI1 > > > > Any ideas why? > > > > Using Sendmail on RHEL4. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Derek I'd check your mailscanner is checking against the correct spamassassin and not using cruft from the old version. -- Martin Hepworth Oxford, UK -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100722/ca06af92/attachment.html From derek.winkler at algorithmics.com Thu Jul 22 15:36:13 2010 
From: derek.winkler at algorithmics.com (derek.winkler@algorithmics.com)
Date: Thu Jul 22 15:37:36 2010
Subject: Upgrade to 4.79.11
In-Reply-To:
References:
Message-ID: <52B78B63BA55B44284ACE2DE5106D61103577634@TORMAIL1.algorithmics.com>

Solved.

When running SpamAssassin debug from MailScanner,

16:34:39 Jul 21 16:34:39.138 [20343] dbg: generic: Perl 5.008005, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib

When running SpamAssassin debug from command line,

Jul 21 13:34:40.776 [23659] dbg: generic: Perl 5.008005, PREFIX=/usr, DEF_RULES_DIR=/usr/share/spamassassin, LOCAL_RULES_DIR=/etc/mail/spamassassin, LOCAL_STATE_DIR=/var/lib/spamassassin

Had to modify MailScanner.conf,

SpamAssassin Local State Dir = /var/lib

To

SpamAssassin Local State Dir = /var/lib/spamassassin

Did I jump too many versions for upgrade_MailScanner_conf to handle? Or does it need special case handling since it's commented out by default?

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of derek.winkler@algorithmics.com Sent: Wednesday, July 21, 2010 3:15 PM To: mailscanner@lists.mailscanner.info Subject: Upgrade to 4.79.11 I just upgraded from 4.69.9 to 4.79.11, SA from 3.2.5 to SA 3.3.1. Everything lints fine, can't find any problems. I'm getting spam that when processed by MS scores quite low, X-Algo-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.5, required 4.5, autolearn=disabled, RCVD_IN_BRBL 0.50) but when tested with SA within minutes on the same server scores quite high, Content analysis details: (23.7 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.5 RCVD_IN_BRBL RBL: Received via a relay in BRBL [198.7.242.169 listed in b.barracudacentral.org] 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see ] 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [198.7.242.169 listed in bb.barracudacentral.org] 0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [198.7.242.169 listed in zen.spamhaus.org] 2.7 RCVD_IN_PSBL RBL: Received via a relay in PSBL [198.7.242.169 listed in psbl.surriel.com] 4.5 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist [URIs: erectgardiner81b.ru] 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: erectgardiner81b.ru] 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: erectgardiner81b.ru] 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist [URIs: erectgardiner81b.ru] -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: erectgardiner81b.ru] 0.0 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words 0.6 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio 
of text to image area 0.0 HTML_MESSAGE BODY: HTML included in message 1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100] 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100] 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.0 T_SURBL_MULTI2 T_SURBL_MULTI2 0.0 T_SURBL_MULTI1 T_SURBL_MULTI1 Any ideas why? Using Sendmail on RHEL4. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100722/0c359cd9/attachment.html From R.Sterenborg at netsourcing.nl Thu Jul 22 16:36:50 2010 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Thu Jul 22 16:36:52 2010 Subject: Email detected as spam but not tagged In-Reply-To: <4C47286B.2010506@msapiro.net> References: <3FBF8132AC2AA8478F6013604FECF5CB6C727210@exbp002> <4A09477D575C2C4B86497161427DD94C15B0D18637@city-exchange07> <3FBF8132AC2AA8478F6013604FECF5CB6C72726D@exbp002> <4C47286B.2010506@msapiro.net> Message-ID: <3FBF8132AC2AA8478F6013604FECF5CB6C727336@exbp002> > >>> Below is the email header with relevant Postfix/MailScanner > >> logs. > >>> Using this information, can anyone tell me why these emails > >> weren't > >>> tagged? If more info is needed, please let me know. > > > I looked at your OP at > July/096286.html>, > and it seems clear that MailScanner did scan this message. Yes it did. It's just that *some* emails aren't tagged and I can't see why. > The first few headers at the top of the message are > > X-MimeOLE: Produced By Microsoft Exchange V6.5 > Received: from mx1.domain2.local ([ip.addr]) by > mx2.domain2.local with > Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:37 > +0200 > MIME-Version: 1.0 > Content-Type: multipart/alternative; > boundary="----_=_NextPart_004_01CB25F7.FEAB9A80" > Received: from mx3.domain1.nl ([ip.addr]) by mx1.domain2.local > with > Microsoft SMTPSVC(6.0.3790.1830); Sat, 17 Jul 2010 23:35:12 > +0200 > Received: from overscan.fr (web5.overscan.com [91.121.209.115]) > by > mx3.domain1.nl (Postfix) with ESMTP id 1EB923AA63 for > ; Sat, 17 Jul 2010 23:35:09 +0200 (CEST) > > It appears that mx1.domain2.local (or possibly > mx2.domain2.local) has munged the message somehow as evidenced > by the MIME-Version: and Content-Type: headers inserted between > the received headers at that point. Is it possible that this is > also responsible for dropping the MailScanner headers? Unfortunately I cannot publicly disclose the real host-/domainnames; the logs would be clearer then. Mx3 is the mailrelay which runs MS, so this host should insert the headers. 
MX1 is the receiving frontend Exchange server, mx2 is the receiving backend Exchange server.

I've checked with the Exchange admins and it seems they are also running Trend software and it could be it's doing unwanted things to the email. We're looking into that.

> Other than that, I have no ideas. It might help to know the
> MailScanner version. It appears to be older than 4.78.3 because
> the logs show spam scanning before virus scanning

Yes, it's an older version of MailScanner: 4.65.3. New relays with 4.79.11 installs are in the making but not yet finished/fully tested.

--
Rob

From stackerhush at gmail.com Fri Jul 23 16:11:48 2010
From: stackerhush at gmail.com (Stacker Hush)
Date: Fri Jul 23 16:12:04 2010
Subject: problem with quarantine
Message-ID: <016201cb2a79$6194c420$24be4c60$@com>

Hello,

I'm using the 4.79.11 version of mailscanner. I have a problem with the quarantine only retaining emails from the last 9 days.

I have pasted my .conf file into http://pastebin.com/QuNKEZR0

My clean.quarantine script has the option:

$disabled = 1

but in my quarantine dir I have only these directories (but my server has been in production for the last 60 days)

drwxrws--- 21 postfix www-data 4096 2010-07-15 16:28 20100715/
drwxrws--- 19 postfix www-data 4096 2010-07-16 18:56 20100716/
drwxrws--- 8 postfix www-data 4096 2010-07-17 22:42 20100717/
drwxrws--- 4 postfix www-data 4096 2010-07-18 00:26 20100718/
drwxrws--- 21 postfix www-data 4096 2010-07-19 16:42 20100719/
drwxrws--- 41 postfix www-data 4096 2010-07-20 23:41 20100720/
drwxrws--- 14 postfix www-data 4096 2010-07-21 18:00 20100721/
drwxrws--- 14 postfix www-data 4096 2010-07-22 17:25 20100722/
drwxrws--- 10 postfix www-data 4096 2010-07-23 11:20 20100723/

Some idea to fix this?

Thanks,
Stacker

From stef at aoc-uk.com Fri Jul 23 16:47:46 2010
From: stef at aoc-uk.com (Stef Morrell) Date: Fri Jul 23 16:48:22 2010 Subject: Bayes auto-rebuilds Message-ID: <201007231548.o6NFmEVv016142@safir.blacknight.ie> Hello, I have set in MailScanner.conf (MailScanner 4.79.11-1) the following: Rebuild Bayes Every = 86400 Wait During Bayes Rebuild = yes I'm by no means convinced, however, that the autorebuilds are happening. I've had a look in the code and think I should be seeing the following in the logs "Bayes database rebuild is due" "MailScanner child dying after Bayes rebuild" neither of which I'm seeing, whilst I am seeing other entries such as "MailScanner child dying of old age" I recently moved to a mysql bayes, which I thought might be the fly in the ointment, but now I go back over old (pre mysql) logs I find I still can't see the bayes rebuild notifications. How can I tell if this rebuild is happening? If a lack of the notifications in the log is actually a dead giveaway, then how can I get some diagnostic information to help me fix it? Running MS as a debug batch doesn't mention bayes rebuilds at all (not that I see why it should, the batch doesn't take a day to run), though spamassassin is clearly able to read and act on the stored bayes data. Cheers Stef From paul.welsh.3 at googlemail.com Fri Jul 23 22:41:49 2010 
From: paul.welsh.3 at googlemail.com (Paul Welsh) Date: Fri Jul 23 22:41:57 2010 Subject: Turn off recipient messages on file size rule Message-ID: Hi all I have mailscanner 4.74.16 acting as a relay for an MS Exchange server. Inbound and outbound mail goes via the mailscanner server. I know the current version is 4.79 so mine's a bit old but I use Postini to do the virus and spam scanning so mailscanner has spamassassin turned off and no anti-virus scanners configured. So the mail flow for outbound is Exchange -> mailscanner -> Postini. Using sendmail on the mailscanner box and sendmail uses Postini as a smart relay host. I want to restrict the size of outbound Internet email only (not inbound Internet mail, not internal mail) and mailscanner's max.message.size.rules file allows considerable granularity; more than Exchange itself, despite being able to change mail size settings in several places in Exchange and Active Directory. Anyhow, it took me a while to get it working because I didn't realise I needed to set: Dangerous Content Scanning = yes Other relevant settings: Notify Senders = yes Notify Senders Of Blocked Size Attachments = yes Size Modify Subject = no The sender gets sent sender.size.report.txt because of this setting, which is just what I want: # Set where to find the messages that are delivered to the sender, when they # sent an email containing either an error, banned content, a banned filename # or a virus infection. # These can also be the filenames of rulesets. 
Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sender Size Report = %report-dir%/sender.size.report.txt However, the recipient of the message that's too large is getting sent the contents of deleted.size.message.txt because, presumably of the following setting, even though the comments indicate that the sender gets this message: # Set where to find the message text sent to users when one of their # attachments has been deleted from a message. # These can also be the filenames of rulesets. Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Deleted Size Message Report = %report-dir%/deleted.size.message.txt Is there a way I can prevent the recipient getting sent a message? Thanks Paul From glenn at mail.txwes.edu Wed Jul 28 20:16:16 2010 From: glenn at mail.txwes.edu (Glenn) Date: Wed Jul 28 20:16:45 2010 Subject: I need help, I'm been blacklisted In-Reply-To: <1278961492.2796.761.camel@localhost> References: <201007121103.o6CB1Q1m014822@safir.blacknight.ie> <1278961492.2796.761.camel@localhost> Message-ID: <20100728191534.M97059@mail.txwes.edu> I've found this site helpful for troubleshooting e-mail blocking: http://cbl.abuseat.org/lookup.cgi -G. ---------- Original Message ----------- 
From: Juan Pablo Lorier To: mailscanner@lists.mailscanner.info Sent: Mon, 12 Jul 2010 16:04:52 -0300 Subject: RE: I need help, I'm been blacklisted > Hi everybody, > > First of all, thanks for trying to help. I still don't have a clue > of what is going on, but one of the 3 servers that was bloking us is > letting us pass now. For you to have some extra info, I can send you > the header of a bounced mail and the "reason" for it was bounced. > From sandrews at andrewscompanies.com Wed Jul 28 23:29:35 2010 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Jul 28 23:29:45 2010 Subject: I need help, I'm been blacklisted In-Reply-To: <20100728191534.M97059@mail.txwes.edu> References: <201007121103.o6CB1Q1m014822@safir.blacknight.ie> <1278961492.2796.761.camel@localhost> <20100728191534.M97059@mail.txwes.edu> Message-ID: Mxtoolbox.com as well. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Sent: Wednesday, July 28, 2010 3:16 PM To: MailScanner discussion Subject: RE: I need help, I'm been blacklisted I've found this site helpful for troubleshooting e-mail blocking: http://cbl.abuseat.org/lookup.cgi -G. ---------- Original Message ----------- 
From: Juan Pablo Lorier To: mailscanner@lists.mailscanner.info Sent: Mon, 12 Jul 2010 16:04:52 -0300 Subject: RE: I need help, I'm been blacklisted > Hi everybody, > > First of all, thanks for trying to help. I still don't have a clue > of what is going on, but one of the 3 servers that was bloking us is > letting us pass now. For you to have some extra info, I can send you > the header of a bounced mail and the "reason" for it was bounced. > From Denis.Beauchemin at USherbrooke.ca Thu Jul 29 18:56:34 2010 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jul 29 19:00:01 2010 Subject: Bug with HTML messages? Message-ID: <4C51C0D2.7090902@USherbrooke.ca> Hello, I just deployed the latest MS (4.80.10) on a fully patched RHEL 5.5 system and it is behaving strangely with HTML-only emails in Thunderbird 3.1 (didn't test others). I tested it with an email with plenty of spam content but it got delivered with a really low score: 1.5. I then tested it with the same email sent with *both* HTML and text and it got a score of 13. Could there be a problem with some Perl-HTML module? SA scoring for HTML-only email: SpamAssassin (not cached, score=1.542, requis 4.5, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 0.82, MIME_HTML_ONLY 0.72, TVD_SPACE_RATIO 0.00) SA scoring for HTML+TXT email: (not cached, score=13.313, requis 4.5, BAYES_00 -1.90, DEAR_SOMETHING 1.97, DRUGS_ERECTILE 1.99, DRUGS_ERECTILE_OBFU 1.11, DRUG_ED_CAPS 0.94, HTML_MESSAGE 0.00, KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) Am I the only one with this problem? I was also able to replicate it on a much older MS setup (v. 
4.63.2): SA scoring with HTML-only email: (not cached, score=12.639, requis 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) SA scoring with HTML+TXT email: (not cached, score=7.181, requis 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) The output from MailScanner --version on the newest server: Running on Linux smtpe3.usherbrooke.ca 2.6.18-194.8.1.el5PAE #1 SMP Wed Jun 23 11:16:22 EDT 2010 i686 i686 i386 GNU/Linux This is Red Hat Enterprise Linux Server release 5.5 (Tikanga) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.80.10 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.04 Carp 1.42 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.121_08 Data::Dumper 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.20 File::Temp 0.90 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.05 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.03 MIME::QuotedPrint 5.427 MIME::Tools 0.13 Net::CIDR 1.25 Net::IP 0.16 OLE::Storage_Lite 1.04 Pod::Escapes 3.05 Pod::Simple 1.09 POSIX 1.21 Scalar::Util 1.78 Socket 2.16 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.26 Test::Pod 0.86 Test::Simple 1.9717 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.39_01 Archive::Tar 0.23 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.814 DB_File 1.25 DBD::SQLite 1.607 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.00 Encode::Detect 0.17008 Error 0.18 ExtUtils::CBuilder 2.18 ExtUtils::ParseXS 2.38 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country missing 
Mail::ClamAV 3.003001 Mail::SpamAssassin v2.004 Mail::SPF 1.999001 Mail::SPF::Query 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.65 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable 0.33 Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.64 Test::Harness 0.95 Test::Manifest 1.98 Text::Balanced 1.35 URI 0.7203 version 0.62 YAML Thanks! Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From Denis.Beauchemin at USherbrooke.ca Thu Jul 29 19:07:21 2010 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jul 29 19:07:55 2010 Subject: Bug with HTML messages? In-Reply-To: <4C51C0D2.7090902@USherbrooke.ca> References: <4C51C0D2.7090902@USherbrooke.ca> Message-ID: <4C51C359.6000206@USherbrooke.ca> Oops, I switched those 2: > SA scoring with HTML-only email: (not cached, score=12.639, requis > 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, > DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, > KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) > > SA scoring with HTML+TXT email: (not cached, score=7.181, requis 4.5, > DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, > MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) > SA scoring with HTML+TXT email: (not cached, score=12.639, requis 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) SA scoring with HTML-only email: (not cached, score=7.181, requis 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From ms-list at alexb.ch Thu Jul 29 19:57:38 2010 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 29 19:57:46 2010 Subject: Bug with HTML messages? In-Reply-To: <4C51C359.6000206@USherbrooke.ca> References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> Message-ID: <4C51CF22.7030001@alexb.ch> On 2010-07-29 20:07, Denis Beauchemin wrote: > Oops, I switched those 2: > >> SA scoring with HTML-only email: (not cached, score=12.639, requis >> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >> >> SA scoring with HTML+TXT email: (not cached, score=7.181, requis 4.5, >> DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >> > > SA scoring with HTML+TXT email: (not cached, score=12.639, requis 4.5, > autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, > DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, > KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) > > SA scoring with HTML-only email: (not cached, score=7.181, requis 4.5, > DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, > MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) > you are not feeding it consistent content. where is the problem? get a real spam which was tagged as spam and dumped in your quarantine. feed that to spamassassin (without MS), is the result consistent? if not, it's usually due to MS's msg chunk settings From Denis.Beauchemin at USherbrooke.ca Thu Jul 29 20:04:37 2010 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jul 29 20:05:05 2010 Subject: Bug with HTML messages? In-Reply-To: <4C51CF22.7030001@alexb.ch> References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> <4C51CF22.7030001@alexb.ch> Message-ID: <4C51D0C5.3060501@USherbrooke.ca> On 2010-07-29 14:57, Alex Broens wrote: > On 2010-07-29 20:07, Denis Beauchemin wrote: >> Oops, I switched those 2: >> >>> SA scoring with HTML-only email: (not cached, score=12.639, requis >>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>> >>> SA scoring with HTML+TXT email: (not cached, score=7.181, requis >>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>> >> >> SA scoring with HTML+TXT email: (not cached, score=12.639, requis >> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >> >> SA scoring with HTML-only email: (not cached, score=7.181, requis >> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >> > > you are not feeding it consistent content. > where is the problem? > > get a real spam which was tagged as spam and dumped in your quarantine. > feed that to spamassassin (without MS), is the result consistent? > > if not, it's usually due to MS's msg chunk settings > > Alex, When I feed the emails to SA they get scored much higher than through MS. My point is that an HTML-only email with quite common spam words are not being scored, while an HTML+TXT email with the same spam words get scored. This looks quite suspicious to me. Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. 
T: 819.821.8000x62252 F: 819.821.8045 From johnnyb at marlboro.edu Thu Jul 29 20:33:37 2010 From: johnnyb at marlboro.edu (John Baker) Date: Thu Jul 29 20:34:08 2010 Subject: Scam Nailer failures Message-ID: <4C51D791.10602@marlboro.edu> Hi, I realized today that I'd never updated from the old Spear Phishing to Scamnailer so I downloaded and ran it. It seems to be ok except for a bunch of failures like this: "Failed to retrieve http://www.mailscanner.tv/emails.2010-304.26 at ./ScamNailer-2.09 line 276." Basically emails.2010-304.26 - emails.2010-304.48 failed while the first 25 worked ok. Is something wrong on on http://www.mailscanner.tv/ or am I missing something? Thanks, John -- John Baker Network Systems Administrator Marlboro College Phone: 451-7551 Cell: 451-6748 From maxsec at gmail.com Thu Jul 29 20:51:16 2010 
From: maxsec at gmail.com (Martin Hepworth) Date: Thu Jul 29 20:51:25 2010 Subject: Bug with HTML messages? In-Reply-To: <4C51D0C5.3060501@USherbrooke.ca> References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> <4C51CF22.7030001@alexb.ch> <4C51D0C5.3060501@USherbrooke.ca> Message-ID: Denis make sure MS "Run as User" can see all the rules etc. I presume you're testing the SA scores with the same user as MS is running as. Martin 2010/7/29 Denis Beauchemin > > > On 2010-07-29 14:57, Alex Broens wrote: > > On 2010-07-29 20:07, Denis Beauchemin wrote: >> >>> Oops, I switched those 2: >>> >>> SA scoring with HTML-only email: (not cached, score=12.639, requis 4.5, >>>> autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, KAM_VIAGRA1 >>>> 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>>> >>>> SA scoring with HTML+TXT email: (not cached, score=7.181, requis 4.5, >>>> DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>>> >>>> >>> SA scoring with HTML+TXT email: (not cached, score=12.639, requis 4.5, >>> autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, KAM_VIAGRA1 >>> 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>> >>> SA scoring with HTML-only email: (not cached, score=7.181, requis 4.5, >>> DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>> >>> >> you are not feeding it consistent content. >> where is the problem? >> >> get a real spam which was tagged as spam and dumped in your quarantine. >> feed that to spamassassin (without MS), is the result consistent? >> >> if not, it's usually due to MS's msg chunk settings >> >> >> > Alex, > > When I feed the emails to SA they get scored much higher than through MS. 
> > My point is that an HTML-only email with quite common spam words are not > being scored, while an HTML+TXT email with the same spam words get scored. > This looks quite suspicious to me. > > > Denis > > -- > Denis Beauchemin, analyst > Université de Sherbrooke, S.T.I. > T: 819.821.8000x62252 F: 819.821.8045 > -- Martin Hepworth Oxford, UK From jplorier at montecarlotv.com.uy Thu Jul 29 20:52:47 2010 
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier) Date: Thu Jul 29 20:53:49 2010 Subject: I need help, I'm been blacklisted In-Reply-To: <201007291102.o6TB0RkH009755@safir.blacknight.ie> References: <201007291102.o6TB0RkH009755@safir.blacknight.ie> Message-ID: <1280433167.7184.2990.camel@localhost> Dear Glen & Steven, Thanks for your help. I'll use that for future problems. I've already managed to figure out what was my problem thanks to the help of the Mailscanner community. I had my PTR records pointing to the ISP addresses instead of my own. I had that fixed as it was suggested and the few servers that blocked us started to let us through. Thanks again to all of you, you all make us rookies to get things rolling. Regards. Juan Pablo Lorier -- All information contained in this e-mail is confidential and intended solely for its recipient. We would appreciate it if you let us know immediately if you have received this e-mail in error. In that case, please refrain from using it in any way and delete it from your system immediately. From Denis.Beauchemin at USherbrooke.ca Thu Jul 29 20:56:30 2010 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Jul 29 20:56:49 2010 Subject: Bug with HTML messages? In-Reply-To: References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> <4C51CF22.7030001@alexb.ch> <4C51D0C5.3060501@USherbrooke.ca> Message-ID: <4C51DCEE.2050703@USherbrooke.ca> On 2010-07-29 15:51, Martin Hepworth wrote: > Denis > > make sure MS "Run as User" can see all the rules etc. > > I presume you're testing the SA scores with the same user as MS is > running as. > > Martin Hi Martin, Yes, run as user = root and I am also testing as root. Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From spamlists at coders.co.uk Thu Jul 29 21:16:27 2010 From: spamlists at coders.co.uk (Matt) Date: Thu Jul 29 21:16:37 2010 Subject: Scam Nailer failures In-Reply-To: <4C51D791.10602@marlboro.edu> References: <4C51D791.10602@marlboro.edu> Message-ID: <4C51E19B.7020502@coders.co.uk> On 29/07/2010 20:33, John Baker wrote: > Hi, > > I realized today that I'd never updated from the old Spear Phishing to > Scamnailer so I downloaded and ran it. It seems to be ok except for a > bunch of failures like this: "Failed to retrieve > http://www.mailscanner.tv/emails.2010-304.26 at ./ScamNailer-2.09 line > 276." Basically emails.2010-304.26 - emails.2010-304.48 failed while > the first 25 worked ok. Is something wrong on on > http://www.mailscanner.tv/ or am I missing something? > > Thanks, > > John > Can you try again? matt From chris at techquility.net Thu Jul 29 21:36:18 2010 
From: chris at techquility.net (Chris Barber) Date: Thu Jul 29 21:36:34 2010 Subject: Scam Nailer failures In-Reply-To: <4C51E19B.7020502@coders.co.uk> References: <4C51D791.10602@marlboro.edu> <4C51E19B.7020502@coders.co.uk> Message-ID: <43F62CA225017044BC84CFAF92B4333B118F25@sbsserver.Techquility.net> > On 29/07/2010 20:33, John Baker wrote: >> Hi, >> >> I realized today that I'd never updated from the old Spear Phishing to >> Scamnailer so I downloaded and ran it. It seems to be ok except for a >> bunch of failures like this: "Failed to retrieve >> http://www.mailscanner.tv/emails.2010-304.26 at ./ScamNailer-2.09 line >> 276." Basically emails.2010-304.26 - emails.2010-304.48 failed while >> the first 25 worked ok. Is something wrong on on >> http://www.mailscanner.tv/ or am I missing something? >> >> Thanks, >> >> John >> >Can you try again? > >matt I am having the same issues with the Spear.Phishing.Rules file. Errors saying: Failed to retrieve http://www.mailscanner.tv/emails.2010-304.42 at /ninjacustom/scripts/Spear.Phishing.Rules.v2.03 line 323. John: What do you mean by upgrading to Scamnailer? Should I not be using the Spear.Phishing.Rules file anymore? Thanks, Chris From spamlists at coders.co.uk Thu Jul 29 21:43:51 2010 
From: spamlists at coders.co.uk (Matt) Date: Thu Jul 29 21:44:02 2010 Subject: Scam Nailer failures In-Reply-To: <43F62CA225017044BC84CFAF92B4333B118F25@sbsserver.Techquility.net> References: <4C51D791.10602@marlboro.edu> <4C51E19B.7020502@coders.co.uk> <43F62CA225017044BC84CFAF92B4333B118F25@sbsserver.Techquility.net> Message-ID: <4C51E807.2080003@coders.co.uk> On 29/07/2010 21:36, Chris Barber wrote: > > I am having the same issues with the Spear.Phishing.Rules file. > Errors saying: > Failed to retrieve http://www.mailscanner.tv/emails.2010-304.42 at > /ninjacustom/scripts/Spear.Phishing.Rules.v2.03 line 323. > OK - I have found the issue - it will take a while for the DNS to update with the new update files. matt From johnnyb at marlboro.edu Thu Jul 29 21:56:15 2010 
From: johnnyb at marlboro.edu (John Baker) Date: Thu Jul 29 21:56:44 2010 Subject: Scam Nailer failures In-Reply-To: <43F62CA225017044BC84CFAF92B4333B118F25@sbsserver.Techquility.net> References: <4C51D791.10602@marlboro.edu> <4C51E19B.7020502@coders.co.uk> <43F62CA225017044BC84CFAF92B4333B118F25@sbsserver.Techquility.net> Message-ID: <4C51EAEF.6030905@marlboro.edu> Chris Barber wrote: >> On 29/07/2010 20:33, John Baker wrote: >> >>> Hi, >>> >>> I realized today that I'd never updated from the old Spear Phishing >>> > to > >>> Scamnailer so I downloaded and ran it. It seems to be ok except for a >>> bunch of failures like this: "Failed to retrieve >>> http://www.mailscanner.tv/emails.2010-304.26 at ./ScamNailer-2.09 >>> > line > >>> 276." Basically emails.2010-304.26 - emails.2010-304.48 failed while >>> the first 25 worked ok. Is something wrong on on >>> http://www.mailscanner.tv/ or am I missing something? >>> >>> Thanks, >>> >>> John >>> >>> >> Can you try again? >> >> matt >> > > I am having the same issues with the Spear.Phishing.Rules file. > Errors saying: > Failed to retrieve http://www.mailscanner.tv/emails.2010-304.42 at > /ninjacustom/scripts/Spear.Phishing.Rules.v2.03 line 323. > > John: What do you mean by upgrading to Scamnailer? Should I not be using > the Spear.Phishing.Rules file anymore? > > Thanks, > Chris > Hi, I just realized that my spear phishing file I had in cron.daily was pretty old so I went looking to see if there was a new one and found that Jules blog where it was linked to said it was now hosted at ScamNailer which appeared to be a newer version of the same thing. So I assume it's a replacement and that Spear Phishing can go. -- John Baker Network Systems Administrator Marlboro College Phone: 451-7551 Cell: 451-6748 From ms-list at alexb.ch Thu Jul 29 22:09:04 2010 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 29 22:09:11 2010 Subject: Bug with HTML messages? In-Reply-To: <4C51D0C5.3060501@USherbrooke.ca> References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> <4C51CF22.7030001@alexb.ch> <4C51D0C5.3060501@USherbrooke.ca> Message-ID: <4C51EDF0.3040207@alexb.ch> On 2010-07-29 21:04, Denis Beauchemin wrote: > > > On 2010-07-29 14:57, Alex Broens wrote: >> On 2010-07-29 20:07, Denis Beauchemin wrote: >>> Oops, I switched those 2: >>> >>>> SA scoring with HTML-only email: (not cached, score=12.639, requis >>>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>>> >>>> SA scoring with HTML+TXT email: (not cached, score=7.181, requis >>>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>>> >>> >>> SA scoring with HTML+TXT email: (not cached, score=12.639, requis >>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>> >>> SA scoring with HTML-only email: (not cached, score=7.181, requis >>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>> >> >> you are not feeding it consistent content. >> where is the problem? >> >> get a real spam which was tagged as spam and dumped in your quarantine. >> feed that to spamassassin (without MS), is the result consistent? >> >> if not, it's usually due to MS's msg chunk settings >> >> > > Alex, > > When I feed the emails to SA they get scored much higher than through MS. > > My point is that an HTML-only email with quite common spam words are not > being scored, while an HTML+TXT email with the same spam words get > scored. 
This looks quite suspicious to me. > > Denis > what are your MS "chunk" settings? are you sure MS is sending the full message to SA? pls post the sample message you're using in pastebin so ppl can try to reproduce. Alex From Denis.Beauchemin at USherbrooke.ca Fri Jul 30 02:14:14 2010 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Jul 30 02:14:33 2010 Subject: Bug with HTML messages? In-Reply-To: <4C51EDF0.3040207@alexb.ch> References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> <4C51CF22.7030001@alexb.ch> <4C51D0C5.3060501@USherbrooke.ca> <4C51EDF0.3040207@alexb.ch> Message-ID: <4C522766.8010700@USherbrooke.ca> On 2010-07-29 17:09, Alex Broens wrote: > On 2010-07-29 21:04, Denis Beauchemin wrote: >> >> >> On 2010-07-29 14:57, Alex Broens wrote: >>> On 2010-07-29 20:07, Denis Beauchemin wrote: >>>> Oops, I switched those 2: >>>> >>>>> SA scoring with HTML-only email: (not cached, score=12.639, requis >>>>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>>>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>>>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>>>> >>>>> SA scoring with HTML+TXT email: (not cached, score=7.181, requis >>>>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD >>>>> 1.33, MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>>>> >>>> >>>> SA scoring with HTML+TXT email: (not cached, score=12.639, requis >>>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>>> >>>> SA scoring with HTML-only email: (not cached, score=7.181, requis >>>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>>> >>> >>> you are not feeding it consistent content. >>> where is the problem? >>> >>> get a real spam which was tagged as spam and dumped in your quarantine. >>> feed that to spamassassin (without MS), is the result consistent? >>> >>> if not, it's usually due to MS's msg chunk settings >>> >>> >> >> Alex, >> >> When I feed the emails to SA they get scored much higher than through >> MS. 
>> >> My point is that an HTML-only email with quite common spam words are >> not being scored, while an HTML+TXT email with the same spam words >> get scored. This looks quite suspicious to me. >> >> Denis >> > > what are your MS "chunk" settings? > are you sure MS is sending the full message to SA? > > pls post the sample message you're using in pastebin so ppl can try to > reproduce. > > Alex > Alex, I don't think my chunk settings really matter since the email is really short: http://pastebin.com/sMf7rW6s for the HTML-only version and http://pastebin.com/eiTTWuer for the HTML+TXT version. Some MS settings that were changed from the default values: Max Spam Check Size = 500000 Max SpamAssassin Size = 200k trackback Thanks! Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From ms-list at alexb.ch Fri Jul 30 08:09:45 2010 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 30 08:09:54 2010 Subject: Bug with HTML messages? In-Reply-To: <4C522766.8010700@USherbrooke.ca> References: <4C51C0D2.7090902@USherbrooke.ca> <4C51C359.6000206@USherbrooke.ca> <4C51CF22.7030001@alexb.ch> <4C51D0C5.3060501@USherbrooke.ca> <4C51EDF0.3040207@alexb.ch> <4C522766.8010700@USherbrooke.ca> Message-ID: <4C527AB9.2010400@alexb.ch> On 2010-07-30 3:14, Denis Beauchemin wrote: > On 2010-07-29 17:09, Alex Broens wrote: >> On 2010-07-29 21:04, Denis Beauchemin wrote: >>> >>> >>> On 2010-07-29 14:57, Alex Broens wrote: >>>> On 2010-07-29 20:07, Denis Beauchemin wrote: >>>>> Oops, I switched those 2: >>>>> >>>>>> SA scoring with HTML-only email: (not cached, score=12.639, requis >>>>>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>>>>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>>>>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>>>>> >>>>>> SA scoring with HTML+TXT email: (not cached, score=7.181, requis >>>>>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD >>>>>> 1.33, MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>>>>> >>>>> >>>>> SA scoring with HTML+TXT email: (not cached, score=12.639, requis >>>>> 4.5, autolearn=spam, DEAR_SOMETHING 1.60, DRUGS_ERECTILE 0.28, >>>>> DRUGS_ERECTILE_OBFU 1.23, DRUG_ED_CAPS 0.32, HTML_MESSAGE 0.00, >>>>> KAM_VIAGRA1 3.00, KAM_VIAGRA5 3.10, KAM_VIAGRA6 3.10) >>>>> >>>>> SA scoring with HTML-only email: (not cached, score=7.181, requis >>>>> 4.5, DCC_CHECK 2.17, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_HEAD 1.33, >>>>> MIME_HTML_ONLY 1.46, TVD_SPACE_RATIO 2.22) >>>>> >>>> >>>> you are not feeding it consistent content. >>>> where is the problem? >>>> >>>> get a real spam which was tagged as spam and dumped in your quarantine. >>>> feed that to spamassassin (without MS), is the result consistent? 
>>>>
>>>> if not, it's usually due to MS's msg chunk settings
>>>>
>>>>
>>>
>>> Alex,
>>>
>>> When I feed the emails to SA they get scored much higher than through
>>> MS.
>>>
>>> My point is that an HTML-only email with quite common spam words is
>>> not being scored, while an HTML+TXT email with the same spam words
>>> gets scored. This looks quite suspicious to me.
>>>
>>> Denis
>>>
>>
>> what are your MS "chunk" settings?
>> are you sure MS is sending the full message to SA?
>>
>> pls post the sample message you're using in pastebin so ppl can try to
>> reproduce.
>>
>> Alex
>>
>
> Alex,
>
> I don't think my chunk settings really matter since the email is really
> short: http://pastebin.com/sMf7rW6s for the HTML-only version and
> http://pastebin.com/eiTTWuer for the HTML+TXT version.
>
> Some MS settings that were changed from the default values:
> Max Spam Check Size = 500000
> Max SpamAssassin Size = 200k trackback

for SA these are two VERY different messages and scores them accordingly.

Nothing wrong in that.

Alex

From lists at macscr.com Fri Jul 30 22:22:31 2010
From: lists at macscr.com (Mark Chaney)
Date: Fri Jul 30 22:25:12 2010
Subject: using RBL's
Message-ID: <4C534297.8040100@macscr.com>

I currently have mailscanner 4.79.11-1 and SpamAssassin 3.3.1-3, plus
Mailwatch 1.05 installed.

I'm a bit confused on how we add rbl's to mailscanner. Basically I have
a list of RBL's that I want to use that will not only help identify
spam, but also reduce the amount of "analyzing" that MS and SA have to
do. Is there any way to get spamassassin or mailscanner to just add the
score to the email, but do no further analyzing to save a bit of
resources? I know I could just block them at the MTA, but I'm
preferring to just tag or quarantine at this point.

I hate to throw another topic in here, but what is the whole Spam
Score Headers from mailscanner?

Example: X-MailScanner-SpamScore: sssss

I am not really sure how those S's are helpful and why I would want to
have a SA score and a MS score that I would have to create
filters/rules for. Is there a way to combine the scores or turn the
's' characters into something a bit more useful?

Thanks,
Mark

From alex at nanogherkin.com Sat Jul 31 15:46:20 2010
From: alex at nanogherkin.com (Alex Crow)
Date: Sat Jul 31 15:46:28 2010
Subject: Pyzor issue - error from Mailscanner but not from SA or Pyzor run directly
Message-ID: <4C54373C.5040602@nanogherkin.com>

Hi all,

I'm having this issue in MailScanner - when Pyzor checks are run from
within ms, I get an error in the logs:

15:37:52 Jul 31 15:37:52.686 [13270] dbg: pyzor: pyzor is available: /usr/bin/pyzor
15:37:52 Jul 31 15:37:52.686 [13270] dbg: dns: entering helper-app run mode
15:37:52 Jul 31 15:37:52.686 [13270] dbg: pyzor: opening pipe: /usr/bin/pyzor -d check < /tmp/.spamassassin13270K6yw83tmp
15:37:52 Jul 31 15:37:52.690 [13272] dbg: util: setuid: ruid=89 euid=89
15:37:52 Jul 31 15:37:52.693 [13270] info: pyzor: [13272] error: exit 6
15:37:52 Jul 31 15:37:52.693 [13270] dbg: dns: leaving helper-app run mode
15:37:52 Jul 31 15:37:52.694 [13270] dbg: pyzor: check failed: no response

However, if I run as the postfix user (the one configured in
MailScanner.conf)

spamassassin -D < /tmp/.spamassassin9936b1QieYtmp

I get pyzor working:

Jul 31 15:45:05.186 [13308] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Jul 31 15:45:05.186 [13308] dbg: dns: entering helper-app run mode
Jul 31 15:45:05.187 [13308] dbg: pyzor: opening pipe: /usr/bin/pyzor -d check < /tmp/.spamassassin13308yrAHtDtmp
Jul 31 15:45:05.189 [13311] dbg: util: setuid: ruid=89 euid=89
Jul 31 15:45:05.242 [13308] dbg: pyzor: [13311] finished successfully
Jul 31 15:45:05.242 [13308] dbg: pyzor: got response: sending: 'User: anonymous\nTime: 1280587505\nSig: 47f0553e50650e0309d871f46cdc5dde598c3b1d\n\nOp: check\nOp-Digest: 2108c5b03e2f3f526b3158395a05899745cde179\nThread: 9258\nPV: 2.0\n\n'\nreceived: 'Thread: 9258\nCount: 5301\nWL-Count: 0\nCode: 200\nDiag: OK\nPV: 2.0\n\n'\npublic.pyzor.org:24441 (200, 'OK') 5301 0
Jul 31 15:45:05.243 [13308] dbg: dns: leaving helper-app run mode
Jul 31 15:45:05.243 [13308] dbg: pyzor: failure to parse response "sending: 'User: anonymous\nTime: 1280587505\nSig: 47f0553e50650e0309d871f46cdc5dde598c3b1d\n\nOp: check\nOp-Digest: 2108c5b03e2f3f526b3158395a05899745cde179\nThread: 9258\nPV: 2.0\n\n'"
Jul 31 15:45:05.243 [13308] dbg: pyzor: failure to parse response "received: 'Thread: 9258\nCount: 5301\nWL-Count: 0\nCode: 200\nDiag: OK\nPV: 2.0\n\n'"
Jul 31 15:45:05.243 [13308] dbg: pyzor: listed: COUNT=5301/5 WHITELIST=0
Jul 31 15:45:05.244 [13308] dbg: rules: ran eval rule PYZOR_CHECK ======> got hit (1)

I am running CentOS 5.5 x64 with the latest ClamAV/SA easy-install
package from the MailScanner site installed.

Any help gratefully received.

Thanks

Alex

From MailScanner at ecs.soton.ac.uk Sat Jul 31 17:33:23 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Jul 31 17:33:36 2010
Subject: possible bug in Empty() method of MessageBatch.pm
In-Reply-To:
References: <4C545053.8050004@ecs.soton.ac.uk>
Message-ID:

I'm afraid I disagree with you.

The "each" iterator will get reset each time this function is called. As
soon as it finds one which is not deleted, it returns 0. Only if it
finds that all the messages are deleted will it ever reach the
"return 1" statement.

Your version will achieve the same end result but be slower as you
insist on going through every message in the batch before returning
anything. My version bails out as soon as it knows the result is false
(i.e. as soon as it found one message which is not deleted).

On 20/07/2010 05:54, Timofey Kutergin wrote:
> Hi all,
> here is possible bug in Empty() method:
>
> # Return true if all the messages in the batch are deleted!
> # Return false otherwise.
> sub Empty {
>   my $this = shift;
>
>   my($id, $message);
>   while(($id,$message) = each %{$this->{messages}}) {
>     return 0 unless $message->{deleted};
>   }
>   return 1;
> }
>
> Problem is that if this function does return 0, it does not reset
> "each" iterator so next loop around $this->{messages} will continue
> with the same position.
> This may manifest itself in phishing not always detected since loop in
> ScanBatch() in SweepContent.pm exits due to not resetting iterator.
>
> From my point of view, more proper code would be:
>
> # Return true if all the messages in the batch are deleted!
> # Return false otherwise.
> sub Empty {
>   my $this = shift;
>   my $res = 1;
>
>   my($id, $message);
>   while(($id,$message) = each %{$this->{messages}}) {
>     $res = 0 unless $message->{deleted};
>   }
>   return $res;
> }
> So iterator resets itself after completing cycle
>
> Am I terribly wrong?
>
> Regards
> Timofey

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sat Jul 31 17:50:26 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Jul 31 17:50:43 2010
Subject: using RBL's
In-Reply-To: <4C534297.8040100@macscr.com>
References: <4C534297.8040100@macscr.com> <4C545452.9050808@ecs.soton.ac.uk>
Message-ID:

Mark,

On 30/07/2010 22:22, Mark Chaney wrote:
> I currently have mailscanner 4.79.11-1 and SpamAssassin 3.3.1-3, plus
> Mailwatch 1.05 installed.
>
> I'm a bit confused on how we add rbl's to mailscanner. Basically I have
> a list of RBL's that I want to use that will not only help identify
> spam, but also reduce the amount of "analyzing" that MS and SA have to
> do. Is there any way to get spamassassin or mailscanner to just add the
> score to the email, but do no further analyzing to save a bit of
> resources? I know I could just block them at the MTA, but I'm
> preferring to just tag or quarantine at this point.

You can add them to the "Spam List" setting in MailScanner.conf. Make
sure they are defined in spam.lists.conf first though, so the
MailScanner.conf "nicknames" for each RBL have definitions in
spam.lists.conf. Most of the popular ones are already there.

If you have "Check SpamAssassin If On Spam List = no" then once it has
decided it's spam due to the "Spam List" and "Spam Lists To Be Spam"
settings, it won't run SpamAssassin on it at all, which will save you
*loads* of time and CPU power.

>
> I hate to throw another topic in here, but what is the whole Spam
> Score Headers from mailscanner?
>
> Example: X-MailScanner-SpamScore: sssss
>
> I am not really sure how those S's are helpful and why I would want to
> have a SA score and a MS score that I would have to create
> filters/rules for. Is there a way to combine the scores or turn the
> 's' characters into something a bit more useful?

The whole point is that you can easily filter in your mail client using
this. Most decent email apps allow you to do things like "If this header
contains this string then do this action".
So to detect a spam score of 6 or more you just look for the substring
"ssssss", rather than trying to parse the header value into an integer
or float and then do comparison on that (which most email apps can't do).

So the "s" characters are actually very useful to an awful lot of
people :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Sat Jul 31 17:52:48 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Jul 31 17:53:02 2010
Subject: Any objections to a new stable release?
References: <4C5454E0.60205@ecs.soton.ac.uk>
Message-ID:

Anyone got any strong objections to me putting out a new stable release
of MailScanner (4.81)?

There are very few changes from 4.80 but the code rarely changes at all
now and I feel a new release now should keep you going for quite a while.

Thanks!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
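
Added example, not code from MailScanner or from either poster: a stand-alone Perl script for the each() question raised in the "possible bug in Empty() method of MessageBatch.pm" message above. Per perlfunc, a hash carries a single iterator that each() advances and that is reset only when iteration reaches the end or when keys/values is called on that hash; the batch data, empty_reset and visited_by_next_loop are constructed here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed batch: three messages, none deleted. The field names follow
# the snippet quoted in the thread; the data itself is made up.
sub new_batch {
    return { messages => { map { ("msg$_" => { deleted => 0 }) } 1 .. 3 } };
}

# Early-return form, as quoted in the thread.
sub empty_early {
    my $this = shift;
    while (my ($id, $message) = each %{ $this->{messages} }) {
        return 0 unless $message->{deleted};
    }
    return 1;
}

# Hypothetical variant: same early return, but the hash iterator is reset
# on entry and again before leaving, so no caller inherits a half-used one.
sub empty_reset {
    my $this = shift;
    keys %{ $this->{messages} };    # keys in void context resets each()
    while (my ($id, $message) = each %{ $this->{messages} }) {
        next if $message->{deleted};
        keys %{ $this->{messages} };
        return 0;
    }
    return 1;
}

# Stand-in for a later pass over the same batch (for example a content
# scan): counts how many messages its each() loop actually visits.
sub visited_by_next_loop {
    my $this = shift;
    my $seen = 0;
    while (my ($id) = each %{ $this->{messages} }) {
        $seen++;
    }
    return $seen;
}

for my $case ([ 'early', \&empty_early ], [ 'reset', \&empty_reset ]) {
    my ($name, $check) = @$case;
    my $batch = new_batch();
    my $empty = $check->($batch);
    printf "%-5s Empty()=%d, next loop visited %d of %d messages\n",
        $name, $empty, visited_by_next_loop($batch),
        scalar keys %{ $batch->{messages} };
}
```

Run it with perl and compare the two lines: the count of messages the follow-up loop visits shows whether the iterator position left behind by the check carried over into the next pass.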