From paul at tartan.co.za Wed Sep 1 11:34:38 2010
From: paul at tartan.co.za (Paul Malherbe)
Date: Wed Sep 1 11:34:50 2010
Subject: Mail not being scanned
Message-ID: <4C7E2C3E.1090200@tartan.co.za>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100901/2b1ff89d/attachment.html

From hvdkooij at vanderkooij.org Wed Sep 1 13:26:23 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Sep 1 13:31:21 2010
Subject: Mail not being scanned
In-Reply-To: <4C7E2C3E.1090200@tartan.co.za>
References: <4C7E2C3E.1090200@tartan.co.za>
Message-ID: <7c4dd0db42062c59ad7b2484d9349515@127.0.0.1>

Skipped content of type multipart/alternative

From paul at tartan.co.za Wed Sep 1 14:11:40 2010
From: paul at tartan.co.za (Paul Malherbe)
Date: Wed Sep 1 14:11:57 2010
Subject: Mail not being scanned
In-Reply-To: <7c4dd0db42062c59ad7b2484d9349515@127.0.0.1>
References: <4C7E2C3E.1090200@tartan.co.za> <7c4dd0db42062c59ad7b2484d9349515@127.0.0.1>
Message-ID: <4C7E510C.9050508@tartan.co.za>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100901/2419714c/attachment.html

From glenn.steen at gmail.com Wed Sep 1 15:21:21 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 1 15:21:44 2010
Subject: Mail not being scanned
In-Reply-To: <4C7E510C.9050508@tartan.co.za>
References: <4C7E2C3E.1090200@tartan.co.za> <7c4dd0db42062c59ad7b2484d9349515@127.0.0.1> <4C7E510C.9050508@tartan.co.za>
Message-ID:

On 1 September 2010 15:11, Paul Malherbe wrote:
>
> Hi
>
> I enabled a header check hook in /etc/postfix/main.cf
>
>     header_checks = regexp:/etc/postfix/header_checks
>
> Then in file /etc/postfix/header_checks I put
>
>     /^Received:/ HOLD
>
> Then in MailScanner.conf
>
>     Incoming Queue Dir = /var/spool/postfix/hold
>     Outgoing Queue Dir = /var/spool/postfix/incoming
>

In that case, all mail coming in would be passed over to MailScanner, so the relevant config would be in MailScanner, not in Postfix.
IOW Hugo was spot on;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From stratos.td at gmail.com Wed Sep 1 15:38:01 2010
From: stratos.td at gmail.com (Steve)
Date: Wed Sep 1 15:38:10 2010
Subject: Virus attachments not replaced with warning text
In-Reply-To:
References: <4C5BEB05.5050408@ecs.soton.ac.uk>
Message-ID:

On 26 August 2010 15:24, Steve wrote:
>
> On 6 August 2010 11:59, Julian Field wrote:
>>
>> I cannot reproduce your problem.
>> Please can you try the latest beta and see if it works there?
>
> A classic case of PEBKAC error ...
>
> I found that one of the spool directories did not have correct permissions set - it all seems to work fine now.

Maybe not...

The Eicar test ZIP file gets replaced with warning message just fine, but I've just received a spam with a ZIP that was flagged with {Virus?} but attachment was included.

I tested by sending myself 2 emails, one with Eicar test ZIP and one with the ZIP from the spam - again first message has attachment replaced, second one does not.

Looking at the headers they are slightly different:

Eicar test file:
---
Subject: {Virus?} Test
Content-Type: multipart/mixed; boundary="------------040802060109070101060608"
X-Scruffy-MailScanner-ID: 1Oqnw6-0007Mq-F5
X-Scruffy-MailScanner: Found to be infected
X-Scruffy-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.691, required 6, ALL_TRUSTED -1.80, BAYES_05 -1.11, TVD_SPACE_RATIO 2.22)
X-Scruffy-MailScanner-From: xxx@xxx.com
X-Scruffy-MailScanner-Watermark: 1283954731.23856@ppFAGVQJ7im9oTW9bM+Pug
X-Spam-Status: No
---

Message with spam ZIP file (note that SpamCheck is blank):
---
Subject: {Virus?} Test
Content-Type: multipart/mixed; boundary="------------080203010100020401050702"
X-Scruffy-MailScanner-ID: 1Oqnv1-0007Lz-LX
X-Scruffy-MailScanner: Found to be infected
X-Scruffy-MailScanner-SpamCheck:
X-Scruffy-MailScanner-From: xxx@xxx.com
X-Scruffy-MailScanner-Watermark: 1283954665.75581@F6qXL9D+LoY4rSmJxh/J+w
---

Looking at the syslog output it is also slightly different:

Eicar file:
---
Sep 1 15:05:31 scruffy MailScanner[27290]: New Batch: Scanning 1 messages, 1909
bytes
Sep 1 15:05:31 scruffy MailScanner[27290]: Virus and Content Scanning: Starting
Sep 1 15:05:36 scruffy MailScanner[27290]: ./1Oqnw6-0007Mq-F5/eicarcom2.zip: Eicar-Test-Signature FOUND
Sep 1 15:05:36 scruffy MailScanner[27290]: Virus Scanning: ClamAV found 1 infections
Sep 1 15:05:36 scruffy MailScanner[27290]: Infected message 1Oqnw6-0007Mq-F5 came from 1.2.3.4
Sep 1 15:05:36 scruffy MailScanner[27290]: Virus Scanning: Found 1 viruses
Sep 1 15:05:36 scruffy MailScanner[27290]: Saved infected "eicarcom2.zip" to /var/spool/MailScanner/quarantine/20100901/1Oqnw6-0007Mq-F5
Sep 1 15:05:39 scruffy MailScanner[27290]: Cleaned: Delivered 1 cleaned messages

Message with spam ZIP file
---
Sep 1 15:04:26 scruffy MailScanner[26910]: Virus and Content Scanning: Starting
Sep 1 15:04:30 scruffy MailScanner[26910]: ./1Oqnv1-0007Lz-LX/Postal_Label_NR2147b.zip: Suspect.Bredozip-zippwd-6 FOUND
Sep 1 15:04:31 scruffy MailScanner[26910]: Virus Scanning: ClamAV found 1 infections
Sep 1 15:04:31 scruffy MailScanner[26910]: Infected message 1Oqnv1-0007Lz-LX came from 1.2.3.4
Sep 1 15:04:31 scruffy MailScanner[26910]: Virus Scanning: Found 1 viruses
Sep 1 15:04:31 scruffy MailScanner[26910]: Silent: Delivered 1 messages containing silent viruses
---

So it looks like the attachment is not being removed because it is treated as a silent virus? My silent virus settings are:

Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = yes
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Zip-Password

I guess "eicar" is matched (not sure if "Non-Forging Viruses" is case-sensitive, or not) but the comments in the config file explicitly say (for "Still Deliver Silent Viruses"): "Still deliver (after cleaning) messages that contained viruses listed # in the above option ("Silent Viruses") to the recipient?". But for whatever reason the cleaning step is not done here.

I still haven't tested this with the latest beta (it's a production box, so not easy to do...).
Are there any known issues with 4.79.11 that would cause this?

Thanks,
Steve.

From mrebsamen at unimatrix0.ch Wed Sep 1 16:54:53 2010
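
Added example, not part of Steve's post and not MailScanner code: a Python script that correlates the syslog lines quoted in the message above per MailScanner child PID, so that messages where ClamAV reported a signature but the batch ended in "Silent: Delivered" rather than "Cleaned: Delivered" stand out. The function names, and the assumption that one scan batch per PID runs from "Virus and Content Scanning: Starting" to the next such line, belong to this example.

```python
import re

# Log lines copied from the message above (the two test mails).
SAMPLE_LOG = """\
Sep 1 15:05:31 scruffy MailScanner[27290]: New Batch: Scanning 1 messages, 1909 bytes
Sep 1 15:05:31 scruffy MailScanner[27290]: Virus and Content Scanning: Starting
Sep 1 15:05:36 scruffy MailScanner[27290]: ./1Oqnw6-0007Mq-F5/eicarcom2.zip: Eicar-Test-Signature FOUND
Sep 1 15:05:36 scruffy MailScanner[27290]: Virus Scanning: ClamAV found 1 infections
Sep 1 15:05:36 scruffy MailScanner[27290]: Infected message 1Oqnw6-0007Mq-F5 came from 1.2.3.4
Sep 1 15:05:36 scruffy MailScanner[27290]: Virus Scanning: Found 1 viruses
Sep 1 15:05:36 scruffy MailScanner[27290]: Saved infected "eicarcom2.zip" to /var/spool/MailScanner/quarantine/20100901/1Oqnw6-0007Mq-F5
Sep 1 15:05:39 scruffy MailScanner[27290]: Cleaned: Delivered 1 cleaned messages
Sep 1 15:04:26 scruffy MailScanner[26910]: Virus and Content Scanning: Starting
Sep 1 15:04:30 scruffy MailScanner[26910]: ./1Oqnv1-0007Lz-LX/Postal_Label_NR2147b.zip: Suspect.Bredozip-zippwd-6 FOUND
Sep 1 15:04:31 scruffy MailScanner[26910]: Virus Scanning: ClamAV found 1 infections
Sep 1 15:04:31 scruffy MailScanner[26910]: Infected message 1Oqnv1-0007Lz-LX came from 1.2.3.4
Sep 1 15:04:31 scruffy MailScanner[26910]: Virus Scanning: Found 1 viruses
Sep 1 15:04:31 scruffy MailScanner[26910]: Silent: Delivered 1 messages containing silent viruses
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
FOUND_RE = re.compile(r"^\./(?P<msgid>[^/]+)/(?P<file>.+?):\s+(?P<sig>\S+)\s+FOUND$")
SAVED_RE = re.compile(r'^Saved infected "(?P<file>[^"]+)" to \S*/(?P<msgid>[^/\s]+)$')
OUTCOME_RES = (
    (re.compile(r"^Cleaned: Delivered \d+ cleaned messages"), "cleaned"),
    (re.compile(r"^Silent: Delivered \d+ messages containing silent viruses"),
     "silent-delivered"),
)
BATCH_START = "Virus and Content Scanning: Starting"


def _close(batch, results):
    """Attach the batch outcome to every finding made in that batch."""
    outcomes = batch["outcomes"]
    if len(outcomes) == 1:
        disposition = next(iter(outcomes))
    elif outcomes:
        # Both outcome lines in one batch: the log cannot say which message got which.
        disposition = "ambiguous"
    else:
        disposition = "unknown"
    for finding in batch["findings"]:
        finding["disposition"] = disposition
        results.append(finding)


def correlate(log_text):
    """Return one record per scanner hit, labelled with how its batch was delivered."""
    open_batches = {}   # pid -> batch currently being scanned by that child
    results = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        if msg.startswith(BATCH_START):
            if pid in open_batches:
                _close(open_batches.pop(pid), results)
            open_batches[pid] = {"findings": [], "outcomes": set()}
            continue
        batch = open_batches.get(pid)
        if batch is None:
            continue
        found, saved = FOUND_RE.match(msg), SAVED_RE.match(msg)
        if found:
            batch["findings"].append({"message_id": found["msgid"],
                                      "file": found["file"],
                                      "signature": found["sig"],
                                      "quarantined": False})
        elif saved:
            for finding in batch["findings"]:
                if (finding["message_id"], finding["file"]) == (saved["msgid"], saved["file"]):
                    finding["quarantined"] = True
        else:
            for pattern, label in OUTCOME_RES:
                if pattern.match(msg):
                    batch["outcomes"].add(label)
    for batch in open_batches.values():
        _close(batch, results)
    return results


def silent_deliveries(results):
    """Message IDs that took the 'Silent: Delivered' path after a scanner hit."""
    return [r["message_id"] for r in results if r["disposition"] == "silent-delivered"]


if __name__ == "__main__":
    for record in correlate(SAMPLE_LOG):
        print(record)
```
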
From: mrebsamen at unimatrix0.ch (Marco Rebsamen)
Date: Wed Sep 1 18:28:22 2010
Subject: AW: Mailsystem Migration
References: <4A09477D575C2C4B86497161427DD94C15B0D1873A@city-exchange07> <4A09477D575C2C4B86497161427DD94C15B0D1873F@city-exchange07>
Message-ID:

Well, if I had read the config file precisely I would have known that :-P
Next time I will copy the /etc/MailScanner directory first. It makes things a lot easier....

Thanks for your help

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Tuesday, 17 August 2010 19:08
To: 'MailScanner discussion'
Subject: RE: Mailsystem Migration

Marco Rebsamen wrote:
> Hi Kevin
>
> So you say everything I need is in /etc/mail/spamassassin ? Also the
> things I taught it with sa-learn ?

Mostly. Since you're using MailScanner, I presume you also have a bayes database where the spamassassin data is stored. Per recommended practice, I keep mine in /etc/MailScanner/bayes/ so, as I mentioned below, if you copy over your entire /etc/MailScanner directory before installing (in addition to the /etc/mail/spamassassin directory) the bayes data will come with it. If your bayes data is located in another location, such as /var/spool/bayes or somewhere like that you'll need to copy that over. Look in your existing mailscanner.cf file (aka spam.assassin.prefs.conf) and search for bayes_path. That will tell you where you're storing your bayes (spamassassin data) database. Be sure to copy it over as well.

Note that I'm using sendmail, hence the /etc/mail directory. SUSE now defaults to Postfix, so I'm not sure what the directory structure looks like for that. I'd expect however that the spamassassin directory will be located under whatever it uses in the /etc/ directory. Perhaps a Postfix user could chime in here if it is much different.

> Greets Marco
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Kevin Miller
> Sent: Monday, 16 August 2010 20:39
> To: 'MailScanner discussion'
> Subject: RE: Mailsystem Migration
>
> Hi Marco,
>
> You shouldn't have to move anything, unless you've created your own
> rules, or are using 3rd party rules such as the KAM ruleset. Your
> local spamassassin files normally live in /etc/mail/spamassassin.
> Check there - anything that isn't part of the stock installation will
> (should) be there and can be copied over.
>
> When I'm building a new MailScanner gateway I generally copy the
> existing /etc/MailScanner and /etc/mail/spamassassin directory over
> to the new machine. Then I install Jules' ClamAV & Spamassassin
> combo package. That makes upgrading easier as he's more consistent
> to release an install package when a newer version comes out than
> openSUSE is. If you don't have any home rolled rules in the
> spamassassin directory you probably don't need to copy it.
>
> Next I install the latest MailScanner package for SUSE. The
> advantage of copying the files over first before the install is the
> install routine will see the old .conf files, and use them. If there
> are changes you'll get the .rpmnew files created. Makes editing the
> .conf files much easier. The install routine will create the
> appropriate hooks to spamassassin
>
> Spamassassin itself will be installed in
> /var/lib/spamassassin/X.00Y00Z where XYZ is the version numbers. You
> shouldn't need to do anything with that.
>
> Be sure to run sa-update after you install spamassassin so that it
> pulls down the rules. They aren't installed by default IIRC.
>

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Mon Sep 6 12:21:22 2010
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Mon Sep 6 12:21:36 2010
Subject: MailScanner ANNOUNCE: 4.81 released
References: <4C84CEB2.9090200@ecs.soton.ac.uk>
Message-ID:

Morning all, long time no speak!

Life seems to get ever busier somehow, good thing I don't have a personal life to speak of, I don't know what I would do then... :-)

I have just released a new stable release of MailScanner, version 4.81.

Download as usual from www.mailscanner.info.

The ChangeLog for this version is as follows:

* New Features and Improvements *
1 Slight improvement to check_mailscanner script to send some output to
  /dev/null for Greg Kuhnert.
2 "Scan Messages = virus" will *only* scan mail for viruses and nothing
  else at all. This makes simple setups where you only want virus scanning
  a whole lot easier to set up.
3 Changed non-RPM installer to use /bin/bash instead of /bin/sh to avoid
  issues on Solaris 10 systems. Sorry non-bash people :-(
3 Added new "_HOUR_" token to path available in quarantine and Archive Mail
  directory locations in MailScanner.conf. Represents the number of the hour
  in which MailScanner received the message, padded with a leading zero if
  necessary.

* Fixes *
1 Deny File MIME Types was ignored if new filetype rules used MIME checks.
2 Slight improvement to phishing trap to handle links with " in them.
2 Worked around nasty behaviour of Perl's "each()". Thanks Timofey!
2-2 Fixed syntax error.
2-3 Fixed syntax issue and printing bug with "--lint".
4 Fixed docx file permissions problem (thanks to Andrew White!).

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Amelein at dantumadiel.eu Mon Sep 6 13:15:15 2010
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Mon Sep 6 13:15:29 2010
Subject: Disable RBL check for certain ip(ranges)
Message-ID: <4C84F7730200008E000158C6@10.1.0.206>

Hi all,

As Microsoft seems to have managed to get hotmail / live.com listed on multiple RBL's -again- I was looking at the possibility of excluding these ip's from the RBL checks. I can't just white list it as people do send spam through hotmail.
Any ideas on if/how this can be done ?

- Arjan

From lists at macscr.com Mon Sep 6 13:17:44 2010
From: lists at macscr.com (Mark Chaney)
Date: Mon Sep 6 13:18:09 2010
Subject: MailScanner ANNOUNCE: 4.81 released
In-Reply-To:
References: <4C84CEB2.9090200@ecs.soton.ac.uk>
Message-ID: <4C84DBE8.9070502@macscr.com>

Looks great! Can't wait to update. Who actually maintains the *.deb for mailscanner? Any idea what the typical turnaround time for the newest stable to be available in those formats? The link to it on the website doesn't work anymore.

Thanks,
Mark

On 09/06/2010 06:21 AM, Jules Field wrote:
> Morning all, long time no speak!
>
> Life seems to get ever busier somehow, good thing I don't have a
> personal life to speak of, I don't know what I would do then... :-)
>
> I have just released a new stable release of MailScanner, version 4.81.
>
> Download as usual from www.mailscanner.info.
>
> The ChangeLog for this version is as follows:
>
> * New Features and Improvements *
> 1 Slight improvement to check_mailscanner script to send some output to
> /dev/null for Greg Kuhnert.
> 2 "Scan Messages = virus" will *only* scan mail for viruses and nothing
> else at all. This makes simple setups where you only want virus
> scanning
> a whole lot easier to set up.
> 3 Changed non-RPM installer to use /bin/bash instead of /bin/sh to avoid
> issues on Solaris 10 systems. Sorry non-bash people :-(
> 3 Added new "_HOUR_" token to path available in quarantine and Archive
> Mail
> directory locations in MailScanner.conf. Represents the number of
> the hour
> in which MailScanner received the message, padded with a leading
> zero if
> necessary.
>
> * Fixes *
> 1 Deny File MIME Types was ignored if new filetype rules used MIME
> checks.
> 2 Slight improvement to phishing trap to handle links with " in them.
> 2 Worked around nasty behaviour of Perl's "each()". Thanks Timofey!
> 2-2 Fixed syntax error.
> 2-3 Fixed syntax issue and printing bug with "--lint".
> 4 Fixed docx file permissions problem (thanks to Andrew White!).
>
> Jules
>

From ms-list at alexb.ch Mon Sep 6 13:22:39 2010
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Sep 6 13:22:51 2010
Subject: Disable RBL check for certain ip(ranges)
In-Reply-To: <4C84F7730200008E000158C6@10.1.0.206>
References: <4C84F7730200008E000158C6@10.1.0.206>
Message-ID: <4C84DD0F.40305@alexb.ch>

On 2010-09-06 14:15, Arjan Melein wrote:
> Hi all,
>
> As Microsoft seems to have managed to get hotmail / live.com listed
> on multiple RBL's -again- I was looking at the possibility of
> excluding these ip's from the RBL checks. I can't just white list it
> as people do send spam through hotmail. Any ideas on if/how this can
> be done ?
>
> - Arjan
>

What IPs?
what blacklists?

you could add them to your Sendmail/Postfix, etc access file as "OK"

From alex at rtpty.com Mon Sep 6 13:25:28 2010
From: alex at rtpty.com (Alex Neuman)
Date: Mon Sep 6 13:29:22 2010
Subject: Disable RBL check for certain ip(ranges)
Message-ID: <1038472422-1283776148-cardhu_decombobulator_blackberry.rim.net-356491960-@bda957.bisx.prod.on.blackberry>

Depends on your mta or how you're implementing them in MS or SA.

------Original Message------
From: Arjan Melein
Sender: mailscanner-bounces@lists.mailscanner.info
To: MailScanner Mailing list
ReplyTo: MailScanner discussion
Subject: Disable RBL check for certain ip(ranges)
Sent: Sep 6, 2010 7:15 AM

Hi all,

As Microsoft seems to have managed to get hotmail / live.com listed on multiple RBL's -again- I was looking at the possibility of excluding these ip's from the RBL checks. I can't just white list it as people do send spam through hotmail.
Any ideas on if/how this can be done ?

- Arjan

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From alex at rtpty.com Mon Sep 6 13:26:17 2010
From: alex at rtpty.com (Alex Neuman)
Date: Mon Sep 6 13:30:10 2010
Subject: Disable RBL check for certain ip(ranges)
Message-ID: <1436646931-1283776197-cardhu_decombobulator_blackberry.rim.net-1194004884-@bda957.bisx.prod.on.blackberry>

He hasn't mentioned if the rbl's are kicking in inside MS or SA.

------Original Message------
From: Alex Broens
Sender: mailscanner-bounces@lists.mailscanner.info
To: mailscanner@lists.mailscanner.info
ReplyTo: MailScanner discussion
Subject: Re: Disable RBL check for certain ip(ranges)
Sent: Sep 6, 2010 7:22 AM

On 2010-09-06 14:15, Arjan Melein wrote:
> Hi all,
>
> As Microsoft seems to have managed to get hotmail / live.com listed
> on multiple RBL's -again- I was looking at the possibility of
> excluding these ip's from the RBL checks. I can't just white list it
> as people do send spam through hotmail. Any ideas on if/how this can
> be done ?
>
> - Arjan
>

What IPs?
what blacklists?

you could add them to your Sendmail/Postfix, etc access file as "OK"

--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

From stratos.td at gmail.com Mon Sep 6 13:38:41 2010
From: stratos.td at gmail.com (Steve)
Date: Mon Sep 6 13:38:50 2010
Subject: MailScanner ANNOUNCE: 4.81 released
In-Reply-To: <4C84DBE8.9070502@macscr.com>
References: <4C84CEB2.9090200@ecs.soton.ac.uk> <4C84DBE8.9070502@macscr.com>
Message-ID:

On 6 September 2010 13:17, Mark Chaney wrote:
> Looks great! Can't wait to update. Who actually maintains the *.deb for
> mailscanner? Any idea what the typical turnaround time for the newest stable
> to be available in those formats? The link to it on the website doesn't work
> anymore.

The last .deb was done (for lenny-backports) by Jan Wagner (waja _ at _ cyconet _ dot _ org). Once again, this release just missed the latest Debian Testing freeze, which means we'll most likely not get it in Squeeze proper. :-(

> On 09/06/2010 06:21 AM, Jules Field wrote:
>> Life seems to get ever busier somehow, good thing I don't have a personal
>> life to speak of, I don't know what I would do then... :-)

Good for us! :-)

>> I have just released a new stable release of MailScanner, version 4.81.

:-D

Thanks for all the hard work!

Steve.

From raymond at prolocation.net Mon Sep 6 13:47:52 2010
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 6 13:48:01 2010
Subject: Disable RBL check for certain ip(ranges)
In-Reply-To: <4C84F7730200008E000158C6@10.1.0.206>
References: <4C84F7730200008E000158C6@10.1.0.206>
Message-ID:

Hi!

> As Microsoft seems to have managed to get hotmail / live.com listed on
> multiple RBL's -again- I was looking at the possibility of excluding
> these ip's from the RBL checks. I can't just white list it as people do
> send spam through hotmail. Any ideas on if/how this can be done ?

You might want to start using DNS Whitelists also. Where those relay servers are marked as 'ok' ...

Bye,
Raymond.

From Amelein at dantumadiel.eu Mon Sep 6 14:01:25 2010
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Mon Sep 6 14:01:40 2010
Subject: Betr.: Re: Disable RBL check for certain ip(ranges)
In-Reply-To:
References: <4C84F7730200008E000158C6@10.1.0.206>
Message-ID: <4C8502450200008E000158D1@10.1.0.206>

>>> On 6-9-2010 at 14:47, Raymond Dijkxhoorn wrote:
> Hi!
>
>> As Microsoft seems to have managed to get hotmail / live.com listed on
>> multiple RBL's -again- I was looking at the possibility of excluding
>> these ip's from the RBL checks. I can't just white list it as people do
>> send spam through hotmail. Any ideas on if/how this can be done ?
>
> You might want to start using DNS Whitelists also. Where those relay
> servers are marked as 'ok' ...
>
> Bye,
> Raymond.

I was thinking DNS WL too, but that will require a bit of fiddling as well.

As for everyone else's questions, which I could have thought of before hand if it wasn't Monday ;)

I'm running MS on a Fedora system with postfix as MTA.
Spamassassin does the RBL checks. Right now this is version 3.2.5 but once I have the MS Jules just released working in a test I'll upgrade that to 3.3.1.

From what I can tell hotmail is listed on backscatter and SORBS

- Arjan

From raymond at prolocation.net Mon Sep 6 14:05:08 2010
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 6 14:05:17 2010
Subject: Betr.: Re: Disable RBL check for certain ip(ranges)
In-Reply-To: <4C8502450200008E000158D1@10.1.0.206>
References: <4C84F7730200008E000158C6@10.1.0.206> <4C8502450200008E000158D1@10.1.0.206>
Message-ID:

Hi!

> I was thinking DNS WL too, but that will require a bit of fiddling as
> well.
>
> As for everyone else's questions, which I could have thought of before
> hand if it wasn't Monday ;)
>
> I'm running MS on a Fedora system with postfix as MTA.
> Spamassassin does the RBL checks. Right now this is version 3.2.5 but
> once I have the MS Jules just released working in a test i'll upgrade
> that to 3.3.1.
>
>> From what I can tell hotmail is listed on backscatter and SORBS

If SA does the RBL checks it's pretty simple. Just apply a negative score when it's listed inside DNSWL.

http://www.dnswl.org/tech#spamassassin

header __RCVD_IN_DNSWL eval:check_rbl('dnswl-firsttrusted', 'list.dnswl.org.')

header RCVD_IN_DNSWL_LOW eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.1')
describe RCVD_IN_DNSWL_LOW Sender listed at http://www.dnswl.org/, low trust
tflags RCVD_IN_DNSWL_LOW nice net

header RCVD_IN_DNSWL_MED eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.2')
describe RCVD_IN_DNSWL_MED Sender listed at http://www.dnswl.org/, medium trust
tflags RCVD_IN_DNSWL_MED nice net

header RCVD_IN_DNSWL_HI eval:check_rbl_sub('dnswl-firsttrusted', '127.0.\d+.3')
describe RCVD_IN_DNSWL_HI Sender listed at http://www.dnswl.org/, high trust
tflags RCVD_IN_DNSWL_HI nice net

score RCVD_IN_DNSWL_LOW -1
score RCVD_IN_DNSWL_MED -10
score RCVD_IN_DNSWL_HI -100

Like that.

Bye,
Raymond.

From ms-list at alexb.ch Mon Sep 6 14:19:28 2010
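
Added example, not part of Raymond's post and not SpamAssassin code: a Python model of the rules quoted in the message above, showing which name is looked up for a relay, which rule a DNSWL answer triggers, and how much score from all other rules each trust level cancels out. The relay address 192.0.2.10, the sample answers and the threshold of 5.0 are constructed values, and the function names belong to this example.

```python
import ipaddress
import re

DNSWL_ZONE = "list.dnswl.org."   # zone named in the check_rbl() rule above

# Same sub-tests and scores as the quoted rules. The dots are escaped here so
# that each pattern matches a literal dotted-quad answer and nothing else.
TRUST_RULES = (
    ("RCVD_IN_DNSWL_LOW", re.compile(r"127\.0\.\d+\.1"), -1.0),
    ("RCVD_IN_DNSWL_MED", re.compile(r"127\.0\.\d+\.2"), -10.0),
    ("RCVD_IN_DNSWL_HI", re.compile(r"127\.0\.\d+\.3"), -100.0),
)


def dnswl_query_name(relay_ip):
    """DNS name queried for an IPv4 relay: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(relay_ip)).split(".")
    return ".".join(reversed(octets)) + "." + DNSWL_ZONE


def dnswl_rule(a_record):
    """Map a DNSWL answer to (rule name, score). None means no listing (NXDOMAIN)."""
    if a_record is None:
        return None, 0.0
    for name, pattern, score in TRUST_RULES:
        if pattern.fullmatch(a_record):
            return name, score
    return None, 0.0


def final_score(other_rules_score, a_record):
    """Total after adding the whitelist score to everything else that fired."""
    return other_rules_score + dnswl_rule(a_record)[1]


def headroom(required_score):
    """Per trust level: a message whose other rules total less than this value
    still ends up below the spam threshold."""
    return {name: required_score - score for name, _, score in TRUST_RULES}


if __name__ == "__main__":
    required = 5.0                      # assumed spam threshold for this example
    print(dnswl_query_name("192.0.2.10"))
    print(headroom(required))
    # Constructed case: 12.4 points from blacklist and content rules.
    for answer in (None, "127.0.5.1", "127.0.5.2", "127.0.5.3"):
        total = final_score(12.4, answer)
        print(answer, dnswl_rule(answer)[0], round(total, 1),
              "spam" if total >= required else "delivered")
```

With these scores a low-trust listing only offsets one point, while a high-trust listing outweighs any realistic combination of other rules, which is the trade-off to weigh when a whitelisted relay also carries spam.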
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Sep 6 14:19:40 2010
Subject: Betr.: Re: Disable RBL check for certain ip(ranges)
In-Reply-To: <4C8502450200008E000158D1@10.1.0.206>
References: <4C84F7730200008E000158C6@10.1.0.206> <4C8502450200008E000158D1@10.1.0.206>
Message-ID: <4C84EA60.9000602@alexb.ch>

On 2010-09-06 15:01, Arjan Melein wrote:
>>>> On 6-9-2010 at 14:47, Raymond Dijkxhoorn wrote:
>> Hi!
>>
>>> As Microsoft seems to have managed to get hotmail / live.com listed on
>>> multiple RBL's -again- I was looking at the possibility of excluding
>>> these ip's from the RBL checks. I can't just white list it as people do
>>> send spam through hotmail. Any ideas on if/how this can be done ?
>> You might want to start using DNS Whitelists also. Where those relay
>> servers are marked as 'ok' ...
>>
>> Bye,
>> Raymond.
>
>
> I was thinking DNS WL too, but that will require a bit of fiddling as well.
>
> As for everyone else's questions, which I could have thought of before hand if it wasn't Monday ;)
>
> I'm running MS on a Fedora system with postfix as MTA.
> Spamassassin does the RBL checks. Right now this is version 3.2.5 but once I have the MS Jules just released working in a test i'll upgrade that to 3.3.1.
>
> From what I can tell hotmail is listed on backscatter and SORBS

Before using a WL which opens a whole new can of worms, I'd lower the score on SORBS and ditch backscatterer which can hardly be considered as a trustworthy BL.

From raymond at prolocation.net Mon Sep 6 14:25:57 2010
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 6 14:26:08 2010
Subject: Betr.: Re: Disable RBL check for certain ip(ranges)
In-Reply-To: <4C84EA60.9000602@alexb.ch>
References: <4C84F7730200008E000158C6@10.1.0.206> <4C8502450200008E000158D1@10.1.0.206> <4C84EA60.9000602@alexb.ch>
Message-ID:

Hi!

>> As for everyone else's questions, which I could have thought of before hand
>> if it wasn't Monday ;)
>>
>> I'm running MS on a Fedora system with postfix as MTA.
>> Spamassassin does the RBL checks. Right now this is version 3.2.5 but once
>> I have the MS Jules just released working in a test i'll upgrade that to
>> 3.3.1.
>>
>>> From what I can tell hotmail is listed on backscatter and SORBS

> Before using a WL which opens a whole new can of worms, I'd lower the score
> on SORBS and ditch backscatterer which can hardly be considered as a
> trustworthy BL.

Agreed. But using a WL solution might also be handy for people who reject on MTA. But indeed lowering SORBS scoring is a good start.

Bye,
Raymond.

From ngoc5593 at yahoo.com Mon Sep 6 15:07:30 2010
From: ngoc5593 at yahoo.com (le minh ngoc)
Date: Mon Sep 6 15:07:39 2010
Subject: i do not want receive your mail
Message-ID: <289007.87493.qm@web53105.mail.re2.yahoo.com>

i do not want receive mails from your forum please, help me.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100906/50ebd9a6/attachment.html

From Amelein at dantumadiel.eu Mon Sep 6 15:08:25 2010
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Mon Sep 6 15:08:40 2010
Subject: Betr.: Re: Disable RBL check for certain ip(ranges)
In-Reply-To:
References: <4C84F7730200008E000158C6@10.1.0.206> <4C8502450200008E000158D1@10.1.0.206> <4C84EA60.9000602@alexb.ch>
Message-ID: <4C8511F90200008E000158E6@10.1.0.206>

>>> On 6-9-2010 at 15:25, Raymond Dijkxhoorn wrote:
> Hi!
>
>>> As for everyone else's questions, which I could have thought of before hand
>>> if it wasn't Monday ;)
>>>
>>> I'm running MS on a Fedora system with postfix as MTA.
>>> Spamassassin does the RBL checks. Right now this is version 3.2.5 but once
>>> I have the MS Jules just released working in a test i'll upgrade that to
>>> 3.3.1.
>>>
>>>> From what I can tell hotmail is listed on backscatter and SORBS
>
>> Before using a WL which opens a whole new can of worms, I'd lower the score
>> on SORBS and ditch backscatterer which can hardly be considered as a
>> trustworthy BL.
>
> Agreed. But using a WL solution might also be handy for people who reject
> on MTA. But indeed lowering SORBS scoring is a good start.
>
> Bye,
> Raymond.

I would not have a problem with negative score whitelist if every legitimate hotmail / gmail server was only sending out legitimate e-mails, but unfortunately some people manage to send spam through the actual hotmail / gmail servers.
Backscatter is indeed getting annoying but I'm having trouble finding where this is configured.
Other than that I have very few false positives, not enough for me to warrant messing with the sorbs score. Only real issue I'm having is hotmail getting blocked.

- Arjan

From raymond at prolocation.net Mon Sep 6 15:17:34 2010
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Sep 6 15:17:44 2010
Subject: Betr.: Re: Disable RBL check for certain ip(ranges)
In-Reply-To: <4C8511F90200008E000158E6@10.1.0.206>
References: <4C84F7730200008E000158C6@10.1.0.206> <4C8502450200008E000158D1@10.1.0.206> <4C84EA60.9000602@alexb.ch> <4C8511F90200008E000158E6@10.1.0.206>
Message-ID:

Hi!

> I would not have a problem with negative score whitelist if every
> legitimate hotmail / gmail server was only sending out legitimate
> e-mails, but unfortunately some people manage to send spam through the
> actual hotmail / gmail servers.

> Backscatter is indeed getting annoying but I'm having trouble finding
> where this is configured.

> Other than that I have very few false positives, not enough for me to
> warrant messing with the sorbs score. Only real issue I'm having is
> hotmail getting blocked.

Ok well, that's your pick. I would personally score it 0.3 or remove it.

Bye,
Raymond.

From supunr at lankacom.net Mon Sep 6 15:30:04 2010
From: supunr at lankacom.net (Supun Rathnayake)
Date: Mon Sep 6 15:30:30 2010
Subject: MailScanner ANNOUNCE: 4.81 released
In-Reply-To:
References: <4C84CEB2.9090200@ecs.soton.ac.uk> <4C84DBE8.9070502@macscr.com>
Message-ID: <4C84FAEC.5050209@lankacom.net>

On 09/06/2010 06:08 PM, Steve wrote:
> On 6 September 2010 13:17, Mark Chaney wrote:
>> Looks great! Can't wait to update. Who actually maintains the *.deb for
>> mailscanner? Any idea what the typical turnaround time for the newest stable
>> to be available in those formats? The link to it on the website doesn't work
>> anymore.
> The last .deb was done (for lenny-backports) by Jan Wagner (waja _ at
> _ cyconet _ dot _ org). Once again, this release just missed the
> latest Debian Testing freeze, which means we'll most likely not get it
> in Squeeze proper. :-(
>
>

We too are eagerly waiting for the latest .deb package to be used in Ubuntu servers, it would be great if at least someone could have it available under the Personal Package archives of Ubuntu https://launchpad.net/ubuntu/+ppas
As in debian, the one available in repos are too old.

>> On 09/06/2010 06:21 AM, Jules Field wrote:
>>> Life seems to get ever busier somehow, good thing I don't have a personal
>>> life to speak of, I don't know what I would do then... :-)
> Good for us! :-)
>
>>> I have just released a new stable release of MailScanner, version 4.81.

Thanks a lot for all the hard work !

> :-D
>
>
> Thanks for all the hard work!
>
> Steve.

Thanks,
Supun.

From Amelein at dantumadiel.eu Mon Sep 6 15:32:36 2010
From: Amelein at dantumadiel.eu (Arjan Melein) Date: Mon Sep 6 15:32:55 2010 Subject: Betr.: i do not want receive your mail In-Reply-To: <289007.87493.qm@web53105.mail.re2.yahoo.com> References: <289007.87493.qm@web53105.mail.re2.yahoo.com> Message-ID: <4C8517A40200008E000158EC@10.1.0.206> >>> On 6-9-2010 at 16:07, le minh ngoc wrote: > i do not want receive mails from your forum please, help me. > > > > go to: http://lists.mailscanner.info/mailman/listinfo/mailscanner and unsubscribe. From bonivart at opencsw.org Mon Sep 6 15:47:07 2010 From: bonivart at opencsw.org (Peter Bonivart) Date: Mon Sep 6 15:47:40 2010 Subject: MailScanner ANNOUNCE: 4.81 released In-Reply-To: References: <4C84CEB2.9090200@ecs.soton.ac.uk> Message-ID: On Mon, Sep 6, 2010 at 1:21 PM, Jules Field wrote: > Morning all, long time no speak! > > Life seems to get ever busier somehow, good thing I don't have a personal > life to speak of, I don't know what I would do then... :-) > > I have just released a new stable release of MailScanner, version 4.81. The OpenCSW package for Solaris has been submitted for approval (~1d). Until then you can get it from: http://mirror.opencsw.org/experimental.html#bonivart Direct link: http://mirror.opencsw.org/experimental/bonivart/mailscanner-4.81.4.1,REV=2010.09.06-SunOS5.9-all-CSW.pkg.gz -- /peter From hvdkooij at vanderkooij.org Mon Sep 6 15:46:37 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 6 15:51:41 2010 Subject: Betr.: i do not want receive your mail In-Reply-To: <4C8517A40200008E000158EC@10.1.0.206> References: <289007.87493.qm@web53105.mail.re2.yahoo.com> <4C8517A40200008E000158EC@10.1.0.206> Message-ID: On Mon, 06 Sep 2010 16:32:36 +0200, "Arjan Melein" wrote: >>>> On 6-9-2010 at 16:07, le minh ngoc >>>> wrote: >> i do not want receive mails from your forum please, help me. > go to: http://lists.mailscanner.info/mailman/listinfo/mailscanner > and unsubscribe. I guess your RBL is not selective enough to detect this sort of spam. ;-) -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From kkobb at skylinecorp.com Mon Sep 6 18:28:52 2010 From: kkobb at skylinecorp.com (Kevin Kobb) Date: Mon Sep 6 18:29:15 2010 Subject: MailScanner ANNOUNCE: 4.81 released In-Reply-To: References: <4C84CEB2.9090200@ecs.soton.ac.uk> Message-ID: <1a6cdb29f8f332b7cbb91cd3ec2acb0b@localhost> On Mon, 06 Sep 2010 12:21:22 +0100, Jules Field wrote: > Morning all, long time no speak! > > Life seems to get ever busier somehow, good thing I don't have a > personal life to speak of, I don't know what I would do then... :-) > > I have just released a new stable release of MailScanner, version 4.81. > For FreeBSD users, I have submitted a PR to get this into the ports tree. Please take a look at: http://www.freebsd.org/cgi/query-pr.cgi?pr=150331 From mikael at syska.dk Mon Sep 6 19:46:07 2010
From: mikael at syska.dk (Mikael Syska) Date: Mon Sep 6 19:46:19 2010 Subject: i do not want receive your mail In-Reply-To: <289007.87493.qm@web53105.mail.re2.yahoo.com> References: <289007.87493.qm@web53105.mail.re2.yahoo.com> Message-ID: Hi, Read here: http://lists.mailscanner.info/mailman/listinfo/mailscanner On Mon, Sep 6, 2010 at 4:07 PM, le minh ngoc wrote: > i do not want receive mails from your forum > please, help me. > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From neil at dcdata.co.za Tue Sep 7 07:03:14 2010 From: neil at dcdata.co.za (Neil Wilson) Date: Tue Sep 7 07:03:41 2010 Subject: .js and hidden filename blocked Message-ID: <4C85D5A2.9000301@dcdata.co.za> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100907/b3c6a948/attachment.html From Jeff.Mills at sydneytech.com.au Tue Sep 7 07:23:19 2010 From: Jeff.Mills at sydneytech.com.au (Jeff Mills) Date: Tue Sep 7 07:23:32 2010 Subject: .js and hidden filename blocked In-Reply-To: <4C85D5A2.9000301@dcdata.co.za> References: <4C85D5A2.9000301@dcdata.co.za> Message-ID: <5CC818E72EFF6C4CB0D4DFEF1C4E6CD50F00E2FE29@SERVER01.sts.local>
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Neil Wilson Sent: Tuesday, 7 September 2010 4:03 PM To: MailScanner discussion Subject: .js and hidden filename blocked No matter what, .js files are blocked as well as double extensions, and I've double checked that all whitespaces are tabs, although they won't show here. If anyone has any ideas I'd be most grateful for any assistance. Thank you. Regards. Neil. Neil, My config suggests that the jscript rule looks like this: deny \.jse?$ Possible Microsoft JScript attack JScript Scripts are dangerous in email Does that rule still exist in your filename rules? With the double filename hiding, I commented out the rule rather than using "allow", and that seems to work for me. Jeff From waytotheweb at googlemail.com Tue Sep 7 08:01:40 2010
From: waytotheweb at googlemail.com (Sarah Michaelson) Date: Tue Sep 7 08:01:49 2010 Subject: .js and hidden filename blocked In-Reply-To: <4C85D5A2.9000301@dcdata.co.za> References: <4C85D5A2.9000301@dcdata.co.za> Message-ID: On 7 September 2010 07:03, Neil Wilson wrote: > Hi guys, > > I've got an issue with a filename that I just can't seem to allow. > > > The file is a zipped backup that automatically gets emailed to the > recipient. > > No matter what, .js files are blocked as well as double extensions, and > I've double checked that all whitespaces are tabs, although they won't show > here. > > Have you checked your settings for the Archives: attachment checking settings, i.e. Archives: Allow Filenames, Archives: Filename Rules, etc? -- Regards, Sarah Michaelson Way to the Web Ltd Server Management Services: http://www.configserver.com From lyndonl at mexcom.co.za Tue Sep 7 14:06:45 2010
From: lyndonl at mexcom.co.za (Lyndon Labuschagne) Date: Tue Sep 7 14:09:08 2010 Subject: Filetype - Filename - Executable Message-ID: <42AF5C22-BB83-4B28-9EC2-EF526AC630AD@mexcom.co.za> Hello I seem to have a situation where mail to a client is being blocked. The file is a .dat file; here is an extract: Sender: user@domain.com IP Address: xx.xx.xx.xx Recipient: user@clientdomain.com Subject: Message released from quarantine MessageID: 637FA4F1160.00000 Quarantine: /var/spool/MailScanner/quarantine/20100907/637FA4F1160.00000 Report: No programs allowed (0000.dat) Report: No programs allowed (0001.dat) Report: No programs allowed (0001.dat) Report: No programs allowed (0000.dat) Report: No programs allowed (0000.dat) No programs allowed (0001.dat) I have added the following to my config in the hopes of getting the file through: Allow Filetypes = %etc-dir%/file-names.allow Allow Filenames = %etc-dir%/file-names.allow Contents of files: FromOrTo: @clientdomain.com yes Allow Filenames = \.dat$ FromOrTo: @clientdomain.com yes Allow Filenames = executables FromOrTo: @clientdomain.com yes Allow Filetypes = Windows/DOS Executable I am making a few assumptions, and maybe that's where the problem is. I am assuming that the above rule takes preference over the normal filename.rules.conf and filetype.rules.conf. Any suggestions will be most helpful. From mark at msapiro.net Tue Sep 7 17:06:01 2010 From: mark at msapiro.net (Mark Sapiro) Date: Tue Sep 7 17:06:12 2010 Subject: MailScanner ANNOUNCE: 4.81 released In-Reply-To: Message-ID: Jules Field wrote: > >I have just released a new stable release of MailScanner, version 4.81. > >Download as usual from www.mailscanner.info. The signatures appear to be missing - The requested URL /files/4/rpm/MailScanner-4.81.4-1.rpm.tar.gz.sig was not found on this server. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From Milind.Patil at newswire18.com Wed Sep 8 12:11:42 2010
From: Milind.Patil at newswire18.com (Milind Patil) Date: Wed Sep 8 12:11:52 2010 Subject: Getting Spam mails via MailScanner Message-ID: Hi I have installed MailScanner with Sendmail and ClamAV, the setup is working fine, but occasionally some spam passes through the MailScanner/Spamassassin. For e.g. please find the below mail received by one of the user and the spamassassin score report, I have kept number 6 as the cut-off for spam. My question is there is a word Viagra in the mail (Subject) then why spamassassin is not marking it as spam. Please help. Regards Milind Patil ==== -----Original Message----- From: Leatha [mailto:cahua9618@arcor-ip.net] Sent: Wednesday, September 08, 2010 1:48 PM To: Debjit Chakraborty Subject: Better-than-ever prices on Viagra ==== And this is the Spamassassin score ==== SpamAssassin Score:5.27 Spam Report: Score Matching Rule 2.22 DRUGS_ERECTILE 1.27 RDNS_NONE 0.00 SPF_HELO_FAIL 0.00 TVD_SPACE_RATIO 1.77 URIBL_BLACK ===== From raymond at prolocation.net Wed Sep 8 12:18:17 2010
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Wed Sep 8 12:18:26 2010 Subject: Getting Spam mails via MailScanner In-Reply-To: References: Message-ID: Hi! > I have installed MailScanner with Sendmail and ClamAV, the setup is > working fine, but occasionally some spam passes through the > MailScanner/Spamassassin. For e.g. please find > the below mail received by one of the user and the spamassassin score > report, I have kept number 6 as the cut-off for spam. My question is > there is a word Viagra in the mail (Subject) then why > spamassassin is not marking it as spam. Please don't send spam to the list. The word Viagra isn't an alias for 100% spam. There is perfectly legitimate use for Viagra. If you feel all mail with Viagra in the subject is spam, define a spamassassin rule to score that. I don't think it's wise however. Spamassassin isn't a guarantee no spam will go in anyway, and you are welcome on the SA mailinglist to discuss SA behaviour there. Bye, Raymond. From hvdkooij at vanderkooij.org Wed Sep 8 12:19:46 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Sep 8 12:24:54 2010 Subject: Getting Spam mails via MailScanner In-Reply-To: References: Message-ID: <482d1ba1d0b34caf79e50594700c33d2@127.0.0.1> On Wed, 8 Sep 2010 16:41:42 +0530, "Milind Patil" wrote: I have installed MailScanner with Sendmail and ClamAV, the setup is working fine, but occasionally some spam passes through the MailScanner/Spamassassin. For e.g. please find the below mail received by one of the user and the spamassassin score report, I have kept number 6 as the cut-off for spam. My question is there is a word Viagra in the mail (Subject) then why spamassassin is not marking it as spam. The mere presence of a word is not a reason for spamassassin to generate a big score. In fact you get over 2 points for that in this example. If you want to change that then write up your own rule(s). There should be plenty of examples in the archives of this mailinglist. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc From maxsec at gmail.com Wed Sep 8 12:27:19 2010
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Sep 8 12:27:30 2010 Subject: Getting Spam mails via MailScanner In-Reply-To: References: Message-ID: Better you get the occasional spam through than get real email blocked IMHO. Have a look on the wiki about tuning SA. Also I see no mention of any bayes score here so it's worth checking that's working. Martin Hepworth Oxford, UK On 8 September 2010 12:11, Milind Patil wrote: > Hi > > > > I have installed MailScanner with Sendmail and ClamAV, the > setup is working fine, but occasionally some spam passes through the > MailScanner/Spamassassin. For e.g. please find the below mail received by > one of the user and the spamassassin score report, I have kept number 6 as > the cut-off for spam. My question is there is a word Viagra in the mail > (Subject) then why spamassassin is not marking it as spam. > > > > Please help. > > > > Regards > > Milind Patil > > > > ==== > > -----Original Message----- > > From: Leatha [mailto:cahua9618@arcor-ip.net] > > Sent: Wednesday, September 08, 2010 1:48 PM > > To: Debjit Chakraborty > > Subject: Better-than-ever prices on Viagra > > > > ==== > > > > And this is the Spamassassin score > > > > ==== > > SpamAssassin Score:5.27 Spam Report: > > *Score* > > *Matching Rule* > > 2.22 > > DRUGS_ERECTILE > > > > 1.27 > > RDNS_NONE > > > > 0.00 > > SPF_HELO_FAIL > > > > 0.00 > > TVD_SPACE_RATIO > > > > 1.77 > > URIBL_BLACK > > ===== From lyndonl at mexcom.co.za Wed Sep 8 12:33:20 2010
From: lyndonl at mexcom.co.za (Lyndon Labuschagne) Date: Wed Sep 8 12:34:07 2010 Subject: Getting Spam mails via MailScanner In-Reply-To: References: Message-ID: > ==== > > And this is the Spamassassin score > > ==== > SpamAssassin Score:5.27 Spam Report: > Score > Matching Rule > 2.22 > DRUGS_ERECTILE > > 1.27 > RDNS_NONE > > 0.00 > SPF_HELO_FAIL > > 0.00 > TVD_SPACE_RATIO > > 1.77 > URIBL_BLACK > ===== > > Your spam will never completely go away, but that being said, if your spam score in MailScanner.conf is set to below the scored amount of 5.27 then there may be a configuration issue. However, if your spam score is set to 4 and you can set the configuration to quarantine that message and it doesn't, then you may have a problem. If your spam score setting in the conf file is 6 and you only scored 5.27 then it's working as expected. From raubvogel at gmail.com Wed Sep 8 13:17:09 2010
From: raubvogel at gmail.com (Mauricio Tavares) Date: Wed Sep 8 13:17:18 2010 Subject: Getting Spam mails via MailScanner In-Reply-To: References: Message-ID: On Wed, Sep 8, 2010 at 7:33 AM, Lyndon Labuschagne wrote: > > ==== > > And this is the Spamassassin score > > ==== > SpamAssassin Score:5.27 Spam Report: > *Score* > *Matching Rule* > 2.22 > DRUGS_ERECTILE > > 1.27 > RDNS_NONE > > 0.00 > SPF_HELO_FAIL > > 0.00 > TVD_SPACE_RATIO > > 1.77 > URIBL_BLACK > ===== > > > > Your spam will never completely go away but that being said if your spam > score in MailScanner.conf is set to below the scored amount of 5.27 then > there may be a configuration issue, however if your spam score is set to 4 > and you can set the configuration to quarantine that message and it doesn't > then you may have a problem. if your spam score setting in the conf file is > 6 and you only scored 5.27 then it's working as expected > > To add my 2 cents to this discussion, we set our spam threshold to 4.7 and have been doing well. Ok, a few new spams are getting through without ever triggering bayes and I do not know what to do, but overall that setting has been quite effective. From sonidhaval at gmail.com Wed Sep 8 20:45:02 2010
From: sonidhaval at gmail.com (Dhaval Soni) Date: Wed Sep 8 20:45:12 2010 Subject: Spam from same email ID. Message-ID: Dear All, Do we have any techniques to stop spam emails generated from the same ID? Please find below example for the same. From: shahnisarg.shah@123l.com To: shahnisarg.shah@123l.com Subject: shahnisarg.shah@123l.com_V|AGRA ? Official 02% 0FF! 1.6Kb Clean Headers are as below for above mail. Return-Path: Received: from 177-37-94-178.pool.ukrtel.net (177-37-94-178.pool.ukrtel.net[178.94.37.177]) by hi.com (8.13.8/8.13.8) with SMTP id o88JcJCe018330 for ; Wed, 8 Sep 2010 14:38:30 -0500 Date: Wed, 8 Sep 2010 14:38:19 -0500 Message-Id: <201009081938.o88JcJCe018330@hi.com> From: shahnisarg.shah@123l.com To: shahnisarg.shah@123l.com Subject: shahnisarg.shah@123l.com_V|AGRA ? Official 02% 0FF! MIME-Version: 1.0 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Thank you, -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 From alex at rtpty.com Wed Sep 8 21:25:56 2010 From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 8 21:30:23 2010 Subject: Spam from same email ID. In-Reply-To: References: Message-ID: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> Please don't paste spam on the list. Use pastebin. You can write an SA rule or - depending on MTA - do it at the MTA level. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message-----
From: Dhaval Soni Sender: mailscanner-bounces@lists.mailscanner.info Date: Thu, 9 Sep 2010 01:15:02 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Spam from same email ID. From sonidhaval at gmail.com Wed Sep 8 22:00:18 2010 From: sonidhaval at gmail.com (Dhaval Soni) Date: Wed Sep 8 22:00:28 2010 Subject: Spam from same email ID. In-Reply-To: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> Message-ID: Dear Alex, On Thu, Sep 9, 2010 at 1:55 AM, Alex Neuman wrote: > Please don't paste spam on the list. Use pastebin. > Sorry for that. > > You can write an SA rule or - depending on MTA - do it at the MTA level. > How can we write at MTA level? Thank you, > > -- > > Alex Neuman > BBM 20EA17C5 > +507 6781-9505 > Skype:alex@rtpty.com > > -----Original Message-----
> From: Dhaval Soni > Sender: mailscanner-bounces@lists.mailscanner.info > Date: Thu, 9 Sep 2010 01:15:02 > To: MailScanner discussion > Reply-To: MailScanner discussion > Subject: Spam from same email ID. > -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 From alex at rtpty.com Wed Sep 8 22:18:38 2010 From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 8 22:22:30 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> Message-ID: <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> By modifying its configuration. Depends on your MTA. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message-----
From: Dhaval Soni Sender: mailscanner-bounces@lists.mailscanner.info Date: Thu, 9 Sep 2010 02:30:18 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Spam from same email ID. From sonidhaval at gmail.com Wed Sep 8 22:26:33 2010 From: sonidhaval at gmail.com (Dhaval Soni) Date: Wed Sep 8 22:26:44 2010 Subject: Spam from same email ID. In-Reply-To: <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: Dear Alex, On Thu, Sep 9, 2010 at 2:48 AM, Alex Neuman wrote: > By modifying its configuration. Depends on your MTA. > I am using sendmail 8.13 ( latest one ). Will you please give example? I do not have any idea about it. Thank you, > -- > > Alex Neuman > BBM 20EA17C5 > +507 6781-9505 > Skype:alex@rtpty.com > > -----Original Message-----
> From: Dhaval Soni > Sender: mailscanner-bounces@lists.mailscanner.info > Date: Thu, 9 Sep 2010 02:30:18 > To: MailScanner discussion > Reply-To: MailScanner discussion > Subject: Re: Spam from same email ID. > -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 From phaleintx at gmail.com Wed Sep 8 22:30:09 2010 From: phaleintx at gmail.com (Phil Hale) Date: Wed Sep 8 22:30:20 2010 Subject: Spam from same email ID. In-Reply-To: <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: <4C880061.3040609@gmail.com> At the MTA level use SPF, SenderID, Domainkeys or DKIM. Available to varying degrees for the different MTA used by MailScanner. Phil Hale Systems Programmer II - Linux Systems Administrator Texas A&M University-Corpus Christi On 09/08/2010 04:18 PM, Alex Neuman wrote: > By modifying its configuration. Depends on your MTA. > -- > > Alex Neuman > BBM 20EA17C5 > +507 6781-9505 > Skype:alex@rtpty.com > > -----Original Message-----
> From: Dhaval Soni > Sender: mailscanner-bounces@lists.mailscanner.info > Date: Thu, 9 Sep 2010 02:30:18 > To: MailScanner discussion > Reply-To: MailScanner discussion > Subject: Re: Spam from same email ID. > From alex at rtpty.com Wed Sep 8 22:30:58 2010 From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 8 22:31:08 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: You'd have to ask in the sendmail list, and it probably involves a milter. On Wed, Sep 8, 2010 at 4:26 PM, Dhaval Soni wrote: > Dear Alex, > > On Thu, Sep 9, 2010 at 2:48 AM, Alex Neuman wrote: >> >> By modifying its configuration. Depends on your MTA. > > I am using sendmail 8.13 ( latest one ). Will you please give example? I do > not have any idea about it. > > Thank you, > >> >> -- >> >> Alex Neuman >> BBM 20EA17C5 >> +507 6781-9505 >> Skype:alex@rtpty.com >> >> -----Original Message----- 
>> From: Dhaval Soni >> Sender: mailscanner-bounces@lists.mailscanner.info >> Date: Thu, 9 Sep 2010 02:30:18 >> To: MailScanner discussion >> Reply-To: MailScanner discussion >> Subject: Re: Spam from same email ID. > > -- > Kind regards, > Dhaval Soni > Red Hat Certified Architect > ID: 804 007 900 325 939 > > M: +91-9662029620 > -- -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 BB Pin: 20EA17C5 alex@rtpty.com Skype: alexneuman From alex at rtpty.com Wed Sep 8 22:31:47 2010
From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 8 22:31:55 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: You could also set up a rule like: From:blabla@blabla.com and To:blabla@blabla.com yes in your %rules-dir%/spam.blacklist.rules to do something like that within MailScanner. On Wed, Sep 8, 2010 at 4:30 PM, Alex Neuman wrote: > You'd have to ask in the sendmail list, and it probably involves a milter. > > On Wed, Sep 8, 2010 at 4:26 PM, Dhaval Soni wrote: >> Dear Alex, >> >> On Thu, Sep 9, 2010 at 2:48 AM, Alex Neuman wrote: >>> >>> By modifying its configuration. Depends on your MTA. >> >> I am using sendmail 8.13 ( latest one ). Will you please give example? I do >> not have any idea about it. >> >> Thank you, >> >>> >>> -- >>> >>> Alex Neuman >>> BBM 20EA17C5 >>> +507 6781-9505 >>> Skype:alex@rtpty.com >>> >>> -----Original Message----- 
>>> From: Dhaval Soni >>> Sender: mailscanner-bounces@lists.mailscanner.info >>> Date: Thu, 9 Sep 2010 02:30:18 >>> To: MailScanner discussion >>> Reply-To: MailScanner discussion >>> Subject: Re: Spam from same email ID. >> >> -- >> Kind regards, >> Dhaval Soni >> Red Hat Certified Architect >> ID: 804 007 900 325 939 >> >> M: +91-9662029620 > > -- > -- > > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > BB Pin: 20EA17C5 > alex@rtpty.com > Skype: alexneuman > -- -- Alex Neuman van der Hans Reliant Technologies +507 6781-9505 +507 202-1525 BB Pin: 20EA17C5 alex@rtpty.com Skype: alexneuman From sonidhaval at gmail.com Wed Sep 8 22:42:15 2010
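An added example, not part of the thread and not MailScanner's or SpamAssassin's own code: the ruleset line suggested above names one fixed address, and this sketch applies the same From-equals-To test to any message and lets through self-addressed mail that arrived from your own relays. `TRUSTED_RELAYS`, the function names and the two `example.org` messages are assumptions made for illustration; the first sample uses the headers posted earlier in this thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: networks your own users submit mail from (a documentation range here).
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# The receiving MTA records the connecting client as "[a.b.c.d]" in the
# Received header it adds, as in the header posted in the thread.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_addresses(msg, *names):
    """Return the lower-cased addresses found in the named headers."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def connecting_ip(msg):
    """Client IP from the topmost Received header, or None if it cannot be read."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = BRACKETED_IP.search(received[0])
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. "[999.1.1.1]"
        return None


def check_self_addressed(raw_message):
    """Return (flagged, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    shared = header_addresses(msg, "From") & header_addresses(msg, "To", "Cc")
    if not shared:
        return False, "sender is not among the recipients"
    ip = connecting_ip(msg)
    if ip is not None and any(ip in net for net in TRUSTED_RELAYS):
        return False, "self-addressed, but submitted from a trusted relay"
    relay = str(ip) if ip is not None else "unknown"
    return True, "self-addressed from untrusted relay " + relay


# Headers as posted in the thread (the empty "for ;" is how the archive shows it).
THREAD_SAMPLE = (
    "Received: from 177-37-94-178.pool.ukrtel.net "
    "(177-37-94-178.pool.ukrtel.net[178.94.37.177]) by hi.com (8.13.8/8.13.8) "
    "with SMTP id o88JcJCe018330 for ; Wed, 8 Sep 2010 14:38:30 -0500\n"
    "Date: Wed, 8 Sep 2010 14:38:19 -0500\n"
    "From: shahnisarg.shah@123l.com\n"
    "To: shahnisarg.shah@123l.com\n"
    "\n"
    "body omitted\n"
)

# Constructed: a user mailing a note to themselves through the local relay.
SELF_NOTE = (
    "Received: from ws17.example.org (ws17.example.org [192.0.2.17]) by mx.example.org\n"
    "From: Alice <Alice@Example.org>\n"
    "To: alice@example.org\n"
    "\n"
    "reminder\n"
)

# Constructed: ordinary inbound mail from an outside sender.
NORMAL = (
    "Received: from mail.example.net (mail.example.net [198.51.100.9]) by mx.example.org\n"
    "From: bob@example.net\n"
    "To: alice@example.org\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    for label, raw in (("thread", THREAD_SAMPLE), ("self-note", SELF_NOTE), ("normal", NORMAL)):
        print(label, check_self_addressed(raw))
```

The check reads header addresses only; a message whose header From differs from its header To is not covered by it.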
From: sonidhaval at gmail.com (Dhaval Soni) Date: Wed Sep 8 22:42:24 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: Dear Alex, On Thu, Sep 9, 2010 at 3:00 AM, Alex Neuman wrote: > You'd have to ask in the sendmail list, and it probably involves a milter. > I have used smf-sav milter with Sendmail. Which helped a lot but still facing problem. > > On Wed, Sep 8, 2010 at 4:26 PM, Dhaval Soni wrote: > > Dear Alex, > > > > On Thu, Sep 9, 2010 at 2:48 AM, Alex Neuman wrote: > >> > >> By modifying its configuration. Depends on your MTA. > > > > I am using sendmail 8.13 ( latest one ). Will you please give example? I > do > > not have any idea about it. > > > > Thank you, > > > >> > >> -- > >> > >> Alex Neuman > >> BBM 20EA17C5 > >> +507 6781-9505 > >> Skype:alex@rtpty.com > >> > >> -----Original Message----- 
> >> From: Dhaval Soni > >> Sender: mailscanner-bounces@lists.mailscanner.info > >> Date: Thu, 9 Sep 2010 02:30:18 > >> To: MailScanner discussion > >> Reply-To: MailScanner discussion > >> Subject: Re: Spam from same email ID. > > > > -- > > Kind regards, > > Dhaval Soni > > Red Hat Certified Architect > > ID: 804 007 900 325 939 > > > > M: +91-9662029620 > > -- > -- > > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > BB Pin: 20EA17C5 > alex@rtpty.com > Skype: alexneuman > -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 From sonidhaval at gmail.com Wed Sep 8 22:43:53 2010
From: sonidhaval at gmail.com (Dhaval Soni) Date: Wed Sep 8 22:44:03 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: On Thu, Sep 9, 2010 at 3:01 AM, Alex Neuman wrote: > You could also set up a rule like: > > From:blabla@blabla.com and To:blabla@blabla.com yes > Yes, we can do it, but so many emails are coming. It requires a lot of time and continuous monitoring to stop it. Thank you, > > in your %rules-dir%/spam.blacklist.rules to do something like that > within MailScanner. > > On Wed, Sep 8, 2010 at 4:30 PM, Alex Neuman wrote: > > You'd have to ask in the sendmail list, and it probably involves a > milter. > > > > On Wed, Sep 8, 2010 at 4:26 PM, Dhaval Soni > wrote: > >> Dear Alex, > >> > >> On Thu, Sep 9, 2010 at 2:48 AM, Alex Neuman wrote: > >>> > >>> By modifying its configuration. Depends on your MTA. > >> > >> I am using sendmail 8.13 ( latest one ). Will you please give example? I > do > >> not have any idea about it. > >> > >> Thank you, > >> > >>> > >>> -- > >>> > >>> Alex Neuman > >>> BBM 20EA17C5 > >>> +507 6781-9505 > >>> Skype:alex@rtpty.com > >>> > >>> -----Original Message-----
> >>> From: Dhaval Soni > >>> Sender: mailscanner-bounces@lists.mailscanner.info > >>> Date: Thu, 9 Sep 2010 02:30:18 > >>> To: MailScanner discussion > >>> Reply-To: MailScanner discussion > >>> Subject: Re: Spam from same email ID. > >> > >> -- > >> Kind regards, > >> Dhaval Soni > >> Red Hat Certified Architect > >> ID: 804 007 900 325 939 > >> > >> M: +91-9662029620 > > > > -- > > -- > > > > Alex Neuman van der Hans > > Reliant Technologies > > +507 6781-9505 > > +507 202-1525 > > BB Pin: 20EA17C5 > > alex@rtpty.com > > Skype: alexneuman > > -- > -- > > Alex Neuman van der Hans > Reliant Technologies > +507 6781-9505 > +507 202-1525 > BB Pin: 20EA17C5 > alex@rtpty.com > Skype: alexneuman
> -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100909/e0a46e90/attachment.html From alex at rtpty.com Wed Sep 8 22:45:29 2010 From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 8 22:49:20 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry><471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> Message-ID: <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> The other message involving dkim and spf works well, too. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Dhaval Soni Sender: mailscanner-bounces@lists.mailscanner.info Date: Thu, 9 Sep 2010 03:12:15 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Spam from same email ID. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From sonidhaval at gmail.com Wed Sep 8 23:11:05 2010 
From: sonidhaval at gmail.com (Dhaval Soni) Date: Wed Sep 8 23:11:14 2010 Subject: Spam from same email ID. In-Reply-To: <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> Message-ID: On Thu, Sep 9, 2010 at 3:15 AM, Alex Neuman wrote: > The other message involving dkim and spf works well, too. > I already have DKIM and spf with spamassassin. But is it preferable to use smf-spf at MTA level? Thank you, > -- > > Alex Neuman > BBM 20EA17C5 > +507 6781-9505 > Skype:alex@rtpty.com > > -----Original Message----- > From: Dhaval Soni > Sender: mailscanner-bounces@lists.mailscanner.info > Date: Thu, 9 Sep 2010 03:12:15 > To: MailScanner discussion > Reply-To: MailScanner discussion > Subject: Re: Spam from same email ID. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100909/6b4311bb/attachment.html From alex at rtpty.com Wed Sep 8 23:28:20 2010 
From: alex at rtpty.com (Alex Neuman) Date: Wed Sep 8 23:32:13 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry><471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry><1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> Message-ID: <737286785-1283985119-cardhu_decombobulator_blackberry.rim.net-632206568-@bda957.bisx.prod.on.blackberry> Probably. Depends on your situation. I use it myself at the mta level with smf-spf. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Dhaval Soni Sender: mailscanner-bounces@lists.mailscanner.info Date: Thu, 9 Sep 2010 03:41:05 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Spam from same email ID. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From richard at fastnet.co.uk Thu Sep 9 09:08:00 2010 
From: richard at fastnet.co.uk (Richard Mealing) Date: Thu Sep 9 09:07:35 2010 Subject: Spam from same email ID. In-Reply-To: <737286785-1283985119-cardhu_decombobulator_blackberry.rim.net-632206568-@bda957.bisx.prod.on.blackberry> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry><471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry><1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> <737286785-1283985119-cardhu_decombobulator_blackberry.rim.net-632206568-@bda957.bisx.prod.on.blackberry> Message-ID: I also use smf-spf and it's amazing. You can create spf records with a hard fail, ie ( -all) and it will reject them with a good bounce. It's very configurable too. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: 08 September 2010 23:28 To: MailScanner discussion Subject: Re: Spam from same email ID. Probably. Depends on your situation. I use it myself at the mta level with smf-spf. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- 
From: Dhaval Soni Sender: mailscanner-bounces@lists.mailscanner.info Date: Thu, 9 Sep 2010 03:41:05 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Spam from same email ID. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From steve.freegard at fsl.com Thu Sep 9 09:18:25 2010 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Sep 9 09:18:36 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> Message-ID: <4C889851.4000806@fsl.com> On 08/09/10 23:11, Dhaval Soni wrote: > > > On Thu, Sep 9, 2010 at 3:15 AM, Alex Neuman > wrote: > > The other message involving dkim and spf works well, too. > > > I already have DKIM and spf with spamassassin. But is it preferable to > use smf-spf at MTA level? > You might have DKIM and SPF in SpamAssassin; but these are totally useless unless the domain you are having this problem with (e.g. 123l.com) actually publishes or uses them... smf@smf-laptop:~$ host -t TXT 123l.com 123l.com has no TXT record Same with smf-spf or milter-spiff; they'll only fix this problem if a policy is published for the domain in question (ideally a '-all' hard fail). Regards, Steve. From glenn.steen at gmail.com Thu Sep 9 10:24:34 2010 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Sep 9 10:24:45 2010 Subject: Spam from same email ID. In-Reply-To: <4C889851.4000806@fsl.com> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> <4C889851.4000806@fsl.com> Message-ID: On 9 September 2010 10:18, Steve Freegard wrote: > On 08/09/10 23:11, Dhaval Soni wrote: >> >> >> On Thu, Sep 9, 2010 at 3:15 AM, Alex Neuman wrote: >> >> The other message involving dkim and spf works well, too. >> >> >> I already have DKIM and spf with spamassassin. But is it preferable to >> use smf-spf at MTA level? >> > > You might have DKIM and SPF in SpamAssassin; but these are totally useless > unless the domain you are having this problem with (e.g. 123l.com) actually > publishes or uses them... > > smf@smf-laptop:~$ host -t TXT 123l.com > 123l.com has no TXT record > > Same with smf-spf or milter-spiff; they'll only fix this problem if a policy > is published for the domain in question (ideally a '-all' hard fail). > > Regards, > Steve. I'm a bit rusty on the rendmaul...Oops, sendmail ... side of things, but couldn't one do pretty much the same as I do in PF? That is, use an access-like map to disallow one's own (or customers') domain(s) as (envelope) senders? The loss for any typical smaller business would be greeting card sites etc, so shouldn't matter much. Sure, SPF with correct DNS record(s) would perhaps be easier, but ... sometimes it is easier to futz with one's MTA than with a (possibly externally managed) DNS:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From steve.freegard at fsl.com Thu Sep 9 16:10:27 2010
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Sep 9 16:10:37 2010 Subject: Spam from same email ID. In-Reply-To: References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> <4C889851.4000806@fsl.com> Message-ID: <4C88F8E3.3000407@fsl.com> On 09/09/10 10:24, Glenn Steen wrote: >> >> You might have DKIM and SPF in SpamAssassin; but these are totally useless >> unless the domain you are having this problem with (e.g. 123l.com) actually >> publishes or uses them... >> >> smf@smf-laptop:~$ host -t TXT 123l.com >> 123l.com has no TXT record >> >> Same with smf-spf or milter-spiff; they'll only fix this problem if a policy >> is published for the domain in question (ideally a '-all' hard fail). >> >> Regards, >> Steve. > I'm a bit rusty on the rendmaul...Oops, sendmail ... side of things, > but couldn't one do pretty much the same as I do in PF? That is, use > an access-like map to disallow ones own (or customers) domain(s) as > (envelope) senders? The loss for any typical smaller business would be > greeting card stes etc, so shouldn't matter much. > Sure, SPF with correct DNS record(s) would perhaps be easier, but ... > sometimes it is easier to futz with ones MTA than with a (possibly > externally managed) DNS:-). No reason why you couldn't add something like: from:mydomain.com REJECT But there be dragons here if you use the box for anything other than inbound mail e.g. SMTP AUTH, smart host or if you have a secondary MX. I've never tried it - but I suspect that you can mitigate some of that using 'connect:ip.ip.ip.ip OK'. Cheers, Steve. From sonidhaval at gmail.com Thu Sep 9 17:20:28 2010 
From: sonidhaval at gmail.com (Dhaval Soni) Date: Thu Sep 9 17:20:39 2010 Subject: Spam from same email ID. In-Reply-To: <4C88F8E3.3000407@fsl.com> References: <223208596-1283977773-cardhu_decombobulator_blackberry.rim.net-521756168-@bda957.bisx.prod.on.blackberry> <471030026-1283980936-cardhu_decombobulator_blackberry.rim.net-1216185599-@bda957.bisx.prod.on.blackberry> <1835012596-1283982547-cardhu_decombobulator_blackberry.rim.net-1303161993-@bda957.bisx.prod.on.blackberry> <4C889851.4000806@fsl.com> <4C88F8E3.3000407@fsl.com> Message-ID: Dear All, As per Alex, let me try smf-spf. Thank you, On Thu, Sep 9, 2010 at 8:40 PM, Steve Freegard wrote: > On 09/09/10 10:24, Glenn Steen wrote: > >> >>> You might have DKIM and SPF in SpamAssassin; but these are totally >>> useless >>> unless the domain you are having this problem with (e.g. 123l.com) >>> actually >>> publishes or uses them... >>> >>> smf@smf-laptop:~$ host -t TXT 123l.com >>> 123l.com has no TXT record >>> >>> Same with smf-spf or milter-spiff; they'll only fix this problem if a >>> policy >>> is published for the domain in question (ideally a '-all' hard fail). >>> >>> Regards, >>> Steve. >>> >> I'm a bit rusty on the rendmaul...Oops, sendmail ... side of things, >> but couldn't one do pretty much the same as I do in PF? That is, use >> an access-like map to disallow ones own (or customers) domain(s) as >> (envelope) senders? The loss for any typical smaller business would be >> greeting card stes etc, so shouldn't matter much. >> Sure, SPF with correct DNS record(s) would perhaps be easier, but ... >> sometimes it is easier to futz with ones MTA than with a (possibly >> externally managed) DNS:-). >> > > No reason why you couldn't add something like: > > from:mydomain.com REJECT > > > But there be dragons here if you use the box for anything other than > inbound mail e.g. SMTP AUTH, smart host or if you have a secondary MX. 
I've > never tried it - but I suspect that you can mitigate some of that using > 'connect:ip.ip.ip.ip OK'. > > Cheers, > Steve. > -- Kind regards, Dhaval Soni Red Hat Certified Architect ID: 804 007 900 325 939 M: +91-9662029620 From mogens at fumlersoft.dk Fri Sep 10 09:31:08 2010 From: mogens at fumlersoft.dk (Mogens Melander) Date: Fri Sep 10 09:31:22 2010 Subject: Spam from same email ID. In-Reply-To: References: Message-ID: I have, in my /etc/mail/access, the following 2 lines: 178.95 ERROR:"550 Reject : 178.95.x.x ukrtel.net - Spam Source" ukrtel.net ERROR:"550 Reject : ukrtel.net - Spam source" That will do it ;^) On Wed, September 8, 2010 21:45, Dhaval Soni wrote: > Dear All, > > Do we have any techniques to stop spam emails generated from the same ID? > Please find below example for the same. > > From : shahnisarg.shah@123l.com To : shahnisarg.shah@123l.com Subject : shahnisarg.shah@123l.com_V|AGRA ? Official 02% 0FF! 1.6Kb Clean > > Headers are as below for above mail. > > Return-Path: > Received: from 177-37-94-178.pool.ukrtel.net > (177-37-94-178.pool.ukrtel.net[178.94.37.177]) > by hi.com (8.13.8/8.13.8) with SMTP id o88JcJCe018330 > for ; Wed, 8 Sep 2010 14:38:30 -0500 > Date: Wed, 8 Sep 2010 14:38:19 -0500 > Message-Id: <201009081938.o88JcJCe018330@hi.com>
> From: shahnisarg.shah@123l.com > To: shahnisarg.shah@123l.com > Subject: shahnisarg.shah@123l.com_V|AGRA ? Official 02% 0FF! > MIME-Version: 1.0 > Content-Type: text/html; charset="ISO-8859-1" > Content-Transfer-Encoding: 7bit > > > Thank you, > > > -- > Kind regards, > Dhaval Soni > Red Hat Certified Architect > ID: 804 007 900 325 939 > > M: +91-9662029620 > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Later Mogens Melander -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hvdkooij at vanderkooij.org Fri Sep 10 09:42:31 2010 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Sep 10 09:47:42 2010 Subject: Spam from same email ID. In-Reply-To: References: Message-ID: On Thu, 9 Sep 2010 01:15:02 +0530, Dhaval Soni wrote: From : TO : SUBJECT : SHAHNISARG.SHAH@123L.COM_V|AGRA ? OFFICIAL 02% 0FF! 1.6KB CLEAN My first question is why you are accepting fake senders like this. You should be able to solve that issue by setting up SPF in your DNS and use it to kill fake senders in your MTA. In fact many organisations should be able to tackle up to 25% of all spam just by using SPF in their MTA. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100910/adfae33a/attachment.html From mrebsamen at unimatrix0.ch Fri Sep 10 20:34:28 2010 
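Added example, not part of the thread and not any poster's configuration: a Python model of the two checks discussed in the "Spam from same email ID" thread, showing why an SPF check has nothing to enforce when the domain publishes no record, and which legitimate flows a `from:mydomain.com REJECT` style rule catches unless they are exempted. Assumptions: the envelope sender equals the header From (the Return-Path in the posted headers is blank), 123l.com is treated as the local domain, the relay address and all `*.example` data are constructed, and the exemption order (trusted address or authenticated session first) is a modelling choice, not verified sendmail behaviour.

```python
import ipaddress

# Constructed DNS snapshot (domain -> TXT strings) so this runs offline.
# 123l.com is empty because the thread's `host -t TXT 123l.com` found no
# record; every *.example entry is made up to exercise one branch.
SAMPLE_TXT = {
    "123l.com": [],
    "hardfail.example": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "softfail.example": ["site-verification=constructed", "v=spf1 a ~all"],
    "neutral.example": ["v=spf1 include:_spf.example.net ?all"],
    "noall.example": ["v=spf1 mx"],
    "broken.example": ["v=spf1 mx -all", "v=spf1 a -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def published_spf_policy(domain, txt=SAMPLE_TXT):
    """What the domain's SPF record says about senders it does not list."""
    records = [r for r in txt.get(domain.lower(), [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"        # nothing published: nothing for a milter to enforce
    if len(records) > 1:
        return "permerror"   # RFC 7208: more than one SPF record is an error
    has_redirect = False
    for term in records[0].split()[1:]:
        low = term.lower()
        if low.lstrip("+-~?") == "all":
            return QUALIFIERS.get(low[0], "pass")  # bare "all" means "+all"
        has_redirect = has_redirect or low.startswith("redirect=")
    # No "all": another record decides (redirect) or the default is neutral.
    return "redirect" if has_redirect else "neutral"


def spf_would_reject(domain, txt=SAMPLE_TXT):
    """Only a published hard fail (-all) lets an SPF milter reject outright."""
    return published_spf_policy(domain, txt) == "fail"


LOCAL_DOMAINS = {"123l.com"}                              # assumption: our domain
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.25/32")]  # constructed secondary MX


def access_decision(client_ip, envelope_sender, authenticated=False,
                    local_domains=LOCAL_DOMAINS, trusted=TRUSTED_RELAYS):
    """Model of 'from:mydomain.com REJECT' with 'connect:ip OK' exemptions."""
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in trusted):
        return "OK"          # exempted before the sender-domain rule applies
    domain = envelope_sender.rpartition("@")[2].lower()
    if domain in local_domains:
        return "REJECT"      # outside host claiming to send as our own domain
    return "CONTINUE"        # hand over to the remaining checks


# First row uses the relay address and sender from the headers in the thread;
# all other rows are constructed.
SESSIONS = [
    ("spam from the thread", "178.94.37.177", "shahnisarg.shah@123l.com", False),
    ("own user via SMTP AUTH", "203.0.113.50", "alice@123l.com", True),
    ("secondary MX forwarding", "192.0.2.25", "bob@123l.com", False),
    ("own user, roaming, no AUTH", "203.0.113.51", "carol@123l.com", False),
    ("ordinary outside sender", "198.51.100.7", "dave@hardfail.example", False),
]


def evaluate(sessions=SESSIONS):
    """Map each session label to (published SPF policy, access-map decision)."""
    results = {}
    for label, ip, sender, auth in sessions:
        domain = sender.rpartition("@")[2]
        results[label] = (published_spf_policy(domain),
                          access_decision(ip, sender, auth))
    return results


if __name__ == "__main__":
    for label, (spf, access) in evaluate().items():
        print(f"{label:28} spf={spf:9} access={access}")
```

The "own user, roaming, no AUTH" row is rejected along with the spam, which is the side effect Steve warns about for boxes that do more than accept inbound mail.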
From: mrebsamen at unimatrix0.ch (Marco Rebsamen) Date: Fri Sep 10 20:34:42 2010 Subject: Unpack certain zip files Message-ID: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> Hello Would it be possible to configure mailscanner in such a way that, when a specific message with an attached zip-file arrives, the zip-file would be unpacked? Thanks From alex at rtpty.com Fri Sep 10 20:44:41 2010 From: alex at rtpty.com (Alex Neuman) Date: Fri Sep 10 20:44:44 2010 Subject: Unpack certain zip files In-Reply-To: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> Message-ID: <1031851904-1284147871-cardhu_decombobulator_blackberry.rim.net-515313764-@bda957.bisx.prod.on.blackberry> That's not something it's designed to do. That being said, it's likely that there's already a milter out there that can do it, or you could write a procmail recipe to accomplish that goal. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: "Marco Rebsamen" Sender: mailscanner-bounces@lists.mailscanner.info Date: Fri, 10 Sep 2010 21:34:28 To: Reply-To: MailScanner discussion Subject: Unpack certain zip files Hello Would it be possible to configure mailscanner in such a way that, when a specific message with an attached zip-file arrives, the zip-file would be unpacked? Thanks From stratos.td at gmail.com Fri Sep 10 23:45:21 2010
From: stratos.td at gmail.com (Steve) Date: Fri Sep 10 23:45:30 2010 Subject: Unpack certain zip files In-Reply-To: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> Message-ID: On 10 September 2010 20:34, Marco Rebsamen wrote: > > Would it be possible to configure mailscanner that way that when a specific messages > with an attached zip-file arrives the zip-file would be unpacked? You can set the following options (or point them at a ruleset): Unzip Maximum Files Per Archive Unzip Maximum File Size Unzip Filenames Unzip MimeType HTH, Steve. From alex at rtpty.com Fri Sep 10 23:52:53 2010 From: alex at rtpty.com (Alex Neuman) Date: Fri Sep 10 23:53:01 2010 Subject: Unpack certain zip files In-Reply-To: References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> Message-ID: <79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> He means "delivered unpacked to the end user", doesn't he? -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Steve Sender: mailscanner-bounces@lists.mailscanner.info Date: Fri, 10 Sep 2010 23:45:21 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Unpack certain zip files On 10 September 2010 20:34, Marco Rebsamen wrote: > > Would it be possible to configure mailscanner that way that when a specific messages > with an attached zip-file arrives the zip-file would be unpacked? You can set the following options (or point them at a ruleset): Unzip Maximum Files Per Archive Unzip Maximum File Size Unzip Filenames Unzip MimeType HTH, Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mrebsamen at unimatrix0.ch Sat Sep 11 00:09:20 2010 
From: mrebsamen at unimatrix0.ch (Marco Rebsamen) Date: Sat Sep 11 00:09:31 2010 Subject: AW: Unpack certain zip files References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> <79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> Message-ID: I do, yes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: Saturday, 11 September 2010 00:53 To: MailScanner discussion Subject: Re: Unpack certain zip files He means "delivered unpacked to the end user", doesn't he? -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Steve Sender: mailscanner-bounces@lists.mailscanner.info Date: Fri, 10 Sep 2010 23:45:21 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Unpack certain zip files On 10 September 2010 20:34, Marco Rebsamen wrote: > > Would it be possible to configure mailscanner that way that when a > specific messages with an attached zip-file arrives the zip-file would be unpacked? You can set the following options (or point them at a ruleset): Unzip Maximum Files Per Archive Unzip Maximum File Size Unzip Filenames Unzip MimeType HTH, Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From stratos.td at gmail.com Sat Sep 11 00:09:35 2010
From: stratos.td at gmail.com (Steve) Date: Sat Sep 11 00:09:44 2010 Subject: Unpack certain zip files In-Reply-To: <79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> <79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> Message-ID: On 10 September 2010 23:52, Alex Neuman wrote: > He means "delivered unpacked to the end user", doesn't he? This seems to suggest that these options will do that: --- - MailScanner can now *unzip* small zip files and other archives. We have systems that mail us zipped files automatically, and we wanted to save the step of unzipping each attachment to get the small log file inside. This feature is supported by some new configuration settings: Unzip Maximum Files Per Archive = 4 Unzip Maximum File Size = 50k Unzip Filenames = *.txt *.ini *.log *.csv Unzip MimeType = text/plain --- http://lists.mailscanner.info/pipermail/mailscanner-announce/2009-June/000046.html Steve. From alex at rtpty.com Sat Sep 11 00:13:28 2010 From: alex at rtpty.com (Alex Neuman) Date: Sat Sep 11 00:13:35 2010 Subject: AW: Unpack certain zip files In-Reply-To: References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch><79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> Message-ID: <1942200671-1284160398-cardhu_decombobulator_blackberry.rim.net-487491973-@bda957.bisx.prod.on.blackberry> Then my answer still stands. -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- 
From: "Marco Rebsamen" Sender: mailscanner-bounces@lists.mailscanner.info Date: Sat, 11 Sep 2010 01:09:20 To: MailScanner discussion Reply-To: MailScanner discussion Subject: AW: Unpack certain zip files I do, yes. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: Saturday, 11 September 2010 00:53 To: MailScanner discussion Subject: Re: Unpack certain zip files He means "delivered unpacked to the end user", doesn't he? -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Steve Sender: mailscanner-bounces@lists.mailscanner.info Date: Fri, 10 Sep 2010 23:45:21 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Unpack certain zip files On 10 September 2010 20:34, Marco Rebsamen wrote: > > Would it be possible to configure mailscanner that way that when a > specific messages with an attached zip-file arrives the zip-file would be unpacked? You can set the following options (or point them at a ruleset): Unzip Maximum Files Per Archive Unzip Maximum File Size Unzip Filenames Unzip MimeType HTH, Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at rtpty.com Sat Sep 11 00:17:44 2010
From: alex at rtpty.com (Alex Neuman) Date: Sat Sep 11 00:17:47 2010 Subject: Unpack certain zip files In-Reply-To: References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch><79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> Message-ID: <1944483110-1284160654-cardhu_decombobulator_blackberry.rim.net-1579415513-@bda957.bisx.prod.on.blackberry> Will have to update and read the docs then. Jules is a magician *and* a mind reader! :-) -- Alex Neuman BBM 20EA17C5 +507 6781-9505 Skype:alex@rtpty.com -----Original Message----- From: Steve Sender: mailscanner-bounces@lists.mailscanner.info Date: Sat, 11 Sep 2010 00:09:35 To: MailScanner discussion Reply-To: MailScanner discussion Subject: Re: Unpack certain zip files On 10 September 2010 23:52, Alex Neuman wrote: > He means "delivered unpacked to the end user", doesn't he? This seems to suggest that these options will do that: --- - MailScanner can now *unzip* small zip files and other archives. We have systems that mail us zipped files automatically, and we wanted to save the step of unzipping each attachment to get the small log file inside. This feature is supported by some new configuration settings: Unzip Maximum Files Per Archive = 4 Unzip Maximum File Size = 50k Unzip Filenames = *.txt *.ini *.log *.csv Unzip MimeType = text/plain --- http://lists.mailscanner.info/pipermail/mailscanner-announce/2009-June/000046.html Steve. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From stratos.td at gmail.com Sat Sep 11 10:12:43 2010 
From: stratos.td at gmail.com (Steve) Date: Sat Sep 11 10:12:51 2010 Subject: Unpack certain zip files In-Reply-To: <1944483110-1284160654-cardhu_decombobulator_blackberry.rim.net-1579415513-@bda957.bisx.prod.on.blackberry> References: <50E511ED-A148-483A-8DF3-4B1BDF55B127@unimatrix0.ch> <79187177-1284159163-cardhu_decombobulator_blackberry.rim.net-604119924-@bda957.bisx.prod.on.blackberry> <1944483110-1284160654-cardhu_decombobulator_blackberry.rim.net-1579415513-@bda957.bisx.prod.on.blackberry> Message-ID: On 11 September 2010 00:17, Alex Neuman wrote: > Jules is a magician *and* a mind reader! :-) Agreed :-) Steve. From james at gray.net.au Mon Sep 13 10:14:04 2010 From: james at gray.net.au (James Gray) Date: Mon Sep 13 10:14:32 2010 Subject: Black list on header value? Message-ID: Hi All, I've done a bit of digging through the archives and didn't find anything, so I'll ask anyway - but first some background. I have an upstream provider who uses SpamAssassin and I can't enable/disable it on a per-user or domain basis - it's all or nothing. Given this limitation, is there any way I can use a black list rule to prevent MailScanner rescanning messages already flagged as spam by the upstream?? Specifically, I want to blacklist on the "X-Spam-Flag: YES" header. Failing that, can I use a regex to match against the message subject in the spam black list rules?? Here's an example of the double-scanning: Subject: {Spam?} ** SPAM? [8.1/5.0] ** Re: update your contact details Left-to-right, the {...} is MailScanner, and the "** SPAM? [...] **" is the upstream. Any ideas??? Cheers, James -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3826 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100913/29feb798/smime.bin From hvdkooij at vanderkooij.org Mon Sep 13 11:52:59 2010 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 13 11:58:22 2010
Subject: Black list on header value?
In-Reply-To:
References:
Message-ID: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>

On Mon, 13 Sep 2010 19:14:04 +1000, James Gray wrote:
> Hi All,
>
> I've done a bit of digging through the archives and didn't find anything,
> so I'll ask anyway - but first some background. I have an upstream
> provider who uses SpamAssassin and I can't enable/disable it on a per-user
> or domain basis - it's all or nothing. Given this limitation, is there any
> way I can use a black list rule to prevent MailScanner rescanning messages
> already flagged as spam by the upstream?? Specifically, I want to
> blacklist on the "X-Spam-Flag: YES" header.

I know you can use checks like this in postfix. But my normal blacklisting
entries use a REJECT policy there and you definitely don't want to REJECT
them as it will result in a spam bouncer.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From james at gray.net.au Mon Sep 13 12:40:51 2010
From: james at gray.net.au (James Gray)
Date: Mon Sep 13 12:41:22 2010
Subject: Black list on header value?
In-Reply-To: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
Message-ID: <3A6870A1-483D-477D-8994-AB5D7F32EC6C@gray.net.au>

On 13/09/2010, at 8:52 PM, Hugo van der Kooij wrote:

>
> On Mon, 13 Sep 2010 19:14:04 +1000, James Gray wrote:
>> Hi All,
>>
>> I've done a bit of digging through the archives and didn't find
> anything,
>> so I'll ask anyway - but first some background. I have an upstream
>> provider who uses SpamAssassin and I can't enable/disable it on a
> per-user
>> or domain basis - it's all or nothing. Given this limitation, is there
> any
>> way I can use a black list rule to prevent MailScanner rescanning
> messages
>> already flagged as spam by the upstream?? Specifically, I want to
>> blacklist on the "X-Spam-Flag: YES" header.
>
> I know you can use checks like this in postfix. But my normal blacklisting
> entries use a REJECT policy there and you definitely don't want to REJECT
> them as it will result in a spam bouncer.

Thanks Hugo. As you allude to, I want to avoid an MTA-level reject for
exactly the reason you specify. I can see a custom function in my future.
If I wrote it, would anyone else be interested??

Cheers,

James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3826 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100913/39f8fa78/smime.bin

From glenn.steen at gmail.com Mon Sep 13 12:41:17 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Sep 13 12:41:26 2010
Subject: Black list on header value?
In-Reply-To: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
Message-ID:

On 13 September 2010 12:52, Hugo van der Kooij wrote:
>
> On Mon, 13 Sep 2010 19:14:04 +1000, James Gray wrote:
>> Hi All,
>>
>> I've done a bit of digging through the archives and didn't find
> anything,
>> so I'll ask anyway - but first some background. I have an upstream
>> provider who uses SpamAssassin and I can't enable/disable it on a
> per-user
>> or domain basis - it's all or nothing. Given this limitation, is there
> any
>> way I can use a black list rule to prevent MailScanner rescanning
> messages
>> already flagged as spam by the upstream?? Specifically, I want to
>> blacklist on the "X-Spam-Flag: YES" header.
>
> I know you can use checks like this in postfix. But my normal blacklisting
> entries use a REJECT policy there and you definitely don't want to REJECT
> them as it will result in a spam bouncer.
>
> Hugo.
>
So why not DISCARD instead? Should be safe enough:-). Unless there is
a margin for error, and then you need accept/handle them, in which
case things start to look a bit... hairy...:/

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From james at gray.net.au Tue Sep 14 05:19:49 2010
From: james at gray.net.au (James Gray)
Date: Tue Sep 14 05:20:13 2010
Subject: Black list on header value?
In-Reply-To:
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
Message-ID:

On 13/09/2010, at 9:41 PM, Glenn Steen wrote:

> On 13 September 2010 12:52, Hugo van der Kooij wrote:
>>
>> On Mon, 13 Sep 2010 19:14:04 +1000, James Gray wrote:
>>> Hi All,
>>>
>>> I've done a bit of digging through the archives and didn't find
>> anything,
>>> so I'll ask anyway - but first some background. I have an upstream
>>> provider who uses SpamAssassin and I can't enable/disable it on a
>> per-user
>>> or domain basis - it's all or nothing. Given this limitation, is there
>> any
>>> way I can use a black list rule to prevent MailScanner rescanning
>> messages
>>> already flagged as spam by the upstream?? Specifically, I want to
>>> blacklist on the "X-Spam-Flag: YES" header.
>>
>> I know you can use checks like this in postfix. But my normal blacklisting
>> entries use a REJECT policy there and you definitely don't want to REJECT
>> them as it will result in a spam bouncer.
>>
>> Hugo.
>>
> So why not DISCARD instead? Should be safe enough:-). Unless there is
> a margin for error, and then you need accept/handle them, in which
> case things start to look a bit... hairy...:/

Hi Glenn,

Yeh, I don't trust the upstream as much as I do my own setup. There are
enough false-positives to make me wary of discarding them at the MTA level.
A MailScanner blacklist on header/subject+regex would be ideal because I can
then tell MailScanner to simply not scan them and pass them over to the MTA
for final delivery. Hrm - custom function it is then :(

Cheers,

James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3826 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100914/fd9f9aad/smime.bin

From glenn.steen at gmail.com Tue Sep 14 08:35:07 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 14 08:35:16 2010
Subject: Black list on header value?
In-Reply-To:
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
Message-ID:

On 14 September 2010 06:19, James Gray wrote:
>
> On 13/09/2010, at 9:41 PM, Glenn Steen wrote:
>
>> On 13 September 2010 12:52, Hugo van der Kooij wrote:
>>>
>>> On Mon, 13 Sep 2010 19:14:04 +1000, James Gray wrote:
>>>> Hi All,
>>>>
>>>> I've done a bit of digging through the archives and didn't find
>>> anything,
>>>> so I'll ask anyway - but first some background. I have an upstream
>>>> provider who uses SpamAssassin and I can't enable/disable it on a
>>> per-user
>>>> or domain basis - it's all or nothing. Given this limitation, is there
>>> any
>>>> way I can use a black list rule to prevent MailScanner rescanning
>>> messages
>>>> already flagged as spam by the upstream?? Specifically, I want to
>>>> blacklist on the "X-Spam-Flag: YES" header.
>>>
>>> I know you can use checks like this in postfix. But my normal blacklisting
>>> entries use a REJECT policy there and you definitely don't want to REJECT
>>> them as it will result in a spam bouncer.
>>>
>>> Hugo.
>>>
>> So why not DISCARD instead? Should be safe enough:-). Unless there is
>> a margin for error, and then you need accept/handle them, in which
>> case things start to look a bit... hairy...:/
>
> Hi Glenn,
>
> Yeh, I don't trust the upstream as much as I do my own setup. There are enough false-positives to make me wary of discarding them at the MTA level. A MailScanner blacklist on header/subject+regex would be ideal because I can then tell MailScanner to simply not scan them and pass them over to the MTA for final delivery. Hrm - custom function it is then :(
>
> Cheers,
>
> James

IIRC you do use Postfix, and then the Received -> HOLD thing puts a
limit on what you can do... Hugo posted a nice alternative to it,
rather longish while back, but unfortunately I don't think you can
utilize that to the effect needed... So it looks like you need do
something clever in MS. I'm just into my second cup of java, so ...
Bright ideas will follow the third or fourth:-):-)
Or Hugo will jump in and tell us that you can use his alternative
method;-)... Or Jules will write it for you:D

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From housey at sme-ecom.co.uk Tue Sep 14 10:47:16 2010
From: housey at sme-ecom.co.uk (Paul)
Date: Tue Sep 14 10:50:30 2010
Subject: clamd and tnef error?
Message-ID: <4C8F44A4.5040807@sme-ecom.co.uk>

Hi

I am using MailScanner 4.78.17 and Clamd 0.96

Have noticed I get quite a few errors like this

Sep 14 10:25:38 srv1 MailScanner[14589]: Expanding TNEF archive at /var/spool/MailScanner/incoming/14589/o8E9PaAC032175/winmail.dat
Sep 14 10:25:38 srv1 MailScanner[14589]: Clamd::ERROR:: lstat() failed: Permission denied. ERROR :: ./o8E9PaAC032175/tnef.14589

The error seems to always happen on winmail.dat files.

In Mailscanner.conf I have

Incoming Work User =
Incoming Work Group = clamav
Incoming Work Permissions = 0640

TNEF Expander = /usr/bin/tnef --maxsize=100000000

Clamd is running as clamav

[root@srv1 incoming]# ps aux | grep clamd
clamav 1267 2.0 3.0 172900 127788 ? Ssl Sep09 144:17 clamd

and the permissions on the working directory seem correct

[root@srv1 incoming]# pwd
/var/spool/MailScanner/incoming
[root@srv1 incoming]# ls -l
total 120484
drwxr-x---  3 root clamav        60 Dec 12  2009 13156
drwxr-x--- 10 root clamav       500 Sep 14 10:46 28493
drwxr-x---  7 root clamav       320 Sep 14 10:46 28531
drwxr-x--- 14 root clamav       740 Sep 14 10:46 28578
drwxr-x---  9 root clamav       440 Sep 14 10:45 28629
drwxr-x--- 10 root clamav       500 Sep 14 10:46 28665
drwxr-x---  2 root root         560 Sep 14 05:04 Locks
-rw-------  1 root root       35840 Sep 14 10:46 Processing.db
-rw-------  1 root root   123211776 Sep 14 10:46 SpamAssassin.cache.db
drwx------  2 root root       13160 Sep 14 10:46 SpamAssassin-Temp

From maxsec at gmail.com Tue Sep 14 12:09:18 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 14 12:09:28 2010
Subject: clamd and tnef error?
In-Reply-To: <4C8F44A4.5040807@sme-ecom.co.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk>
Message-ID:

Paul

1) make sure the clamav user can see all the way down to
/var/spool/MailScanner/incoming.

2) see if using the internal tnef expander works any better.

Also worth upgrading MS to latest. Don't see anything in the changelog for
4.80 or 4.81 specific to clamav handling but

(grumble windmail.dat is bad, all outleek users should be sending html
formatted emails not rft /grumble)

--
Martin Hepworth
Oxford, UK

On 14 September 2010 10:47, Paul wrote:

> Hi
>
> I am using MailScanner 4.78.17 and Clamd 0.96
>
> Have noticed I get quite a few errors like this
>
> Sep 14 10:25:38 srv1 MailScanner[14589]: Expanding TNEF archive at
> /var/spool/MailScanner/incoming/14589/o8E9PaAC032175/winmail.dat
> Sep 14 10:25:38 srv1 MailScanner[14589]: Clamd::ERROR:: lstat() failed:
> Permission denied. ERROR :: ./o8E9PaAC032175/tnef.14589
>
> The error seems to always happen on winmail.dat files.
>
> In Mailscanner.conf I have
>
> Incoming Work User =
> Incoming Work Group = clamav
> Incoming Work Permissions = 0640
>
> TNEF Expander = /usr/bin/tnef --maxsize=100000000
>
> Clamd is running as clamav
>
> [root@srv1 incoming]# ps aux | grep clamd
> clamav 1267 2.0 3.0 172900 127788 ? Ssl Sep09 144:17 clamd
>
> and the permissions on the working directory seem correct
>
> [root@srv1 incoming]# pwd
> /var/spool/MailScanner/incoming
> [root@srv1 incoming]# ls -l
> total 120484
> drwxr-x---  3 root clamav        60 Dec 12  2009 13156
> drwxr-x--- 10 root clamav       500 Sep 14 10:46 28493
> drwxr-x---  7 root clamav       320 Sep 14 10:46 28531
> drwxr-x--- 14 root clamav       740 Sep 14 10:46 28578
> drwxr-x---  9 root clamav       440 Sep 14 10:45 28629
> drwxr-x--- 10 root clamav       500 Sep 14 10:46 28665
> drwxr-x---  2 root root         560 Sep 14 05:04 Locks
> -rw-------  1 root root       35840 Sep 14 10:46 Processing.db
> -rw-------  1 root root   123211776 Sep 14 10:46 SpamAssassin.cache.db
> drwx------  2 root root       13160 Sep 14 10:46 SpamAssassin-Temp
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100914/808d6114/attachment.html

From prandal at herefordshire.gov.uk Tue Sep 14 12:24:31 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Sep 14 12:24:47 2010
Subject: clamd and tnef error?
In-Reply-To: <4C8F44A4.5040807@sme-ecom.co.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45013736BE@HC-MBX01.herefordshire.gov.uk>

Same issue here. Workaround is to run clamd as root.

Cheers,

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul
Sent: 14 September 2010 10:47
To: MailScanner discussion
Subject: clamd and tnef error?

Hi

I am using MailScanner 4.78.17 and Clamd 0.96

Have noticed I get quite a few errors like this

Sep 14 10:25:38 srv1 MailScanner[14589]: Expanding TNEF archive at /var/spool/MailScanner/incoming/14589/o8E9PaAC032175/winmail.dat
Sep 14 10:25:38 srv1 MailScanner[14589]: Clamd::ERROR:: lstat() failed: Permission denied. ERROR :: ./o8E9PaAC032175/tnef.14589

The error seems to always happen on winmail.dat files.

In Mailscanner.conf I have

Incoming Work User =
Incoming Work Group = clamav
Incoming Work Permissions = 0640

TNEF Expander = /usr/bin/tnef --maxsize=100000000

Clamd is running as clamav

[root@srv1 incoming]# ps aux | grep clamd
clamav 1267 2.0 3.0 172900 127788 ? Ssl Sep09 144:17 clamd

and the permissions on the working directory seem correct

[root@srv1 incoming]# pwd
/var/spool/MailScanner/incoming
[root@srv1 incoming]# ls -l
total 120484
drwxr-x---  3 root clamav        60 Dec 12  2009 13156
drwxr-x--- 10 root clamav       500 Sep 14 10:46 28493
drwxr-x---  7 root clamav       320 Sep 14 10:46 28531
drwxr-x--- 14 root clamav       740 Sep 14 10:46 28578
drwxr-x---  9 root clamav       440 Sep 14 10:45 28629
drwxr-x--- 10 root clamav       500 Sep 14 10:46 28665
drwxr-x---  2 root root         560 Sep 14 05:04 Locks
-rw-------  1 root root       35840 Sep 14 10:46 Processing.db
-rw-------  1 root root   123211776 Sep 14 10:46 SpamAssassin.cache.db
drwx------  2 root root       13160 Sep 14 10:46 SpamAssassin-Temp

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From hvdkooij at vanderkooij.org Tue Sep 14 12:30:33 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 14 12:35:52 2010
Subject: Black list on header value?
In-Reply-To:
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
Message-ID: <7b80b3f5c917f29600afde8da546e78e@127.0.0.1>

On Tue, 14 Sep 2010 09:35:07 +0200, Glenn Steen wrote:
> IIRC you do use Postfix, and then the Received -> HOLD thing puts a
> limit on what you can do... Hugo posted a nice alternative to it,
> rather longish while back, but unfortunately I don't think you can
> utilize that to the effect needed... So it looks like you need do
> something clever in MS. I'm just into my second cup of java, so ...
> Bright ideas will follow the third or fourth:-):-)
> Or Hugo will jump in and tell us that you can use his alternative
> method;-)... Or Jules will write it for you:D

If you can use a procmail filter to detect the messages and filter them
then you could bypass MailScanner altogether by using the opposite of the
HOLD trick I did describe on
http://hugo.vanderkooij.org/email/mailscanner.htm?lang=en#HOLD and use OK
instead of HOLD on such a header rule in postfix.

But it will bypass MailScanner completely and that might be undesirable.

Obviously if there is an all or nothing option in regard to SpamAssassin
filtering I would opt for nothing and do content scanning myself.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From hvdkooij at vanderkooij.org Tue Sep 14 12:42:34 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 14 12:47:52 2010
Subject: Black list on header value?
In-Reply-To:
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1>
Message-ID: <9be9c5afacfd7625478728f6664e09d7@127.0.0.1>

On Tue, 14 Sep 2010 09:35:07 +0200, Glenn Steen wrote:
> IIRC you do use Postfix, and then the Received -> HOLD thing puts a
> limit on what you can do... Hugo posted a nice alternative to it,
> rather longish while back, but unfortunately I don't think you can
> utilize that to the effect needed... So it looks like you need do
> something clever in MS. I'm just into my second cup of java, so ...
> Bright ideas will follow the third or fourth:-):-)
> Or Hugo will jump in and tell us that you can use his alternative
> method;-)... Or Jules will write it for you:D

If you just want to make sure they end up in the quarantine area and are
never passed on just give them a big bonus.

In "spam.assassin.prefs.conf" you could add:

header BUUSSPAM X-Spam-Flag =~ /YES/
describe BUUSSPAM Detected Big Ugly Upstream Scanner SPAM
score BUUSSPAM 100.0

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From steve.freegard at fsl.com Tue Sep 14 13:01:43 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 14 13:01:55 2010
Subject: Black list on header value?
In-Reply-To: <9be9c5afacfd7625478728f6664e09d7@127.0.0.1>
References: <763f65a06398c3ec8176c9638341eefd@127.0.0.1> <9be9c5afacfd7625478728f6664e09d7@127.0.0.1>
Message-ID: <4C8F6427.5070702@fsl.com>

On 14/09/10 12:42, Hugo van der Kooij wrote:
>
> On Tue, 14 Sep 2010 09:35:07 +0200, Glenn Steen
> wrote:
>> IIRC you do use Postfix, and then the Received -> HOLD thing puts a
>> limit on what you can do... Hugo posted a nice alternative to it,
>> rather longish while back, but unfortunately I don't think you can
>> utilize that to the effect needed... So it looks like you need do
>> something clever in MS. I'm just into my second cup of java, so ...
>> Bright ideas will follow the third or fourth:-):-)
>> Or Hugo will jump in and tell us that you can use his alternative
>> method;-)... Or Jules will write it for you:D
>
> If you just want to make sure they end up in the quarantine area and are
> never passed on just give them a big bonus.
>
> In "spam.assassin.prefs.conf" you could add:
>
> header BUUSSPAM X-Spam-Flag =~ /YES/
> describe BUUSSPAM Detected Big Ugly Upstream Scanner SPAM
> score BUUSSPAM 100.0
>

That won't work as SpamAssassin removes X-Spam-* headers in PerMsgStatus.pm:

$self->{msg}->delete_header('X-Spam-.*');

The only way to do this is via a CustomFunction if you want MailScanner
involved.

Regards,
Steve.

From bonivart at opencsw.org Tue Sep 14 13:34:11 2010
From: bonivart at opencsw.org (Peter Bonivart)
Date: Tue Sep 14 13:34:43 2010
Subject: clamd and tnef error?
In-Reply-To:
References: <4C8F44A4.5040807@sme-ecom.co.uk>
Message-ID:

On Tue, Sep 14, 2010 at 1:09 PM, Martin Hepworth wrote:
> Paul
>
> 1) make sure the clamav user can see all the way down to
> /var/spool/MailScanner/incoming.
>
> 2) see if using the internal tnef expander works any better.

I tried the internal one and that stopped the error messages. I could
have opened up the permissions more but that felt...wrong. :-)

Something weird also happened with TNEF replacing that I have used for
a long time. Meetings and other mail containing formatting like tables
were received without formatting which caused some grief among my
users so I had to switch off the replacing. We're looking into
removing the RTF-option in Outlook now.

--
/peter

From housey at sme-ecom.co.uk Tue Sep 14 14:13:23 2010
From: housey at sme-ecom.co.uk (Paul)
Date: Tue Sep 14 14:16:37 2010
Subject: clamd and tnef error?
In-Reply-To:
References: <4C8F44A4.5040807@sme-ecom.co.uk>
Message-ID: <4C8F74F3.3060205@sme-ecom.co.uk>

On 14/09/2010 13:34, Peter Bonivart wrote:
> On Tue, Sep 14, 2010 at 1:09 PM, Martin Hepworth wrote:
>
>> Paul
>>
>> 1) make sure the clamav user can see all the way down to
>> /var/spool/MailScanner/incoming.
>>
>> 2) see if using the internal tnef expander works any better.
>>
> I tried the internal one and that stopped the error messages. I could
> have opened up the permissions more but that felt...wrong. :-)
>
> Something weird also happened with TNEF replacing that I have used for
> a long time. Meetings and other mail containing formatting like tables
> were received without formatting which caused some grief among my
> users so I had to switch off the replacing. We're looking into
> removing the RTF-option in Outlook now.
>
>

I've switched to the internal tnef expander and there are no errors.

My guess would be the external tnef expander creates its temp files
without the permissions for clamav to read them? I had a look at the
source but couldn't figure it out.

Cheers

Paul

From steve.freegard at fsl.com Tue Sep 14 14:45:34 2010
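Added example, not part of any post in this thread and not MailScanner or ClamAV code: a Python check for Martin's first suggestion and for Paul's guess about the expander's temp files. It walks a path component by component and reports the first one whose mode bits deny a given uid and group set. The directory names, the stand-in uid and the 0700 mode on the tnef directory are constructed assumptions; ACLs and SELinux are not evaluated.

```python
import os
import shutil
import stat
import tempfile


def applicable_bits(st, uid, gids):
    """Pick the single permission class the kernel applies: owner, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return "owner", (mode >> 6) & 0o7
    if st.st_gid in gids:
        return "group", (mode >> 3) & 0o7
    return "other", mode & 0o7


def first_denied(base, relpath, uid, gids, want_read=True):
    """Return None if uid/gids can reach relpath below base, otherwise a dict
    describing the first component whose mode bits block access.

    Every directory before the final component needs search (x); that alone
    decides whether lstat() on the final component succeeds. With want_read,
    the final component must also be readable (r for a file, r+x for a
    directory that is to be listed and descended into).
    Only classic mode bits are evaluated: no ACLs, SELinux or capabilities.
    """
    if uid == 0:  # root bypasses these checks
        return None
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    chain = [base]
    for part in parts:
        chain.append(os.path.join(chain[-1], part))
    for index, path in enumerate(chain):
        last = index == len(chain) - 1
        st = os.stat(path)
        if not last:
            need = 0o1
        elif want_read:
            need = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4
        else:
            need = 0
        cls, bits = applicable_bits(st, uid, gids)
        if bits & need != need:
            missing = "".join(c for c, b in (("r", 0o4), ("x", 0o1))
                              if need & b and not bits & b)
            return {"path": path, "class": cls,
                    "mode": stat.filemode(st.st_mode), "missing": missing}
    return None


def demo(tnef_mode):
    """Build a constructed work tree and evaluate it for a stand-in scanner account."""
    base = tempfile.mkdtemp(prefix="incoming-")    # stands in for the work directory
    tnef = os.path.join(base, "MSGID", "tnef.1")   # constructed names
    os.makedirs(tnef)
    body = os.path.join(tnef, "body.rtf")
    with open(body, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(body, 0o640)
    os.chmod(os.path.join(base, "MSGID"), 0o750)
    os.chmod(base, 0o750)
    os.chmod(tnef, tnef_mode)   # assumption under test: the mode the expander left behind
    try:
        st = os.stat(base)
        uid = st.st_uid + 1     # constructed non-owner uid standing in for clamav
        gids = {st.st_gid}      # ...that is a member of the work group
        return {
            "lstat_tnef": first_denied(base, "MSGID/tnef.1", uid, gids, want_read=False),
            "read_body": first_denied(base, "MSGID/tnef.1/body.rtf", uid, gids),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for mode in (0o700, 0o750):
        print(oct(mode), demo(mode))
```

On a real host, call `first_denied("/", "var/spool/MailScanner/incoming/...", uid, gids)` with the scanner account's numeric uid and group ids to see which directory on the way down stops it.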
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 14 14:45:46 2010
Subject: clamd and tnef error?
In-Reply-To: <4C8F74F3.3060205@sme-ecom.co.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk> <4C8F74F3.3060205@sme-ecom.co.uk>
Message-ID: <4C8F7C7E.4010900@fsl.com>

On 14/09/10 14:13, Paul wrote:
> I've switched to the internal tnef expander and there are no errors.

Small word of warning on the internal expander; Convert-TNEF hasn't been
updated in a very long time and I recently had a number of issues on
multiple sites where it was causing MailScanner to segfault on messages
generated by recent versions of Exchange. This was causing MailScanner to
quarantine loads of messages as 'attempted to kill MailScanner' and required
a bit of cleanup to correct.

That said - I also had issues with the external expander a long time ago
which is why I switched to the internal as the preferred method. But the
external expander is much more up-to-date and I doubt if these problems are
still present.

These days 'Expand TNEF = no' is my preferred method and get the Exchange
server to send messages in MIME format instead of working around bad
defaults on the Exchange side.

Regards,
Steve.

From maxsec at gmail.com Tue Sep 14 15:32:06 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 14 15:32:19 2010
Subject: clamd and tnef error?
In-Reply-To: <4C8F7C7E.4010900@fsl.com>
References: <4C8F44A4.5040807@sme-ecom.co.uk> <4C8F74F3.3060205@sme-ecom.co.uk> <4C8F7C7E.4010900@fsl.com>
Message-ID:

yeah some sites need internal and others external expander, seems totally
random.

But as Steve says MIME/html email is the way to go then we get rid of the
silly winmail.dat anyway ;-)

--
Martin Hepworth
Oxford, UK

On 14 September 2010 14:45, Steve Freegard wrote:

> On 14/09/10 14:13, Paul wrote:
>
> I've switched to the internal tnef expander and there are no errors.
>>
>
> Small word of warning on the internal expander; Convert-TNEF hasn't been
> updated in a very long time and I recently had a number of issues on
> multiple sites where it was causing MailScanner to segfault on messages
> generated by recent versions of Exchange. This was causing MailScanner to
> quarantine loads of messages as 'attempted to kill MailScanner' and required
> a bit of cleanup to correct.
>
> That said - I also had issues with the external expander a long time ago
> which is why I switched to the internal as the preferred method. But the
> external expander is much more up-to-date and I doubt if these problems are
> still present.
>
> These days 'Expand TNEF = no' is my preferred method and get the Exchange
> server to send messages in MIME format instead of working around bad
> defaults on the Exchange side.
>
> Regards,
> Steve.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100914/4cfbab58/attachment.html

From prandal at herefordshire.gov.uk Tue Sep 14 16:10:09 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Sep 14 16:10:28 2010
Subject: clamd and tnef error?
In-Reply-To:
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk> <4C8F7C7E.4010900@fsl.com>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE4501373711@HC-MBX01.herefordshire.gov.uk>

Unfortunately, we're not in control of the outside world, as much as we'd
like to be.

Phil

--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth
Sent: 14 September 2010 15:32
To: MailScanner discussion
Subject: Re: clamd and tnef error?

yeah some sites need internal and others external expander, seems totally
random.

But as Steve says MIME/html email is the way to go then we get rid of the
silly winmail.dat anyway ;-)

--
Martin Hepworth
Oxford, UK

On 14 September 2010 14:45, Steve Freegard wrote:

On 14/09/10 14:13, Paul wrote:

I've switched to the internal tnef expander and there are no errors.

Small word of warning on the internal expander; Convert-TNEF hasn't been
updated in a very long time and I recently had a number of issues on
multiple sites where it was causing MailScanner to segfault on messages
generated by recent versions of Exchange. This was causing MailScanner to
quarantine loads of messages as 'attempted to kill MailScanner' and required
a bit of cleanup to correct.

That said - I also had issues with the external expander a long time ago
which is why I switched to the internal as the preferred method. But the
external expander is much more up-to-date and I doubt if these problems are
still present.

These days 'Expand TNEF = no' is my preferred method and get the Exchange
server to send messages in MIME format instead of working around bad
defaults on the Exchange side.

Regards,
Steve.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100914/e3fea84d/attachment.html

From rafael.vallejo at kypus.com Tue Sep 14 21:56:26 2010
From: rafael.vallejo at kypus.com (Rafael Vallejo)
Date: Tue Sep 14 21:58:32 2010
Subject: Mailscanner configuration compatibility
Message-ID: <1284497786.2943.42.camel@pv-rvallejo>

Hello list,

I would like to know if my configuration files for MailScanner 4.54.6 are
compatible with the latest 4.81 stable or if I have to make modifications on
it.

Regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100914/44173160/attachment.html

From maxsec at gmail.com Wed Sep 15 08:34:38 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Sep 15 08:34:48 2010
Subject: Mailscanner configuration compatibility
In-Reply-To: <1284497786.2943.42.camel@pv-rvallejo>
References: <1284497786.2943.42.camel@pv-rvallejo>
Message-ID:

Hi

there's a script that will merge your existing settings with the new ones
from 4.81 - see the wiki on upgrading.

Now this is a HUGE jump so it's worth having a look at the options as many
many things have changed in the four years since 4.54 came out.

I'd also suggest you look at upgrading spamassassin as well as you may well
be very out of date here. In fact I'd treat this almost as a new install so
go with a plan in mind.

--
Martin Hepworth
Oxford, UK

On 14 September 2010 21:56, Rafael Vallejo wrote:

> Hello list,
>
> I would like to know if my configuration files for MailScanner 4.54.6 are
> compatible with the latest 4.81 stable or if I have to make modifications on
> it.
>
> Regards
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100915/76bb6a18/attachment.html

From glenn.steen at gmail.com Wed Sep 15 11:26:47 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 15 11:26:57 2010
Subject: clamd and tnef error?
In-Reply-To: <4C8F7C7E.4010900@fsl.com>
References: <4C8F44A4.5040807@sme-ecom.co.uk> <4C8F74F3.3060205@sme-ecom.co.uk> <4C8F7C7E.4010900@fsl.com>
Message-ID:

On 14 September 2010 15:45, Steve Freegard wrote:
> On 14/09/10 14:13, Paul wrote:
>
>> I've switched to the internal tnef expander and there are no errors.
>
> Small word of warning on the internal expander; Convert-TNEF hasn't been
> updated in a very long time and I recently had a number of issues on
> multiple sites where it was causing MailScanner to segfault on messages
> generated by recent versions of Exchange. This was causing MailScanner to
> quarantine loads of messages as 'attempted to kill MailScanner' and required
> a bit of cleanup to correct.
>
> That said - I also had issues with the external expander a long time ago
> which is why I switched to the internal as the preferred method. But the
> external expander is much more up-to-date and I doubt if these problems are
> still present.
>
> These days 'Expand TNEF = no' is my preferred method and get the Exchange
> server to send messages in MIME format instead of working around bad
> defaults on the Exchange side.
>
In a world where all winmail.dat files were generated internally, I would agree with you.... But since that is not the case, I would have to beg to differ...

I've been happy with the internal TNEF expander for years, but ... some (business-critical, of course) emails couldn't be expanded -> couldn't be scanned -> ended up in the quarantine. Sigh.
So I went for the external one, with good success.

AFAICT the problem is that the clamav group permission is 4, not 6. I fail to see the risk of allowing the group to be able to write as well as read.
I have my Incoming settings like:
Incoming Work User = postfix
Incoming Work Group = clamav
Incoming Work Permissions = 0660
,,, which work perfectly.

> Regards,
> Steve.
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From davejones70 at gmail.com Wed Sep 15 13:39:51 2010
From: davejones70 at gmail.com (Dave Jones)
Date: Wed Sep 15 13:40:02 2010
Subject: clamd and tnef error?
Message-ID:

>On Tue, Sep 14, 2010 at 1:09 PM, Martin Hepworth wrote:
>> Paul
>>
>> 1)make sure the clamav user can see all the way down to
>> /var/spool/MailScanner/incoming.
>>
>> 2) see if using the internal tnef expander works any better.

>I tried the internal one and that stopped the error messages. I could
>have opened up the permissions more but that felt...wrong. :-)

>Something weird also happened with TNEF replacing that I have used for
>a long time. Meetings and other mail containing formatting like tables
>were received without formatting which caused some grief among my
>users so I had to switch off the replacing. We're looking into
>removing the RTF-option in Outlook now.

I have had to disable TNEF checking completely since it was causing contact lists being emailed around to break for Outlook 2007 clients with either the internal or the external expander. It would be nice to be able to use it to replace the winmail.dat but I can't. We have tens of thousands of clients of all types so there's no way to stop using winmail.dat any time in the near future.

--
/peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100915/52c374cf/attachment.html

From prandal at herefordshire.gov.uk Wed Sep 15 14:03:29 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 15 14:03:47 2010
Subject: clamd and tnef error?
In-Reply-To:
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk> <4C8F7C7E.4010900@fsl.com>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk>

Setting

Incoming Work Permissions = 0660

Does indeed fix it.

Jules, should this change in the default MailScanner.conf?

Cheers,

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From prandal at herefordshire.gov.uk Wed Sep 15 14:10:52 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 15 14:11:28 2010
Subject: clamd and tnef error?
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk><4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk>

I spoke too soon, the 0660 permissions didn't help here.

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From steve.freegard at fsl.com Wed Sep 15 14:51:39 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Sep 15 14:51:52 2010
Subject: clamd and tnef error?
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk><4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk>
Message-ID: <4C90CF6B.1050503@fsl.com>

On 15/09/10 14:10, Randal, Phil wrote:
> I spoke too soon, the 0660 permissions didn't help here.

What is your 'Run As Group' ??

and

Do you have 'AllowSupplimentalGroups Yes' in /etc/clamd.conf?

Regards,
Steve.

From prandal at herefordshire.gov.uk Wed Sep 15 15:48:03 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 15 15:48:27 2010
Subject: clamd and tnef error?
In-Reply-To: <4C90CF6B.1050503@fsl.com>
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk><4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk><76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk> <4C90CF6B.1050503@fsl.com>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE4501373804@HC-MBX01.herefordshire.gov.uk>

Run As group =

(not normally used for sendmail, says MailScanner.conf)

AllowSupplementaryGroups Yes

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From steve.freegard at fsl.com Wed Sep 15 16:36:05 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Sep 15 16:36:19 2010
Subject: clamd and tnef error?
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE4501373804@HC-MBX01.herefordshire.gov.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk><4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk><76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk> <4C90CF6B.1050503@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE4501373804@HC-MBX01.herefordshire.gov.uk>
Message-ID: <4C90E7E5.5000303@fsl.com>

On 15/09/10 15:48, Randal, Phil wrote:
> Run As group =
>
> (not normally used for sendmail, says MailScanner.conf)
>
> AllowSupplementaryGroups Yes
>

Then the 'fix' for this would appear to be to set:

Run As Group = clamav (or whatever user/group clamav runs as)

*and*

Incoming Work Permissions = 0660

Regards,
Steve.

From prandal at herefordshire.gov.uk Wed Sep 15 17:05:57 2010
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Sep 15 17:06:21 2010
Subject: clamd and tnef error?
In-Reply-To: <4C90E7E5.5000303@fsl.com>
References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk><4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk><76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk> <4C90CF6B.1050503@fsl.com><76415AED4CCF214F80FD9B0DA9A9EE4501373804@HC-MBX01.herefordshire.gov.uk> <4C90E7E5.5000303@fsl.com>
Message-ID: <76415AED4CCF214F80FD9B0DA9A9EE4501373832@HC-MBX01.herefordshire.gov.uk>

That doesn't work either, still get the lstat errors.

If I get the time, I'll look a bit deeper into this.

Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

From glenn.steen at gmail.com Thu Sep 16 09:20:57 2010
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 16 09:21:07 2010
Subject: clamd and tnef error?
In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE4501373832@HC-MBX01.herefordshire.gov.uk>
References: <4C8F44A4.5040807@sme-ecom.co.uk> <4C8F74F3.3060205@sme-ecom.co.uk> <4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk> <76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk> <4C90CF6B.1050503@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE4501373804@HC-MBX01.herefordshire.gov.uk> <4C90E7E5.5000303@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE4501373832@HC-MBX01.herefordshire.gov.uk>
Message-ID:

On 15 September 2010 18:05, Randal, Phil wrote:
> That doesn't work either, still get the lstat errors.
>
> If I get the time, I'll look a bit deeper into this.
>
> Phil
>
Might be something higher up, or some dir lacking the execute bit... or some other ACL thingy coming in the way (selinux or whatnot).
Testing is fairly simple:
su - clamav -s /bin/bash
cd /var/spool/MailScanner/incoming/
mkdir aaa
rmdir aaa
exit
... provided "clamav" is the user clamd runs as... Any error from the above mkdir would indicate some problem with the setting, or a permission problem "higher up" in the directory tree... Any problem to even "cd" into the directory probably indicates a problem "higher up", and should be easily pinpointable.

Oh, and when you had done the change, you did remember to reload (or restart) MS, right?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From carlitos.hllh at gmail.com Thu Sep 16 23:50:17 2010
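[Added example, not part of any message in this archive.] The su/cd/mkdir test in the "clamd and tnef error?" thread above tells you that the clamav user cannot work in the incoming directory; the shell sketch below narrows that down to the first directory on the path whose owner/group/other mode bits deny a given uid and group set. The function names and the sample invocation are assumptions of this example, and only classic mode bits are evaluated (no ACLs, no SELinux).

```shell
#!/bin/sh
# Added example (not from the mailing list): locate the first directory on a
# path that a given uid / group set cannot use, judged from the owner, group
# and other mode bits only. POSIX ACLs and SELinux, which the thread also
# suspects, are NOT evaluated. Needs a stat(1) with -c (GNU coreutils, BusyBox).

# class_bits UID "GID GID ..." DIR
# Prints the rwx digit (0-7) that applies to that identity on DIR.
class_bits() {
    local uid="$1" gids="$2" dir="$3" info mode ouid ogid perms g
    info=$(stat -L -c '%a %u %g' "$dir" 2>/dev/null) || return 2
    set -- $info
    mode=$1 ouid=$2 ogid=$3
    perms=$(( 0$mode & 0777 ))
    # root bypasses directory permission checks
    if [ "$uid" = 0 ]; then echo 7; return 0; fi
    # The owner class wins outright, even when the group bits would grant more
    if [ "$uid" = "$ouid" ]; then echo $(( (perms >> 6) & 7 )); return 0; fi
    for g in $gids; do
        if [ "$g" = "$ogid" ]; then echo $(( (perms >> 3) & 7 )); return 0; fi
    done
    echo $(( perms & 7 ))
}

# report_if_lacking UID "GIDS" NEED DIR
# Returns 0 and prints a finding when DIR does not grant all NEED bits.
report_if_lacking() {
    local have
    have=$(class_bits "$1" "$2" "$4") || { printf '%s: cannot stat\n' "$4"; return 0; }
    [ $(( have & $3 )) -eq "$3" ] && return 1
    printf '%s: has %s, needs %s\n' "$4" "$have" "$3"
    return 0
}

# first_denied UID "GIDS" LEAF_NEED PATH
# Every component needs search permission (x = 1); the last one must also
# grant LEAF_NEED (7 for the mkdir/rmdir test in the thread, 5 for read-only
# scanning). Prints the first failing directory and returns 1, else returns 0.
first_denied() {
    local uid="$1" gids="$2" need="$3" rest="$4" cur="" comp
    case $rest in
        /*) cur=/
            if report_if_lacking "$uid" "$gids" 1 "$cur"; then return 1; fi ;;
    esac
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$comp" ] || continue
        case $cur in
            "") cur=$comp ;;
            /)  cur=/$comp ;;
            *)  cur=$cur/$comp ;;
        esac
        if report_if_lacking "$uid" "$gids" 1 "$cur"; then return 1; fi
    done
    if report_if_lacking "$uid" "$gids" "$need" "$cur"; then return 1; fi
    return 0
}

# Stand-alone use (the account name "clamav" is an assumption, as in the thread):
#   sh first_denied.sh "$(id -u clamav)" "$(id -G clamav)" 7 /var/spool/MailScanner/incoming
# Pass only "$(id -g clamav)" as the group list to model a clamd that runs
# without its supplementary groups (the AllowSupplementaryGroups question
# raised in the thread).
if [ "$#" -eq 4 ]; then
    first_denied "$@"
fi
```

A finding on a parent directory corresponds to the "higher up" case in the thread; a finding on the last component with `needs 7` is the missing group write bit.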
From: carlitos.hllh at gmail.com (Carlos Humberto Llumiquinga Hidalgo)
Date: Thu Sep 16 23:50:30 2010
Subject: Master spam blacklist
Message-ID:

Hi guys...

Does anyone know a kind of master spam blacklist..?? to put into spamassassin conf..
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100916/252283d0/attachment.html

From alex at rtpty.com Thu Sep 16 23:56:29 2010
From: alex at rtpty.com (Alex Neuman)
Date: Thu Sep 16 23:57:22 2010
Subject: Master spam blacklist
In-Reply-To:
References:
Message-ID: <676008484-1284677830-cardhu_decombobulator_blackberry.rim.net-1578112655-@bda957.bisx.prod.on.blackberry>

Define it.
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Carlos Humberto Llumiquinga Hidalgo
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 16 Sep 2010 17:50:17
To:
Reply-To: MailScanner discussion
Subject: Master spam blacklist

From rafael.vallejo at kypus.com Fri Sep 17 01:30:33 2010
From: rafael.vallejo at kypus.com (Rafael Vallejo)
Date: Fri Sep 17 01:31:16 2010
Subject: Master spam blacklist
In-Reply-To: <676008484-1284677830-cardhu_decombobulator_blackberry.rim.net-1578112655-@bda957.bisx.prod.on.blackberry>
References: <676008484-1284677830-cardhu_decombobulator_blackberry.rim.net-1578112655-@bda957.bisx.prod.on.blackberry>
Message-ID: <1284683433.1999.5.camel@pv-rvallejo>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: face-wink.png
Type: image/png
Size: 876 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100916/5c5c19bd/face-wink.png

From alex at rtpty.com Fri Sep 17 01:35:57 2010
From: alex at rtpty.com (Alex Neuman)
Date: Fri Sep 17 01:36:51 2010
Subject: Master spam blacklist
In-Reply-To: <1284683433.1999.5.camel@pv-rvallejo>
References: <676008484-1284677830-cardhu_decombobulator_blackberry.rim.net-1578112655-@bda957.bisx.prod.on.blackberry><1284683433.1999.5.camel@pv-rvallejo>
Message-ID: <1862826680-1284683798-cardhu_decombobulator_blackberry.rim.net-812518919-@bda957.bisx.prod.on.blackberry>

Closest to that would be zen.spamhaus.org right?
--
Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Rafael Vallejo
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 16 Sep 2010 19:30:33
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Master spam blacklist

From ms-list at alexb.ch Fri Sep 17 14:53:33 2010
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Sep 17 14:53:49 2010
Subject: Master spam blacklist
In-Reply-To: <1284683433.1999.5.camel@pv-rvallejo>
References: <676008484-1284677830-cardhu_decombobulator_blackberry.rim.net-1578112655-@bda957.bisx.prod.on.blackberry> <1284683433.1999.5.camel@pv-rvallejo>
Message-ID: <4C9372DD.1080805@alexb.ch>

On 2010-09-17 2:30, Rafael Vallejo wrote:
> I guess he wants to know if there is a rbl that queries others as well,
> some sort of rbl proxy.
>
> I think is nice idea, just one rbl defined in the local mailscanner at
> your mailserver that query the "master" he mentioned, that "master"
> checks in several rbl so just one work for the local mailscanner and the
> proxy deals with all rbls as well.
>
> Is there one? ;)

there's Sendmail milters and Postfix filters which offer such functionality.
I assume Exim ACLs can do something like it as well.

imo, MailScanner isn't the right place to do such a check.

> -----Original Message-----
> From: Alex Neuman
> Reply-to: MailScanner discussion
> To: MailScanner discussion
> Subject: Re: Master spam blacklist
> Date: Thu, 16 Sep 2010 22:56:29 +0000
>
>
> Define it.
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: Carlos Humberto Llumiquinga Hidalgo
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Thu, 16 Sep 2010 17:50:17
> To:
> Reply-To: MailScanner discussion
> Subject: Master spam blacklist
>
>

From m.anderlini at database.it Mon Sep 20 09:45:36 2010
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Sep 20 09:46:00 2010
Subject: [OT] How to understand what cause Load Machine increase
Message-ID:

Hello guys,
I've a weird problem with my system. Sometimes, and I still do not know why, my machine load average increases rapidly.
In normal use the machine load average is between 10 and 15, but sometimes the load increases and reaches 35 or 36. When this happens the whole system becomes slow and also the POP3 server (dovecot) has timeouts.

I'm using an old version of mailscanner (mailscanner-4.58.9-1.) on a CentOS release 4.8

Could you please suggest where to start looking to find the cause of the problem?

Thanks for all and sorry for my worst English.

Bye

Dr. Marcello Anderlini
m.anderlini@database.it
---------------------------------------------
Database Informatica S.r.l.
Microsoft Certified Partner
Tel. +39059775070
Fax. +39059779545
http://www.database.it
---------------------------------------------

--
Message verified by the Database Informatica antivirus service

From hvdkooij at vanderkooij.org Mon Sep 20 09:52:32 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Sep 20 09:58:02 2010
Subject: [OT] How to understand what cause Load Machine increase
In-Reply-To:
References:
Message-ID:

On Mon, 20 Sep 2010 10:45:36 +0200, "Marcello Anderlini" wrote:
> Hello guys,
> I've a weird problem with my system. Some time, and I still not know why,my
> load machine average increase rapidly
> I normal use the load machine average is between 10 and 15. but sometime
> the
> load increase and reach 35 or 36. when this appen all the system became
> slow
> and also server pop3 (dovecot) had timeout.

Well the obvious tool I would use is top to see what processes are running and taking up resources.

My guess is that the machine lacks sufficient RAM so when you need a bit more memory you must swap a lot.

I think you also must consider splitting your server into a scanner machine and a server holding the mail storage that will handle the clients (POP3 I assume from your message) if the load is increased.

On the other hand it might just be a storm of POP3 clients and not be a MailScanner issue at all.

The load factor in itself is a very poor way of telling whether your system is too busy.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From ms-list at alexb.ch Mon Sep 20 10:02:59 2010
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Sep 20 10:03:10 2010
Subject: [OT] How to understand what cause Load Machine increase
In-Reply-To:
References:
Message-ID: <4C972343.6070807@alexb.ch>

On 2010-09-20 10:45, Marcello Anderlini wrote:
> Hello guys,
> I've a weird problem with my system. Some time, and I still not know why, my
> load machine average increase rapidly
> I normal use the load machine average is between 10 and 15. but sometime the
> load increase and reach 35 or 36. when this happen all the system became slow
> and also server pop3 (dovecot) had timeout.
>
> I'm using an old version of mailscanner (mailscanner-4.58.9-1.) on a CentOS
> release 4.8
>
> Could you please suggest me where to start to look for found the cause of
> the problem ?
>
> Thanks for all and sorry for my worst English.

Just basing on your load I'd suggest you start off by adding lottsa RAM to
your box.

Obviously you need to find out what is trashing your system, but RAM is
usually cheaper than manpower :-)

From maxsec at gmail.com Mon Sep 20 11:32:31 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Sep 20 11:32:42 2010
Subject: [OT] How to understand what cause Load Machine increase
In-Reply-To:
References:
Message-ID:

Have a look on the wiki in the performance and optimisation sections.

http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:performance
http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips

--
Martin Hepworth
Oxford, UK

On 20 September 2010 09:45, Marcello Anderlini wrote:

> Hello guys,
> I've a weird problem with my system. Some time, and I still not know why, my
> load machine average increase rapidly
> I normal use the load machine average is between 10 and 15. but sometime
> the
> load increase and reach 35 or 36. when this happen all the system became
> slow
> and also server pop3 (dovecot) had timeout.
>
> I'm using an old version of mailscanner (mailscanner-4.58.9-1.) on a CentOS
> release 4.8
>
> Could you please suggest me where to start to look for found the cause of
> the problem ?
>
> Thanks for all and sorry for my worst English.
>
> Bye
>
>
> Dr. Marcello Anderlini
> m.anderlini@database.it
> ---------------------------------------------
> Database Informatica S.r.l.
> Microsoft Certified Partner
> Tel. +39059775070
> Fax. +39059779545
> http://www.database.it
> ---------------------------------------------
>
>
> --
> Message verified by the antivirus service of Database Informatica
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From Marc.Delisle at cegepsherbrooke.qc.ca Mon Sep 20 16:40:22 2010
From: Marc.Delisle at cegepsherbrooke.qc.ca (Marc Delisle)
Date: Mon Sep 20 16:40:40 2010
Subject: HTML attachment containing JavaScript
Message-ID: <4C978066.4070206@cegepsherbrooke.qc.ca>

Hi,
I am running MailScanner 4.81.4-1 and we are set up to deliver HTML
attachments. I have a sample of an HTML attachment that was delivered to one
of my users, containing just some JavaScript that redirects to a page which
proposes a .exe malicious file to download.

Is there something to do to remove JavaScript from HTML attachments?

Regards,
Marc Delisle

From micoots at yahoo.com Tue Sep 21 08:24:21 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Tue Sep 21 08:24:32 2010
Subject: Spam-Virus scoring not working any more for me
Message-ID: <600521.23329.qm@web33301.mail.mud.yahoo.com>

Hi,

I've just realised recently that 3rd party signatures from clam
(SaneSecurity DB's) are no longer detected as "spam-virus" but blocked as
viruses.

I've checked and it's been like this for a couple of months, yet I know I
had this working 100% many months ago.

I'm running the latest MailScanner 4.81.4

I've checked my MailScanner.conf and my values are still correct for:
Spam-Virus Header
which lists the header and:
Virus Names Which Are Spam
where I list the signature DB's. None of that has changed.

I then checked my mailscanner.cf file, and have the correct SA entries for:
header
describe
score

The only difference I see between the:
Spam-Virus Header
entry and the:
header MS_FOUND_SPAMVIRUS
entry is the ":" at the end of the "Spam-Virus Header" in MailScanner.conf

But again, I know this worked fine for months, a couple of months ago.

I've checked spamassassin and it does definitely read the mailscanner.cf
file.

Any ideas how I can trouble-shoot this problem?

Thanks.

Michael.

From hvdkooij at vanderkooij.org Tue Sep 21 19:09:50 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 21 19:10:01 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <600521.23329.qm@web33301.mail.mud.yahoo.com>
References: <600521.23329.qm@web33301.mail.mud.yahoo.com>
Message-ID: <4C98F4EE.5010905@vanderkooij.org>

On 21/09/10 09:24, Michael Mansour wrote:

> The only difference I see between the:
> Spam-Virus Header
> entry and the:
> header MS_FOUND_SPAMVIRUS
> entry is the ":" at the end of the "Spam-Virus Header" in MailScanner.conf
>
> But again, I know this worked fine for months, a couple of months ago.

Please consider that the fact that it did work in the past was in effect
a bug and the current situation is the correct one.

The first obvious step is to get rid of the : in your conf file.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From micoots at yahoo.com Wed Sep 22 03:28:27 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Wed Sep 22 03:28:38 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <4C98F4EE.5010905@vanderkooij.org>
Message-ID: <967031.68408.qm@web33304.mail.mud.yahoo.com>

Hi Hugo,

--- On Wed, 22/9/10, Hugo van der Kooij wrote:

> From: Hugo van der Kooij
> Subject: Re: Spam-Virus scoring not working any more for me
> To: "MailScanner discussion"
> Received: Wednesday, 22 September, 2010, 4:09 AM
> On 21/09/10 09:24, Michael Mansour
> wrote:
>
> > The only difference I see between the:
> > Spam-Virus Header
> > entry and the:
> > header MS_FOUND_SPAMVIRUS
> > entry is the ":" at the end of the "Spam-Virus Header"
> in MailScanner.conf
> >
> > But again, I know this worked fine for months, a
> couple of months ago.
>
> Please consider that the fact that it did work in the past
> was in effect
> a bug and the current situation is the correct one.
>
> The first obvious step is to get rid of the : in your conf
> file.

Admittedly I didn't consider that :)

I have changed the setting to remove the ":" and will see how this goes.

Thanks.

Michael.

> Hugo.

From micoots at yahoo.com Wed Sep 22 06:24:43 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Wed Sep 22 06:24:54 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <4C98F4EE.5010905@vanderkooij.org>
Message-ID: <943946.78068.qm@web33302.mail.mud.yahoo.com>

Hi Hugo,

--- On Wed, 22/9/10, Hugo van der Kooij wrote:

> From: Hugo van der Kooij
> Subject: Re: Spam-Virus scoring not working any more for me
> To: "MailScanner discussion"
> Received: Wednesday, 22 September, 2010, 4:09 AM
> On 21/09/10 09:24, Michael Mansour
> wrote:
>
> > The only difference I see between the:
> > Spam-Virus Header
> > entry and the:
> > header MS_FOUND_SPAMVIRUS
> > entry is the ":" at the end of the "Spam-Virus Header"
> in MailScanner.conf
> >
> > But again, I know this worked fine for months, a
> couple of months ago.
>
> Please consider that the fact that it did work in the past
> was in effect
> a bug and the current situation is the correct one.
>
> The first obvious step is to get rid of the : in your conf
> file.

Having tested this now, I can say that the removal of the ":" did not affect
it. These "infections":

Clamd: message was infected: INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL(b296e7ae61a7c8480c7219a4e2a27390:1916)

still get blocked when I want them scored.

Anything else I can check/trouble-shoot? Is there a debug in MailScanner I
can run through to see why the spam-virus isn't scored and instead blocked?

Thanks.

Michael.

> Hugo.
>
> --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From jwithrow at matech.net Wed Sep 22 14:34:50 2010
From: jwithrow at matech.net (Joshua F. Withrow)
Date: Wed Sep 22 14:36:22 2010
Subject: Quarantine Folders Not Being Created
Message-ID:

Skipped content of type multipart/alternative

From GSilver at rampuptech.com Wed Sep 22 14:47:34 2010
From: GSilver at rampuptech.com (Gavin Silver)
Date: Wed Sep 22 14:47:29 2010
Subject: Quarantine Folders Not Being Created
In-Reply-To:
References:
Message-ID:

Skipped content of type multipart/alternative

From mark at msapiro.net Wed Sep 22 15:05:01 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Wed Sep 22 15:05:10 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <943946.78068.qm@web33302.mail.mud.yahoo.com>
References: <943946.78068.qm@web33302.mail.mud.yahoo.com>
Message-ID: <4C9A0D0D.6020405@msapiro.net>

On 11:59 AM, Michael Mansour wrote:
>
> Having tested this now, I can say that the removal of the ":" did not affect it. These "infections":

The colon is correct. It should be there in Spam-Virus Header in
MailScanner.conf as it defines the header and the colon is part of the
header. The lack of a colon in 'header' in the spamassassin file is also
correct as this just references the 'name' of the header which does not
include the colon.

Did you by chance change your org-name? I.e. I have

Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

in MailScanner.conf and

header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report

in spamassassin. This only works if %org-name% = GPC in MailScanner.conf.

> Clamd: message was infected: INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL(b296e7ae61a7c8480c7219a4e2a27390:1916)
>
> still get blocked when I want them scored.

If the above does not solve the problem, please post exactly what you
have in Mailscanner.conf for "Spam-Virus Header" and "Virus Names Which
Are Spam". In particular, does your "Virus Names Which Are Spam"
pattern(s) match the virus name?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From Phil.Udel at SalemCorp.com Wed Sep 22 15:46:11 2010
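Mark Sapiro's two checks above (the expanded "Spam-Virus Header" must equal the name in the SpamAssassin `exists:` rule, and a "Virus Names Which Are Spam" pattern must match the reported name), as an added example that is not part of the thread or of MailScanner. The sample files and the function names are constructed, and treating the pattern list as space-separated `*` wildcards searched for inside the name is an assumption.

```python
import re

# Constructed sample files. The header and exists: lines are the ones quoted
# in the message above; the pattern list and describe/score lines are made up.
MAILSCANNER_CONF = """\
%org-name% = GPC
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL INetMsg*UNOFFICIAL
"""

SPAMASSASSIN_CF = """\
header   MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report
describe MS_FOUND_SPAMVIRUS Virus scanner reported a spam signature
score    MS_FOUND_SPAMVIRUS 3.0
"""

# Signature name taken from the clamd report quoted in the thread.
VIRUS_NAME = "INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL"


def parse_mailscanner_conf(text):
    """Return {lower-cased setting name: value} for every 'Name = value' line."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[" ".join(name.split()).lower()] = value.strip()
    return settings


def expand_macros(value, settings):
    """Replace each %name% with the value of its '%name% = ...' line, if any."""
    return re.sub(r"%[\w-]+%",
                  lambda m: settings.get(m.group(0).lower(), m.group(0)),
                  value)


def sa_exists_header(cf_text, rule="MS_FOUND_SPAMVIRUS"):
    """Header name tested by 'header <rule> exists:<name>', or None."""
    m = re.search(r"^\s*header\s+%s\s+exists:(\S+)" % re.escape(rule),
                  cf_text, re.M)
    return m.group(1) if m else None


def matching_pattern(patterns, virus_name):
    """First wildcard pattern found inside virus_name, or None (assumed semantics)."""
    for pattern in patterns.split():
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.search(regex, virus_name):
            return pattern
    return None


def check_spam_virus_setup(ms_conf, sa_cf, virus_name):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    settings = parse_mailscanner_conf(ms_conf)
    header = expand_macros(settings.get("spam-virus header", ""), settings)
    if not header.endswith(":"):
        problems.append("Spam-Virus Header %r has no trailing ':'" % header)
    sa_name = sa_exists_header(sa_cf)
    if sa_name is None:
        problems.append("no 'header MS_FOUND_SPAMVIRUS exists:' rule found")
    elif sa_name.lower() != header.rstrip(":").lower():
        problems.append("MailScanner adds %r but SpamAssassin tests for %r"
                        % (header, sa_name))
    patterns = settings.get("virus names which are spam", "")
    if matching_pattern(patterns, virus_name) is None:
        problems.append("no 'Virus Names Which Are Spam' pattern matches %r"
                        % virus_name)
    return problems


if __name__ == "__main__":
    for problem in check_spam_virus_setup(MAILSCANNER_CONF, SPAMASSASSIN_CF,
                                          VIRUS_NAME) or ["consistent"]:
        print(problem)
```
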
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Wed Sep 22 15:46:11 2010
Subject: Problem with Iphones
Message-ID:

Hi, I am a long time user of Sendmail and Mailscanner but I have hit a
problem that I can't seem to find a solution for. Currently I am using the
latest version of everything on a centos 5.1 sandbox.

Problem Description:
I have some Apple Iphones that the users want to Send/Replay Email directly
with my mail server. I do not use Auth, but I am looking into using that to
solve relay problem.
The problem that I am not sure that Auth will fix is the high spam score
Iphones get.
Almost all the Iphone seem to hit most, if not all of the rules:
RDNS_DYNAMIC
RCVD_IN_PBL
MIME_QP_LONG_LINE

I don't want to lower the rule scores because they do a good job of stopping
a lot of Dynamic spam.
I can't whitelist the IP or domain example
(mobile-166-137-011-147.mycingular.net) because the IP is different every
time, and whitelisting mycingular.net is a bad idea.

If I set up Auth will SpamAssassin still score it high? I believe it would.
If I use Auth will that get a ALL_TRUSTED Value that I can use to Lower the
score?

As Always MY Life and job hang in the balance on this issue, since one of
the Iphones belongs to the owner of the company. :P

From jvoorhees1 at gmail.com Wed Sep 22 15:52:28 2010
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Wed Sep 22 15:52:43 2010
Subject: Maximum Message Size, how do rules work?
Message-ID:

Hi people:

I'm using MailScanner 4.79.11 on RHEL 5.4 x86_64 with a setting like this:

Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1

My max.message.size.rules look like this:

From: user1@domain.com 1M
From: user2@domain.com 2M
From: user3@domain.com 4M
From: *@domain.com 512K
To: *@domain.com 2M
FromOrTo: default 0

According to this I'm having some issues with rules not working as
expected so I have some questions:

1. "Maximum Message Size" evals the size of a whole message including
all its attachments, right?.

2. If I have "Maximum Message Size" and "Maximum Attachment Size"
configured as shown above, what should be the behavior among those two
directives? Is "Maximum Message Size" which dictates the control of
size of messages? Or are those rules ignored because of the unlimited
value (-1) of "Maximum Attachment Size"? Or maybe "Maximum Attachment
Size" is just ignored?

3. Rules of max.message.size.rules are evaluated like Firewall rules
or Squid ACLs? I mean, I want to know if MailScanner matches a message
with a rule (From: user1@domain.com 1M) at line 3 then MS stop reading
next lines? Does MS always read all lines and matches with the last
rule found/matching?

I'm asking this because I noted that MS isn't working properly:

1. user1@domain.com sends a message to user7@domain.com (not in rules
file, so defaults to *@domain.com 2M) of 1.8 MB and MS doesn't block
it, it just let it pass. Didn't work as expected.
2. user1@domain.com sends a message to user7@domain.com (not in rules
file, so defaults to *@domain.com 2M) of 4.5 MB and MS doesn't block
it, it just let it pass. Didn't work as expected.
3. user1@domain.com sends a message to user7@domain.com (not in rules
file, so defaults to *@domain.com 2M) of 1.9 MB and MS does block it
and send a warning message as expected.

I just found a person on Internet with a similar problem with MS
4.79.11 and according to him the solution was to downgrade to MS 4.72.
The link of this report (sorry, is in Spanish) is:

http://www.ecualug.org/2010/06/02/forums/problema_con_mailscanner_en_parametro_maxmessagesizerules

Is any bug related to this settings in MS 4.79.11? I checked the
Changelog of MS 4.81 (beta and stable) but didn't find anything
related to this.
I hope someone can help me because I don't really know what's the
problem with my MS installation.

Thanks

From rob at poeweb.com Wed Sep 22 15:58:33 2010
From: rob at poeweb.com (Rob Poe)
Date: Wed Sep 22 15:58:48 2010
Subject: Problem with Iphones
In-Reply-To:
References:
Message-ID: <4C9A1999.1020103@poeweb.com>

I set up a weird/strange port to the internal SMTP server and let the
iPhones auth against the internal email server instead of trying to
maintain users on the MailScanner servers.

On the iPhone you can set up a port, IIRC you append a colon and the port
number (but you have to enter it fresh, not edit if you want to change the
port to avoid issues).

On 9/22/2010 9:46 AM, Phil Udel wrote:
> Hi, I am a long time user of Sendmail and Mailscanner but I have hit a
> problem that I can't seem to find a solution for. Currently I am using
> the latest version of everything on a centos 5.1 sandbox.
> Problem Description:
> I have some Apple Iphones that the users want to Send/Replay Email
> directly with my mail server. I do not use Auth, but I am looking
> into using that to solve relay problem.
> The problem that I am not sure that Auth will fix is the high spam
> score Iphones get.
> Almost all the Iphone seem to hit most, if not all of the rules:
> RDNS_DYNAMIC
> RCVD_IN_PBL
> MIME_QP_LONG_LINE
> I don't want to lower the rule scores because they do a good job of
> stopping a lot of Dynamic spam.
> I can't whitelist the IP or domain example
> (mobile-166-137-011-147.mycingular.net) because the IP is different
> every time, and whitelisting mycingular.net is a bad idea.
> If I set up Auth will SpamAssassin still score it high? I believe it would.
> If I use Auth will that get a ALL_TRUSTED Value that I can use to
> Lower the score?
> As Always MY Life and job hang in the balance on this issue, since one
> of the Iphones belongs to the owner of the company. :P

From alex at rtpty.com Wed Sep 22 16:02:53 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 22 16:03:10 2010
Subject: Problem with Iphones
In-Reply-To:
References:
Message-ID: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com>

The problem is not with the iPhones. The problem lies with the fact that
you're not using AUTH when nowadays it's absolutely necessary.

You need to use AUTH, and SPF with hardfail as well. I also insert a custom
header into authenticated users' e-mails so that SpamAssassin will score a
-100 on them, and that helps a lot.

On Sep 22, 2010, at 9:46 AM, Phil Udel wrote:

> Hi, I am a long time user of Sendmail and Mailscanner but I have hit a problem that I can't seem to find a solution for. Currently I am using the latest version of everything on a centos 5.1 sandbox.
>
>
> Problem Description:
> I have some Apple Iphones that the users want to Send/Replay Email directly with my mail server. I do not use Auth, but I am looking into using that to solve relay problem.
> The problem that I am not sure that Auth will fix is the high spam score Iphones get.
> Almost all the Iphone seem to hit most, if not all of the rules:
> RDNS_DYNAMIC
> RCVD_IN_PBL
> MIME_QP_LONG_LINE
>
> I don't want to lower the rule scores because they do a good job of stopping a lot of Dynamic spam.
> I can't whitelist the IP or domain example (mobile-166-137-011-147.mycingular.net) because the IP is different every time, and whitelisting mycingular.net is a bad idea.
>
>
> If I set up Auth will SpamAssassin still score it high? I believe it would.
> If I use Auth will that get a ALL_TRUSTED Value that I can use to Lower the score?
>
> As Always MY Life and job hang in the balance on this issue, since one of the Iphones belongs to the owner of the company. :P

From alex at rtpty.com Wed Sep 22 16:03:47 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 22 16:04:09 2010
Subject: Problem with Iphones
In-Reply-To: <4C9A1999.1020103@poeweb.com>
References: <4C9A1999.1020103@poeweb.com>
Message-ID: <2DA18835-2FD9-407D-8437-6E2564DF546E@rtpty.com>

Security by obscurity is not security. Using SMTP AUTH - and
checking/scoring for it at the SA level - would help a lot without
compromising the security.

On Sep 22, 2010, at 9:58 AM, Rob Poe wrote:

> I set up a weird/strange port to the internal SMTP server and let the iPhones auth against the internal email server instead of trying to maintain users on the MailScanner servers.

From alex at rtpty.com Wed Sep 22 16:08:57 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 22 16:14:23 2010
Subject: Maximum Message Size, how do rules work?
In-Reply-To:
References:
Message-ID: <737186556-1285168450-cardhu_decombobulator_blackberry.rim.net-472317861-@bda957.bisx.prod.on.blackberry>

Multiple recipients?
--

Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Jason Voorhees
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 22 Sep 2010 09:52:28
To:
Reply-To: MailScanner discussion
Subject: Maximum Message Size, how do rules work?

Hi people:

I'm using MailScanner 4.79.11 on RHEL 5.4 x86_64 with a setting like this:

Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1

My max.message.size.rules look like this:

From: user1@domain.com 1M
From: user2@domain.com 2M
From: user3@domain.com 4M
From: *@domain.com 512K To: *@domain.com 2M FromOrTo: default 0 According to this I'm having some issues with rules not working as expected so I have some questions: 1. "Maximum Message Size" evals the size of a whole message including all its attachments, right?. 2. If I have "Maximum Mesage Size" and "Maximum Attachment Size" configured as shown above, what should be the behavior among those two directives? Is "Maximum Message Size" which dictates the control of size of messages? Or are those rules ignored because of the unlimited value (-1) of "Maximum Attachment Size"? Or maybe "Maximum Attachment Size" is just ignored? 3. Rules of max.message.size.rules are evaluated like Firewall rules or Squid ACLs? I mean, i want to know if MailScanner matches a message with a rule (From: user1@domain.com 1M) at line 3 then MS stop reading next lines? Does MS always read all lines and matches with the last rule found/matching? I'm asking this because I noted that MS isn't working properly: 1. user1@domain.com sends a message to user7@domain.com (not in rules file, so defaults to *@domain.com 2M) of 1.8 MB and MS doesn't block it, it just let it pass. Didn't work as expected. 2. user1@domain.com sends a message to user7@domain.com (not in rules file, so defaults to *@domain.com 2M) of 4.5 MB and MS doesn't block it, it just let it pass. Didn't work as expected. 3. user1@domain.com sends a message to user7@domain.com (not in rules file, so defaults to *@domain.com 2M) of 1.9 MB and MS does block it and send a warning message as expected. I just found a person on Internet with a similar problem with MS 4.79.11 and according to him the solution was to downgrade to MS 4.72. The link of this report (sorry, is in spanish) is: http://www.ecualug.org/2010/06/02/forums/problema_con_mailscanner_en_parametro_maxmessagesizerules Is any bug related to this settings in MS 4.79.11? I checked the Changelog of MS 4.81 (beta and stable) but didn't find anything related to this. 
I hope someone can help me because I don't really know what's the
problem with my MS installation.

Thanks

From maxsec at gmail.com Wed Sep 22 16:25:29 2010
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Sep 22 16:25:40 2010
Subject: Maximum Message Size, how do rules work?
In-Reply-To:
References:
Message-ID:

Does user1@domain.com sending internally to domain.com go via MS at all???

Are there any MS email headers in the message when received to show that MS
has indeed scanned it?

Have you got anything in the "Scan Messages" messages if it's from and to
domain.com and from an internal address that says don't scan the email?

--
Martin Hepworth
Oxford, UK

On 22 September 2010 15:52, Jason Voorhees wrote:

> Hi people:
>
> I'm using MailScanner 4.79.11 on RHEL 5.4 x86_64 with a setting like this:
>
> Maximum Message Size = %rules-dir%/max.message.size.rules
> Maximum Attachment Size = -1
>
> My max.message.size.rules look like this:
>
> From: user1@domain.com 1M
> From: user2@domain.com 2M
> From: user3@domain.com 4M
> From: *@domain.com 512K > To: *@domain.com 2M > FromOrTo: default 0 > > According to this I'm having some issues with rules not working as > expected so I have some questions: > > 1. "Maximum Message Size" evals the size of a whole message including > all its attachments, right?. > > 2. If I have "Maximum Mesage Size" and "Maximum Attachment Size" > configured as shown above, what should be the behavior among those two > directives? Is "Maximum Message Size" which dictates the control of > size of messages? Or are those rules ignored because of the unlimited > value (-1) of "Maximum Attachment Size"? Or maybe "Maximum Attachment > Size" is just ignored? > > 3. Rules of max.message.size.rules are evaluated like Firewall rules > or Squid ACLs? I mean, i want to know if MailScanner matches a message > with a rule (From: user1@domain.com 1M) at line 3 then MS stop reading > next lines? Does MS always read all lines and matches with the last > rule found/matching? > > I'm asking this because I noted that MS isn't working properly: > > 1. user1@domain.com sends a message to user7@domain.com (not in rules > file, so defaults to *@domain.com 2M) of 1.8 MB and MS doesn't block > it, it just let it pass. Didn't work as expected. > 2. user1@domain.com sends a message to user7@domain.com (not in rules > file, so defaults to *@domain.com 2M) of 4.5 MB and MS doesn't block > it, it just let it pass. Didn't work as expected. > 3. user1@domain.com sends a message to user7@domain.com (not in rules > file, so defaults to *@domain.com 2M) of 1.9 MB and MS does block it > and send a warning message as expected. > > I just found a person on Internet with a similar problem with MS > 4.79.11 and according to him the solution was to downgrade to MS 4.72. > The link of this report (sorry, is in spanish) is: > > > http://www.ecualug.org/2010/06/02/forums/problema_con_mailscanner_en_parametro_maxmessagesizerules > > Is any bug related to this settings in MS 4.79.11? 
I checked the
> Changelog of MS 4.81 (beta and stable) but didn't find anything
> related to this.
>
> I hope someone can help me because I don't really know what's the
> problem with my MS installation.
>
> Thanks
>

From Phil.Udel at SalemCorp.com Wed Sep 22 16:26:04 2010
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Wed Sep 22 16:26:19 2010
Subject: Problem with Iphones
In-Reply-To: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com>
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com>
Message-ID:

That would be great.
I think I have the Auth setup. How do I do the "custom header into
authenticated users" ?

Test of Auth
250-mail.salemcorp.com Hello localhost.localdomain [127.0.0.1], pleased to meetu
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman Sent: Wednesday, September 22, 2010 11:03 AM To: MailScanner discussion Subject: Re: Problem with Iphones The problem is not with the iPhones. The problem lies with the fact that you're not using AUTH when nowadays it's absolutely necessary. You need to use AUTH, and SPF with hardfail as well. I also insert a custom header into authenticated users' e-mails so that SpamAssassin will score a -100 on them, and that helps a lot. On Sep 22, 2010, at 9:46 AM, Phil Udel wrote: > HI, I am a long time user of Sendmail and Mailscanner but I have hit a problem that I cant seem to find a solution for. Currently I am using the latest version of everything on a centos 5.1 sandbox. > > > Problem Description: > I have some Apple Iphones that the users want to Send/Replay Email directly with my mail server. I do not use Auth, but I am looking into using that to solve relay problem. > The problem that I am not sure that Auth will fix is the high spam score Iphones get. > Almost all the Iphone seem to hit most, if not all of the rules: > RDNS_DYNAMIC > RCVD_IN_PBL > MIME_QP_LONG_LINE > > I don't want to lower the rule scores because they do a good job of stopping alot of Dynamic spam. > I cant whitelist the IP or domain example (mobile-166-137-011-147.mycingular.net) because the IP is different every time, and whitlisting mycingular.net is a bad idea. > > > If I set up Auth will Spamassasn still score it high? I believe it would. > If I use Auth will that get a ALL_TRUSTED Value that I can use to Lower the score? > > As Always MY Life and job hang in the balance on this issue, since one > of the Ipones belongs to the owner of the company. 
:P
>
>

From jvoorhees1 at gmail.com Wed Sep 22 16:44:53 2010
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Wed Sep 22 16:45:19 2010
Subject: Maximum Message Size, how do rules work?
In-Reply-To: <737186556-1285168450-cardhu_decombobulator_blackberry.rim.net-472317861-@bda957.bisx.prod.on.blackberry>
References: <737186556-1285168450-cardhu_decombobulator_blackberry.rim.net-472317861-@bda957.bisx.prod.on.blackberry>
Message-ID:

No, just one recipient.

On Wed, Sep 22, 2010 at 10:08 AM, Alex Neuman wrote:
> Multiple recipients?
> --
>
> Alex Neuman
> BBM 20EA17C5
> +507 6781-9505
> Skype:alex@rtpty.com
>
> -----Original Message-----
> From: Jason Voorhees
> Sender: mailscanner-bounces@lists.mailscanner.info
> Date: Wed, 22 Sep 2010 09:52:28
> To:
> Reply-To: MailScanner discussion
> Subject: Maximum Message Size, how do rules work?
>
> Hi people:
>
> I'm using MailScanner 4.79.11 on RHEL 5.4 x86_64 with a setting like this:
>
> Maximum Message Size = %rules-dir%/max.message.size.rules
> Maximum Attachment Size = -1
>
> My max.message.size.rules look like this:
>
> From: user1@domain.com 1M
> From: user2@domain.com 2M
> From: user3@domain.com 4M
> From: *@domain.com 512K > To: *@domain.com 2M > FromOrTo: default 0 > > According to this I'm having some issues with rules not working as > expected so I have some questions: > > 1. "Maximum Message Size" evals the size of a whole message including > all its attachments, right?. > > 2. If I have "Maximum Mesage Size" and "Maximum Attachment Size" > configured as shown above, what should be the behavior among those two > directives? Is "Maximum Message Size" which dictates the control of > size of messages? Or are those rules ignored because of the unlimited > value (-1) of "Maximum Attachment Size"? Or maybe "Maximum Attachment > Size" is just ignored? > > 3. Rules of max.message.size.rules are evaluated like Firewall rules > or Squid ACLs? I mean, i want to know if MailScanner matches a message > with a rule (From: user1@domain.com 1M) at line 3 then MS stop reading > next lines? Does MS always read all lines and matches with the last > rule found/matching? > > I'm asking this because I noted that MS isn't working properly: > > 1. user1@domain.com sends a message to user7@domain.com (not in rules > file, so defaults to *@domain.com 2M) of 1.8 MB and MS doesn't block > it, it just let it pass. Didn't work as expected. > 2. user1@domain.com sends a message to user7@domain.com (not in rules > file, so defaults to *@domain.com 2M) of 4.5 MB and MS doesn't block > it, it just let it pass. Didn't work as expected. > 3. user1@domain.com sends a message to user7@domain.com (not in rules > file, so defaults to *@domain.com 2M) of 1.9 MB and MS does block it > and send a warning message as expected. > > I just found a person on Internet with a similar problem with MS > 4.79.11 and according to him the solution was to downgrade to MS 4.72. > The link of this report (sorry, is in spanish) is: > > http://www.ecualug.org/2010/06/02/forums/problema_con_mailscanner_en_parametro_maxmessagesizerules > > Is any bug related to this settings in MS 4.79.11? 
> I checked the Changelog of MS 4.81 (beta and stable) but didn't find anything
> related to this.
>
> I hope someone can help me because I don't really know what's the
> problem with my MS installation.
>
> Thanks

From jvoorhees1 at gmail.com Wed Sep 22 16:55:49 2010
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Wed Sep 22 16:55:58 2010
Subject: Maximum Message Size, how do rules work?
In-Reply-To:
References:
Message-ID:

Hi:

On Wed, Sep 22, 2010 at 10:25 AM, Martin Hepworth wrote:
> Does user1@domain.com sending internally to domain.com go via MS at all???
>
> Are there any MS email headers in the message when received to show that MS
> has indeed scanned it?
>
> Have you got anything in the "Scan Messages" messages if its from and to
> domain.com and from an internal address that says don't scan the email?
>

1. "Scan Messages = Yes" in MailScanner.conf
2. According to logs I'm sure that all those messages were scanned by
MailScanner. Take a look at:

http://pastebin.com/upLxLKf5

This was a message of 1.9 MB (approx) that wasn't rejected by size.

I forgot to mention this: MS is running integrated with Zimbra. But I
believe this has nothing to do because it's just a typical
postfix+header_checks configuration.

Thanks

From alex at rtpty.com Wed Sep 22 17:05:18 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 22 17:05:34 2010
Subject: Problem with Iphones
In-Reply-To:
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com>
Message-ID: <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com>

You're using sendmail.

Find cfhead.m4 - should be in /usr/share/sendmail-cf/m4 if you're using CentOS.

Look for the line (on or near line 274) that says:
define(`confRECEIVED_HEADER', `_REC_HDR_

This is where the header is defined. The next line reads:
_REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)

Change it to:
_REC_FULL_AUTH_$?{auth_ssf} YOURTOKEN bits=${auth_ssf}$.)

The REC_FULL_AUTH will give you a better idea of the username that authenticated - not just *the fact that the user did authenticate*.

The YOURTOKEN would be something that's not obviously "your token" so it doesn't get picked up by spammers. This is what we'll look for using SA.

Find your local.cf for spamassassin. This should be in /etc/mail/spamassassin. Go to the end and add:

header YOURTOKEN ALL =~ /YOURTOKEN/
score YOURTOKEN -100

This is crude, but effective. Spoofable, since "YOURTOKEN" will obviously be something someone could insert into their own headers - but I doubt it's practical for most spammers.

Let me know how that works out for you. Works for me, YMMV, if you break it you get to keep all the pieces.

On Sep 22, 2010, at 10:26 AM, Phil Udel wrote:

> That would be great.
> I think I have the Auth setup. How do I do the "custom header into
> authenticated users" ?
>
> Test of Auth
> 250-mail.salemcorp.com Hello localhost.localdomain [127.0.0.1], pleased to
> meetu
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH DIGEST-MD5 CRAM-MD5
> 250-DELIVERBY
> 250 HELP
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Wednesday, September 22, 2010 11:03 AM
> To: MailScanner discussion
> Subject: Re: Problem with Iphones
>
> The problem is not with the iPhones.
>
> The problem lies with the fact that you're not using AUTH when nowadays it's
> absolutely necessary.
>
> You need to use AUTH, and SPF with hardfail as well. I also insert a custom
> header into authenticated users' e-mails so that SpamAssassin will score a
> -100 on them, and that helps a lot.
>
> On Sep 22, 2010, at 9:46 AM, Phil Udel wrote:
>
>> HI, I am a long time user of Sendmail and Mailscanner but I have hit a
>> problem that I can't seem to find a solution for. Currently I am using the
>> latest version of everything on a centos 5.1 sandbox.
>>
>>
>> Problem Description:
>> I have some Apple Iphones that the users want to Send/Replay Email
>> directly with my mail server. I do not use Auth, but I am looking into
>> using that to solve relay problem.
>> The problem that I am not sure that Auth will fix is the high spam score
>> Iphones get.
>> Almost all the Iphone seem to hit most, if not all of the rules:
>> RDNS_DYNAMIC
>> RCVD_IN_PBL
>> MIME_QP_LONG_LINE
>>
>> I don't want to lower the rule scores because they do a good job of
>> stopping a lot of Dynamic spam.
>> I can't whitelist the IP or domain example
>> (mobile-166-137-011-147.mycingular.net) because the IP is different every
>> time, and whitelisting mycingular.net is a bad idea.
>>
>>
>> If I set up Auth will SpamAssassin still score it high? I believe it would.
>> If I use Auth will that get a ALL_TRUSTED Value that I can use to Lower
>> the score?
>>
>> As Always MY Life and job hang in the balance on this issue, since one
>> of the Iphones belongs to the owner of the company.
>> :P

From Phil.Udel at SalemCorp.com Wed Sep 22 17:20:16 2010
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Wed Sep 22 17:20:25 2010
Subject: Problem with Iphones
In-Reply-To: <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com>
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com> <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com>
Message-ID: <1124665BD6864B1DAD0A08E3EF1FD4BE@salemcorp.com>

Nice. Thanks.
I am still working on the Auth. I seem to have hit a bump.

I keep getting:
AUTH LOGIN dGVzdA==
504 5.3.3 AUTH mechanism LOGIN not available

Mail Log
Sep 22 08:03:34 mail sendmail[6652]: AUTH: available mech=CRAM-MD5 DIGEST-MD5 ANONYMOUS, allowed mech=EXTERNAL LOGIN PLAIN

For some reason the LOGIN PLAIN is not available :(

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Wednesday, September 22, 2010 12:05 PM
To: MailScanner discussion
Subject: Re: Problem with Iphones

You're using sendmail.

Find cfhead.m4 - should be in /usr/share/sendmail-cf/m4 if you're using CentOS.

Look for the line (on or near line 274) that says:
define(`confRECEIVED_HEADER', `_REC_HDR_

This is where the header is defined. The next line reads:
_REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)

Change it to:
_REC_FULL_AUTH_$?{auth_ssf} YOURTOKEN bits=${auth_ssf}$.)

The REC_FULL_AUTH will give you a better idea of the username that authenticated - not just *the fact that the user did authenticate*.

The YOURTOKEN would be something that's not obviously "your token" so it doesn't get picked up by spammers. This is what we'll look for using SA.

Find your local.cf for spamassassin. This should be in /etc/mail/spamassassin. Go to the end and add:

header YOURTOKEN ALL =~ /YOURTOKEN/
score YOURTOKEN -100

This is crude, but effective. Spoofable, since "YOURTOKEN" will obviously be something someone could insert into their own headers - but I doubt it's practical for most spammers.

Let me know how that works out for you. Works for me, YMMV, if you break it you get to keep all the pieces.

On Sep 22, 2010, at 10:26 AM, Phil Udel wrote:

> That would be great.
> I think I have the Auth setup. How do I do the "custom header
> into authenticated users" ?
>
> Test of Auth
> 250-mail.salemcorp.com Hello localhost.localdomain [127.0.0.1],
> pleased to meetu
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH DIGEST-MD5 CRAM-MD5
> 250-DELIVERBY
> 250 HELP
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Wednesday, September 22, 2010 11:03 AM
> To: MailScanner discussion
> Subject: Re: Problem with Iphones
>
> The problem is not with the iPhones.
>
> The problem lies with the fact that you're not using AUTH when
> nowadays it's absolutely necessary.
>
> You need to use AUTH, and SPF with hardfail as well. I also insert a
> custom header into authenticated users' e-mails so that SpamAssassin
> will score a -100 on them, and that helps a lot.
>
> On Sep 22, 2010, at 9:46 AM, Phil Udel wrote:
>
>> HI, I am a long time user of Sendmail and Mailscanner but I have hit
>> a problem that I can't seem to find a solution for. Currently I am using
>> the latest version of everything on a centos 5.1 sandbox.
>>
>>
>> Problem Description:
>> I have some Apple Iphones that the users want to Send/Replay Email
>> directly with my mail server. I do not use Auth, but I am looking
>> into using that to solve relay problem.
>> The problem that I am not sure that Auth will fix is the high spam
>> score Iphones get.
>> Almost all the Iphone seem to hit most, if not all of the rules:
>> RDNS_DYNAMIC
>> RCVD_IN_PBL
>> MIME_QP_LONG_LINE
>>
>> I don't want to lower the rule scores because they do a good job of
>> stopping a lot of Dynamic spam.
>> I can't whitelist the IP or domain example
>> (mobile-166-137-011-147.mycingular.net) because the IP is different
>> every time, and whitelisting mycingular.net is a bad idea.
>>
>>
>> If I set up Auth will SpamAssassin still score it high? I believe it would.
>> If I use Auth will that get a ALL_TRUSTED Value that I can use to
>> Lower the score?
>>
>> As Always MY Life and job hang in the balance on this issue, since
>> one of the Iphones belongs to the owner of the company.
>> :P

From steve.freegard at fsl.com Wed Sep 22 17:52:32 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Sep 22 17:52:45 2010
Subject: Problem with Iphones
In-Reply-To: <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com>
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com> <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com>
Message-ID: <4C9A3450.4040401@fsl.com>

Alex,

On 22/09/10 17:05, Alex Neuman wrote:
> You're using sendmail.
>
> Find cfhead.m4 - should be in /usr/share/sendmail-cf/m4 if you're using CentOS.
>
> Look for the line (on or near line 274) that says:
> define(`confRECEIVED_HEADER', `_REC_HDR_
>
> This is where the header is defined. The next line reads:
> _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
>
> Change it to:
> _REC_FULL_AUTH_$?{auth_ssf} YOURTOKEN bits=${auth_ssf}$.)
>
> The REC_FULL_AUTH will give you a better idea of the username that authenticated - not just *the fact that the user did authenticate*.

Don't edit sendmail supplied m4 files. Edit /etc/mail/sendmail.mc instead; all of those macros should still be available to you there... e.g.

define(`confRECEIVED_HEADER', `......')dnl

> The YOURTOKEN would be something that's not obviously "your token" so it doesn't get picked up by spammers. This is what we'll look for using SA.
>
> Find your local.cf for spamassassin. This should be in /etc/mail/spamassassin. Go to the end and add:
>
> header YOURTOKEN ALL =~ /YOURTOKEN/

Yuck. Don't use 'ALL' when Received is far more appropriate. On messages with a lot of headers you'll waste a load of CPU and time.

Instead:

header YOURTOKEN Received =~ /foo/

You can also make it less spoofable using X-Spam-Relays-Trusted: metadata header added by SpamAssassin.

Run one of these messages through 'spamassassin -D -t < msg | grep X-Spam-Relays' and look what output you get for 'auth=' for an example message.
You can then write an un-spoofable rule (provided your TrustPath is correct) via:

header FOO X-Spam-Relays-Trusted =~ /auth=foo/i

With this method - you might not even need this particular rule as with the trust path correct; the OP's problem of hitting RCVD_IN_PBL, RDNS_DYNAMIC etc. goes away as trusted hosts aren't tested.

Regards,
Steve.

From alex at rtpty.com Wed Sep 22 18:03:10 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 22 18:08:38 2010
Subject: Problem with Iphones
In-Reply-To: <4C9A3450.4040401@fsl.com>
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com> <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com><4C9A3450.4040401@fsl.com>
Message-ID: <763124281-1285175304-cardhu_decombobulator_blackberry.rim.net-1631833386-@bda957.bisx.prod.on.blackberry>

That's the beauty of the list. You can turn my crude thing into something more elegant ;-)
--

Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Steve Freegard
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 22 Sep 2010 17:52:32
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Problem with Iphones

Alex,

On 22/09/10 17:05, Alex Neuman wrote:
> You're using sendmail.
>
> Find cfhead.m4 - should be in /usr/share/sendmail-cf/m4 if you're using CentOS.
>
> Look for the line (on or near line 274) that says:
> define(`confRECEIVED_HEADER', `_REC_HDR_
>
> This is where the header is defined. The next line reads:
> _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
>
> Change it to:
> _REC_FULL_AUTH_$?{auth_ssf} YOURTOKEN bits=${auth_ssf}$.)
>
> The REC_FULL_AUTH will give you a better idea of the username that authenticated - not just *the fact that the user did authenticate*.

Don't edit sendmail supplied m4 files. Edit /etc/mail/sendmail.mc instead; all of those macros should still be available to you there... e.g.

define(`confRECEIVED_HEADER', `......')dnl

> The YOURTOKEN would be something that's not obviously "your token" so it doesn't get picked up by spammers. This is what we'll look for using SA.
>
> Find your local.cf for spamassassin. This should be in /etc/mail/spamassassin. Go to the end and add:
>
> header YOURTOKEN ALL =~ /YOURTOKEN/

Yuck. Don't use 'ALL' when Received is far more appropriate. On messages with a lot of headers you'll waste a load of CPU and time.

Instead:

header YOURTOKEN Received =~ /foo/

You can also make it less spoofable using X-Spam-Relays-Trusted: metadata header added by SpamAssassin.

Run one of these messages through 'spamassassin -D -t < msg | grep X-Spam-Relays' and look what output you get for 'auth=' for an example message.

You can then write an un-spoofable rule (provided your TrustPath is correct) via:

header FOO X-Spam-Relays-Trusted =~ /auth=foo/i

With this method - you might not even need this particular rule as with the trust path correct; the OP's problem of hitting RCVD_IN_PBL, RDNS_DYNAMIC etc.
goes away as trusted hosts aren't tested.

Regards,
Steve.

From Phil.Udel at SalemCorp.com Wed Sep 22 19:11:04 2010
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Wed Sep 22 19:12:07 2010
Subject: Problem with Iphones
In-Reply-To: <763124281-1285175304-cardhu_decombobulator_blackberry.rim.net-1631833386-@bda957.bisx.prod.on.blackberry>
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com> <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com><4C9A3450.4040401@fsl.com> <763124281-1285175304-cardhu_decombobulator_blackberry.rim.net-1631833386-@bda957.bisx.prod.on.blackberry>
Message-ID: <0C8EE0CF5673471A8DDD8209E58E28E0@salemcorp.com>

Woot. Ok I have it working :P

I changed the cfhead.m4 by hand. I am working on the M4 Commands.
This is what I have so far.

define(`_REC_AUTH_', `_REC_FULL_AUTH_')
define(`_REC_FULL_AUTH_', `$.$?{auth_type}(user=${auth_authen} $?{auth_author}author=${auth_author} YOURTOKEN $.mech=${auth_type}')

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Wednesday, September 22, 2010 1:03 PM
To: MailScanner discussion
Subject: Re: Problem with Iphones

That's the beauty of the list. You can turn my crude thing into something more elegant ;-)
--

Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Steve Freegard
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 22 Sep 2010 17:52:32
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Problem with Iphones

Alex,

On 22/09/10 17:05, Alex Neuman wrote:
> You're using sendmail.
>
> Find cfhead.m4 - should be in /usr/share/sendmail-cf/m4 if you're using CentOS.
>
> Look for the line (on or near line 274) that says:
> define(`confRECEIVED_HEADER', `_REC_HDR_
>
> This is where the header is defined. The next line reads:
> _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)
>
> Change it to:
> _REC_FULL_AUTH_$?{auth_ssf} YOURTOKEN bits=${auth_ssf}$.)
>
> The REC_FULL_AUTH will give you a better idea of the username that authenticated - not just *the fact that the user did authenticate*.

Don't edit sendmail supplied m4 files. Edit /etc/mail/sendmail.mc instead; all of those macros should still be available to you there... e.g.

define(`confRECEIVED_HEADER', `......')dnl

> The YOURTOKEN would be something that's not obviously "your token" so it doesn't get picked up by spammers. This is what we'll look for using SA.
>
> Find your local.cf for spamassassin. This should be in /etc/mail/spamassassin. Go to the end and add:
>
> header YOURTOKEN ALL =~ /YOURTOKEN/

Yuck. Don't use 'ALL' when Received is far more appropriate. On messages with a lot of headers you'll waste a load of CPU and time.

Instead:

header YOURTOKEN Received =~ /foo/

You can also make it less spoofable using X-Spam-Relays-Trusted: metadata header added by SpamAssassin.

Run one of these messages through 'spamassassin -D -t < msg | grep X-Spam-Relays' and look what output you get for 'auth=' for an example message.

You can then write an un-spoofable rule (provided your TrustPath is correct) via:

header FOO X-Spam-Relays-Trusted =~ /auth=foo/i

With this method - you might not even need this particular rule as with the trust path correct; the OP's problem of hitting RCVD_IN_PBL, RDNS_DYNAMIC etc.
goes away as trusted hosts aren't tested.

Regards,
Steve.

From rob at poeweb.com Wed Sep 22 21:16:58 2010
From: rob at poeweb.com (Rob Poe)
Date: Wed Sep 22 21:17:09 2010
Subject: Problem with Iphones
In-Reply-To: <2DA18835-2FD9-407D-8437-6E2564DF546E@rtpty.com>
References: <4C9A1999.1020103@poeweb.com> <2DA18835-2FD9-407D-8437-6E2564DF546E@rtpty.com>
Message-ID: <4C9A643A.8000305@poeweb.com>

Never said it was security by obscurity. It's called letting your remote users auth to the "home" system instead of your MailScanner

On 9/22/2010 10:03 AM, Alex Neuman wrote:
> Security by obscurity is not security.
>
> Using SMTP AUTH - and checking/scoring for it at the SA level - would help a lot without compromising the security.
>
> On Sep 22, 2010, at 9:58 AM, Rob Poe wrote:
>
>
>> I set up a weird/strange port to the internal SMTP server and let the iPhones auth against the internal email server instead of trying to maintain users on the MailScanner servers.
>>
>

From alex at rtpty.com Wed Sep 22 21:26:20 2010
From: alex at rtpty.com (Alex Neuman)
Date: Wed Sep 22 21:31:46 2010
Subject: Problem with Iphones
In-Reply-To: <4C9A643A.8000305@poeweb.com>
References: <4C9A1999.1020103@poeweb.com><2DA18835-2FD9-407D-8437-6E2564DF546E@rtpty.com><4C9A643A.8000305@poeweb.com>
Message-ID: <38482895-1285187493-cardhu_decombobulator_blackberry.rim.net-365844397-@bda957.bisx.prod.on.blackberry>

The MS server should be able to reject at the MTA level any invalid users though, otherwise it'll backscatter.
--

Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Rob Poe
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Wed, 22 Sep 2010 15:16:58
To: MailScanner discussion
Reply-To: MailScanner discussion
Subject: Re: Problem with Iphones

Never said it was security by obscurity. It's called letting your remote users auth to the "home" system instead of your MailScanner

On 9/22/2010 10:03 AM, Alex Neuman wrote:
> Security by obscurity is not security.
>
> Using SMTP AUTH - and checking/scoring for it at the SA level - would help a lot without compromising the security.
>
> On Sep 22, 2010, at 9:58 AM, Rob Poe wrote:
>
>
>> I set up a weird/strange port to the internal SMTP server and let the iPhones auth against the internal email server instead of trying to maintain users on the MailScanner servers.
>>
>

From micoots at yahoo.com Thu Sep 23 03:00:44 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Thu Sep 23 03:00:54 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <4C9A0D0D.6020405@msapiro.net>
Message-ID: <649160.62943.qm@web33302.mail.mud.yahoo.com>

Hi Mark,

--- On Thu, 23/9/10, Mark Sapiro wrote:

> From: Mark Sapiro
> Subject: Re: Spam-Virus scoring not working any more for me
> To: "MailScanner discussion"
> Received: Thursday, 23 September, 2010, 12:05 AM
> On 11:59 AM, Michael Mansour wrote:
> >
> > Having tested this now, I can say that the removal of the ":" did not
> > affect it. These "infections":
>
> The colon is correct. It should be there in Spam-Virus Header in
> MailScanner.conf as it defines the header and the colon is part of the
> header. The lack of a colon in 'header' in the spamassassin file is also
> correct as this just references the 'name' of the header which does not
> include the colon.

Ok, I have re-added the colon in MailScanner.conf.

> Did you by chance change your org-name? I.e. I have
>
> Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
>
> in MailScanner.conf and
>
> header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report
>
> in spamassassin. This only works if
>
> %org-name% = GPC
>
> in MailScanner.conf.

I haven't changed the %org-name% no.

I do have a different setting for this though:

# Name of this host, or a name like "the MailScanner" if you want to hide
# the real hostname. It is used in the Help Desk note contained in the
# virus warnings sent to users.
# Remember you can use $HOSTNAME in here, so you might want to set it to
# Hostname = the %org-name% ($HOSTNAME) MailScanner
# This can also be the filename of a ruleset.
Hostname = %rules-dir%/hostname.rules

where I define:

FromOrTo: *@blah.com the blah ($HOSTNAME) mailscanner
FromOrTo: default the %org-name% ($HOSTNAME) Mailscanner

but I'm not sure that would impact any headers.

Another question, I use MailWatch, should the X-MailScanner-blah headers be present when viewing the message headers in MailWatch?

I don't see them in MailWatch, but when I release the message from MailWatch to my Inbox and view full headers, I see the MailScanner lines no problems.
> > Clamd: message was infected: INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL(b296e7ae61a7c8480c7219a4e2a27390:1916)
> >
> > still get blocked when I want them scored.
>
> If the above does not solve the problem, please post exactly what you
> have in Mailscanner.conf for "Spam-Virus Header" and "Virus Names Which
> Are Spam". In particular, does your "Virus Names Which Are Spam"
> pattern(s) match the virus name?

My settings are:

Spam-Virus Header = X-NPGX-MailScanner-SpamVirus-Report:

Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* MBL*UNOFFICIAL *SecuriteInfo*UNOFFICIAL INetMsg.SpamDomain*UNOFFICIAL NPGX.DomainAddr*UNOFFICIAL NPGX.EmailAddr.*UNOFFICIAL winnow*UNOFFICIAL

Yes, all the above do match the virus names presented when the clamd scanner finds the signature in the 3rd party DB.

All this really used to work fine but the last time I "noticed" it working was a couple of MailScanner versions ago (from the latest stable to the beta's before that). Somewhere down that line things broke and I didn't notice until recently.

Thanks for your help and suggestions so far.

Michael.

> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>

From Phil.Udel at SalemCorp.com Thu Sep 23 12:04:40 2010
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Thu Sep 23 12:04:51 2010
Subject: Problem with Iphones
In-Reply-To: <0C8EE0CF5673471A8DDD8209E58E28E0@salemcorp.com>
References: <950C7F95-7FFA-452B-AFB7-CD911F8653B8@rtpty.com> <08E4A7B3-D491-4108-85D0-4F05A81341CD@rtpty.com><4C9A3450.4040401@fsl.com><763124281-1285175304-cardhu_decombobulator_blackberry.rim.net-1631833386-@bda957.bisx.prod.on.blackberry> <0C8EE0CF5673471A8DDD8209E58E28E0@salemcorp.com>
Message-ID:

Thanks for all your help, You all really saved the Day.

From jvoorhees1 at gmail.com Thu Sep 23 14:36:23 2010
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Thu Sep 23 14:36:32 2010
Subject: Maximum Message Size, how do rules work?
In-Reply-To:
References:
Message-ID:

Any idea? :(

Maybe Julian?

On Wed, Sep 22, 2010 at 10:55 AM, Jason Voorhees wrote:
> Hi:
>
> On Wed, Sep 22, 2010 at 10:25 AM, Martin Hepworth wrote:
>> Does user1@domain.com sending internally to domain.com go via MS at all???
>>
>> Are there any MS email headers in the message when received to show that MS
>> has indeed scanned it?
>>
>> Have you got anything in the "Scan Messages" messages if its from and to
>> domain.com and from an internal address that says don't scan the email?
>>
>>
>
> 1. "Scan Messages = Yes" in MailScanner.conf
> 2. According to logs I'm sure that all those messages were scanned by
> MailScanner. Take a look at:
>
> http://pastebin.com/upLxLKf5
>
> This was a message of 1.9 MB (approx) that wasn't rejected by size.
>
> I forgot to mention this: MS is running integrated with Zimbra. But I
> believe this has nothing to do because it's just a typical
> postfix+header_checks configuration.
>
> Thanks
>

From mark at msapiro.net Thu Sep 23 15:26:01 2010
From: mark at msapiro.net (Mark Sapiro)
Date: Thu Sep 23 15:26:06 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <649160.62943.qm@web33302.mail.mud.yahoo.com>
References: <649160.62943.qm@web33302.mail.mud.yahoo.com>
Message-ID: <4C9B6379.6060306@msapiro.net>

On Sept 22 at 7:00 PM, Michael Mansour wrote:
>
> --- On Thu, 23/9/10, Mark Sapiro wrote:
>
> I haven't changed the %org-name% no.
>
> I do have a different setting for this though:

This is not relevant in your case. It only matters if you have the default or similar setting for Spam-Virus Header which includes %org-name%.

> Another question, I use MailWatch, should the X-MailScanner-blah headers be present when viewing the message headers in MailWatch?
>
> I don't see them in MailWatch, but when I release the message from MailWatch to my Inbox and view full headers, I see the MailScanner lines no problems.

I have never used MailWatch. I can't answer that.

>> If the above does not solve the problem, please post exactly what you
>> have in Mailscanner.conf for "Spam-Virus Header" and "Virus Names Which
>> Are Spam". In particular, does your "Virus Names Which Are Spam"
>> pattern(s) match the virus name?
>
> My settings are:
>
> Spam-Virus Header = X-NPGX-MailScanner-SpamVirus-Report:
>
> Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* MBL*UNOFFICIAL *SecuriteInfo*UNOFFICIAL INetMsg.SpamDomain*UNOFFICIAL NPGX.DomainAddr*UNOFFICIAL NPGX.EmailAddr.*UNOFFICIAL winnow*UNOFFICIAL
>
> Yes, all the above do match the virus names presented when the clamd scanner finds the signature in the 3rd party DB.

OK. What's in your logs? Do you have messages like

Sep 22 06:56:27 sbh16 MailScanner[10759]: Clamd::INFECTED:: Sanesecurity.Junk.12181.UNOFFICIAL :: ./835336900BC.A01F3/
Sep 22 06:56:27 sbh16 MailScanner[10759]: Found spam-virus Sanesecurity.Junk.12181.UNOFFICIAL in 835336900BC.A01F3

In particular, do you have the Found spam-virus message?

--
Mark Sapiro        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From ssilva at sgvwater.com Thu Sep 23 15:56:02 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 23 15:56:23 2010
Subject: Problem with Iphones
In-Reply-To:
References:
Message-ID:

on 9-22-2010 7:46 AM Phil Udel spake the following:
> HI, I am a long time user of Sendmail and Mailscanner but I have hit a problem
> that I can't seem to find a solution for. Currently I am using the latest
> version of everything on a centos 5.1 sandbox.
>

Just a side note...
You can't have CentOS 5.1 AND the latest of everything...
CentOS 5 is up to 5.5 now...
Are you that far behind on updates?

From alex at rtpty.com Thu Sep 23 17:45:03 2010
From: alex at rtpty.com (Alex Neuman)
Date: Thu Sep 23 17:50:29 2010
Subject: Problem with Iphones
In-Reply-To:
References:
Message-ID: <1023101108-1285260615-cardhu_decombobulator_blackberry.rim.net-142907314-@bda957.bisx.prod.on.blackberry>

True dat.
--

Alex Neuman
BBM 20EA17C5
+507 6781-9505
Skype:alex@rtpty.com

-----Original Message-----
From: Scott Silva
Sender: mailscanner-bounces@lists.mailscanner.info
Date: Thu, 23 Sep 2010 07:56:02
To:
Reply-To: MailScanner discussion
Subject: Re: Problem with Iphones

on 9-22-2010 7:46 AM Phil Udel spake the following:
> HI, I am a long time user of Sendmail and Mailscanner but I have hit a problem
> that I can't seem to find a solution for. Currently I am using the latest
> version of everything on a centos 5.1 sandbox.
>

Just a side note...
You can't have CentOS 5.1 AND the latest of everything...
CentOS 5 is up to 5.5 now...
Are you that far behind on updates?

From andrew.kerber at gmail.com Fri Sep 24 03:33:08 2010
From: andrew.kerber at gmail.com (Andrew Kerber) Date: Fri Sep 24 03:33:17 2010 Subject: newby question Message-ID: Ok, this is probably a newbie question, but I have googled thoroughly and can't find an answer. My mailserver went down with a bad hdd, I was using mailscanner/spamassassin/clam. It appears to be just the boot sectors that are damaged, so I managed to boot with linux rescue and mount the drives. However, I cannot get it to boot off the drive, and fsck shows all kinds of errors. I have stood up another server, but I need to figure out what to copy over to the server. I can read and copy all the files I need, or at least I think so. I just can't quite figure out what files I need. I don't really care about the messages, it's just all the accounts and passwords, as well as the mailscanner config files that I need to copy. I have /etc/mail and /etc/MailScanner copied. Can I just copy the linux OS and password files (redhat 5) to the new server? If so, what are those files? Should I just reinstall everything, then copy the config files? If so, what files? What other files do I need to copy? I have a usb drive that I am copying everything to, and I have another server stood up with the redhat (actually oel) install. It's not a business critical system obviously, but I think I will make a good backup next time. -- Andrew W. Kerber 'If at first you don't succeed, don't take up skydiving.' From iulianld at gmail.com Fri Sep 24 12:19:25 2010 
From: iulianld at gmail.com (Iulian L Dragomir) Date: Fri Sep 24 12:19:33 2010 Subject: newby question In-Reply-To: References: Message-ID: On Fri, Sep 24, 2010 at 5:33 AM, Andrew Kerber wrote: > I don't really care about the messages, it's just all the accounts and passwords, as well as the mailscanner config files that I need to copy. I have /etc/mail and /etc/MailScanner copied. Can I just copy the linux OS and password files (redhat 5) to the new server? If so, what are those files? > > Should I just reinstall everything, then copy the config files? If so, what files? > In a similar situation I found some good tips for user account migration in this tutorial: http://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/ Besides the /etc/MailScanner folder you need the files you modified (e.g. clamd.conf; /usr/lib/MailScanner/*.*; etc.). Other files may be required for MailWatch, spamassassin and associated programs (databases, configs, custom rules, etc.). Iulian L.D. From kkobb at skylinecorp.com Fri Sep 24 13:08:56 2010 
From: kkobb at skylinecorp.com (Kevin Kobb) Date: Fri Sep 24 13:09:11 2010 Subject: clamd and tnef error? In-Reply-To: <76415AED4CCF214F80FD9B0DA9A9EE4501373832@HC-MBX01.herefordshire.gov.uk> References: <4C8F44A4.5040807@sme-ecom.co.uk><4C8F74F3.3060205@sme-ecom.co.uk><4C8F7C7E.4010900@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE45013737E7@HC-MBX01.herefordshire.gov.uk><76415AED4CCF214F80FD9B0DA9A9EE45013737EC@HC-MBX01.herefordshire.gov.uk> <4C90CF6B.1050503@fsl.com><76415AED4CCF214F80FD9B0DA9A9EE4501373804@HC-MBX01.herefordshire.gov.uk> <4C90E7E5.5000303@fsl.com> <76415AED4CCF214F80FD9B0DA9A9EE4501373832@HC-MBX01.herefordshire.gov.uk> Message-ID: <4C9C94D8.4040504@skylinecorp.com> On 9/15/2010 12:05 PM, Randal, Phil wrote: > That doesn't work either, still get the lstat errors. > > If I get the time, I'll look a bit deeper into this. > > Phil > > -- > Phil Randal | Networks Engineer > NHS Herefordshire& Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > email: prandal@herefordshire.gov.uk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard > Sent: 15 September 2010 16:36 > To: MailScanner discussion > Subject: Re: clamd and tnef error? > > On 15/09/10 15:48, Randal, Phil wrote: >> Run As group = >> >> (not normally used for sendmail, says MailScanner.conf) >> >> AllowSupplementaryGroups Yes >> > > Then the 'fix' for this would appear to be to set: > > Run As Group = clamav (or whatever user/group clamav runs as) > *and* > Incoming Work Permissions = 0660 > > Regards, > Steve. > 
I was getting the same error messages. Except for switching away from the external TNEF package, I believe I tried all the suggestions and settings mentioned and still had the problem. Finally, I made this change to the TNEF.pm file: --- TNEF.pm.orig 2010-09-17 04:52:58.000000000 -0400 +++ TNEF.pm 2010-09-22 11:08:43.000000000 -0400 @@ -235,7 +235,7 @@ "$dir/$unpackdir"); return 0; } - chmod 0700, "$dir/$unpackdir"; + chmod 0770, "$dir/$unpackdir"; my $cmd = MailScanner::Config::Value('tnefexpander') . " -f $dir/$tnefname -C $dir/$unpackdir --overwrite"; This might not be the right answer, and I may have something else setup wrong, but since I did this I haven't had a single error. From jwithrow at matech.net Fri Sep 24 15:11:27 2010 From: jwithrow at matech.net (Joshua F. Withrow) Date: Fri Sep 24 15:13:20 2010 Subject: Deny Filetypes Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 7337 bytes Desc: image001.jpg Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100924/ce161aec/image001.jpg From wolfgang at sweet-haven.com Fri Sep 24 22:01:56 2010 
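Review bot: in the TNEF.pm hunk of Kevin Kobb's message above, the replacement line chmod 0770, "$dir/$unpackdir"; hard-codes group read, write and search access on the TNEF unpack directory, and nothing in the hunk sets or checks which group owns that directory, so the mode is only as tight as the group the MailScanner process happens to create it under. Consider deriving the mode from the configured work permissions instead of a literal (the thread pairs Run As Group = clamav with Incoming Work Permissions = 0660; a directory would need the matching execute bits), and check chmod's return value so that a failure is logged at this point rather than surfacing later as the scanner's lstat errors. If the literal stays, a comment stating that the group bits are there for the clamd group, and that the change relies on Run As Group being set accordingly, would explain why this is no longer 0700.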
From: wolfgang at sweet-haven.com (Lew Wolfgang) Date: Fri Sep 24 22:04:06 2010 Subject: Process on Message-ID header contents? Message-ID: <4C9D11C4.8060702@sweet-haven.com> Hi Folks, I've been getting blasted with porn-spam from hotmail.com for the past few weeks. The spam has been getting past my (rather old) MailScanner installation. It would be nice to just block everything from hotmail, but that won't work due to much legitimate traffic from there. I've noticed that there are always two "To:" addressees, the one legit plus one to *@live.com or *@wanadoo.fr. I tried making a blacklist rule to block on these addresses, but the one good address on the To: header is enough to complete delivery. Also, all of the spams have a common domain in the Message-ID: *@phx.gbl. Is there any way to have a blacklist.rules rule trigger on any "one" hit in the To: header? Alternatively, is there any way to process based on the Message-ID header? I'm sure there's a way to do this with spamassassin or procmail, but I'm rather rusty on both of them. Thanks, Lew Wolfgang From james at gray.net.au Sat Sep 25 23:47:27 2010 
From: james at gray.net.au (James Gray) Date: Sat Sep 25 23:47:54 2010 Subject: Spam-Virus scoring not working any more for me In-Reply-To: <4C9A0D0D.6020405@msapiro.net> References: <943946.78068.qm@web33302.mail.mud.yahoo.com> <4C9A0D0D.6020405@msapiro.net> Message-ID: <32AEE703-175A-4406-AF2C-69865E1408A8@gray.net.au> On 23/09/2010, at 12:05 AM, Mark Sapiro wrote: > On 11:59 AM, Michael Mansour wrote: >> >> Having tested this now, I can say that the removal of the ":" did not affect it. These "infections": > > > The colon is correct. It should be there in Spam-Virus Header in > MailScanner.conf as it defines the header and the colon is part of the > header. The lack of a colon in 'header' in the spamassassin file is also > correct as this just references the 'name' of the header which does not > include the colon. > > Did you by chance change your org-name? I.e. I have > > Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: > > in MailScanner.conf and > > header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report > > in spamassassin. This only works if > > %org-name% = GPC > > in MailScanner.conf. > > >> Clamd: message was infected: INetMsg.SpamDomain-2w.on9mail_com.UNOFFICIAL(b296e7ae61a7c8480c7219a4e2a27390:1916) >> >> still get blocked when I want them scored. > > > If the above does not solve the problem, please post exactly what you > have in Mailscanner.conf for "Spam-Virus Header" and "Virus Names Which > Are Spam". In particular, does your "Virus Names Which Are Spam" > pattern(s) match the virus name? Hi All, Even though I'm not on the latest MS version (4.80.1) I'm not seeing any effect on the message scoring with the unofficial signatures in ClamAV too. 
Here's an example from this morning: MailScanner.conf: Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: SpamAssassin rule: header MS_FOUND_SPAMVIRUS exists:X-MyOrg-MailScanner-SpamVirus-Report describe MS_FOUND_SPAMVIRUS ClamAV found a Spam Virus via MailScanner score MS_FOUND_SPAMVIRUS 5.899 Relevant message headers: X-MyOrg-MailScanner-SpamVirus-Report: Sanesecurity.Junk.32803.UNOFFICIAL X-MyOrg-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=30.564, required 5, autolearn=spam, BAYES_99 3.85, BODY_GAPPY_TEXT 1.92, HTML_MESSAGE 0.00, NO_RELAYS -0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.89, RAZOR2_CHECK 0.92, SUBJ_OBFU_REPLICA 5.11, SUBJ_SPAMWORD 0.20, SUBJ_SWISS_WATCH 2.11, SUBJ_WATCH 0.91, T_SURBL_MULTI1 0.01, T_SURBL_MULTI2 0.01, T_SURBL_MULTI3 0.01, T_SURBL_MULTI4 0.01, T_URIBL_BLACK_OVERLAP 0.01, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.73, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.25, URIBL_OB_SURBL 0.12, URIBL_SBL 1.62, URIBL_SC_SURBL 0.57, URIBL_WS_SURBL 1.61) Finally, the mail log for this batch (one message in it): Sep 26 07:14:07 MailScanner[6199]: New Batch: Scanning 1 messages, 8060 bytes Sep 26 07:14:08 MailScanner[6199]: Virus and Content Scanning: Starting Sep 26 07:14:13 MailScanner[6199]: 1732B7029C096.ABA62.header: Sanesecurity.Junk.32803.UNOFFICIAL FOUND Sep 26 07:14:13 MailScanner[6199]: Found spam-virus Sanesecurity.Junk.32803.UNOFFICIAL in 1732B7029C096.ABA62 Sep 26 07:14:13 MailScanner[6199]: tag found in message 1732B7029C096.ABA62 from izettanella_ys@cypressconsulting.com Sep 26 07:14:13 MailScanner[6199]: Virus Scanning completed at 1417 bytes per second Sep 26 07:14:13 MailScanner[6199]: Spam Checks: Starting Sep 26 07:14:19 MailScanner[6199]: Message 1732B7029C096.ABA62 from 10.0.0.50 (izettanella_ys@cypressconsulting.com) to MyServer is spam, SpamAssassin (not cached, score=30.564, required 5, autolearn=spam, BAYES_99 3.85, BODY_GAPPY_TEXT 1.92, HTML_MESSAGE 0.00, NO_RELAYS -0.00, 
RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.89, RAZOR2_CHECK 0.92, SUBJ_OBFU_REPLICA 5.11, SUBJ_SPAMWORD 0.20, SUBJ_SWISS_WATCH 2.11, SUBJ_WATCH 0.91, T_SURBL_MULTI1 0.01, T_SURBL_MULTI2 0.01, T_SURBL_MULTI3 0.01, T_SURBL_MULTI4 0.01, T_URIBL_BLACK_OVERLAP 0.01, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.73, URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.25, URIBL_OB_SURBL 0.12, URIBL_SBL 1.62, URIBL_SC_SURBL 0.57, URIBL_WS_SURBL 1.61) Sep 26 07:14:19 MailScanner[6199]: Spam Checks: Found 1 spam messages Sep 26 07:14:19 MailScanner[6199]: Delivery of spam: message 1732B7029C096.ABA62 from izettanella_ys@cypressconsulting.com to james@MyOrg with subject Perfect Watches Clones Cheap from $150. Buy Rep1icaWatches: Swiss Rep1icaWatch 2r Sep 26 07:14:19 MailScanner[6199]: Spam Actions: message 1732B7029C096.ABA62 actions are attachment,deliver,header Sep 26 07:14:19 MailScanner[6199]: Spam Checks completed at 1355 bytes per second Sep 26 07:14:19 MailScanner[6199]: Requeue: 1732B7029C096.ABA62 to AABA37029A7C5 Any takers?? Cheers, James From micoots at yahoo.com Sun Sep 26 03:31:17 2010 From: micoots at yahoo.com (Michael Mansour) Date: Sun Sep 26 03:31:28 2010 Subject: Spam-Virus scoring not working any more for me In-Reply-To: <4C9B6379.6060306@msapiro.net> Message-ID: <115698.78455.qm@web33302.mail.mud.yahoo.com> Hi Mark, --- On Fri, 24/9/10, Mark Sapiro wrote: 
> From: Mark Sapiro > Subject: Re: Re: Spam-Virus scoring not working any more for me > To: "MailScanner discussion" > Received: Friday, 24 September, 2010, 12:26 AM > On Sept 22 at 7:00 PM, Michael > Mansour wrote: > > > > --- On Thu, 23/9/10, Mark Sapiro > wrote: > > > > I haven't changed the %org-name% no. > > > > I do have a different setting for this though: > > > This is not relevant in your case. it only matters if you > have the > default or similar setting for Spam-Virus Header which > includes %org-name%. > > > > Another question, I use MailWatch, should the > X-MailScanner-blah headers be present when viewing the > message headers in MailWatch? > > > > I don't see them in MailWatch, but when I release the > message from MailWatch to my Inbox and view full headers, I > see the MailScanner lines no problems. > > > I have never used MailWatch. I can't answer that. > > > >> If the above does not solve the problem, please > post > >> exactly what you > >> have in Mailscanner.conf for "Spam-Virus Header" > and "Virus > >> Names Which > >> Are Spam". In particular, does your "Virus Names > Which Are > >> Spam" > >> pattern(s) match the virus name? > > > > My settings are: > > > > Spam-Virus Header = > X-NPGX-MailScanner-SpamVirus-Report: > > > > Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* > MBL*UNOFFICIAL *SecuriteInfo*UNOFFICIAL > INetMsg.SpamDomain*UNOFFICIAL NPGX.DomainAddr*UNOFFICIAL > NPGX.EmailAddr.*UNOFFICIAL winnow*UNOFFICIAL > > > > Yes, all the above do match the virus names presented > when the clamd scanner finds the signature in the 3rd party > DB. > > > OK. > > What's in your logs? 
Do you have messages like > > Sep 22 06:56:27 sbh16 MailScanner[10759]: > Clamd::INFECTED:: > Sanesecurity.Junk.12181.UNOFFICIAL :: ./835336900BC.A01F3/ > Sep 22 06:56:27 sbh16 MailScanner[10759]: Found spam-virus > Sanesecurity.Junk.12181.UNOFFICIAL in 835336900BC.A01F3 I get plenty of this stuff: Sep 26 00:11:34 server MailScanner[11193]: Clamd::INFECTED:: INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) :: ./o8PEBTxB019677/ Sep 26 00:11:49 server clamd[8474]: /home/MailScanner/incoming/11197/o8PEBhQ5020119.message: INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(45b8f7efd3217ee092b222ad2fb8e090:23955) FOUND > In particular, do you have the Found spam-virus message? No, nothing at all that says "spam-virus" and I've searched all current mail logs. Note that when this used to work, I do remember seeing the "spam-virus" responses from MailScanner in the logs. Could this have something to do with the Clam version? I'm using 3 packages of clamav, clamav-db, clamd from RPMforge and all are 0.96.3. Thanks. Michael. > -- > Mark Sapiro The highway is for gamblers, > San Francisco Bay Area, California better use > your sense - B. Dylan > From mikael at syska.dk Sun Sep 26 07:28:37 2010 
From: mikael at syska.dk (Mikael Syska) Date: Sun Sep 26 07:28:51 2010 Subject: MailScanner dying with a "unblessed reference" perl error Message-ID: Hi, I have a mailscanner server that keeps dying on me with the following error: root [/var/spool]# MailScanner --debug In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... Have a batch of 30 messages. Id: Can't call method "CombineReports" on unblessed reference at /usr/local/lib/MailScanner/MailScanner/MessageBatch.pm line 740. root [/var/spool]# It started today ... and I cannot find anything on google or anything ... completely lost here. I have another system ... almost identical ... that works just fine. I'm not sure what information you will need ... but please let me know. Maybe it's a known issue. The System information: FreeBSD 8.1 postfix-2.7.1,1 A secure alternative to widely-used Sendmail MailScanner-4.81.4_1 root [/var/spool]# MailScanner -v Running on FreeBSD spam02.onehosting.dk 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.81.4 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.02 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.30 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.07_03 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.68 HTML::Entities 3.68 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.06 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.428 MIME::Decoder 5.428 MIME::Decoder::UU 5.428 MIME::Head 5.428 MIME::Parser 3.08 MIME::QuotedPrint 5.428 MIME::Tools 0.14 Net::CIDR 1.25 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.07 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.21 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog missing Test::Pod 0.96 
Test::Simple 1.9721 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.68 Archive::Tar 0.23 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.82 DB_File 1.29 DBD::SQLite 1.615 DBI 1.16 Digest 1.02 Digest::HMAC 2.39 Digest::MD5 2.13 Digest::SHA1 1.01 Encode::Detect missing Error 0.2703 ExtUtils::CBuilder 2.2203 ExtUtils::ParseXS 2.38 Getopt::Long missing Inline 1.08 IO::String 1.10 IO::Zlib 2.27 IP::Country missing Mail::ClamAV 3.003001 Mail::SpamAssassin missing Mail::SPF missing Mail::SPF::Query 0.3607 Module::Build missing Net::CIDR::Lite 0.66 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP 4.028 NetAddr::IP missing Parse::RecDescent missing SAVI 3.22 Test::Harness missing Test::Manifest 2.0.0 Text::Balanced 1.55 URI 0.77 version missing YAML root [/var/spool]# From andrew.kerber at gmail.com Mon Sep 27 03:56:47 2010 
From: andrew.kerber at gmail.com (Andrew Kerber) Date: Mon Sep 27 03:56:57 2010 Subject: configuration copy issue Message-ID: Ok. I copied over my mailscanner configuration, all the directories from my old server. I can now send and receive as long as I am on my internal network. However, I cannot receive emails from any external network. I can telnet to the smtp port, and it appears to be correct, but I am not receiving any external emails. This is the output when connecting via smtp from an external ip. I don't see any problems, but no connection information even shows up in maillog: 220 dbakerber.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 26 Sep 2010 21:55:34 -0500 500 5.5.1 Command unrecognized: {{}" EHLO test 250-dbakerber.net Hello [10.12.1.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH LOGIN PLAIN 250-DELIVERBY 250 HELP -- Andrew W. Kerber 'If at first you don't succeed, don't take up skydiving.' From noel.butler at ausics.net Mon Sep 27 04:52:42 2010 
From: noel.butler at ausics.net (Noel Butler) Date: Mon Sep 27 04:52:59 2010 Subject: configuration copy issue In-Reply-To: References: Message-ID: <1285559562.10998.4.camel@tardis> Hi Andrew, On Sun, 2010-09-26 at 21:56 -0500, Andrew Kerber wrote: > Ok. I copied over my mailscanner configuration, all the directories > from my old server. I can now send and receive as long as I am on my > internal network. However, I cannot receive emails from any external > network. I can telnet to the smtp port, and it appears to be correct, > but I am not receiving any external emails, This is the output when > connecting via smtp from an external ip. I dont see any problems, but > no connection information even shows up in maillog: > > 220 dbakerber.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 26 Sep 2010 > 21:55:34 -0500 > 500 5.5.1 Command unrecognized: {{}" > EHLO test > 250-dbakerber.net Hello [10.12.1.1], pleased to meet you > 250-ENHANCEDSTATUSCODES > 250-PIPELINING > 250-8BITMIME > 250-SIZE > 250-DSN > 250-AUTH LOGIN PLAIN > 250-DELIVERBY > 250 HELP telnet mail.dbakerber.net 25 Trying 99.169.49.213... telnet: Unable to connect to remote host: Connection timed out Seems like a firewall or port forward issue. Also, why do you have two MX0's that are different names, but yet the same? Although it will not be your problem, I'd rather see you also clean your DNS as well, just leave the one in there that is mail.db..... Cheers From jdwirtz at cox.net Mon Sep 27 05:35:57 2010 
From: jdwirtz at cox.net (Jim Wirtz) Date: Mon Sep 27 05:36:07 2010 Subject: configuration copy issue In-Reply-To: References: Message-ID: <001201cb5dfd$7af840b0$70e8c210$@net> By chance did you change your sendmail.cf/mc dnl # The following causes sendmail to only listen on the IPv4 loopback address dnl # 127.0.0.1 and not on any other network devices. Remove the loopback dnl # address restriction to accept email from the internet or intranet. dnl # DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl Jim From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew Kerber Sent: Sunday, September 26, 2010 9:57 PM To: mailscanner@lists.mailscanner.info Subject: configuration copy issue Ok. I copied over my mailscanner configuration, all the directories from my old server. I can now send and receive as long as I am on my internal network. However, I cannot receive emails from any external network. I can telnet to the smtp port, and it appears to be correct, but I am not receiving any external emails, This is the output when connecting via smtp from an external ip. I dont see any problems, but no connection information even shows up in maillog: 220 dbakerber.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 26 Sep 2010 21:55:34 -0500 500 5.5.1 Command unrecognized: {{}" EHLO test 250-dbakerber.net Hello [10.12.1.1], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH LOGIN PLAIN 250-DELIVERBY 250 HELP -- Andrew W. Kerber 'If at first you dont succeed, dont take up skydiving.' From andrew.kerber at gmail.com Mon Sep 27 13:51:55 2010 
From: andrew.kerber at gmail.com (Andrew Kerber) Date: Mon Sep 27 13:52:03 2010 Subject: configuration copy issue In-Reply-To: <001201cb5dfd$7af840b0$70e8c210$@net> References: <001201cb5dfd$7af840b0$70e8c210$@net> Message-ID: Yes, I did change that setting. But it is looking like a firewall issue, ssh seems to be blocked externally also. Strange I didn't have that problem before. I wonder if my isp has decided to change some settings. I can't get back to it until tonight though, I appreciate the help. On Sun, Sep 26, 2010 at 11:35 PM, Jim Wirtz wrote: > By chance did you change your sendmail.cf/mc > > dnl # The following causes sendmail to only listen on the IPv4 loopback > address > > dnl # 127.0.0.1 and not on any other network devices. Remove the loopback > > dnl # address restriction to accept email from the internet or intranet. > > dnl # > > DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl > > > > Jim > > > > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Andrew Kerber > *Sent:* Sunday, September 26, 2010 9:57 PM > *To:* mailscanner@lists.mailscanner.info > *Subject:* configuration copy issue > > > > Ok. I copied over my mailscanner configuration, all the directories from > my old server. I can now send and receive as long as I am on my internal > network. However, I cannot receive emails from any external network. I can > telnet to the smtp port, and it appears to be correct, but I am not > receiving any external emails, This is the output when connecting via smtp > from an external ip. 
I don't see any problems, but no connection information > even shows up in maillog: > > 220 dbakerber.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 26 Sep 2010 21:55:34 > -0500 > 500 5.5.1 Command unrecognized: {{}" > EHLO test > 250-dbakerber.net Hello [10.12.1.1], pleased to meet you > 250-ENHANCEDSTATUSCODES > 250-PIPELINING > 250-8BITMIME > 250-SIZE > 250-DSN > 250-AUTH LOGIN PLAIN > 250-DELIVERBY > 250 HELP > > > -- > Andrew W. Kerber > > 'If at first you don't succeed, don't take up skydiving.' > > -- Andrew W. Kerber 'If at first you don't succeed, don't take up skydiving.' From mark at msapiro.net Mon Sep 27 14:08:14 2010 
From: mark at msapiro.net (Mark Sapiro) Date: Mon Sep 27 14:08:18 2010 Subject: Spam-Virus scoring not working any more for me In-Reply-To: <32AEE703-175A-4406-AF2C-69865E1408A8@gray.net.au> References: <943946.78068.qm@web33302.mail.mud.yahoo.com> <4C9A0D0D.6020405@msapiro.net> <32AEE703-175A-4406-AF2C-69865E1408A8@gray.net.au> Message-ID: <4CA0973E.2000303@msapiro.net> On 11:59 AM, James Gray wrote: > > > Even though I'm not on the latest MS version (4.80.1) I'm not seeing any effect on the message scoring with the unofficial signatures in CLamAV too. Here's an example from this morning: > > MailScanner.conf: > Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: > > SpamAssassin rule: > header MS_FOUND_SPAMVIRUS exists:X-MyOrg-MailScanner-SpamVirus-Report > describe MS_FOUND_SPAMVIRUS ClamAV found a Spam Virus via MailScanner > score MS_FOUND_SPAMVIRUS 5.899 > > Relevant message headers: > X-MyOrg-MailScanner-SpamVirus-Report: Sanesecurity.Junk.32803.UNOFFICIAL > X-MyOrg-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=30.564, required 5, autolearn=spam, BAYES_99 3.85, > BODY_GAPPY_TEXT 1.92, HTML_MESSAGE 0.00, NO_RELAYS -0.00, > RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.89, > RAZOR2_CHECK 0.92, SUBJ_OBFU_REPLICA 5.11, SUBJ_SPAMWORD 0.20, > SUBJ_SWISS_WATCH 2.11, SUBJ_WATCH 0.91, T_SURBL_MULTI1 0.01, > T_SURBL_MULTI2 0.01, T_SURBL_MULTI3 0.01, T_SURBL_MULTI4 0.01, > T_URIBL_BLACK_OVERLAP 0.01, URIBL_AB_SURBL 4.50, URIBL_BLACK 1.73, > URIBL_DBL_SPAM 1.70, URIBL_JP_SURBL 1.25, URIBL_OB_SURBL 0.12, > URIBL_SBL 1.62, URIBL_SC_SURBL 0.57, URIBL_WS_SURBL 1.61) [...] This is not the same issue that Michael Mansour has. In your case, this is strictly a spamassassin issue. The "X-MyOrg-MailScanner-SpamVirus-Report:" header is in the message and you have the spamassassin rule header MS_FOUND_SPAMVIRUS exists:X-MyOrg-MailScanner-SpamVirus-Report yet the rule doesn't trigger. 
Assuming "MyOrg" is the same string in both cases, spamassassin is not seeing your rule. Where is it? -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From davejones70 at gmail.com Mon Sep 27 14:35:39 2010 
From: davejones70 at gmail.com (Dave Jones) Date: Mon Sep 27 14:35:49 2010 Subject: X-???-MailScanner-SpamCheck: header empty when forwarding with rules Message-ID: Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes I am trying to send nonspam and spam to alternate mailboxes for copying email using rules with the forward action. When a forward comes from the Spam Actions rule, I get the subject tagged with spam like I expect and I get a full SpamCheck: header like below. However, when I put an email address in both Spam Actions and Non Spam Actions rule, I appear to get all email forwarded to my copy mailbox without any subject changes and the SpamCheck: is empty. The original recipient doesn't get the email when it's obviously High Spam based on the subject so the problem seems to only be with the forwarded address. Spam Actions = %rules-dir%/spam.actions.rules High Scoring Spam Actions = delete Non Spam Actions = %rules-dir%/nonspam.actions.rules X-???-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=8.939, required 6, DCC_CHECK 1.10, HTML_MESSAGE 0.50, INVALID_DATE 1.10, KAM_MX4 2.00, MIME_HTML_MOSTLY 0.43, MIME_QP_LONG_LINE 0.00, MPART_ALT_DIFF 0.79, SPF_PASS -0.20, T_DOS_OUTLOOK_TO_MX_IMAGE 0.01, URIBL_DBL_SPAM 1.70, URIBL_RHS_DOB 1.51) %rules-dir%/nonspam.actions.rules ========================== FromOrTo: mailbox@mydomain.com deliver forward mailbox@archive.mydomain.com FromOrTo: default deliver %rules-dir%/spam.actions.rules ======================= FromOrTo: mailbox@mydomain.com deliver striphtml forward mailbox@archive.mydomain.com FromOrTo: default deliver striphtml An interesting point to note is that when I put my archive address in as the default, everything appears to work properly and I receive the SpamCheck: header and the subjects are modified. I realize I could use the Archive feature but I wasn't sure if this feature followed the Actions rules. 
I don't want to copy High Scoring Spam. Does the Archive feature forward all email? Dave -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100927/96b7b554/attachment.html From mark at msapiro.net Mon Sep 27 14:37:32 2010 
From: mark at msapiro.net (Mark Sapiro) Date: Mon Sep 27 14:37:35 2010 Subject: Spam-Virus scoring not working any more for me In-Reply-To: <115698.78455.qm@web33302.mail.mud.yahoo.com> References: <115698.78455.qm@web33302.mail.mud.yahoo.com> Message-ID: <4CA09E1C.6050803@msapiro.net> On 11:59 AM, Michael Mansour wrote: > I get plenty of this stuff: > > Sep 26 00:11:34 server MailScanner[11193]: Clamd::INFECTED:: INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) :: ./o8PEBTxB019677/ And this says MailScanner got the report from clamd > No, nothing at all that says "spam-virus" and I've searched all current mail logs. Yet this says that MailScanner didn't recognize that INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) was a spam virus. > Note that when this used to work, I do remember seeing the "spam-virus" responses from MailScanner in the logs. > > Could this have something to do with the Clam version? I'm using 3 packages of clamav, clamav-db, clamd from RPMforge and all are 0.96.3. I'm running the same clamav/clamd and it works for me. I do note that my log entries do not contain things like (56c0464fb2737c4622779d0b765fb23d:29099) (apparently the signature that matched). Try adding * after UNOFFICIAL in your various "Virus Names Which Are Spam" patterns, e.g. INetMsg.SpamDomain*UNOFFICIAL* instead of just INetMsg.SpamDomain*UNOFFICIAL or possibly remove "LogVerbose yes" and/or "ExtendedDetectionInfo yes" (I don't know which controls this) from clamd.conf. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From davejones70 at gmail.com Mon Sep 27 14:45:37 2010 
From: davejones70 at gmail.com (Dave Jones) Date: Mon Sep 27 14:45:47 2010 Subject: X-???-MailScanner-SpamCheck: header empty when forwarding with rules In-Reply-To: References: Message-ID: Update: The problem seems to occur mainly when I have the forward in the nonspam.actions.rules file. I get all email to the forwarded address including High Spam that should be deleted. MailScanner Version Number = 4.79.11 On Mon, Sep 27, 2010 at 8:35 AM, Dave Jones wrote: > Detailed Spam Report = yes > Include Scores In SpamAssassin Report = yes > Always Include SpamAssassin Report = yes > > I am trying to send nonspam and spam to alternate mailboxes for copying > email using rules with the forward action. When a forward comes from the > Spam Actions rule, I get the subject tagged with spam like I expect and I > get a full SpamCheck: header like below. However, when I put an email > address in both Spam Actions and Non Spam Actions rule, I appear to get all > email forwarded to my copy mailbox without and subject changes and the > SpamCheck: is empty. The original recipient doesn't get the email when it's > obviously High Spam based on the subject so the problem seems to only be > with the forwarded address. 
> > Spam Actions = %rules-dir%/spam.actions.rules > High Scoring Spam Actions = delete > Non Spam Actions = %rules-dir%/nonspam.actions.rules > > X-???-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=8.939, > required 6, DCC_CHECK 1.10, HTML_MESSAGE 0.50, INVALID_DATE 1.10, > KAM_MX4 2.00, MIME_HTML_MOSTLY 0.43, MIME_QP_LONG_LINE 0.00, > MPART_ALT_DIFF 0.79, SPF_PASS -0.20, T_DOS_OUTLOOK_TO_MX_IMAGE 0.01, > URIBL_DBL_SPAM 1.70, URIBL_RHS_DOB 1.51) > > %rules-dir%/nonspam.actions.rules > ========================== > FromOrTo: mailbox@mydomain.com deliver forward > mailbox@archive.mydomain.com > FromOrTo: default deliver > > %rules-dir%/spam.actions.rules > ======================= > FromOrTo: mailbox@mydomain.com deliver striphtml forward > mailbox@archive.mydomain.com > FromOrTo: default deliver striphtml > > An interesting point to note is that when I put my archive address in as > the default, everything appears to work properly and I receive the > SpamCheck: header and the subjects are modified. > > I realize I could use the Archive feature but I wasn't sure if this feature > followed the Actions rules. I don't want to copy High Scoring Spam. Does > the Archive feature forward all email? > > Dave > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20100927/5839d179/attachment.html From hvdkooij at vanderkooij.org Mon Sep 27 15:42:16 2010 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Sep 27 15:47:58 2010 Subject: Maximum Message Size, how do rules work? In-Reply-To: References: Message-ID: from= to= On Wed, 22 Sep 2010 09:52:28 -0500, Jason Voorhees wrote: > From: user1@domain.com 1M > From: user2@domain.com 2M > From: user3@domain.com 4M 
> From: *@domain.com 512K
> To: *@domain.com 2M
> FromOrTo: default 0

So we get 1 hit on the sender user1@domain.com and another one at the recipient where users7 matches the wildcard.

So what happens with an extra line on top:

From: *@domain.com AND To: *@domain 1M

Rulesets should be handled based on the first hit.

Also make absolutely sure you did not paste in any odd character. I prefer to use tabs exclusively in the rules files. But cutting and pasting may convert tabs to spaces. So when in doubt make sure you type in the proper lines to test with.

On first glance your file seems to match the documentation on http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:readme

But looks can be rather deceitful.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From iulianld at gmail.com Tue Sep 28 08:24:19 2010
From: iulianld at gmail.com (Iulian L Dragomir)
Date: Tue Sep 28 08:24:29 2010
Subject: configuration copy issue
In-Reply-To:
References: <001201cb5dfd$7af840b0$70e8c210$@net>
Message-ID:

Andrew,

Few suggestions for a successful transition:

Backup your new machine files before modifying.

Change the ip of the new machine to match the old machine ip or modify your external firewall in order to forward the ports to your new machine.

Import from the old server the named configs ( /var/named/) and also the dovecot settings if you use it.

If you use certificates with saslauthd you need to import them also.

From J.Ede at birchenallhowden.co.uk Tue Sep 28 09:13:07 2010
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Sep 28 09:13:46 2010
Subject: OT postfix multiple instances and recipient verification
Message-ID:

I'm thinking of using multiple postfix instances to split up emails with multiple recipients (to make sure blacklisting and whitelisting works properly) and maybe to sign some outbound emails using domain keys...

From what I've read on the postfix documentation I'll have an inbound postfix instance that just passes all email on internally via a port I specify to the next instance where MS does its work and then sends it on to the destination server. All of this seems relatively straightforward so far.

However, I use recipient verification to make sure we only accept emails that can be delivered. As the inbound postfix will not have any direct SMTP out then will this still work as it won't be able to check where the emails are going to as it just passes all emails on to another port? I could put a transports file in place, but surely that would contradict a relayhosts setting in main.cf?

Also have others used multiple instances like this before with MS and what is the performance hit in having multiple instances? Are there any gotchas that I need to be aware of?

Jason

From twiztar at gmail.com Tue Sep 28 09:34:12 2010
From: twiztar at gmail.com (Erik Weber)
Date: Tue Sep 28 09:34:21 2010
Subject: OT postfix multiple instances and recipient verification
In-Reply-To:
References:
Message-ID:

On Tue, Sep 28, 2010 at 10:13 AM, Jason Ede wrote:

> I'm thinking of using multiple postfix instances to split up emails with
> multiple recipients (to make sure blacklisting and whitelisting works
> properly) and maybe to sign some outbound emails using domain keys...
>
> From what I've read on the postfix documentation I'll have an inbound
> postfix instance that just passes all email on internally via a port I
> specify to the next instance where MS does its work and then sends it on to
> the destination server. All of this seems relatively straightforward so far.
>
> However, I use recipient verification to make sure we only accept emails
> that can be delivered. As the inbound postfix will not have any direct SMTP
> out then will this still work as it won't be able to check where the emails
> are going to as it just passes all emails on to another port? I could put a
> transports file in place, but surely that would contradict a relayhosts
> setting in main.cf?

Take a look at address_verify_default_transport and/or address_verify_transport_maps (and the other address_verify_* settings), they're there for settings like these.

--
Erik

From hvdkooij at vanderkooij.org Tue Sep 28 13:17:54 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 28 13:23:38 2010
Subject: configuration copy issue
In-Reply-To:
References: <001201cb5dfd$7af840b0$70e8c210$@net>
Message-ID:

On Mon, 27 Sep 2010 07:51:55 -0500, Andrew Kerber wrote:

Yes, I did change that setting. But it is looking like a firewall issue, ssh seems to be blocked externally also. Strange I didn't have that problem before. I wonder if my isp has decided to change some settings. I can't get back to it until tonight though, I appreciate the help.

I actually expect ISP to start shutting down SMTP and other ports to endusers.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From hvdkooij at vanderkooij.org Tue Sep 28 13:20:45 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 28 13:26:26 2010
Subject: Process on Message-ID header contents?
In-Reply-To: <4C9D11C4.8060702@sweet-haven.com>
References: <4C9D11C4.8060702@sweet-haven.com>
Message-ID: <8a8577b475dbf6c2fa139064c6ae885c@127.0.0.1>

On Fri, 24 Sep 2010 14:01:56 -0700, Lew Wolfgang wrote:

> Hi Folks,
>
> I've been getting blasted with porn-spam from hotmail.com for the past few
> weeks.
> The spam has been getting past my (rather old) MailScanner installation.
> It would be
> nice to just block everything from hotmail, but that won't work due to
> much
> legitimate traffic from there.

Please pastebin a sample somewhere so we can inspect all headers.

Also tell us which MTA you are using so suggestions may include MTA specific solutions.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From andrew.kerber at gmail.com Tue Sep 28 13:31:49 2010
From: andrew.kerber at gmail.com (Andrew Kerber)
Date: Tue Sep 28 13:31:58 2010
Subject: configuration copy issue
In-Reply-To:
References: <001201cb5dfd$7af840b0$70e8c210$@net>
Message-ID:

Got it working finally last night. Looks like a hardware issue. When I first put up the mailserver I had to talk to my ISP to get them to open port 25. They did it without any fuss at all. However, I have two different routers behind the ISP router with public IP's. The ISP router is supposed to open the firewall whenever it assigns a public, as opposed to private ip. But it looks like to me it will actually only open the firewall for one public IP at a time, even though it says it has both unblocked. I plan to work with it some more tonight to see if there are any ways around it.

On Tue, Sep 28, 2010 at 7:17 AM, Hugo van der Kooij <hvdkooij@vanderkooij.org> wrote:

> On Mon, 27 Sep 2010 07:51:55 -0500, Andrew Kerber
> wrote:
>
> Yes, I did change that setting. But it is looking like a firewall issue,
> ssh seems to be blocked externally also. Strange I didn't have that problem
> before. I wonder if my isp has decided to change some settings. I can't get
> back to it until tonight though, I appreciate the help.
>
> I actually expect ISP to start shutting down SMTP and other ports to
> endusers.
>
> Hugo.
>
> -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

--
Andrew W. Kerber
'If at first you dont succeed, dont take up skydiving.'

From hvdkooij at vanderkooij.org Tue Sep 28 15:46:48 2010
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Sep 28 15:52:30 2010
Subject: MailScanner dying with a "unblessed reference" perl error
In-Reply-To:
References:
Message-ID:

On Sun, 26 Sep 2010 08:28:37 +0200, Mikael Syska wrote:

> I have another system ... almost identical ... that works just fine.

Almost identical doesn't count with computers ;-)

What is the exact perl version on both systems?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From mikael at syska.dk Tue Sep 28 18:46:11 2010
From: mikael at syska.dk (Mikael Syska)
Date: Tue Sep 28 18:46:27 2010
Subject: MailScanner dying with a "unblessed reference" perl error
In-Reply-To:
References:
Message-ID:

Hi,

Well ... almost identical ... yes, I know, that does not count with computers.

Upgraded to FreeBSD 8.1 did not fix the issue.
Upgraded to Perl 4.12 did not fix the issue.

So I removed all mails from the queue ... and let it run for a while with Virus disabled all the time. And seem to do the trick ... I haven't tested yet with Virus scanner enabled and some 3 part SA rules. But I will let you know if I can reproduce the problem ... right now I'm just happy the system runs again.

Still ... the odd thing is that it just started to crash ... so maybe a special "clamd" rule made it crash sometimes ...

But one thing I tried, not sure if it's anything I need to be scared about is this:

truss -p 3000 ( the process id )

Gives me this:

lseek(17,0x51,SEEK_SET) = 81 (0x51)
lseek(17,0x0,SEEK_CUR) = 81 (0x51)
lseek(17,0x236,SEEK_SET) = 566 (0x236)
lseek(17,0x0,SEEK_CUR) = 566 (0x236)
read(17,"N0Received: from KSTWDTNMV (unkn"...,4096) = 2211 (0x8a3)
lseek(17,0x60e,SEEK_SET) = 1550 (0x60e)
lseek(17,0x0,SEEK_CUR) = 1550 (0x60e)
lseek(17,0x60e,SEEK_SET) = 1550 (0x60e)
lseek(17,0x0,SEEK_CUR) = 1550 (0x60e)
read(17,"N,This is a multi-part message i"...,4096) = 1227 (0x4cb)
pipe(0xbfbfe724) = 0 (0x0)
ioctl(18,TIOCGETA,0xbfbfe570) ERR#25 'Inappropriate ioctl for device'
lseek(18,0x0,SEEK_CUR) ERR#29 'Illegal seek'
ioctl(19,TIOCGETA,0xbfbfe570) ERR#25 'Inappropriate ioctl for device'
lseek(19,0x0,SEEK_CUR) ERR#29 'Illegal seek'
fcntl(18,F_SETFD,FD_CLOEXEC) = 0 (0x0)
fcntl(19,F_SETFD,FD_CLOEXEC) = 0 (0x0)
lseek(17,0xad7,SEEK_SET) = 2775 (0xad7)
lseek(17,0x0,SEEK_CUR) = 2775 (0xad7)
fork() = 92101 (0x167c5)
close(19) = 0 (0x0)
sigprocmask(SIG_BLOCK,SIGALRM,0x0) = 0 (0x0)
sigaction(SIGALRM,{ 0x28112200 0x0 ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0) = 0 (0x0)
setitimer(0,{0.000000, 150.000000 },{0.000000, 0.000000 }) = 0 (0x0)
read(18,"16.191\n",4096) = 7 (0x7)
read(18,"spam\n",4096) = 5 (0x5)
read(18,"BAYES_99 3.50, FSL_HELO_NON_FQDN"...,4096) = 267 (0x10b)
read(18,"Spam detection software, running"...,4096) = 2193 (0x891)
close(18) = 0 (0x0)
wait4(0x167c5,0xbfbfe728,0x0,0x0,0x2,0x281c6bf8) = 92101 (0x167c5)
setitimer(0,{0.000000, 0.000000 },{0.000000, 143.106027 }) = 0 (0x0)
sigprocmask(SIG_BLOCK,SIGALRM,0x0) = 0 (0x0)
sigaction(SIGALRM,{ SIG_DFL 0x0 ss_t },{ 0x28112200 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0) = 0 (0x0)
setitimer(0,{0.000000, 0.000000 },{0.000000, 0.000000 }) = 0 (0x0)
sigprocmask(SIG_UNBLOCK,SIGALRM,0x0) = 0 (0x0)
umask(0x3f,0x94a8404,0x1da7b,0x281200be,0x281c8d64,0x2f) = 63 (0x3f)
getpid() = 83106 (0x144a2)
__sysctl(0xbfbfe5e0,0x4,0x0,0x0,0x28ce2800,0x26) = 0 (0x0)
getpid() = 83106 (0x144a2)
__sysctl(0xbfbfe5e0,0x4,0x0,0x0,0x28ce2800,0x28) = 0 (0x0)
lseek(10,0x0,SEEK_SET) = 0 (0x0)
lseek(10,0x0,SEEK_CUR) = 0 (0x0)
read(10,"CO 1766 63"...,4096) = 2422 (0x976)
lseek(10,0x51,SEEK_SET) = 81 (0x51)
lseek(10,0x0,SEEK_CUR) = 81 (0x51)
lseek(10,0x27d,SEEK_SET) = 637 (0x27d)
lseek(10,0x0,SEEK_CUR) = 637 (0x27d)
read(10,"NAReceived: from nr-drn.pairerci"...,4096) = 1785 (0x6f9)
lseek(10,0x528,SEEK_SET) = 1320 (0x528)
lseek(10,0x0,SEEK_CUR) = 1320 (0x528)
lseek(10,0x528,SEEK_SET) = 1320 (0x528)
lseek(10,0x0,SEEK_CUR) = 1320 (0x528)
read(10,"N\^[Top medical alert companiesN"...,4096) = 1102 (0x44e)
pipe(0xbfbfe724) = 0 (0x0)
ioctl(18,TIOCGETA,0xbfbfe570) ERR#25 'Inappropriate ioctl for device'
lseek(18,0x0,SEEK_CUR) ERR#29 'Illegal seek'
ioctl(19,TIOCGETA,0xbfbfe570) ERR#25 'Inappropriate ioctl for device'
lseek(19,0x0,SEEK_CUR) ERR#29 'Illegal seek'
fcntl(18,F_SETFD,FD_CLOEXEC) = 0 (0x0)
fcntl(19,F_SETFD,FD_CLOEXEC) = 0 (0x0)
lseek(10,0x965,SEEK_SET) = 2405 (0x965)
lseek(10,0x0,SEEK_CUR) = 2405 (0x965)
fork() = 92121 (0x167d9)
close(19) = 0 (0x0)
sigprocmask(SIG_BLOCK,SIGALRM,0x0) = 0 (0x0)
sigaction(SIGALRM,{ 0x28112200 0x0 ss_t },{ SIG_DFL 0x0 ss_t }) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0) = 0 (0x0)
setitimer(0,{0.000000, 150.000000 },{0.000000, 0.000000 }) = 0 (0x0)

Make a notice of the ERR# messages in the above output ...

ps ax | grep "MailS" show me that the MS processes was waiting to deliver Uninfected messages ....

When running "top" ..... the State of the processes was "fifoow" and someone told me it was a locking issue ... :-s

But ... I'm still investigating things ... but if anyone got ideas ... do please let me know.

Thanks
Mikael Syska

On Tue, Sep 28, 2010 at 4:46 PM, Hugo van der Kooij wrote:
> On Sun, 26 Sep 2010 08:28:37 +0200, Mikael Syska wrote:
>
>> I have another system ... almost identical ... that works just fine.
>
> Almost identical doesn't count with computers ;-)
>
> What is the exact perl version on both systems?
>
> Hugo.
>
> --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

From campbell at cnpapers.com Tue Sep 28 19:27:04 2010
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Sep 28 19:27:46 2010
Subject: OT - sendmail undying processes
Message-ID: <4CA23378.10708@cnpapers.com>

I'm using sendmail. Whenever a process gets blocked by either my access file rules or a dnsbl, the email gets stopped right away, but the process seems to be hanging on for about an hour (indicating "cmd read")

Does anyone know what a good option for this might be in my sendmail configuration? I've adjusted most of my parms a long time ago, but apparently this one particular option escapes me and isn't redefined.

Thanks for any ideas.

Steve Campbell

From wolfgang at sweet-haven.com Tue Sep 28 20:26:15 2010
From: wolfgang at sweet-haven.com (Lew Wolfgang) Date: Tue Sep 28 20:26:31 2010 Subject: Process on Message-ID header contents? In-Reply-To: <8a8577b475dbf6c2fa139064c6ae885c@127.0.0.1> References: <4C9D11C4.8060702@sweet-haven.com> <8a8577b475dbf6c2fa139064c6ae885c@127.0.0.1> Message-ID: <4CA24157.3030608@sweet-haven.com> On 09/28/2010 05:20 AM, Hugo van der Kooij wrote: > On Fri, 24 Sep 2010 14:01:56 -0700, Lew Wolfgang > > wrote: >> Hi Folks, >> >> I've been getting blasted with porn-spam from hotmail.com for the past > few >> weeks. >> The spam has been getting past my (rather old) MailScanner installation. >> It would be >> nice to just block everything from hotmail, but that won't work due to >> much >> legitimate traffic from there. > Please pastebin a sample somewhere so we can inspect all headers. > > Also tell us which MTA you are using so suggestions may include MTA > specific solutions. Hi Hugo, I've included a paste of a recent spam below. The "phx.gbl" in the Message-ID header is common in all these spams, as are the two addresses on the To: line. The live.com accounts don't exist. There's also some Bayes spoilage in each message. The last relay has always been in the hotmail.com domain, but different actual servers show up. MTA is sendmail. Regards, Lew Received: from snt0-omc4-s32.snt0.hotmail.com (snt0-omc4-s32.snt0.hotmail.com [65.55.90.235]) by sanrail.com (8.12.11.20060308/8.12.10/SuSE Linux 0.7) with ESMTP id o8SG74a7013200 for; Tue, 28 Sep 2010 09:07:10 -0700 Received: from SNT135-W16 ([65.55.90.200]) by snt0-omc4-s32.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 28 Sep 2010 09:07:02 -0700 Message-ID: Content-Type: multipart/alternative; boundary="_8336028d-e177-48a9-8f40-59061affa14e_" X-Originating-IP: [77.203.214.143] 
From: Avis Ludwig To:, Subject: Check Hot Russians Absiolutely Free Photos Date: Tue, 28 Sep 2010 16:07:01 +0000 Importance: Normal MIME-Version: 1.0 X-OriginalArrivalTime: 28 Sep 2010 16:07:02.0483 (UTC) FILETIME=[300ECA30:01CB5F27] X-Sanrail-MailScanner-Information: Please contact postmaster@sanrail.com for more information X-Sanrail-MailScanner: Found to be clean X-Sanrail-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.102, required 3.2, autolearn=not spam, BAYES_00 -2.60, HTML_40_50 0.50, HTML_MESSAGE 0.00) X-Sanrail-MailScanner-From: avilliigle@hotmail.com --_8336028d-e177-48a9-8f40-59061affa14e_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Check Hot Russians Absiolutely Free Photos dog down?The top dog in this kennel=2C whom I am sure you will be meeting s= oon=2C Was the explosion an accident? If it wasnt-who caused it? There aret= here with us=2C singing the song. You could see that? The difference is obv= ious I suppose=2C to someonethe note in my palm when I read it. On the seve= nth day we did not rest. After a final round of rehearsal = --_8336028d-e177-48a9-8f40-59061affa14e_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Check H= ot Russians Absiolutely Free Photos
dog down?The top dog in this kennel=2C whom I am sure you will be meet= ing soon=2C Was the explosion an accident? If it wasnt-who caused it? There= arethere with us=2C singing the song. You could see that? The difference i= s obvious I suppose=2C to someonethe note in my palm when I read it. On the= seventh day we did not rest. After a final round of rehearsal
= = --_8336028d-e177-48a9-8f40-59061affa14e_--

From ssilva at sgvwater.com Tue Sep 28 20:59:50 2010
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Sep 28 21:00:18 2010
Subject: OT - sendmail undying processes
In-Reply-To: <4CA23378.10708@cnpapers.com>
References: <4CA23378.10708@cnpapers.com>
Message-ID:

on 9-28-2010 11:27 AM Steve Campbell spake the following:
> I'm using sendmail. Whenever a process gets blocked by either my access file
> rules or a dnsbl, the email gets stopped right away, but the process seems to
> be hanging on for about an hour (indicating "cmd read")
>
> Does anyone know what a good option for this might be in my sendmail
> configuration? I've adjusted most of my parms a long time ago, but apparently
> this one particular option escapes me and isn't redefined.
>
> Thanks for any ideas.
>
> Steve Campbell
>
Have you tried all of this?
http://weldonwhipple.com/sendmail/dossed.html

(The old Technoids stuff)

From steve.freegard at fsl.com Tue Sep 28 21:49:15 2010
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Sep 28 21:49:27 2010
Subject: Process on Message-ID header contents?
In-Reply-To: <4CA24157.3030608@sweet-haven.com>
References: <4C9D11C4.8060702@sweet-haven.com> <8a8577b475dbf6c2fa139064c6ae885c@127.0.0.1> <4CA24157.3030608@sweet-haven.com>
Message-ID: <4CA254CB.30407@fsl.com>

On 28/09/10 20:26, Lew Wolfgang wrote:
> The "phx.gbl" in the Message-ID header is common in all these spams, as
> are the two addresses on the To: line.

All mail from Hotmail/Live will have Message-IDs ending in @phx.gbl, so you don't want to add a rule for that.

How about something like this (UNTESTED):

header __TO_WOLFGANG To =~ /wolfgang\@sweet-haven\.com/i
header __TO_WOLFGANG79 To =~ /wolfgang79\@live\.com/i
meta LOCAL_WOLFGANG_SPAM (__TO_WOLFGANG && __TO_WOLFGANG79)
score LOCAL_WOLFGANG_SPAM 5.0

Regards,
Steve.

From wolfgang at sweet-haven.com Tue Sep 28 22:53:07 2010
From: wolfgang at sweet-haven.com (Lew Wolfgang)
Date: Tue Sep 28 22:53:25 2010
Subject: Process on Message-ID header contents?
In-Reply-To: <4CA254CB.30407@fsl.com>
References: <4C9D11C4.8060702@sweet-haven.com> <8a8577b475dbf6c2fa139064c6ae885c@127.0.0.1> <4CA24157.3030608@sweet-haven.com> <4CA254CB.30407@fsl.com>
Message-ID: <4CA263C3.2070502@sweet-haven.com>

On 09/28/2010 01:49 PM, Steve Freegard wrote:
> On 28/09/10 20:26, Lew Wolfgang wrote:
>> The "phx.gbl" in the Message-ID header is common in all these spams, as
>> are the two addresses on the To: line.
>
> All mail from Hotmail/Live will have Message-IDs ending in @phx.gbl, so you don't want to add a rule for that.
>
> How about something like this (UNTESTED):
>
> header __TO_WOLFGANG To =~ /wolfgang\@sweet-haven\.com/i
> header __TO_WOLFGANG79 To =~ /wolfgang79\@live\.com/i
> meta LOCAL_WOLFGANG_SPAM (__TO_WOLFGANG && __TO_WOLFGANG79)
> score LOCAL_WOLFGANG_SPAM 5.0

Hi Steve,

Ah, I didn't know about the phx.gbl thing. This implies that the spam is being created organically by hotmail/live customers, right?

I'd rather not use a user-specific filter, there are about 350 other users on this MTA, most without local accounts.

Interesting problem, thanks for your help.

Regards,
Lew

From mrebsamen at unimatrix0.ch Wed Sep 29 09:48:15 2010
From: mrebsamen at unimatrix0.ch (Marco Rebsamen)
Date: Wed Sep 29 09:48:30 2010
Subject: "Notices To" As a ruleset
Message-ID:

Hello Everybody

I set the parameter "Notices to" to %rules-dir%/notice_recipients.rules . But now I have seen in the logfile that the notice messages are delivered to this:

/etc/mailscanner/rules/notice_recipients.rules@mx-rel.unimatrix0.ch

which I guess isn't correct obviously.... What did happen here ??

Thank you

From campbell at cnpapers.com Wed Sep 29 14:00:14 2010
From: campbell at cnpapers.com (Steve Campbell)
Date: Wed Sep 29 14:00:29 2010
Subject: OT - sendmail undying processes
In-Reply-To:
References: <4CA23378.10708@cnpapers.com>
Message-ID: <4CA3385E.7030509@cnpapers.com>

On 9/28/2010 3:59 PM, Scott Silva wrote:
> on 9-28-2010 11:27 AM Steve Campbell spake the following:
>> I'm using sendmail. Whenever a process gets blocked by either my access file
>> rules or a dnsbl, the email gets stopped right away, but the process seems to
>> be hanging on for about an hour (indicating "cmd read")
>>
>> Does anyone know what a good option for this might be in my sendmail
>> configuration? I've adjusted most of my parms a long time ago, but apparently
>> this one particular option escapes me and isn't redefined.
>>
>> Thanks for any ideas.
>>
>> Steve Campbell
>>
> Have you tried all of this?
> http://weldonwhipple.com/sendmail/dossed.html
>
> (The old Technoids stuff)

Most of those were defined ages ago. It appears that the command timeout, define(confTO_COMMAND did the trick. I reset it from the default to 2 minutes and now see that these processes die after two minutes.

I still don't understand why Sendmail doesn't kill them outright after being denied by the DNSBL rules, but just glad to fix it.

steve

From micoots at yahoo.com Thu Sep 30 04:57:48 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Thu Sep 30 04:58:00 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <4CA09E1C.6050803@msapiro.net>
Message-ID: <905647.13494.qm@web33305.mail.mud.yahoo.com>

Hi Mark,

Thank you for analysing my output and your reply.

--- On Mon, 27/9/10, Mark Sapiro wrote: > From: Mark Sapiro > Subject: Re: Re: Re: Spam-Virus scoring not working any more for me > To: "MailScanner discussion" > Received: Monday, 27 September, 2010, 11:37 PM > On 11:59 AM, Michael Mansour wrote: > > > I get plenty of this stuff: > > > > Sep 26 00:11:34 server MailScanner[11193]: > Clamd::INFECTED:: > INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) > :: ./o8PEBTxB019677/ > > > And this says MailScanner got the report from clamd > > > > No, nothing at all that says "spam-virus" and I've > searched all current mail logs. > > > Yet this says that MailScanner didn't recognize that > INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) > was a spam virus. > > > > Note that when this used to work, I do remember seeing > the "spam-virus" responses from MailScanner in the logs. > > > > Could this have something to do with the Clam version? > I'm using 3 packages of clamav, clamav-db, clamd from > RPMforge and all are 0.96.3. > > > I'm running the same clamav/clamd and it works for me. I do > note that my > log entries do not contain things like > (56c0464fb2737c4622779d0b765fb23d:29099) (apparently the > signature that > matched). Try adding * after UNOFFICIAL in your various > "Virus Names > Which Are Spam" patterns, e.g. > INetMsg.SpamDomain*UNOFFICIAL* instead of > just INetMsg.SpamDomain*UNOFFICIAL or possibly remove > "LogVerbose yes" > and/or "ExtendedDetectionInfo yes" (I don't know which > controls this) > from clamd.conf. I've added the "*" after the "UNOFFICIAL" to hopefully match the clamd output. I've checked the clamd.conf file and have: # Enable verbose logging. # Default: no #LogVerbose yes # Provide additional information about the infected file, such as its # size and hash, together with the virus name. It's recommended to enable # this option along with SubmitDetectionStats in freshclam.conf. 
#ExtendedDetectionInfo yes
ExtendedDetectionInfo yes

So it's the second option which is enabled. I enable this to provide virus stats to Clam. I'll leave this enabled for now and monitor the mail queues/virus detected files to see if the "*" has fixed it.

If not, I'll disable the ExtendedDetectionInfo setting and try again.

Hopefully your "*" recommendation has fixed the issue. I'll post to the list when I find out.

Thanks.

Michael.

> --
> Mark Sapiro        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan

From micoots at yahoo.com Thu Sep 30 09:11:50 2010
From: micoots at yahoo.com (Michael Mansour)
Date: Thu Sep 30 09:12:01 2010
Subject: Spam-Virus scoring not working any more for me
In-Reply-To: <905647.13494.qm@web33305.mail.mud.yahoo.com>
Message-ID: <111450.11899.qm@web33302.mail.mud.yahoo.com>

Hi Mark,

--- On Thu, 30/9/10, Michael Mansour wrote:

> From: Michael Mansour
> Subject: Re: Re: Re: Spam-Virus scoring not working any more for me
> To: "MailScanner discussion"
> Received: Thursday, 30 September, 2010, 1:57 PM
> Hi Mark,
>
> Thank you for analysing my output and your reply.
>
> --- On Mon, 27/9/10, Mark Sapiro wrote:
>
> > From: Mark Sapiro
> > Subject: Re: Re: Re: Spam-Virus scoring not working any more for me
> > To: "MailScanner discussion"
> > Received: Monday, 27 September, 2010, 11:37 PM
> > On 11:59 AM, Michael Mansour wrote:
> > >
> > > I get plenty of this stuff:
> > >
> > > Sep 26 00:11:34 server MailScanner[11193]: Clamd::INFECTED:: INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099) :: ./o8PEBTxB019677/
> >
> > And this says MailScanner got the report from clamd
> >
> > > No, nothing at all that says "spam-virus" and I've searched all
> > > current mail logs.
> >
> > Yet this says that MailScanner didn't recognize that
> > INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL(56c0464fb2737c4622779d0b765fb23d:29099)
> > was a spam virus.
> >
> > > Note that when this used to work, I do remember seeing the
> > > "spam-virus" responses from MailScanner in the logs.
> > >
> > > Could this have something to do with the Clam version? I'm using
> > > 3 packages of clamav, clamav-db, clamd from RPMforge and all are
> > > 0.96.3.
> >
> > I'm running the same clamav/clamd and it works for me. I do note that my
> > log entries do not contain things like
> > (56c0464fb2737c4622779d0b765fb23d:29099) (apparently the signature that
> > matched). Try adding * after UNOFFICIAL in your various "Virus Names
> > Which Are Spam" patterns, e.g. INetMsg.SpamDomain*UNOFFICIAL* instead of
> > just INetMsg.SpamDomain*UNOFFICIAL or possibly remove "LogVerbose yes"
> > and/or "ExtendedDetectionInfo yes" (I don't know which controls this)
> > from clamd.conf.
>
> I've added the "*" after the "UNOFFICIAL" to hopefully match the clamd output.
>
> I've checked the clamd.conf file and have:
>
> # Enable verbose logging.
> # Default: no
> #LogVerbose yes
>
> # Provide additional information about the infected file, such as its
> # size and hash, together with the virus name. It's recommended to enable
> # this option along with SubmitDetectionStats in freshclam.conf.
> #ExtendedDetectionInfo yes
> ExtendedDetectionInfo yes
>
> So it's the second option which is enabled. I enable this to provide
> virus stats to Clam. I'll leave this enabled for now and monitor the
> mail queues/virus detected files to see if the "*" has fixed it.
>
> If not, I'll disable the ExtendedDetectionInfo setting and try again.
>
> Hopefully your "*" recommendation has fixed the issue. I'll post to
> the list when I find out.

You were spot on with this, as soon as I made that change I waited for spam-viruses to come in and there they were, detected and scored correctly.

Basically it was the additional info that the ExtendedDetectionInfo setting in clamd.conf adds to the report sent to MailScanner.

What a great result after months of this not working :)

Thanks again.

Michael.

> Thanks.
>
> Michael.
>
> > --
> > Mark Sapiro        The highway is for gamblers,
> > San Francisco Bay Area, California    better use your sense - B. Dylan

From GSilver at rampuptech.com Thu Sep 30 15:50:06 2010
From: GSilver at rampuptech.com (Gavin Silver)
Date: Thu Sep 30 15:50:19 2010
Subject: example database structure for rules and configs
Message-ID:

Does anyone have any working examples of database/table structures that they use for SQL support in mailscanner (rulesets and config)? I have read through the conf file in the SQL section but I am still not certain I am comfortable enough to jump right in and I cannot find any other documentation on the subject.

Thanks in advance.

----------------------------------
Gavin Silver

From bttterceira at net.sapo.pt Thu Sep 30 22:18:02 2010
From: bttterceira at net.sapo.pt (Ludgero Parreira)
Date: Thu Sep 30 22:18:17 2010
Subject: spam.blacklist.rules
Message-ID:

Hello,

I have this file: /etc/MailScanner/rules/spam.blacklist.rules with all the email addresses I considered spam.

This was working with no problems, but in the last 2 or 3 days it stopped, and I started to receive spam from these addresses.

I haven't changed anything lately and double checked my config files, and it's all set up as it should be.

Any idea what could have happened, or any way I can check a log for errors?

Thanks in Advance.

Ludgero Parreira
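The pattern mismatch resolved in the "Spam-Virus scoring not working any more for me" thread above, as an added example (not MailScanner's or clamd's own code): it takes the log line quoted in that thread, separates the "(hash:size)" suffix that ExtendedDetectionInfo appends, and reports which "Virus Names Which Are Spam" patterns match with and without it. Python's fnmatch stands in for MailScanner's wildcard matching, whole-name matching is an assumption consistent with the behaviour reported in the thread, and all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Log line quoted in the thread, written while clamd ran with
# "ExtendedDetectionInfo yes".
LOG_LINE = (
    "Sep 26 00:11:34 server MailScanner[11193]: Clamd::INFECTED:: "
    "INetMsg.SpamDomain-2m.e2ma_net.UNOFFICIAL"
    "(56c0464fb2737c4622779d0b765fb23d:29099) :: ./o8PEBTxB019677/"
)

INFECTED_RE = re.compile(r"Clamd::INFECTED::\s*(\S+)\s*::")
# "(hash:size)" suffix in the form seen in the log line above.
DETAIL_RE = re.compile(r"^(.+?)\(([0-9a-fA-F]+):(\d+)\)$")


def reported_name(log_line):
    """Return the signature name exactly as logged, or None if absent."""
    m = INFECTED_RE.search(log_line)
    return m.group(1) if m else None


def split_detail(name):
    """Split 'Name(hash:size)' into (Name, hash, size); None fields if no suffix."""
    m = DETAIL_RE.match(name)
    if not m:
        return name, None, None
    return m.group(1), m.group(2), int(m.group(3))


def matches(name, pattern):
    # Assumption: a pattern must cover the whole reported name, with "*"
    # standing for any run of characters (fnmatch is a stand-in here).
    return fnmatchcase(name, pattern)


def audit(log_line, patterns):
    """Map each space-separated pattern to (matches as logged, matches without suffix)."""
    logged = reported_name(log_line)
    if logged is None:
        return {}
    base, _hash, _size = split_detail(logged)
    return {p: (matches(logged, p), matches(base, p)) for p in patterns.split()}


if __name__ == "__main__":
    setting = "INetMsg.SpamDomain*UNOFFICIAL INetMsg.SpamDomain*UNOFFICIAL*"
    for pattern, (as_logged, stripped) in audit(LOG_LINE, setting).items():
        print(f"{pattern:32} as logged: {as_logged!s:5} suffix stripped: {stripped}")
```

A pattern that comes back as (False, True) stopped matching only because of the appended suffix, which is the case the trailing "*" in the thread corrected.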