From donald.dawson at bakerbotts.com Fri Apr 1 02:42:18 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Fri Apr 1 02:42:34 2011
Subject: Performance issues with MS and SA
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831D8DE@BBEXVS04.bakerbotts.net>

Good point! We are experiencing high CPU load during the day causing sendmail to defer and eventually reject messages. The delay before an email increases up to 2 minutes. Also, internal mail servers are not able to send email since the MX server defers and/or rejects email. Our CPU load has been increasing over time.

I have received a few good tips e.g. create our own DCC server, commands for Bayes.

We have plans to dedicate a MX server to outbound mail which should help.

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas
Sent: Thursday, March 31, 2011 5:49 PM
To: MailScanner discussion
Subject: RE: Performance issues with MS and SA

Hello Donald

Maybe I'm a bit thick headed but I don't see you mention what your performance issue is?

You say you process 150k mails with 4 servers each with 4 cores (that's how I read it anyway)

But what is the problem, are your incoming mail queues too big, or do you expect a quick increase in mail volume in the near future?

Or do you simply want to optimize your setup, and don't have a problem per se?

Cheers

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Confidentiality Notice: The information contained in this email and any attachments is intended only for the recipient[s] listed above and may be privileged and confidential. Any dissemination, copying, or use of or reliance upon such information by or to anyone other than the recipient[s] listed above is prohibited. If you have received this message in error, please notify the sender immediately at the email address above and destroy any and all copies of this message.

From maxsec at gmail.com Fri Apr 1 12:24:08 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Apr 1 12:24:19 2011
Subject: Performance issues with MS and SA
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk>
Message-ID:

Couple of things that can radically reduce the load is to have the inbound MTA reject on invalid recipients.

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:reject_non_existent_users

Other is greylisting which Stevef did a recent study on and still found it to be very effective.

You don't mention if you're doing either of these

also

http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips

http://wiki.mailscanner.info/doku.php?id=maq:index#getting_the_best_out_of_spamassassin

must update that last one as the rulesemporium stuff can be ignored now.

--
Martin Hepworth
Oxford, UK

From bbecken at aafp.org Fri Apr 1 14:32:11 2011
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Fri Apr 1 14:32:42 2011
Subject: Email campaign
Message-ID: <4D958D8B0200006800085083@smtp.aafp.org>

Just sharing an issue we had this week with everyone else on the MailScanner forum.

This week, I've been working with an organization that is running an email campaign that is bombarding us with undesirable content and I figured I'd share with the rest of you as it's likely some of your systems are also getting this "junk".

If you browse to the web link below you will find a campaign concerning 'circumcision'. The concept they use is simple, you read the text and if you concur with the statement, you sign the petition.

In the background, the website takes your contact information, extracts your email address and then sends an email to a mass distribution list using your email address as the sender. The email is part of an email campaign that is using an online company to send the email en masse.

The email has no opt-out and if you reply to the email, your email is sent to the unwitting soul (person) who signed the online statement.

The subject lines are always one of the two lines below:
Subject: It's time to end infant circumcision!
Subject: =?UTF-8?Q?It's_time_to_end_=E2=80=9Croutine=E2=80=9D_infant_circumcision!?=

You can take a look at the alert that generates these messages here:
http://org2.democracyinaction.org/o/5922/t/6483/campaign.jsp?campaign_KEY=2543

Just sharing this information in case you want to do something to protect your clients as well.

thanks

From glenn.steen at gmail.com Fri Apr 1 16:38:02 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Apr 1 16:38:12 2011
Subject: Performance issues with MS and SA
In-Reply-To:
References: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk>
Message-ID:

Apart from these excellent suggestions, you should look long and hard on _why_ the load is high. Are you experiencing a lot of processes in the D state, which will add 1/process-in-state-D, then you should investigate if you can mitigate that (problem areas might be piece-of-crap NIC drivers or somesuch)... Or perhaps you employ an inefficient virus scanner (if using clamscan -> use clamd instead ... if using the old bitdefender -> stop doing that ...), or spend a lot of power on plain ol' spamassassin (make sure you use sa-compile!) ... Lots of things to look at:-). Load is very problematic as a sole source of performance information, as you might already be aware of:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maxsec at gmail.com Fri Apr 1 16:43:31 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Apr 1 16:43:40 2011
Subject: Performance issues with MS and SA
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D8DE@BBEXVS04.bakerbotts.net>
References: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk> <8FB531F78038DC4497B80CBAE8E927E20831D8DE@BBEXVS04.bakerbotts.net>
Message-ID:

Also don't confuse high load with slow performance

Just because it has a high load av (ie X processes waiting for resource) doesn't mean your actual performance on the server is poor. I've seen servers with load Av's of well over 80 performing very nicely thank you very much, by which time the default sendmail settings would have cut you off a long time ago.

maybe increase the 'load' cut off for the LoadAv figure in sendmail

--
Martin Hepworth
Oxford, UK

From bbecken at aafp.org Fri Apr 1 18:51:49 2011
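
Added example, not written by anyone in this thread: the Linux load average counts tasks in state R (runnable) and state D (uninterruptible sleep), so the two replies above (many D-state processes, and high load not meaning poor performance) can be checked by tallying task states from /proc/<pid>/stat. The sample lines, the function names and the triage rule are constructed for illustration.

```python
import glob
from collections import Counter

# Constructed /proc/<pid>/stat lines, truncated after the first few fields
# (real lines carry about 50 fields; only pid, comm and state are used here).
SAMPLE_STAT_LINES = [
    "2101 (sendmail) S 1 2101 2101 0 -1",
    "2210 (MailScanner) D 2200 2200 2200 0 -1",
    "2211 (MailScanner) D 2200 2200 2200 0 -1",
    "2212 (MailScanner) R 2200 2200 2200 0 -1",
    "2300 (clamscan) R 2212 2200 2200 0 -1",
    "2400 (spamd child) S 2390 2390 2390 0 -1",  # comm containing a space
    "2500 (a) D b) S 1 2500 2500 0 -1",          # comm containing ") D "
    "17 (kworker/0:1) D 2 0 0 0 -1",
]


def parse_stat_line(line):
    """Return (pid, comm, state) from one /proc/<pid>/stat line.

    comm is wrapped in parentheses but may itself contain spaces and
    parentheses, so split on the LAST ')' rather than on whitespace.
    """
    open_paren = line.index("(")
    close_paren = line.rindex(")")
    pid = int(line[:open_paren])
    comm = line[open_paren + 1:close_paren]
    state = line[close_paren + 1:].split()[0]
    return pid, comm, state


def load_contributors(lines):
    """Split tasks into the two groups that count toward load average."""
    runnable, blocked = [], []
    for line in lines:
        pid, comm, state = parse_stat_line(line)
        if state == "R":
            runnable.append((pid, comm))
        elif state == "D":
            blocked.append((pid, comm))
    return runnable, blocked


def blocked_by_command(lines):
    """Count D-state tasks per command name, to see what is stuck."""
    _, blocked = load_contributors(lines)
    return Counter(comm for _, comm in blocked)


def diagnose(lines, cpus):
    """Rough triage label (a heuristic chosen for this example)."""
    runnable, blocked = load_contributors(lines)
    if len(blocked) > len(runnable):
        return "io-wait"        # load is mostly tasks stuck in D state
    if len(runnable) > cpus:
        return "cpu-saturated"  # more runnable tasks than cores
    return "ok"


def read_proc_stats():
    """Read live stat lines; processes may exit mid-scan, so skip failures."""
    lines = []
    for path in glob.glob("/proc/[0-9]*/stat"):
        try:
            with open(path, errors="replace") as fh:
                lines.append(fh.read().strip())
        except OSError:
            continue
    return lines


if __name__ == "__main__":
    runnable, blocked = load_contributors(SAMPLE_STAT_LINES)
    print("runnable:", runnable)
    print("uninterruptible:", blocked)
    print("stuck commands:", blocked_by_command(SAMPLE_STAT_LINES))
    print("triage:", diagnose(SAMPLE_STAT_LINES, cpus=4))
```

On a live gateway, pass `read_proc_stats()` instead of the sample list and sample several times, since a single snapshot can miss short bursts.
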
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Fri Apr 1 18:52:22 2011
Subject: CENTOS or RHE OS
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D8AC@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D8AC@BBEXVS04.bakerbotts.net>
Message-ID: <4D95CA6502000068000851BE@smtp.aafp.org>

We've been running Centos/MailScanner since June 2006 using the packages from the MailScanner.info site. No issues.

>>> On 3/31/2011 at 11:18 AM, wrote:
We are using Fedora Core 8 (mistake) and plan to move to a more stable, Enterprise version of Linux. I don't expect we will need support, but which is better RHE or CENTOS, or other? I understand CENTOS is a close mirror to RHE, but is open source. When I look at MailScanner-related packages to download, I see references to RHE and CENTOS.

We have four MX servers running Fedora Core 8 with the latest MS/SA versions. We are contemplating FSL.COM's MS yum repository for easier builds of the new servers.

Any input appreciated.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

From alex at vidadigital.com.pa Fri Apr 1 20:32:06 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Fri Apr 1 20:41:38 2011
Subject: Email campaign
In-Reply-To: <4D958D8B0200006800085083@smtp.aafp.org>
References: <4D958D8B0200006800085083@smtp.aafp.org>
Message-ID: <6076C701-DB39-4B78-9A86-E3DA18CF8A4E@vidadigital.com.pa>

Mail comes from a server called "mailscanner.salsalabs.net". Probably a misconfiguration being abused.

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From bbecken at aafp.org Fri Apr 1 21:33:50 2011
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Fri Apr 1 21:34:24 2011
Subject: Email campaign
In-Reply-To: <6076C701-DB39-4B78-9A86-E3DA18CF8A4E@vidadigital.com.pa>
References: <4D958D8B0200006800085083@smtp.aafp.org> <6076C701-DB39-4B78-9A86-E3DA18CF8A4E@vidadigital.com.pa>
Message-ID: <4D95F05E02000068000852CB@smtp.aafp.org>

I've spoken with salsalabs, and requested they remove all email addresses from their database, they have told me twice that they would stop the campaign and then they gave me the client's phone number after it continued. All the client wanted was to know how he could ensure that their marketing message was received. I told him that my clients had already received over 20000 of the same message so far and asked how much was enough. Needless to say, he would not offer up removing our addresses from their system, so I've taken to dropping the messages at the mta.

From eli at orbsky.homelinux.org Mon Apr 4 05:53:10 2011
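
Added example (not from the thread, and not MailScanner or sendmail configuration): the two Subject lines quoted above differ in encoding as well as wording, since the second is an RFC 2047 encoded-word with curly quotes, so a filter that compares raw header text catches only the first. This Python sketch decodes and normalises the Subject before matching; it goes slightly beyond the post by also covering a folded and a base64 form, both constructed here, and all function names are assumptions.

```python
import base64
import re
import unicodedata
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# The two Subject values quoted in the post above.
SUBJECT_PLAIN = "It's time to end infant circumcision!"
SUBJECT_QP = ("=?UTF-8?Q?It's_time_to_end_=E2=80=9Croutine=E2=80=9D"
              "_infant_circumcision!?=")

# Constructed variants of the same text: a folded pair of encoded-words and
# a base64 ("B") encoded-word.
SUBJECT_FOLDED = ("=?UTF-8?Q?It's_time_to_end_?=\r\n"
                  " =?UTF-8?Q?=E2=80=9Croutine=E2=80=9D_infant_circumcision!?=")
_TEXT = "It's time to end \u201croutine\u201d infant circumcision!"
SUBJECT_B64 = ("=?UTF-8?B?"
               + base64.b64encode(_TEXT.encode("utf-8")).decode("ascii")
               + "?=")

# Map typographic quotes to ASCII so one pattern covers both spellings.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"',
                         "\u2018": "'", "\u2019": "'"})
_CAMPAIGN = re.compile(
    r"""it's time to end (?:"routine" )?infant circumcision!""")


def naive_match(raw):
    """What a raw substring check sees: misses every encoded form."""
    return "infant circumcision" in raw


def decode_subject(raw):
    """Unfold continuation lines, then RFC 2047-decode the Subject value."""
    unfolded = re.sub(r"\r?\n(?=[ \t])", "", raw)
    try:
        return str(make_header(decode_header(unfolded)))
    except (HeaderParseError, LookupError, UnicodeError):
        return unfolded  # undecodable header: fall back to the raw text


def normalise(text):
    """NFKC-normalise, straighten quotes, collapse whitespace, casefold."""
    text = unicodedata.normalize("NFKC", text).translate(_QUOTES)
    return re.sub(r"\s+", " ", text).strip().casefold()


def is_campaign_subject(raw):
    """True only when the whole decoded Subject is one of the two forms."""
    return _CAMPAIGN.fullmatch(normalise(decode_subject(raw))) is not None


if __name__ == "__main__":
    for raw in (SUBJECT_PLAIN, SUBJECT_QP, SUBJECT_FOLDED, SUBJECT_B64,
                "Re: It's time to end infant circumcision!"):
        print(naive_match(raw), is_campaign_subject(raw), repr(raw[:40]))
```

The match is anchored to the whole Subject, so a "Re:" reply from a local user is not caught by the same rule.
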
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Mon Apr 4 05:53:48 2011
Subject: Problem with Fedora 14
Message-ID: <201104040753.10422.eli@orbsky.homelinux.org>

Hi

I'm hoping somebody can help

I just upgraded from Fedora 13 to 14 and I was and am now trying to run MailScanner MailScanner-4.83.4-1.

Now when I have MailScanner running I get the following in messages when MailScanner tries to process the mail trying to come through.

MailScanner: waiting for children to die: Process did not exit cleanly, returned 255 with signal 0

When I run MailScanner --debug I get the following....

Assertion ((svtype)((_svi)->sv_flags & 0xff)) >= SVt_PV failed: file "Df.c", line 44 at /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi/Filesys/Df.pm line 39.

Needless to say, with MailScanner running no mail is getting to the mailboxes under these circumstances.

Please help

Thanks

Eli

From maxsec at gmail.com Mon Apr 4 06:33:01 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Apr 4 06:33:10 2011
Subject: Problem with Fedora 14
In-Reply-To: <201104040753.10422.eli@orbsky.homelinux.org>
References: <201104040753.10422.eli@orbsky.homelinux.org>
Message-ID:

Try reinstalling mailscanner

Also check mailscanner -v and --lint

Running ms on fedora can lead to these problems as it's a bit bleeding edge and relatively unstable. You might want to consider centos as an alternative

Martin

--
--
Martin Hepworth
Oxford, UK

From eli at orbsky.homelinux.org Mon Apr 4 08:11:11 2011
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Mon Apr 4 08:12:02 2011
Subject: Problem with Fedora 14
In-Reply-To:
References: <201104040753.10422.eli@orbsky.homelinux.org>
Message-ID: <201104040711.p347BCM6006911@gw.home.local>

Hi

Thanks for responding.... It's unlikely that I will be switching to Centos. Besides, I've been using MailScanner with Fedora for years. The output that you've requested is as follows

Thanks again for any help you can provide.

Eli

MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 867 hostnames from the phishing whitelist
Read 6238 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 28 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 26 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (4.83.4) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 5 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Assertion ((svtype)((_svi)->sv_flags & 0xff)) >= SVt_PV failed: file "Df.c", line 44 at /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi/Filesys/Df.pm line 39.

MailScanner -v
Running on
Linux gw.home.local 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
This is Fedora release 14 (Laughlin)
This is Perl version 5.012003 (5.12.3)

This is MailScanner version 4.83.4
Module versions are:
1.00 AnyDBM_File
1.30 Archive::Zip
0.23 bignum
1.17 Carp
2.03 Compress::Zlib
1.119 Convert::BinHex
0.17 Convert::TNEF
2.125 Data::Dumper
2.30 Date::Parse
1.03 DirHandle
1.06 Fcntl
2.78 File::Basename
2.18 File::Copy
2.02 FileHandle
2.08_01 File::Path
0.22 File::Temp
0.92 Filesys::Df
3.68 HTML::Entities
3.68 HTML::Parser
3.57 HTML::TokeParser
1.25_02 IO
1.14 IO::File
1.13 IO::Pipe
2.07 Mail::Header
1.89_01 Math::BigInt
0.24 Math::BigRat
3.08 MIME::Base64
5.428 MIME::Decoder
5.428 MIME::Decoder::UU
5.428 MIME::Head
5.428 MIME::Parser
3.08 MIME::QuotedPrint
5.428 MIME::Tools
0.14 Net::CIDR
1.25 Net::IP
0.19 OLE::Storage_Lite
1.04 Pod::Escapes
3.14 Pod::Simple
1.19 POSIX
1.22 Scalar::Util
1.87_01 Socket
2.22 Storable
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.44 Test::Pod
0.94 Test::Simple
1.9719 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.64 Archive::Tar
0.23 bignum
missing Business::ISBN
missing Business::ISBN::Data
missing Data::Dump
1.82 DB_File
1.29 DBD::SQLite
1.613 DBI
1.16 Digest
1.02 Digest::HMAC
2.39 Digest::MD5
2.12 Digest::SHA1
1.01 Encode::Detect
0.17016 Error
0.27 ExtUtils::CBuilder
2.21 ExtUtils::ParseXS
2.38 Getopt::Long
missing Inline
missing IO::String
1.10 IO::Zlib
2.26 IP::Country
missing Mail::ClamAV
3.003002 Mail::SpamAssassin
v2.007 Mail::SPF
missing Mail::SPF::Query
0.3603 Module::Build
0.20 Net::CIDR::Lite
0.65 Net::DNS
v0.003 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.027 NetAddr::IP
1.964 Parse::RecDescent
missing SAVI
3.17 Test::Harness
missing Test::Manifest
2.02 Text::Balanced
1.54 URI
0.88 version
0.70 YAML

From eli at orbsky.homelinux.org Sun Apr 3 14:23:14 2011
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Mon Apr 4 08:22:38 2011
Subject: Problem with Fedora 14
Message-ID: <201104031623.14308.eli@orbsky.homelinux.org>

Hi

I'm hoping somebody can help

I just upgraded from Fedora 13 to 14 and I was and am now trying to run MailScanner MailScanner-4.83.4-1.

Now when I have MailScanner running I get the following in messages when MailScanner tries to process the mail trying to come through.

MailScanner: waiting for children to die: Process did not exit cleanly, returned 255 with signal 0

When I run MailScanner --debug I get the following....

Assertion ((svtype)((_svi)->sv_flags & 0xff)) >= SVt_PV failed: file "Df.c", line 44 at /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi/Filesys/Df.pm line 39.

Needless to say, with MailScanner running no mail is getting to the mailboxes under these circumstances.

Please help

Thanks

Eli

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From eli at orbsky.homelinux.org Mon Apr 4 08:40:54 2011
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Mon Apr 4 08:41:38 2011
Subject: Problem with Fedora 14
In-Reply-To: <201104040711.p347BCM6006911@gw.home.local>
References: <201104040753.10422.eli@orbsky.homelinux.org> <201104040711.p347BCM6006911@gw.home.local>
Message-ID: <201104040741.p347esom009898@gw.home.local>

OK... I found the problem. It was with perl-Filesys-Df

As you can see from the list below the version that MailScanner sees is 0.92. After I manually rebuilt the rpm provided in the MailScanner installation and installed it, Mailscanner worked again. Then, after updating the module again from the Fedora repository all worked as expected.

Thank you so much for the pointers.... They were really very very helpful

Eli

Quoting Eli Wapniarski :

> This is MailScanner version 4.83.4
> Module versions are:
> 1.00 AnyDBM_File
> 1.30 Archive::Zip
> 0.23 bignum
> 1.17 Carp
> 2.03 Compress::Zlib
> 1.119 Convert::BinHex
> 0.17 Convert::TNEF
> 2.125 Data::Dumper
> 2.30 Date::Parse
> 1.03 DirHandle
> 1.06 Fcntl
> 2.78 File::Basename
> 2.18 File::Copy
> 2.02 FileHandle
> 2.08_01 File::Path
> 0.22 File::Temp
> 0.92 Filesys::Df

From glenn.steen at gmail.com Mon Apr 4 09:09:32 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 4 09:09:41 2011
Subject: Problem with Fedora 14
In-Reply-To: <201104040711.p347BCM6006911@gw.home.local>
References: <201104040753.10422.eli@orbsky.homelinux.org> <201104040711.p347BCM6006911@gw.home.local>
Message-ID:

On 4 April 2011 09:11, Eli Wapniarski wrote:
> Hi
>
> Thanks for responding.... It's unlikely that I will be switching Centos.
> Besides, I've been using MailScanner with Fedora for years. The output that
> you've requested is as follows
>
> Thanks again for any help you can provide.
>
> Eli
>
> MailScanner --lint
(snip)
> Found these virus scanners installed: clamav
> ===========================================================================
> Assertion ((svtype)((_svi)->sv_flags & 0xff)) >= SVt_PV failed: file "Df.c",
> line 44 at
> /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi/Filesys/Df.pm
> line 39.
>
(snip)

Well, you have a very obvious error there.... I'm sure someone will tell you why this happens, but in the meantime, why not try switching to using the much more efficient clamd scanner (as per the advice in the wiki)?

For testing purposes, try switching off virus scanning and see if that helps and if so... go for clamd and see how that sits.

Other things would be to check why you get that error in Filesys::Df, and what it tries to do on that particular line. It might be easily fixed:-). I have a nagging feeling a search of the archives might help you there;).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From eli at orbsky.homelinux.org Mon Apr 4 09:16:51 2011
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Mon Apr 4 09:17:34 2011
Subject: Problem with Fedora 14
In-Reply-To:
References: <201104040753.10422.eli@orbsky.homelinux.org> <201104040711.p347BCM6006911@gw.home.local>
Message-ID: <201104040816.p348GpeQ013045@gw.home.local>

Thanks for that Glenn...

I did try to switch off Virus Scanning. It didn't help. As noted in a previous response, I managed to fix the problem.... It was some kind of foul up with perl-Filesys-Df. Things seem to be working now.

I will take a look at your advice regarding clamd.

Thanks Again

Eli

From luis.silva at dreamware.pt Mon Apr 4 12:34:47 2011
From: luis.silva at dreamware.pt (Luis Silva)
Date: Mon Apr 4 12:34:57 2011
Subject: Mailbox size limit
Message-ID: <015d01cbf2bc$4dd77390$e9865ab0$@silva@dreamware.pt>

Hi,

I'm having a problem with the maximum mailbox size. The mysql users table has the quota defined as int(10) and this doesn't allow me to use 5G of mailbox size. My question is can I alter the type to bigint and all of the Mailscanner system still works normally? Or are there some issues regarding the data value change?

Regards,
Luis Silva

From glenn.steen at gmail.com Mon Apr 4 18:00:23 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 4 18:00:34 2011
Subject: Mailbox size limit
In-Reply-To: <3210764992525953336@unknownmsgid>
References: <3210764992525953336@unknownmsgid>
Message-ID:

Hello Luis,

I think this isn't the correct forum for your request... MailScanner as such doesn't involve itself with the actual mail store system, and hence has no real notion of quotas... You'll have to direct your inquiry to the user forum of that system... Be it cyrus, dovecot, "your MTA" (sendmail, postfix, exim), exchange or whatnot.

Cheers
--
-- Glenn

From richard.coombe at taffhousing.co.uk Tue Apr 5 10:45:12 2011
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Tue Apr 5 10:45:24 2011
Subject: Blocking emails with dangerous attachments
Message-ID: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>

Hi,

We're blocking all incoming exe attachments. However we're getting some spam/virus email with exe attachments, ("Your DHL / UPS package is ready" type stuff). The exe gets removed and then the rest of the message is delivered with an attachment warning report. This is annoying my end users as they're not interested in the email in any way.

Is there a config setting to quarantine emails that have had their attachments stripped?

I can only find 'Deliver Cleaned Messages' in MailScanner.conf. However I also have emails from other legitimate mailing lists that have URLs in them which get 'disarmed' and I _do_ want to deliver these messages. So I don't think I can change this to 'no', I think I need a more fine grained approach.

Am using Mailscanner with spamassassin and clamav.

Cheers,
Richard
IT Manager, Taff Housing Association

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
Please consider the environment before printing this email.

Any views or other information in this message which do not relate to our business are not authorised by us, nor does this message form part of any contract unless so stated.

Taff Housing Association - www.taffhousing.co.uk - A Charitable Housing Association registered under the Industrial and Provident Societies Acts 1965 No. 21408R. Registered by The National Assembly for Wales No. L009. Registered address: Alexandra House, 307-315 Cowbridge Road East, Cardiff CF5 1JD. VAT Registration Number: 869 8405 65.

From prandal at herefordshire.gov.uk Tue Apr 5 11:01:21 2011
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Apr 5 11:01:41 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B853ABE18AE@HC-EXMBX02.herefordshire.gov.uk>

Easiest way is to use MimeHeader SA plugin, and create rules to detect attachment names like UPS.ZIP (and all the variants you see) and score them highly.

Phil
--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From maxsec at gmail.com Tue Apr 5 14:08:59 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Apr 5 14:09:08 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
Message-ID:

check you're scanning inside zip archives - these are coming in as zip not .exe

--
Martin Hepworth
Oxford, UK

From prandal at herefordshire.gov.uk Tue Apr 5 15:51:04 2011
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Apr 5 15:51:30 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To:
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B853ABE3DC2@HC-EXMBX02.herefordshire.gov.uk>

The other thing is to use the Sanesecurity patterns for ClamAV. They catch these pretty quickly.

Cheers,
Phil
--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160

From chris at techquility.net Tue Apr 5 16:16:57 2011
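The two suggestions made in this thread, looking inside zip attachments and flagging attachments by file name, worked through as an added Python example; it was not posted to the list and is not MailScanner, SpamAssassin or ClamAV code. The extension list, the depth and size limits and every function name are assumptions, and the sample message is constructed.

```python
"""List executable-looking files in mail attachments, including inside zips."""
import io
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy values, chosen for this example only.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MAX_DEPTH = 2                          # levels of nested archives that get opened
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # do not inflate members declared larger


def risky_members(data, prefix="", depth=0):
    """Return paths of executable-looking members of the zip held in `data`.

    Archives that cannot be inspected are reported, not silently passed.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable zip>"]
    hits = []
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(EXECUTABLE_EXTS):
                # Standard zip encryption leaves member names readable.
                hits.append(path)
            elif lower.endswith(".zip"):
                if depth >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    hits.append(path + " <not opened: too deep or too large>")
                    continue
                try:
                    nested = archive.read(info)
                except (RuntimeError, NotImplementedError,
                        zipfile.BadZipFile, zlib.error):
                    hits.append(path + " <not opened: encrypted or damaged>")
                    continue
                hits.extend(risky_members(nested, path + "/", depth + 1))
    return hits


def scan_message(raw):
    """Map each suspicious attachment name to the paths that made it suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or "<unnamed part>"
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(EXECUTABLE_EXTS):
            report[filename] = [filename]
        elif filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits = risky_members(payload)
            if hits:
                report[filename] = hits
    return report


def build_sample():
    """Constructed message: UPS.zip holds inner.zip, which holds a harmless stub."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("DHL_label.exe", b"not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["Subject"] = "Your package is ready"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("See attached.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="UPS.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, paths in scan_message(build_sample()).items():
        print(attachment, "->", ", ".join(paths))
```

A filter that only matches the attachment's own file name sees `UPS.zip` here and nothing ending in `.exe`; the nested member is what gives the message away.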
From: chris at techquility.net (Chris Barber)
Date: Tue Apr 5 16:17:10 2011
Subject: Messages being delayed in the MailScanner hold queue
Message-ID: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>

Hi All,

Basically, over the past couple weeks, we've been having several of our users report 1-2 hour delays in email. When checking the server logs, the SMTP headers of the delayed emails would show the time at which the emails got sent out. They would also indicate our server was receiving them not too much longer afterward. However, the spam filter would release the emails 1-2 hours later.

After parsing the maillog file in /var/log on the spamfilter, we determined that the delayed emails were getting dropped in the Mailscanner hold queue and remaining there (for hours) before getting requeued and getting sent out. We cannot find the log that reports what is going on when the emails get stuck in the mailscanner hold queue.

Has anyone seen this before? Is there a way to log for this issue?

Thanks!

Chris Barber

From richard.coombe at taffhousing.co.uk Tue Apr 5 16:47:50 2011
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Tue Apr 5 16:48:02 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B853ABE3DC2@HC-EXMBX02.herefordshire.gov.uk>
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local> <7CA580B59C1ABD45B4614ED90D4C7B853ABE3DC2@HC-EXMBX02.herefordshire.gov.uk>
Message-ID: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4C@taff-mail1.taffhousing.local>

> From: mailscanner-bounces@lists.mailscanner.info On Behalf Of Randal, Phil
> Sent: 05 April 2011 15:51
>
> The other thing is to use the Sanesecurity patterns for ClamAV.

Hi Folks,

I've installed the Sanesecurity signatures, all is now good. Thanks!

Richard
--
IT Manager, Taff Housing Association

From maxsec at gmail.com Tue Apr 5 16:49:13 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Apr 5 16:49:22 2011
Subject: Messages being delayed in the MailScanner hold queue
In-Reply-To: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>
References: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>
Message-ID:

should be information in the maillog to help with this - you using the default batch processing???

--
Martin Hepworth
Oxford, UK

From ssilva at sgvwater.com Tue Apr 5 17:29:20 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 5 17:29:37 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
Message-ID:

on 4/5/2011 2:45 AM Richard Coombe spake the following:
> Hi,
>
> We're blocking all incoming exe attachments. However we're getting some spam/virus email with exe attachments, ("Your DHL / UPS package is ready" type stuff). The exe gets removed and then the rest of the message is delivered with an attachment warning report. This is annoying my end users as they're not interested in the email in any way.
>
> Is there a config setting to quarantine emails that have had their attachments stripped?
>
> I can only find 'Deliver Cleaned Messages' in MailScanner.conf. However I also have emails from other legitimate mailing lists that have URLs in them which get 'disarmed' and I _do_ want to deliver these messages. So I don't think I can change this to 'no', I think I need a more fine grained approach.
>
> Am using Mailscanner with spamassassin and clamav.
>
> Cheers,
> Richard
> IT Manager, Taff Housing Association

Aren't they getting caught as viruses? Then they would fall under the "still deliver silent viruses" area.

From glenn.steen at gmail.com Tue Apr 5 17:37:28 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Apr 5 17:37:38 2011
Subject: Messages being delayed in the MailScanner hold queue
In-Reply-To:
References: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>
Message-ID:

True, this does sound like that kind of misconfig... Either that, or a seriously overloaded system, perhaps coupled with something that kills ms... But that is pretty unlikely.

From mrm at medicine.wisc.edu Tue Apr 5 17:49:34 2011
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Tue Apr 5 17:50:01 2011
Subject: Messages being delayed in the MailScanner hold queue
In-Reply-To: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>
References: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>
Message-ID: <4D9B01CE0200003E0000F628@gwmail.medicine.wisc.edu>

We recently experienced this exact same problem after updating to 4.82.6-1. I updated to 4.83.4-1 late last week and the problem has gone away.

-Mike

From richard.coombe at taffhousing.co.uk Tue Apr 5 18:01:00 2011
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Tue Apr 5 18:05:17 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To:
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local>
Message-ID: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4D@taff-mail1.taffhousing.local>

> From: mailscanner-bounces@lists.mailscanner.info On Behalf Of Scott Silva
> Sent: 05 April 2011 17:29
> Aren't they getting caught as viruses? Then they would fall under the "still deliver silent viruses" area.

Unfortunately they weren't. Since adding in the Sanesecurity sigs the DHL emails are getting detected as virus "Sanesecurity.Malware.15940.UNOFFICIAL" and are now blocked. My clamav sigs are all up to date although I'm on quite an old version of the engine (0.95.3) as the box is running Ubuntu 8.04.

Cheers,
Richard
IT Manager, Taff Housing Association

From prandal at herefordshire.gov.uk Tue Apr 5 18:12:17 2011
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Apr 5 18:12:35 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4D@taff-mail1.taffhousing.local>
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local> <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4D@taff-mail1.taffhousing.local>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B853ABE48A8@HC-EXMBX02.herefordshire.gov.uk>

You'll need to update to ClamAV 0.97 ASAP, then.

Cheers,

Phil

--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. You should be aware that Herefordshire Council monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

From ssilva at sgvwater.com Tue Apr 5 19:15:12 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 5 19:15:27 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4D@taff-mail1.taffhousing.local>
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local> <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4D@taff-mail1.taffhousing.local>
Message-ID:

on 4/5/2011 10:01 AM Richard Coombe spake the following:
>> From: mailscanner-bounces@lists.mailscanner.info On Behalf Of Scott Silva
>> Sent: 05 April 2011 17:29
>
>> Aren't they getting caught as viruses? Then they would fall under the "still deliver silent viruses" area.
>
> Unfortunately they weren't. Since adding in the sanesecurity sigs the DHL emails are getting detected as virus "Sanesecurity.Malware.15940.UNOFFICIAL" and are now blocked.
>
> My clamav sigs are all up to date although I'm on quite an old version of the engine (0.95.3) as the box is running Ubuntu 8.04.
>
> Cheers,
> Richard

Old engines usually stop working in Clam. I would never be more than 1 or 2 versions back at any given time.

Found this on a forum...
"Just add : deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu maverick main in the sourceAPT line in your software center settings, other software tab, click add..."

From chris at techquility.net Tue Apr 5 23:23:28 2011
From: chris at techquility.net (Chris Barber)
Date: Tue Apr 5 23:23:39 2011
Subject: Messages being delayed in the MailScanner hold queue
In-Reply-To:
References: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local>
Message-ID: <87977233ECC1CD4381FB63BE565D44790390FADC42@SERVER.techquility.local>

We have adjusted the batch sizes some, is that what you are referring to when you say default batch processing? I don't think the system is overloaded, heavily used yes, but emails go through in seconds usually. I also saw a response from Michael Masse that said he upgraded to the newest MailScanner to resolve this. I will try this also.

Thanks,
Chris

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Tuesday, April 05, 2011 12:37 PM
To: MailScanner discussion
Subject: Re: Messages being delayed in the MailScanner hold queue

True, this does sound like that kind of misconfig... Either that, or a seriously overloaded system, perhaps coupled with something that kills ms... But that is pretty unlikely.

On 5 Apr 2011 17.57, "Martin Hepworth" wrote:

should be information in the maillog to help with this - you using the default batch processing???

--
Martin Hepworth
Oxford, UK

On 5 April 2011 16:16, Chris Barber wrote:
>
> Hi All,
>
> Basically, ove...

From richard.coombe at taffhousing.co.uk Wed Apr 6 09:06:25 2011
From: richard.coombe at taffhousing.co.uk (Richard Coombe)
Date: Wed Apr 6 09:06:35 2011
Subject: Blocking emails with dangerous attachments
In-Reply-To:
References: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D43@taff-mail1.taffhousing.local> <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4D@taff-mail1.taffhousing.local>
Message-ID: <6327C87E0B310946AFD4D4893CB97B2C042F4D0D4E@taff-mail1.taffhousing.local>

From: mailscanner-bounces@lists.mailscanner.info On Behalf Of Scott Silva
Sent: 05 April 2011 19:15

> on 4/5/2011 10:01 AM Richard Coombe spake the following:
>> From: mailscanner-bounces@lists.mailscanner.info On Behalf Of Scott Silva
>> Sent: 05 April 2011 17:29
>
>>> Aren't they getting caught as viruses? Then they would fall under the "still deliver silent viruses" area.
>>
>> Unfortunately they weren't. Since adding in the sanesecurity sigs the DHL emails are getting detected as virus
>> "Sanesecurity.Malware.15940.UNOFFICIAL" and are now blocked.
>>
>> My clamav sigs are all up to date although I'm on quite an old version of the engine (0.95.3) as the box is running Ubuntu 8.04.
>
> Old engines usually stop working in Clam. I would never be more than 1 or 2 versions back at any given time.
> Found this on a forum...
> "Just add : deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu maverick main in the sourceAPT line in your software center settings, other
> software tab, click add..."

Yup. Was reading the PPA pages and browsing the backports repository last night. Oh what an exciting life.

Thanks,
Rich

IT Manager, Taff Housing Association

From glenn.steen at gmail.com Wed Apr 6 09:57:23 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Apr 6 09:57:33 2011
Subject: Messages being delayed in the MailScanner hold queue
In-Reply-To: <87977233ECC1CD4381FB63BE565D44790390FADC42@SERVER.techquility.local>
References: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local> <87977233ECC1CD4381FB63BE565D44790390FADC42@SERVER.techquility.local>
Message-ID:

The processing mode of ms should be set to batch, not queue... Look in the conf file and you'll see.

Cheers

From dm.gouveia at gmail.com Wed Apr 6 19:02:47 2011
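Added example (not from any list member and not part of MailScanner): one way to answer the "is there a way to log for this" question in the hold-queue thread above is to measure, per queue ID, the time between Postfix placing a message on hold and MailScanner requeueing it. The Postfix `hold:` line layout, the host names and the sample log are constructed assumptions; the `Requeue:` line follows the layout MailScanner writes to the maillog.

```python
import re
from datetime import datetime

# Syslog line: "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <text>"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ([^\s\[:]+)(?:\[\d+\])?: (.*)$"
)
# Assumed Postfix cleanup line when a header_checks HOLD rule fires.
HOLD_RE = re.compile(r"^([0-9A-F]+): hold: ")
# MailScanner line: "Requeue: <hold queue id>.<suffix> to <new queue id>"
REQUEUE_RE = re.compile(r"^Requeue: ([0-9A-F]+)\.\S+ to [0-9A-F]+")

# Constructed sample, not taken from a real server.
SAMPLE_LOG = """\
Apr  5 09:02:11 spamfilter postfix/cleanup[4121]: 3A1F95AA214: hold: header Received: from mx.example.net
Apr  5 09:02:14 spamfilter MailScanner[22408]: Requeue: 3A1F95AA214.A70C9 to 7C0E15AA219
Apr  5 09:05:40 spamfilter postfix/cleanup[4130]: 9B2C75AA2F0: hold: header Received: from mx.example.net
Apr  5 10:47:03 spamfilter MailScanner[22417]: Requeue: 9B2C75AA2F0.B11D2 to 1D4F05AA301
Apr  5 10:50:00 spamfilter postfix/cleanup[4190]: C77D15AA3AB: hold: header Received: from mx.example.net
"""


def hold_queue_dwell(lines, year):
    """Map each held queue ID to seconds spent on hold (None = never requeued)."""
    held = {}    # queue id -> time it entered the hold queue
    dwell = {}   # queue id -> seconds on hold, or None while still held
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        stamp, program, text = match.groups()
        # Syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        hold = HOLD_RE.match(text) if program.startswith("postfix/") else None
        if hold:
            held[hold.group(1)] = when
            dwell[hold.group(1)] = None
            continue
        requeue = REQUEUE_RE.match(text) if program == "MailScanner" else None
        if requeue and requeue.group(1) in held:
            queue_id = requeue.group(1)
            dwell[queue_id] = int((when - held.pop(queue_id)).total_seconds())
    return dwell


def slow_messages(lines, year, threshold_seconds):
    """Requeued messages that sat on hold for at least threshold_seconds."""
    dwell = hold_queue_dwell(lines, year)
    slow = [(q, s) for q, s in dwell.items()
            if s is not None and s >= threshold_seconds]
    return sorted(slow, key=lambda item: item[1], reverse=True)


def still_held(lines, year):
    """Queue IDs that were put on hold and never requeued in this log."""
    return [q for q, s in hold_queue_dwell(lines, year).items() if s is None]


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for queue_id, seconds in slow_messages(log, 2011, 600):
        print(f"{queue_id} waited {seconds} s in the hold queue")
    print("never requeued:", still_held(log, 2011))
```

Run against the real maillog, a cluster of long dwell times around the same MailScanner PID or time window points at the scanner rather than at the upstream sender.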
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia)
Date: Wed Apr 6 19:02:57 2011
Subject: disable Archive Mail
Message-ID:

Hi guys,

Does anyone know how to disable the option Archive Mail in mailscanner?

I'm running it with 'Archive Mail = /var/spool/MailScanner/archive' but to my environment it's a security issue and I need to disable it.

Thanks in advance,
--
Danilo Marques de Gouveia

From alex at vidadigital.com.pa Wed Apr 6 19:26:58 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Wed Apr 6 19:27:12 2011
Subject: disable Archive Mail
In-Reply-To:
References:
Message-ID:

What happens when you put:

Archive Mail =

(nothing after the =)

And you restart MailScanner?

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From space_rat at gmx.de Thu Apr 7 13:25:35 2011
From: space_rat at gmx.de (Space Rat)
Date: Thu Apr 7 13:25:45 2011
Subject: Mailscanner + Spamassassin + Postfix - Spams are not delivered anymore
Message-ID: <85F1E790-5C61-460D-BD77-A392CB5E4ED2@gmx.de>

Hi!

I've got the setup named in the config on my debian lenny. Today I removed a (from the beginning not working) spamassassin user setting component from my froxlor server management which should not harm the whole mailscanner construct but somehow it did and I don't know why & what to do:

Earlier today I received a Spam which was marked correctly as ****SPAM**** but still delivered to me like I want it. Since I removed the froxlor stuff the spam gets deleted directly which I don't want. I re-sent me the earlier spam detected message or even sent me a test one (http://www.etes.de/downloads/spamassassin/)

Here's the log where the message was delivered:
---
Apr 7 00:20:54 server3 MailScanner[22408]: New Batch: Scanning 1 messages, 3881 bytes
Apr 7 00:20:54 server3 MailScanner[22408]: Virus and Content Scanning: Starting
Apr 7 00:21:12 server3 MailScanner[22408]: Spam Checks: Found 1 spam messages
Apr 7 00:21:12 server3 MailScanner[22408]: Requeue: F1E815AA214.A70C9 to A0E015AA219
Apr 7 00:21:12 server3 MailScanner[22408]: Uninfected: Delivered 1 messages
---

Here's the log where it was not delivered:
---
Apr 7 11:57:23 server3 MailScanner[9532]: New Batch: Scanning 1 messages, 2382 bytes
Apr 7 11:57:23 server3 MailScanner[9532]: Virus and Content Scanning: Starting
Apr 7 11:57:30 server3 MailScanner[9532]: Spam Checks: Found 1 spam messages
Apr 7 11:57:30 server3 MailScanner[9532]: Deleted 1 messages from processing-database
---

The same with the test message - it gets not delivered. Why?

Link to the mailscanner.conf -> http://bit.ly/dIh4K5

Thanks & Regards,
Spacey

From gelgin at internut.com Thu Apr 7 13:53:17 2011
From: gelgin at internut.com (george elgin)
Date: Thu Apr 7 13:53:34 2011
Subject: Archive mess
Message-ID: <702762.30234.qm@web30607.mail.mud.yahoo.com>

somewhat new to MailScanner/MailWatch so forgive if these have been asked/answered !

1) Archive Mail =
# If a location specified in "Archive Mail" is not found,

how would it help/hurt me to save these, and why would it be a security issue ??
i would like to reduce those nag emails about "problem messages" somehow. i seem to get lots.

2) will there be a need to purge mysql in some fashion after a period of time or does mailscanner use some sort of circular buffering of quarantines/archives that i don't see documented. ?

thanks

so far MailScanner way exceeded my expectations except working with pyzor/razor maybe.

George
http://nomenware.net/Admin.htm

From dm.gouveia at gmail.com Thu Apr 7 14:02:08 2011
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia)
Date: Thu Apr 7 14:02:18 2011
Subject: disable Archive Mail
In-Reply-To:
References:
Message-ID:

My server crashed yesterday while I was moving a backup, so I'm testing it today and it looks like the mailscanner is not archiving the emails anymore.

Now that is working. Thanks Alex.

--
Danilo Marques de Gouveia

From roalda at gmail.com Fri Apr 8 14:21:51 2011
From: roalda at gmail.com (Roald)
Date: Fri Apr 8 14:22:00 2011
Subject: Watermark Ruleset - File Format
Message-ID:

Hi,

I have a few domains, one of which I want to use the watermark feature on. Anybody have examples for the ruleset-format?

Add Watermark = ruleset-file

ruleset-file:
To: domaintowatermark.com yes
To: default no

Check Watermarks With No Sender = ruleset-file2

To: domaintowatermark.com yes
To: default no

Treat Invalid Watermarks With No Sender as Spam = ruleset-file3

ruleset-file2:
To: domaintowatermark.com spam
To: default nothing

Would these three files be correct? I want to (for the time being) only check one watermarks on one of the domains.

--
Roald Amundsen

From markus at markusoft.se Fri Apr 8 16:02:49 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Fri Apr 8 16:03:04 2011
Subject: Watermark Ruleset - File Format
In-Reply-To:
Message-ID: <19344871.319.1302274965325.JavaMail.markus@cronlabworkstation0>

Hi Roald,

I don't use the Watermarking feature myself, but am using the rulesets quite a lot. Your files look fine, just remember that they must be named .rule or .rules!

/Markus

From donald.dawson at bakerbotts.com Mon Apr 11 21:59:27 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Mon Apr 11 21:59:43 2011
Subject: Large number of directories (~7000) in SpamAssassin Temporary Dir
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831D9F4@BBEXVS04.bakerbotts.net>

Since I have upgraded to the latest MS and SA version, I have a large number of directories in my 'SpamAssassin Temporary Dir' as defined in the MailScanner.conf file. Is this normal? If not, is there a configuration setting I need to change?

.spamassassin100446jK6yCtmp:
total 208
-rw------- 1 root root 199179 Apr 11 15:39 raw.eml
-rw------- 1 root root 399 Apr 11 15:39 top_links_rt61.gif

.spamassassin100448GiwDwtmp:
total 444
-rw------- 1 root root 69153 Apr 11 15:39 juris-e-mail-topper_Revised.jpg
-rw------- 1 root root 28 Apr 11 15:39 juris-e-mail-topper_Revised.jpg.err
-rw------- 1 root root 153590 Apr 11 15:39 juris-e-mail-topper_Revised.jpg.pnm
-rw------- 1 root root 199179 Apr 11 15:39 raw.eml

.spamassassin10044BX0ypPtmp:
total 208
-rw------- 1 root root 199179 Apr 11 15:39 raw.eml
-rw------- 1 root root 489 Apr 11 15:39 sidebar_btm61.gif

.spamassassin10044HJPhfFtmp:
total 212
-rw------- 1 root root 7140 Apr 11 15:39 JP-US-Law-2010-Cov_sml.gif
-rw------- 1 root root 199179 Apr 11 15:39 raw.eml

.spamassassin10044Mw1AGWtmp:
total 208
-rw------- 1 root root 199179 Apr 11 15:39 raw.eml
-rw------- 1 root root 294 Apr 11 15:39 top_links_btm61.gif

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

From noel.butler at ausics.net Tue Apr 12 01:18:58 2011
From: noel.butler at ausics.net (Noel Butler)
Date: Tue Apr 12 01:19:14 2011
Subject: Large number of directories (~7000) in SpamAssassin Temporary Dir
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D9F4@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D9F4@BBEXVS04.bakerbotts.net>
Message-ID: <1302567538.6012.3.camel@tardis>

Skipped content of type multipart/alternative

From james at pattinson.org Tue Apr 12 12:43:08 2011
From: james at pattinson.org (James Pattinson)
Date: Tue Apr 12 12:43:21 2011
Subject: Authenticated senders
Message-ID: <4DA43ACC.4070600@pattinson.org>

Hi List!

I am using MailScanner with Postfix and ClamAV to run a simple mail server for myself and my family.

I use SMTP AUTH to enable mail to be sent from various places such as home ISPs and Mobile Internet providers and would ideally like to have authenticated mail skip right through the RBL checks.

I know this has been discussed in the past and I did find a thread from someone who ended up writing custom perl scripts to do this.

As this was a few years ago I'd like some advice as to how this is best done these days! I find it really hard to believe that this is not a really common usage scenario, surely RBL checks are completely irrelevant when SMTP auth is in use? I am even using port 587 and TLS to submit messages!

Currently my workaround is to have my sending address configured in rules/spam.whitelist.rules but this is not ideal as I still get spammers faking my address.

Would love to get some input on this :)

Cheers
James

From alex at vidadigital.com.pa Tue Apr 12 12:57:16 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Apr 12 12:57:30 2011
Subject: Authenticated senders
In-Reply-To: <4DA43ACC.4070600@pattinson.org>
References: <4DA43ACC.4070600@pattinson.org>
Message-ID:

This is how I would do it:

1. Send a message from myself to someone else in the same domain WITHOUT using authentication. In theory, it should work - authentication is usually only necessary to send mail OUTSIDE of the domain.
2. Send another message, authenticated, somewhere else.
3. Check the headers. There should be a difference; something like "user xxx with yyy auth and zzz bits" in the header.
4. Write a custom rule in spamassassin to score it -100 for example.

I don't know Postfix as well as sendmail; at sendmail's /etc/mail/sendmail.mc I modify the REC_FULL_AUTH part so that it includes an additional word and then check for it with "header soandso" in /etc/mail/spamassassin/local.cf.

This wouldn't bypass MailScanner completely, but it insures it won't be scored as SPAM.

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From james at pattinson.org Tue Apr 12 13:05:56 2011
From: james at pattinson.org (James Pattinson)
Date: Tue Apr 12 13:06:14 2011
Subject: Authenticated senders
In-Reply-To:
References: <4DA43ACC.4070600@pattinson.org>
Message-ID: <4DA44024.9020307@pattinson.org>

Hi Alex

That makes sense, and is probably similar to what I will end up doing, but it still doesn't seem like an ideal solution - it still seems like I am doing something "wrong" and it requires a kludge to work.

Does anyone have a better way of doing things? Should I be using something other than SMTP auth to really trust my senders?

James

From markus at markusoft.se Tue Apr 12 13:18:15 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Tue Apr 12 13:18:31 2011
Subject: Authenticated senders
In-Reply-To:
Message-ID: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>

Hi,

Another way could be to set

smtpd_sasl_authenticated_header = yes

in postfix and score ALL_TRUSTED in SA with a negative score.

This should also bypass SPF and RBL within SA

/M

From alex at vidadigital.com.pa Tue Apr 12 13:54:47 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Apr 12 13:54:59 2011
Subject: Authenticated senders
In-Reply-To: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>
Message-ID:

Is SA smart enough to understand an authenticated header? What steps does it take to avoid a forged authenticated header?

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From alex at vidadigital.com.pa Tue Apr 12 13:58:24 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Apr 12 13:58:36 2011
Subject: Authenticated senders
In-Reply-To: <4DA44024.9020307@pattinson.org>
References: <4DA43ACC.4070600@pattinson.org> <4DA44024.9020307@pattinson.org>
Message-ID: <682896A0-3AF0-4975-A8A8-3808D52F6BF6@vidadigital.com.pa>

It's not a kludge, it's more of a workaround.

The problem is philosophical... MS is MTA-agnostic (or at least MTA-diverse) and, as such, doesn't directly understand when a user is or isn't authenticated.

Using something else than SMTP auth still involves other workarounds.

If having SA skip over authenticated e-mail is too ugly or inelegant for your taste, you might try:

1. Running a separate instance of postfix on another IP address or port, which would "skip" MS. You'd lose archiving, inline sigs, etc. - all the "non antispam/antivirus" goodies we're used to using MS.
2. Running a VPN daemon and whitelisting stuff that comes from your internal net. The disadvantage is that you have to be connected to the VPN for this to happen, and some places might not allow VPN traffic.

On Apr 12, 2011, at 7:05 AM, James Pattinson wrote:

> Hi Alex
>
> That makes sense, and is probably similar to what I will end up doing, but it still doesn't seem like an ideal solution - it still seems like I am doing something "wrong" and it requires a kludge to work.
>
> Does anyone have a better way of doing things? Should I be using something other than SMTP auth to really trust my senders?
>
> James

From james at pattinson.org Tue Apr 12 14:05:38 2011
From: james at pattinson.org (James Pattinson)
Date: Tue Apr 12 14:05:58 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>
Message-ID: <4DA44E22.3030600@pattinson.org>

Hi

> Another way could be to set
>
> smtpd_sasl_authenticated_header = yes
>
> in postfix and score ALL_TRUSTED in SA with a negative score.
>
> This should also bypasses SPF and RBL within SA
>

I have already set smtpd_sasl_authenticated_header = yes so I have headers like this:

Received: from banana.local (89-168-169-227.dynamic.dsl.as9105.com [89.168.169.227])
    (using TLSv1 with cipher AES256-SHA (256/256 bits))
    (No client certificate requested)
    (Authenticated sender: patricia)
    by bear.localdomain (Postfix) with ESMTP id D4B05318373
    for; Tue, 12 Apr 2011 12:22:50 +0100 (BST)

I've then set ALL_TRUSTED to -10 but I still get marked as spam:

X-Charter-MailScanner: Found to be clean
X-Charter-MailScanner-SpamCheck: spam, spamhaus-ZEN,
    SpamAssassin (score=-11.9, required 4, autolearn=not spam,
    ALL_TRUSTED -10.00, BAYES_00 -1.90)
X-Charter-MailScanner-From: james@pattinson.org
X-Spam-Status: Yes

What is going on here? score=-11.9 and still spam? :(

Cheers
James

From james at pattinson.org Tue Apr 12 14:07:36 2011
From: james at pattinson.org (James Pattinson)
Date: Tue Apr 12 14:07:51 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <682896A0-3AF0-4975-A8A8-3808D52F6BF6@vidadigital.com.pa>
References: <4DA43ACC.4070600@pattinson.org> <4DA44024.9020307@pattinson.org> <682896A0-3AF0-4975-A8A8-3808D52F6BF6@vidadigital.com.pa>
Message-ID: <4DA44E98.1020309@pattinson.org>

Alex, fair points!

I do actually connect using a VPN most of the time, however this only works on devices that support it. So my iPad, mobile phone etc are all out of the picture.

I will continue working towards a "kludge" safe in the knowledge that it's what other people are doing as well.

Cheers
James

On 12/04/2011 13:58, Alex Neuman wrote:
> It's not a kludge, it's more of a workaround.
>
> The problem is philosophical... MS is MTA-agnostic (or at least MTA-diverse) and, as such, doesn't directly understand when a user is or isn't authenticated.
>
> Using something else than SMTP auth still involves other workarounds.
>
> If having SA skip over authenticated e-mail is too ugly or inelegant for your taste, you might try:
>
> 1. Running a separate instance of postfix on another IP address or port, which would "skip" MS. You'd lose archiving, inline sigs, etc. - all the "non antispam/antivirus" goodies we're used to using MS.
> 2. Running a VPN daemon and whitelisting stuff that comes from your internal net. The disadvantage is that you have to be connected to the VPN for this to happen, and some places might not allow VPN traffic.

From markus at markusoft.se Tue Apr 12 14:12:41 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Tue Apr 12 14:12:59 2011
Subject: Authenticated senders
In-Reply-To:
Message-ID: <19253218.143.1302613957958.JavaMail.markus@cronlabworkstation0>

Yes, since it is part of the received header of a trusted host (the current host)!

/M

----- Original Message -----
From: "Alex Neuman"
To: "MailScanner discussion"
Sent: Tuesday, 12 Apr 2011 14:54:47
Subject: Re: Authenticated senders

Is SA smart enough to understand an authenticated header? What steps does it take to avoid a forged authenticated header?

On Apr 12, 2011, at 7:18 AM, Markus Nilsson wrote:

> Hi,
>
> Another way could be to set
>
> smtpd_sasl_authenticated_header = yes
>
> in postfix and score ALL_TRUSTED in SA with a negative score.
>
> This should also bypasses SPF and RBL within SA
>
> /M

From john at tradoc.fr Tue Apr 12 14:13:47 2011
From: john at tradoc.fr (John Wilcock)
Date: Tue Apr 12 14:14:03 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA44E22.3030600@pattinson.org>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0> <4DA44E22.3030600@pattinson.org>
Message-ID: <4DA4500B.2080908@tradoc.fr>

On 12/04/2011 15:05, James Pattinson wrote:
> X-Charter-MailScanner: Found to be clean
> X-Charter-MailScanner-SpamCheck: spam, spamhaus-ZEN,
> SpamAssassin (score=-11.9, required 4, autolearn=not spam,
> ALL_TRUSTED -10.00, BAYES_00 -1.90)
> X-Charter-MailScanner-From:james@pattinson.org
> X-Spam-Status: Yes
>
> What is going on here? score=-11.9 and still spam? :(

SpamAssassin is giving the correct score, but you have apparently configured MailScanner to check spamhaus zen directly.

Remove zen from the Spam List setting in MailScanner.conf and all will be well.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From markus at markusoft.se Tue Apr 12 14:15:51 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Tue Apr 12 14:16:07 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA44E22.3030600@pattinson.org>
Message-ID: <16505288.149.1302614151048.JavaMail.markus@cronlabworkstation0>

Hi!

This is because you have configured MailScanner to categorize it as spam (probably) with the configurations:

Spam Lists To Be Spam = 1
Spam List = spamhaus-ZEN

I would recommend you to remove this from MailScanner, and enable spamhaus ZEN in spamassassin instead!

/M
From james at pattinson.org Tue Apr 12 14:22:11 2011
From: james at pattinson.org (James Pattinson)
Date: Tue Apr 12 14:22:27 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA4500B.2080908@tradoc.fr>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0> <4DA44E22.3030600@pattinson.org> <4DA4500B.2080908@tradoc.fr>
Message-ID: <4DA45203.1030204@pattinson.org>

On 12/04/2011 14:13, John Wilcock wrote:
> On 12/04/2011 15:05, James Pattinson wrote:
>> X-Charter-MailScanner: Found to be clean
>> X-Charter-MailScanner-SpamCheck: spam, spamhaus-ZEN,
>> SpamAssassin (score=-11.9, required 4, autolearn=not spam,
>> ALL_TRUSTED -10.00, BAYES_00 -1.90)
>> X-Charter-MailScanner-From:james@pattinson.org
>> X-Spam-Status: Yes
>>
>> What is going on here? score=-11.9 and still spam? :(
>
> SpamAssassin is giving the correct score, but you have apparently
> configured MailScanner to check spamhaus zen directly.
>
> Remove zen from the Spam List setting in MailScanner.conf and all will
> be well.
>

OK, done. This will be my test email :)

Does this mean I'm not doing any RBL checking at all now? Or will SA still do that?

Cheers
James

From john at tradoc.fr Tue Apr 12 14:41:47 2011
From: john at tradoc.fr (John Wilcock)
Date: Tue Apr 12 14:42:04 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA45203.1030204@pattinson.org>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0> <4DA44E22.3030600@pattinson.org> <4DA4500B.2080908@tradoc.fr> <4DA45203.1030204@pattinson.org>
Message-ID: <4DA4569B.7000109@tradoc.fr>

On 12/04/2011 15:22, James Pattinson wrote:
> OK, done. This will be my test email :)
>
> Does this mean I'm not doing any RBL checking at all now? Or will SA
> still do that?

Yes, SA will still do those checks.

That's the current recommended practice - using MailScanner to check RBLs is only advised in cases where you don't wish to use SpamAssassin but do wish to check multiple RBLs.

(And even then, recent versions of postfix offer a better solution, with MTA-level rejection based on the weighted results of multiple RBLs; I don't know whether sendmail can do this too.)

John.

From james at pattinson.org Tue Apr 12 14:51:38 2011
From: james at pattinson.org (James Pattinson)
Date: Tue Apr 12 14:51:53 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA4569B.7000109@tradoc.fr>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0> <4DA44E22.3030600@pattinson.org> <4DA4500B.2080908@tradoc.fr> <4DA45203.1030204@pattinson.org> <4DA4569B.7000109@tradoc.fr>
Message-ID: <4DA458EA.7050102@pattinson.org>

Thanks, all seems OK now. I will see if I get much spam come in - I've had to disable razor2 in SA due to errors in my log but that's a little off topic for this list I guess.

Apr 12 14:38:11 bear MailScanner[6794]: Virus and Content Scanning: Starting
Apr 12 14:38:11 bear MailScanner[6794]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied. ERROR :: /var/spool/MailScanner/incoming/6794
Apr 12 14:38:11 bear MailScanner[6794]: Virus Scanning: Clamd found 1 infections
Apr 12 14:38:11 bear MailScanner[6794]: Virus Scanning: Found 1 viruses

Error goes away after disabling razor2 so if that's now me not doing RBL checks I will live with it for now and see what happens!

Cheers
James

> That's the current recommended practice - using MailScanner to check
> RBLs is only advised in cases where you don't wish to use SpamAssassin
> but do wish to check multiple RBLs.
>
> (And even then, recent versions of postfix offer a better solution,
> with MTA-level rejection based on the weighted results of multiple
> RBLs; I don't know whether sendmail can do this too.)
>

From alex at vidadigital.com.pa Tue Apr 12 15:01:44 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Apr 12 15:01:57 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA44E98.1020309@pattinson.org>
References: <4DA43ACC.4070600@pattinson.org> <4DA44024.9020307@pattinson.org> <682896A0-3AF0-4975-A8A8-3808D52F6BF6@vidadigital.com.pa> <4DA44E98.1020309@pattinson.org>
Message-ID:

iPads and Mobile phones usually support PPTP and IPSEC. If you're using a less popular VPN type, then it's usually a matter of finding a good client.

On Apr 12, 2011, at 8:07 AM, James Pattinson wrote:

> I do actually connect using a VPN most of the time, however this only works on devices that support it. So my iPad, mobile phone etc are all out of the picture.

From alex at vidadigital.com.pa Tue Apr 12 15:02:02 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Apr 12 15:02:13 2011
Subject: Authenticated senders
In-Reply-To: <19253218.143.1302613957958.JavaMail.markus@cronlabworkstation0>
References: <19253218.143.1302613957958.JavaMail.markus@cronlabworkstation0>
Message-ID: <2424CBD8-2B26-4896-BC5F-51C0DBB2ABFB@vidadigital.com.pa>

On Apr 12, 2011, at 8:12 AM, Markus Nilsson wrote:

> What steps does it take to avoid a forged authenticated header?

From alex at vidadigital.com.pa Tue Apr 12 15:02:40 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Apr 12 15:02:53 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA45203.1030204@pattinson.org>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0> <4DA44E22.3030600@pattinson.org> <4DA4500B.2080908@tradoc.fr> <4DA45203.1030204@pattinson.org>
Message-ID:

SA will do it and score on it unless you tell it otherwise.

On Apr 12, 2011, at 8:22 AM, James Pattinson wrote:

> Does this mean I'm not doing any RBL checking at all now? Or will SA still do that?

From markus at markusoft.se Tue Apr 12 15:32:06 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Tue Apr 12 15:32:25 2011
Subject: Authenticated senders
In-Reply-To: <2424CBD8-2B26-4896-BC5F-51C0DBB2ABFB@vidadigital.com.pa>
Message-ID: <2533008.165.1302618724738.JavaMail.markus@cronlabworkstation0>

It trusts the received header if it comes from a trusted relay, and the authentication info is part of the received header.

http://wiki.apache.org/spamassassin/Rules/ALL_TRUSTED
http://wiki.apache.org/spamassassin/TrustedRelays

/M

----- Original Message -----
From: "Alex Neuman"
To: "MailScanner discussion"
Sent: Tuesday, 12 Apr 2011 16:02:02
Subject: Re: Authenticated senders

On Apr 12, 2011, at 8:12 AM, Markus Nilsson wrote:

> What steps does it take to avoid a forged authenticated header?

From ssilva at sgvwater.com Tue Apr 12 15:36:25 2011
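The rule described in the reply above (an "Authenticated sender" note only counts when it sits in a Received header written by a relay you trust) can be sketched as follows. This is an added example, not part of the thread and not SpamAssassin's own code: it is a simplified model of a trust-path walk, and the host names, addresses, TRUSTED_NETWORKS and all function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Assumption for this example: relays in these networks never forge headers
# (the role trusted_networks plays in SpamAssassin). Loopback only here.
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def top_level_comments(value):
    """Return the top-level (...) comments of a header value, nesting kept."""
    comments, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            if depth:
                current.append(ch)      # nested "(" stays inside the comment
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
            if depth:
                current.append(ch)
            else:
                comments.append("".join(current).strip())
                current = []
        elif depth:
            current.append(ch)
    return comments


def parse_hop(received_value):
    """Extract client IP and SASL login from one Postfix-style Received value."""
    comments = top_level_comments(" ".join(received_value.split()))  # unfold
    ip = auth = None
    if comments:
        # Postfix writes "rdns-name [ip]" as the first comment.
        m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", comments[0])
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                ip = None
    for comment in comments:
        m = re.fullmatch(r"Authenticated sender: (\S+)", comment)
        if m:
            auth = m.group(1)
    return {"ip": ip, "auth": auth}


def trust_path(raw_message, trusted_networks=TRUSTED_NETWORKS):
    """Walk Received headers top-down; return (all_trusted, authenticated_user).

    The topmost header was written by our own MTA, so it is believed. Each
    further header is believed only if the relay that wrote it (described by
    the header above it) was in a trusted network or authenticated to us.
    Everything below the first untrusted relay is sender-controlled text.
    """
    hops = [parse_hop(v) for v in email.message_from_string(raw_message).get_all("Received", [])]
    trusted = []
    for hop in hops:
        in_net = hop["ip"] is not None and any(hop["ip"] in n for n in trusted_networks)
        if not (in_net or hop["auth"]):
            break
        trusted.append(hop)
    all_trusted = bool(hops) and len(trusted) == len(hops)
    auth_user = next((h["auth"] for h in trusted if h["auth"]), None)
    return all_trusted, auth_user


def make_message(*received):
    """Build a constructed test message from Received values, topmost first."""
    headers = "".join("Received: %s\n" % r for r in received)
    return headers + "From: james@example.org\nSubject: test\n\nbody\n"


# Constructed sample hops, modelled on the header format quoted in the thread.
AUTH_HOP = ("from phone.example (host.example.net [203.0.113.7])\n"
            "\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n"
            "\t(Authenticated sender: patricia)\n"
            "\tby bear.localdomain (Postfix) with ESMTP id 0000000000;\n"
            "\tTue, 12 Apr 2011 12:22:50 +0100 (BST)")
PLAIN_HOP = ("from mail.example.com (unknown [203.0.113.50]) by bear.localdomain "
             "(Postfix) with ESMTP id 1111111111; Tue, 12 Apr 2011 12:30:00 +0100 (BST)")
LOCAL_HOP = ("from localhost (localhost [127.0.0.1]) by bear.localdomain "
             "(Postfix) with ESMTP id 2222222222; Tue, 12 Apr 2011 12:23:00 +0100 (BST)")

GENUINE = make_message(AUTH_HOP)              # our MTA recorded the login itself
FORGED = make_message(PLAIN_HOP, AUTH_HOP)    # auth text arrived inside the message
VIA_LOCAL = make_message(LOCAL_HOP, AUTH_HOP) # handed over by a trusted local hop

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("via local", VIA_LOCAL)):
        print(name, trust_path(raw))
```

In the forged case the authentication text is never evaluated, because the header your own server wrote on top shows an unauthenticated client outside the trusted networks.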
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 12 15:36:33 2011
Subject: Authenticated senders
In-Reply-To: <4DA43ACC.4070600@pattinson.org>
References: <4DA43ACC.4070600@pattinson.org>
Message-ID:

on 4/12/2011 4:43 AM James Pattinson spake the following:
> Hi List!
>
> I am using MailScanner with Postfix and ClamAV to run a simple mail server for
> myself and my family.
>
> I use SMTP AUTH to enable mail to be sent from various places such as home
> ISPs and Mobile Internet providers and would ideally like to have
> authenticated mail skip right through the RBL checks.
>
> I know this has been discussed in the past and I did find a thread from
> someone who ended up writing custom perl scripts to do this.
>
> As this was a few years ago I'd like some advice as to how this is best done
> these days! I find it really hard to believe that this is not a really common
> usage scenario, surely RBL checks are completely irrelevant when SMTP auth is
> in use? I am even using port 587 and TLS to submit messages!
>
> Currently my workaround is to have my sending address configured in
> rules/spam.whitelist.rules but this is not ideal as I still get spammers
> faking my address.
>
> Would love to get some input on this :)
>
> Cheers
> James
>

Do you have your RBL's in your MTA or in MailScanner?
Because if they are in your MTA, it should skip RBL checks that get authenticated.

From J.Ede at birchenallhowden.co.uk Tue Apr 12 16:10:22 2011
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Apr 12 16:10:32 2011
Subject: Authenticated senders
In-Reply-To: <682896A0-3AF0-4975-A8A8-3808D52F6BF6@vidadigital.com.pa>
References: <4DA43ACC.4070600@pattinson.org> <4DA44024.9020307@pattinson.org> <682896A0-3AF0-4975-A8A8-3808D52F6BF6@vidadigital.com.pa>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: 12 April 2011 13:58
> To: MailScanner discussion
> Subject: Re: Authenticated senders
>
> It's not a kludge, it's more of a workaround.
>
> The problem is philosophical... MS is MTA-agnostic (or at least MTA-diverse)
> and, as such, doesn't directly understand when a user is or isn't
> authenticated.
>
> Using something else than SMTP auth still involves other workarounds.
>
> If having SA skip over authenticated e-mail is too ugly or inelegant for your
> taste, you might try:
>
> 1. Running a separate instance of postfix on another IP address or port,
> which would "skip" MS. You'd lose archiving, inline sigs, etc. - all the "non
> antispam/antivirus" goodies we're used to using MS.
> 2. Running a VPN daemon and whitelisting stuff that comes from your
> internal net. The disadvantage is that you have to be connected to the VPN
> for this to happen, and some places might not allow VPN traffic.
>

You could run a separate instance of postfix that only accepts authenticated on 587 with TLS and then passes the messages onto the main instance that has MS running on it... You should be able to do a SA rule to check for the received header from the 587 instance and authenticated header and assign score accordingly.

Jason

From glenn.steen at gmail.com Tue Apr 12 18:28:30 2011
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 12 18:30:16 2011 Subject: {Spam?} Re: Authenticated senders In-Reply-To: <4DA458EA.7050102@pattinson.org> References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0> <4DA44E22.3030600@pattinson.org> <4DA4500B.2080908@tradoc.fr> <4DA45203.1030204@pattinson.org> <4DA4569B.7000109@tradoc.fr> <4DA458EA.7050102@pattinson.org> Message-ID: The razor thing is because pf has a write-protected home dir. Search the list for the two most common fixes. ... Now back to choir practice ...:-) On 12 Apr 2011 15.56, "James Pattinson" wrote: Thanks, all seems OK now. I will see if I get much spam come in - I've had to disable razor2 in SA due to errors in my log but that's a little off topic for this list I guess. Apr 12 14:38:11 bear MailScanner[6794]: Virus and Content Scanning: Starting Apr 12 14:38:11 bear MailScanner[6794]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./razor-agent.log/Access denied. ERROR :: /var/spool/MailScanner/incoming/6794 Apr 12 14:38:11 bear MailScanner[6794]: Virus Scanning: Clamd found 1 infections Apr 12 14:38:11 bear MailScanner[6794]: Virus Scanning: Found 1 viruses Error goes away after disabling razor2 so if that's now me not doing RBL checks I will live with it for now and see what happens! Cheers James > > > That's the current recommended practice - using MailScanner to check RBLs is only advised in ... From alex at vidadigital.com.pa Tue Apr 12 21:20:28 2011
From: alex at vidadigital.com.pa (Alex Neuman) Date: Tue Apr 12 21:20:41 2011 Subject: Authenticated senders In-Reply-To: <2533008.165.1302618724738.JavaMail.markus@cronlabworkstation0> References: <2533008.165.1302618724738.JavaMail.markus@cronlabworkstation0> Message-ID: I guess I'll have to look for the info off-list. I don't see specifically where and how SA will tell apart a forged auth header from a real one. On Apr 12, 2011, at 9:32 AM, Markus Nilsson wrote: >> What steps does it take to avoid a forged authenticated header? > -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From glenn.steen at gmail.com Tue Apr 12 22:06:58 2011 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 12 22:07:08 2011 Subject: Authenticated senders In-Reply-To: References: <2533008.165.1302618724738.JavaMail.markus@cronlabworkstation0> Message-ID: Perhaps just trusting the last one added? ISTR something like that... Where's Matt Kettler when you need him...:-) Cheers! On 12 Apr 2011 22.27, "Alex Neuman" wrote: I guess I'll have to look for the info off-list. I don't see specifically where and how SA will tell apart a forged auth header from a real one. On Apr 12, 2011, at 9:32 AM, Markus Nilsson wrote: >> What steps does it take to avoid a forged au... From jplorier at montecarlotv.com.uy Tue Apr 12 22:30:36 2011
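The question left open in the "Authenticated senders" thread above, how a filter can tell a forged "Authenticated sender" header from a real one, comes down to which Received headers were written by your own servers. The sketch below is an added example, not code from MailScanner, SpamAssassin or any poster; it assumes Postfix-style Received headers with smtpd_sasl_authenticated_header = yes, and every host name, network and message in it is constructed.

```python
"""Tell a real "Authenticated sender" Received header from a forged one.

Simplified trust-boundary walk; not SpamAssassin's or MailScanner's code.
Assumes Postfix-style Received headers (smtpd_sasl_authenticated_header =
yes). All hosts, networks and messages below are constructed samples.
"""
import email
import ipaddress
import re

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
# Postfix records the real peer as "(rdns-name [ip])". The HELO string
# before it is chosen by the client, so it is never used for trust.
PEER_RE = re.compile(r"\(\S+\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")
AUTH_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)


def naive_is_authenticated(raw_message):
    """Weak check: believes the marker wherever it appears."""
    return "Authenticated sender:" in raw_message


def authenticated_sender(raw_message, own_hosts, own_networks):
    """Return the SASL login recorded by one of our own hops, else None."""
    hosts = {h.lower() for h in own_hosts}
    nets = [ipaddress.ip_network(n) for n in own_networks]
    msg = email.message_from_string(raw_message)

    # Each MTA prepends its header, so the list runs newest hop first.
    for received in msg.get_all("Received", []):
        by = BY_RE.search(received)
        if not by or by.group(1).lower() not in hosts:
            return None               # not one of our hops
        auth = AUTH_RE.search(received)
        if auth:
            return auth.group(1)      # our own MTA vouches for the login
        peer = PEER_RE.search(received)
        if not peer:
            return None
        try:
            peer_ip = ipaddress.ip_address(peer.group(1))
        except ValueError:
            return None
        if not any(peer_ip in net for net in nets):
            # An outside host connected here; every header below this
            # one was supplied by that host and proves nothing.
            return None
    return None


OWN_HOSTS = {"mail.example.net", "submit.example.net"}
OWN_NETS = ["127.0.0.0/8", "192.0.2.10/32"]   # addresses of our own relays

# Real submission: our MTA wrote the newest header and saw the login.
GENUINE = """\
Received: from [10.20.30.40] (unknown [203.0.113.7])
    (Authenticated sender: james)
    by mail.example.net (Postfix) with ESMTPSA id 4F2A91C0;
    Tue, 12 Apr 2011 14:38:11 +0100
From: james@example.net

hello
"""

# Forgery: an outside host delivers mail that already carries a copied
# "authenticated" header underneath the one our MTA really added.
FORGED = """\
Received: from mail.bulk.example (unknown [198.51.100.23])
    by mail.example.net (Postfix) with ESMTP id 7C1D02A9;
    Tue, 12 Apr 2011 15:02:44 +0100
Received: from [10.20.30.40] (unknown [203.0.113.7])
    (Authenticated sender: james)
    by mail.example.net (Postfix) with ESMTPSA id 4F2A91C0;
    Tue, 12 Apr 2011 14:38:11 +0100
From: james@example.net

buy now
"""

# Two-instance setup: a submission-only Postfix authenticates the user
# and hands the message to the main instance that runs the scanner.
RELAYED = """\
Received: from submit.example.net (submit.example.net [192.0.2.10])
    by mail.example.net (Postfix) with ESMTP id 9A0B3C11;
    Tue, 12 Apr 2011 14:38:12 +0100
Received: from [10.20.30.40] (unknown [203.0.113.7])
    (Authenticated sender: james)
    by submit.example.net (Postfix) with ESMTPSA id 4F2A91C0;
    Tue, 12 Apr 2011 14:38:11 +0100
From: james@example.net

hello
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("relayed", RELAYED)):
        print(name, naive_is_authenticated(raw),
              authenticated_sender(raw, OWN_HOSTS, OWN_NETS))
```
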
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier) Date: Tue Apr 12 22:31:42 2011 Subject: Problem with mail headers? In-Reply-To: <201104121443.p3CEfd4N031418@safir.blacknight.ie> References: <201104121443.p3CEfd4N031418@safir.blacknight.ie> Message-ID: <1302643836.9376.28.camel@jplorier.montecarlotv.com.uy> Hi there, Since yesterday I'm having problems with some mails, they show without body even when the body is there. If I reply to the mail, it adds the body as plain text just fine (most cases) and this happens in every client; outlook, evolution, thunderbird, etc. so this is happening between the mailscanner relay and the mail server. Is it possible that a mail can get truncated or does smtp check the mail to see if it was received as it should? Here are some headers of broken and fine mails: This is supposed to be a mail with some text and some image footers: X-montecarlotv-mailscanner-information: Please contact the ISP for more information X-montecarlotv-mailscanner-id: p3CE2jWT003955 X-montecarlotv-mailscanner: Found to be clean X-montecarlotv-mailscanner-from: prvs=1076bd8e21=javier.galli@wunderman.com X-spam-status: No Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: quoted-printable and the body shows: 64 Content-ID: Content-Description: image003.jpg Content-Location: image003.jpg THE IMAGE IN ASCII TEXT ------_=_NextPart_002_01CBF91A.46552F1C Content-Type: image/jpeg; name="image004.jpg" Content-Transfer-Encoding: base64 Content-ID: Content-Description: image004.jpg Content-Location: image004.jpg OTHER IMAGE AS TEXT ------_=_NextPart_002_01CBF91A.46552F1C Content-Type: image/jpeg; name="image005.jpg" Content-Transfer-Encoding: base64 Content-ID: Content-Description: image005.jpg Content-Location: image005.jpg AND SO ON This is another case where I could get the mail to be resent and so have the right and broken version: header of "corrupted mail" with partial size X-montecarlotv-mailscanner-information: Please
contact the ISP for more information X-montecarlotv-mailscanner-id: p3CJ076N004399 X-montecarlotv-mailscanner: Found to be clean X-montecarlotv-mailscanner-from: xxx@xxxx.com.uy X-spam-status: No Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: quoted-printable header of resend of the same mail: X-mailer: Microsoft Office Outlook 11 Thread-index: Acv5Q+cmvPqAxx9iRSOj/g5DNh5m6wAAqelw X-mimeole: Produced By Microsoft MimeOLE V6.00.2900.5579 X-montecarlotv-mailscanner-information: Please contact the ISP for more information X-montecarlotv-mailscanner-id: p3CJJc8o007158 X-montecarlotv-mailscanner: Found to be clean X-montecarlotv-mailscanner-from: xxx@xxxx.com.uy X-spam-status: No Mime-version: 1.0 Content-type: multipart/mixed; boundary="----=_NextPart_000_0064_01CBF92D.7C0DB9F0" Thanks in advance From ssilva at sgvwater.com Tue Apr 12 22:53:16 2011
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 12 22:53:58 2011 Subject: Problem with mail headers? In-Reply-To: <1302643836.9376.28.camel@jplorier.montecarlotv.com.uy> References: <201104121443.p3CEfd4N031418@safir.blacknight.ie> <1302643836.9376.28.camel@jplorier.montecarlotv.com.uy> Message-ID: on 4/12/2011 2:30 PM Juan Pablo Lorier spake the following: > Hi there, > > Since yesterday I'm having problems with some mails, they show without > body even when the body is there. > If I reply the mail, it adds the body as plain text just fine (most > cases) and this happens in every client; outlook, evolution, > thunderbird, etc. so this is happening between the mailscanner relay and > the mail server. > Is it possible that a mail can get truncated or does smtp check the mail > to see if it was received as it should? > > Here are some headers of broken and fine mails: > > This is supposed to be a mail with some text and some image footers: > > X-montecarlotv-mailscanner-information: Please contact the ISP for more > information > X-montecarlotv-mailscanner-id: p3CE2jWT003955 > X-montecarlotv-mailscanner: Found to be clean > X-montecarlotv-mailscanner-from: > prvs=1076bd8e21=javier.galli@wunderman.com > X-spam-status: No > Mime-version: 1.0 > Content-type: text/plain; charset="US-ASCII" > Content-transfer-encoding: quoted-printable > > and the body shows: > > 64 > Content-ID: > Content-Description: image003.jpg > Content-Location: image003.jpg > > THE IMAGE IN ASCII TEXT > > ------_=_NextPart_002_01CBF91A.46552F1C > Content-Type: image/jpeg; > name="image004.jpg" > Content-Transfer-Encoding: base64 > Content-ID: > Content-Description: image004.jpg > Content-Location: image004.jpg > > OTHER IMAGE AS TEXT > > ------_=_NextPart_002_01CBF91A.46552F1C > Content-Type: image/jpeg; > name="image005.jpg" > Content-Transfer-Encoding: base64 > Content-ID: > Content-Description: image005.jpg > Content-Location: image005.jpg > > AND SO ON > > > > This is other case where 
I could get the mail to be resend and so have > the right and broken version: > > header of "corrupted mail" with partial size > > X-montecarlotv-mailscanner-information: Please contact the ISP for more > information > X-montecarlotv-mailscanner-id: p3CJ076N004399 > X-montecarlotv-mailscanner: Found to be clean > X-montecarlotv-mailscanner-from: xxx@xxxx.com.uy > X-spam-status: No > Mime-version: 1.0 > Content-type: text/plain; charset="US-ASCII" > Content-transfer-encoding: quoted-printable > > > header of resend of the same mail: > > > X-mailer: Microsoft Office Outlook 11 > Thread-index: Acv5Q+cmvPqAxx9iRSOj/g5DNh5m6wAAqelw > X-mimeole: Produced By Microsoft MimeOLE V6.00.2900.5579 > X-montecarlotv-mailscanner-information: Please contact the ISP for more > information > X-montecarlotv-mailscanner-id: p3CJJc8o007158 > X-montecarlotv-mailscanner: Found to be clean > X-montecarlotv-mailscanner-from: xxx@xxxx.com.uy > X-spam-status: No > Mime-version: 1.0 > Content-type: multipart/mixed; > boundary="----=_NextPart_000_0064_01CBF92D.7C0DB9F0" > > > Thanks in advance First thing... Are all the bad messages encoded the same way? IE... quoted-printable vs base 64. Are there any other common things, like all sent from the same type of client? From chris at techquility.net Tue Apr 12 23:03:28 2011 
From: chris at techquility.net (Chris Barber) Date: Tue Apr 12 23:03:40 2011 Subject: Messages being delayed in the MailScanner hold queue In-Reply-To: References: <87977233ECC1CD4381FB63BE565D44790390FADC3E@SERVER.techquility.local> <87977233ECC1CD4381FB63BE565D44790390FADC42@SERVER.techquility.local> Message-ID: <87977233ECC1CD4381FB63BE565D447903A9CB231D@SERVER.techquility.local> Thanks Glenn, it was set to batch. I actually found the issue I think. Our inbound mail queue has been getting higher than the "Max Normal Queue Size =" config setting for a few hours during the day. I think this is why some messages were sitting in the hold queue and not being processed. I've increased this parameter and so far no more messages have been reported delayed. Thanks! Chris From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Wednesday, April 06, 2011 4:57 AM To: MailScanner discussion Subject: Re: RE: Messages being delayed in the MailScanner hold queue The processing mode of ms should be set to batch, not queue... Look in the conf file and you'll see. Cheers On 6 Apr 2011 00.29, "Chris Barber" wrote: We have adjusted the batch sizes some, is that what you are referring to when you say default batch processing? I don't think the system is overloaded, heavily used yes, but emails go through in seconds usually. I also saw a response from Michael Masse that said he upgraded to the newest MailScanner to resolve this. I will try this also. Thanks, Chris
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Tuesday, April 05, 2011 12:37 PM To: MailScanner discussion Subject: Re: Messages being delayed in the MailScanner hold queue True, this does sound like that kind of misconfig... Either that, or a seriously overloaded system,... From jplorier at montecarlotv.com.uy Thu Apr 14 13:49:13 2011
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier) Date: Thu Apr 14 13:49:51 2011 Subject: Problem with mail headers? In-Reply-To: <201104131102.p3DB0OHq019329@safir.blacknight.ie> References: <201104131102.p3DB0OHq019329@safir.blacknight.ie> Message-ID: <1302785353.9376.61.camel@jplorier.montecarlotv.com.uy> Hi Scott, thanks for your answer. I took some time to try and find some info. What I could find out is that the sender is mostly exchange v6.5 but I have some gmail and outlook 11 also. About the type, most of the mails seem to be multipart/mixed and then they get the header changed to text/plain or even when they stay like multipart/mixed, it is like some of the parts are missing in the body. I also found many log entries like this: Message p3D4LOIP025579 is too big for available disk space in /var/spool/MailScanner/incoming, skipping it : 316 Time(s) So I enlarged the tmpfs to try to fix the problem. I'm trying to get more info, I'll send it asap. Regards, From sachin.murudkar at netcore.co.in Thu Apr 14 17:21:12 2011
From: sachin.murudkar at netcore.co.in (sachin) Date: Thu Apr 14 17:20:46 2011 Subject: Mailscanner with clamd Message-ID: <4DA71EF8.9000400@netcore.co.in>

Hi All

I am trying to configure Mailscanner with clamd but it is giving me the below mentioned error and delivering the virus mail to users inbox without quarantining infected mails. I have mentioned my details below for your reference ... Please help me to resolve this.

clamd version - 0.97
MailScanner version - 4.70
clamav version - 0.97

Configuration:-

clamd.conf
LocalSocket = /tmp/clamd
Virus Scanners = clamd
Clamd Socket = /tmp/clamd

Mailscanner.conf
Virus Scanning = yes
Virus Scanners = clamd
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame HTML-Codebase All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
Quarantine Infections = yes
Quarantine Silent Viruses = yes
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = yes
Deliver Cleaned Messages = yes
Notify Senders = no
Notify Senders Of Viruses = no
Warning Is Attachment = yes
Send Notices = no
Incoming Work User = clamav
Incoming Work Group =
Incoming Work Permissions = 0640
Quarantine User =
Quarantine Group =
Quarantine Permissions = 0600

ERROR
Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /usr/local/spool/MailScanner/incoming/19529

Please help to resolve this issue ...

From lstewart at superb.net Thu Apr 14 17:31:29 2011
From: lstewart at superb.net (Landon Stewart) Date: Thu Apr 14 17:31:41 2011 Subject: Mailscanner with clamd In-Reply-To: <4DA71EF8.9000400@netcore.co.in> References: <4DA71EF8.9000400@netcore.co.in> Message-ID: Incoming Work Group = clamav Incoming Work Permissions = 0660 Also check the ownership and group ownership on /usr/local/spool/MailScanner/incoming and check the permissions it has already. Should be 660 so the clamav group can write to it. On Thu, Apr 14, 2011 at 9:21 AM, sachin wrote: > Hi All > > I am trying to configure Mailscanner with clamd but it is giving me the > below mentioned error and delivering the virus mail to users inbox without > quarantine infected mails. > > I have mentioed my details below for your reference ... Please help me to > resolve this. > > clamd version - 0.97 > MailScanner version - 4.70 > clamav version - 0.97 > > *Configuration:-* > clamd.conf > LocalSocket = /tmp/clamd > Virus Scanners = clamd > Clamd Socket = /tmp/clamd > > *Mailscanner.conf* > Virus Scanning = yes > Virus Scanners = clamd > Deliver Disinfected Files = no > Silent Viruses = HTML-IFrame HTML-Codebase All-Viruses > Still Deliver Silent Viruses = no > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ > Quarantine Infections = yes > Quarantine Silent Viruses = yes > Quarantine Modified Body = no > Quarantine Whole Message = yes > Quarantine Whole Messages As Queue Files = yes > Deliver Cleaned Messages = yes > Notify Senders = no > Notify Senders Of Viruses = no > Warning Is Attachment = yes > Send Notices = no > Incoming Work User = clamav > Incoming Work Group = > Incoming Work Permissions = 0640 > Quarantine User = > Quarantine Group = > Quarantine Permissions = 0600 > > *ERROR* > Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. > ERROR :: /usr/local/spool/MailScanner/incoming/19529 > > > Please help to resolve this issue ... 
-- Landon Stewart SuperbHosting.Net by Superb Internet Corp. Toll Free (US/Canada): 888-354-6128 x 4199 Direct: 206-438-5879 Web hosting and more "Ahead of the Rest": http://www.superbhosting.net From ecasarero at gmail.com Thu Apr 14 17:58:25 2011 From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Apr 14 17:58:54 2011 Subject: OT: Statistics of an MTA (backend) Message-ID: Hi, everybody. I am sorry for the OT, but I was wondering if someone can share some backend (MTA) statistics. I need to build a test server to store emails and give imap/pop3 (this is already working), but I need some "real-world" info about email flow to big email servers. I have this kind of questions for deployments of servers with more than 1000 users: - How many emails are received per day or per hour (busiest hours)? - Average Quota? Any other relevant data? This is just to get an idea; any comment will be appreciated. Thanks! From campbell at cnpapers.com Thu Apr 14 18:11:14 2011
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 14 18:11:36 2011 Subject: OT: Statistics of an MTA (backend) In-Reply-To: References: Message-ID: <4DA72AB2.2080506@cnpapers.com> VISPAN? steve On 4/14/2011 12:58 PM, Eduardo Casarero wrote: > Hi, everybody. i am sorry for the OT, but i was wondering if someone > can share some backend (MTA) statistics. I need to build a test server > to store emails and give imap/pop3 (this is already working), but i > need some "real-world" info about email flow to big email servers. > > I have this kind of questions for deployments of servers with more > than 1000 users: > > - How many emails are recieved per day or per hour (bussiest hours)? > - Average Quota? > > ?Any other relevant data? > > This is just to get an idea any comment will be appreciated. > > Thanks! From ecasarero at gmail.com Thu Apr 14 18:17:11 2011 
From: ecasarero at gmail.com (Eduardo Casarero) Date: Thu Apr 14 18:17:39 2011 Subject: OT: Statistics of an MTA (backend) In-Reply-To: <4DA72AB2.2080506@cnpapers.com> References: <4DA72AB2.2080506@cnpapers.com> Message-ID: I do have vispan, but i am more interested in the internal behaviour of the server. internet -> mta / mta -> internet is already covered. But i have little expertise on the storage side of the server. 2011/4/14 Steve Campbell > VISPAN? > > steve > > > On 4/14/2011 12:58 PM, Eduardo Casarero wrote: > >> Hi, everybody. i am sorry for the OT, but i was wondering if someone can >> share some backend (MTA) statistics. I need to build a test server to store >> emails and give imap/pop3 (this is already working), but i need some >> "real-world" info about email flow to big email servers. >> >> I have this kind of questions for deployments of servers with more than >> 1000 users: >> >> - How many emails are recieved per day or per hour (bussiest hours)? >> - Average Quota? >> >> ?Any other relevant data? >> >> This is just to get an idea any comment will be appreciated. >> >> Thanks! >> > From Neal at Morgan-Systems.com Thu Apr 14 18:19:50 2011 From: Neal at Morgan-Systems.com (Neal Morgan) Date: Thu Apr 14 18:20:36 2011 Subject: Statistics of an MTA (backend) In-Reply-To: References: Message-ID:
> From: Eduardo Casarero > Sent: Thursday, April 14, 2011 9:58 AM > To: MailScanner discussion > Subject: OT: Statistics of an MTA (backend) > > Hi, everybody. i am sorry for the OT, but i was wondering if someone can > share some backend (MTA) statistics. I need to build a test server to > store emails and give imap/pop3 (this is already working), but i need > some "real-world" info about email flow to big email servers. > > I have this kind of questions for deployments of servers with more than > 1000 users: > - How many emails are recieved per day or per hour (bussiest hours)? > - Average Quota? > >?Any other relevant data?? > > This is just to get an idea any comment will be appreciated. > > Thanks! You might want to look into whether the MTA includes examples of graphing statistics via MRTG. MTA's usually have counters for the information you seek, and often come with an example MRTG config. From sjohnson at edina.k12.mn.us Thu Apr 14 18:23:36 2011 From: sjohnson at edina.k12.mn.us (Johnson, SE) Date: Thu Apr 14 18:23:49 2011 Subject: New domains sending spam Message-ID: <89BF87FCFFEEB64A89903D6E9CD8E82C010F91@Exchange2010.ISD273.ORG> I've been seeing a lot of new domains pop up and immediately start sending spam. In our environment we will almost never get an email from someone on a brand new domain. Is there a way to not accept an email from a domain that is say less than 30 days old? Environment ->MailScanner, Spamassassin, Postfix Thanks! Scott From steve at fsl.com Thu Apr 14 18:24:14 2011 
From: steve at fsl.com (Stephen Swaney) Date: Thu Apr 14 18:24:26 2011 Subject: OT: Statistics of an MTA (backend) In-Reply-To: References: Message-ID: On Apr 14, 2011, at 12:58 PM, Eduardo Casarero wrote: > Hi, everybody. i am sorry for the OT, but i was wondering if someone can share some backend (MTA) statistics. I need to build a test server to store emails and give imap/pop3 (this is already working), but i need some "real-world" info about email flow to big email servers. > > I have this kind of questions for deployments of servers with more than 1000 users: > > - How many emails are recieved per day or per hour (bussiest hours)? > - Average Quota? > > Any other relevant data? > > This is just to get an idea any comment will be appreciated. > > Thanks!

Eduardo,

This is a little like asking "how much is a car?" but below are the numbers I use for a quick preliminary initial estimate for a site.

And my term "Emails" as used below refers to the number of messages that would need to be processed by MailScanner after an aggressive rejection policy using DNSBLs at the incoming MTA level.

Users                      1,000
Emails / User              30
Email / Day                30,000
Emails / Hour              1,250
Emails / Hour (Peak)       2,500
Emails / Hour (Off Peak)   625

And these can vary a LOT depending on the site. But I believe they make a reasonable starting point.

Steve -- Steve Swaney steve@fsl.com 202 595-7760 ext: 601 www.fsl.com The most accurate and cost effective anti-spam solutions available

From nsnidanko at harperpowerproducts.com Thu Apr 14 18:38:30 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko) Date: Thu Apr 14 18:38:44 2011 Subject: OT: Statistics of an MTA (backend) References: <4DA72AB2.2080506@cnpapers.com> Message-ID: <2997C7D96F7B4549A25EBC40A9F1BF2D09479E@tor_nt01.harperdda.com> Hi Eduardo, I am not sure what platform you are looking for. But to start I would advise you to check out the following Exchange calculator: http://blogs.technet.com/b/exchange/archive/2007/01/15/3397742.aspx I know it might not apply to other platforms, but it will give you an idea of what questions you should be asking. For example something like average mailbox size, user's behavior, retention periods, concurrent connections, predicted growth rate, required availability should answer as of what vCPU, RAM and storage capacities you will require. As for busiest time of the day I find our server takes heaviest beating on Monday morning to mid-day. But again it goes back on the nature of the business your organization provides. For example even though we are 24/7 email dies down during night due to the needs and number of staff. Hope it helps, Naz Snidanko Desktop & Network Support Harper Power Products Inc. (p) 416 201- 7506 nsnidanko@harperpowerproducts.com
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Eduardo Casarero Sent: April 14, 2011 1:17 PM To: MailScanner discussion Subject: Re: OT: Statistics of an MTA (backend) I do have vispan, but i am more interested in the internal behaviour of the server. internet -> mta / mta -> internet is already covered. But i have little expertise on the storage side of the server. 2011/4/14 Steve Campbell VISPAN? steve On 4/14/2011 12:58 PM, Eduardo Casarero wrote: Hi, everybody. i am sorry for the OT, but i was wondering if someone can share some backend (MTA) statistics. I need to build a test server to store emails and give imap/pop3 (this is already working), but i need some "real-world" info about email flow to big email servers. I have this kind of questions for deployments of servers with more than 1000 users: - How many emails are recieved per day or per hour (bussiest hours)? - Average Quota? Any other relevant data? This is just to get an idea any comment will be appreciated. Thanks! From campbell at cnpapers.com Thu Apr 14 18:48:42 2011
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Apr 14 18:48:54 2011 Subject: OT: Statistics of an MTA (backend) In-Reply-To: References: <4DA72AB2.2080506@cnpapers.com> Message-ID: <4DA7337A.1040705@cnpapers.com> Not sure exactly what you are looking for then, but there used to be a thing called MailScanner-MRTG that shows things like copies of MS, number of messages in quarantine, space used in the filesystem, and a few other things that are plotted by MRTG for you. It's kind of old, but I've got it running on my machines. steve On 4/14/2011 1:17 PM, Eduardo Casarero wrote: > I do have vispan, but i am more interested in the internal behaviour > of the server. internet -> mta / mta -> internet is already covered. > But i have little expertise on the storage side of the server. > > 2011/4/14 Steve Campbell > > > VISPAN? > > steve > > > On 4/14/2011 12:58 PM, Eduardo Casarero wrote: > > Hi, everybody. i am sorry for the OT, but i was wondering if > someone can share some backend (MTA) statistics. I need to > build a test server to store emails and give imap/pop3 (this > is already working), but i need some "real-world" info about > email flow to big email servers. > > I have this kind of questions for deployments of servers with > more than 1000 users: > > - How many emails are recieved per day or per hour (bussiest > hours)? > - Average Quota? > > Any other relevant data? > > This is just to get an idea any comment will be appreciated. > > Thanks! From chris at techquility.net Thu Apr 14 18:56:36 2011
From: chris at techquility.net (Chris Barber) Date: Thu Apr 14 18:56:54 2011 Subject: New domains sending spam In-Reply-To: <89BF87FCFFEEB64A89903D6E9CD8E82C010F91@Exchange2010.ISD273.ORG> References: <89BF87FCFFEEB64A89903D6E9CD8E82C010F91@Exchange2010.ISD273.ORG> Message-ID: <87977233ECC1CD4381FB63BE565D447903B12E34DD@SERVER.techquility.local> I believe there is a spamassassin ruleset that detects this kind of thing. It's called day old bread. I think it's in any modern version of spamassassin already, but you can increase the score of this rule in order to make sure you block messages matching it: http://wiki.apache.org/spamassassin/Rules/DNS_FROM_DOB -Chris >I've been seeing a lot of new domains pop up and immediately start sending spam. > >In our environment we will almost never get an email from someone on a brand new domain. > >Is there a way to not accept an email from a domain that is say less than 30 days old? > >Environment ->MailScanner, Spamassassin, Postfix > >Thanks! > Scott From ecasarero at gmail.com Thu Apr 14 19:59:13 2011 
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Thu Apr 14 19:59:42 2011
Subject: OT: Statistics of an MTA (backend)
In-Reply-To:
References:
Message-ID:

2011/4/14 Stephen Swaney

> On Apr 14, 2011, at 12:58 PM, Eduardo Casarero wrote:
>
> > Hi, everybody. I am sorry for the OT, but I was wondering if someone can share some backend (MTA) statistics. I need to build a test server to store emails and give imap/pop3 (this is already working), but I need some "real-world" info about email flow to big email servers.
> >
> > I have this kind of questions for deployments of servers with more than 1000 users:
> >
> > - How many emails are received per day or per hour (busiest hours)?
> > - Average Quota?
> >
> > Any other relevant data?
> >
> > This is just to get an idea; any comment will be appreciated.
> >
> > Thanks!
>
> Eduardo,
>
> This is a little like asking "how much is a car?" but below are the numbers I use for a quick preliminary initial estimate for a site.
>
> And my term "Emails" as used below refers to the number of messages that would need to be processed by MailScanner after an aggressive rejection policy using DNSBLs at the incoming MTA level.
>
> Users                        1,000
> Emails / User                   30
> Email / Day                 30,000
> Emails / Hour                1,250
> Emails / Hour (Peak)         2,500
> Emails / Hour (Off Peak)       625
>
> And these can vary a LOT depending on the site. But I believe they make a reasonable starting point.
>
> Steve
> --
> Steve Swaney
> steve@fsl.com
> 202 595-7760 ext: 601
> www.fsl.com
> The most accurate and cost effective anti-spam solutions available

Thanks Steve, this was exactly the thing I was asking for. I know that this changes a lot depending on the business or the type of customer, but it is a really good starting point.

From prinbra at gmail.com Fri Apr 15 05:53:43 2011
From: prinbra at gmail.com (Curu Wong) Date: Fri Apr 15 05:53:53 2011 Subject: weird mailscanner clamd error In-Reply-To: References: <201101051200.p05C0MhO008128@safir.blacknight.ie> <9453A32CAC9FFB4D8F59285E34B6A5062F6F@hotc_exch.harperotc.com> <7CA580B59C1ABD45B4614ED90D4C7B85113DFF@HC-EXMBX02.herefordshire.gov.uk> <9453A32CAC9FFB4D8F59285E34B6A5062F73@hotc_exch.harperotc.com> Message-ID: I have installed Mailscanner v4.83.4 this days. and find the following lines in change log: --------------------------------------------------------------------------------------------------- 4 Fixed permissions of ClamAV temp files to use workperms instead of 0600. Thanks to Rick Cooper for this fix! ------------------------------------------------------- However, my test shows that this has not been fixed as it should. I have pointed out that in my previous mail, the argument of unixFileAttributes() should be octal number, which I have verified. So, the correct patch should be: mailscanner_zip_permission.patch =================================================================== --- MailScanner/Message.pm 2010-09-06 19:10:28.000000000 +0800 +++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800 
@@ -3346,7 +3346,12 @@ next if $onlycheckencryption; # Untaint member's attributes. - $member->unixFileAttributes(0600); + #$member->unixFileAttributes(0600); + my $workperms = MailScanner::Config::Value('workperms') || '0600'; + #Make it octal with a leading zero if necessary + $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/; + $workperms = oct($workperms); # and back to decimal for chmod + $member->unixFileAttributes($workperms); $name = $member->fileName(); # Trim off any leading directory path ==================================================================== For anynone who use ms v4.83.4, please apply this patch: mailscanner4.83.4_zip_permission.patch =================================================================== --- Message.pm.bak 2011-04-15 12:27:29.089987794 +0800 +++ Message.pm 2011-04-15 12:27:42.910018604 +0800 
@@ -3350,6 +3350,9 @@ # Untaint member's attributes. # Fix to use workperms in preference by Rick Cooper rcooper@dwford.com my $workperms = MailScanner::Config::Value('workperms') || '0600'; + #Make it octal with a leading zero if necessary + $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/; + $workperms = oct($workperms); # and back to decimal for chmod $member->unixFileAttributes($workperms); $name = $member->fileName(); ==================================================================== 2011/1/7 Rick Cooper > > > ------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Curu Wong > *Sent:* Thursday, January 06, 2011 10:15 PM > > *To:* MailScanner discussion > *Subject:* Re: weird mailscanner clamd error > > Thank you Rick, the code you provided works. but I think the argument of > unixFileAttributes() should be octal number, instead of string. so I > modified the code a little. > This finally works for my MailScanner version 4.81.4-1. > [Rick Cooper] > > I just looked at the Archive::Zip documentation and it appears it that > should have worked as is. The documentation states: > unixFileAttributes( [$newAttributes] ) > > In any event that might explain the issues on other systems and hopefully > Julian will make the changes for the next release. 
The person to thank is > you, you are the one who caught the unexplained permission change on the > extracted files, I just looked at the code that performs the action and > unixFileAttributes(600) kind of stuck out like a sore thumb > > Rick > > after apply this patch, the permission is OK: > > Send an email with zip attachment > ============================== > =============================== > /var/spool/MailScanner/incoming/18174/8E435803B9.AB3BB: > total 3376 > -rw-r----- 1 postfix www-data 4 2011-01-07 10:49 nmsg-18174-1.txt > -rw-r----- 1 postfix www-data 1665916 2011-01-07 10:49 ntest.zip > -rw-r----- 1 postfix www-data 238 2010-10-15 18:58 zall-wcprops > -rw-r----- 1 postfix www-data 23100 2010-10-15 18:58 zbeyond3g.jpg > -rw-r----- 1 postfix www-data 26180 2010-10-15 18:58 zchi_button-02.jpg > -rw-r----- 1 postfix www-data 2472 2010-10-15 23:33 > zchi_button-reset.jpg > -rw-r----- 1 postfix www-data 2478 2010-10-15 23:33 > zchi_button-submit.jpg > -rw-r----- 1 postfix www-data 6042 2010-10-18 15:34 zchi_edm.html > -rw-r----- 1 postfix www-data 4345 2010-10-18 15:35 zchi_web.html > -rw-r----- 1 postfix www-data 890 2010-10-15 18:58 zcw.jpeg > ============================================================== > and there's no error message in maillog any more. > > mailscanner_zip_permission.patch > =================================================================== > --- MailScanner/Message.pm 2010-09-06 19:10:28.000000000 +0800 > +++ ms/Message.pm 2011-01-07 10:41:19.107764413 +0800 
> @@ -3346,7 +3346,12 @@ > next if $onlycheckencryption; > > # Untaint member's attributes. > - $member->unixFileAttributes(0600); > + #$member->unixFileAttributes(0600); > + my $workperms = MailScanner::Config::Value('workperms') || '0600'; > + #Make it octal with a leading zero if necessary > + $workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/; > + $workperms = oct($workperms); # and back to decimal for chmod > + $member->unixFileAttributes($workperms); > > $name = $member->fileName(); > # Trim off any leading directory path > ==================================================================== > > 2011/1/7 Rick Cooper > >> Naz Snidanko wrote: >> > I just checked: >> > >> > /opt/MailScanner-4.82.3-1/lib/MailScanner/MessageBatch.pm >> > >> > I am using 4.82.3-1 and this modification is there. It does not solve >> > the problem. I haven't tried running clamd under root since it would >> > violate our security principles. >> > >> > Are you guys sure it is not a problem with clamd itself? Clamav >> > doesn't get this error. >> >> Actually the more I looked at this, I believe the code in Message.pm >> beginning at line 3348 that reads >> >> # Untaint member's attributes. >> $member->unixFileAttributes(0600); >> >> Should be >> >> # Untaint member's attributes. >> my $workperms = MailScanner::Config::Value('workperms') || '0600'; >> $member->unixFileAttributes($workperms); >> For some reason it appears Julian forced the extracted files to 0600 in >> the >> original code. The change I have listed above would set them to what ever >> the mailscanner config has for the work permissions or 600 if no value >> exists. >> >> Julian any comment? >> >> >> Rick >> >> > >> > Regards, >> > >> > Naz Snidanko >> > Desktop & Network Support >> > Harper Power Products Inc. >> > (p) 416 201- 7506 >> > nsnidanko@harperpowerproducts.com >> > >> > -----Original Message----- 
>> > From: mailscanner-bounces@lists.mailscanner.info >> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> > Iulian L Dragomir >> > Sent: January 6, 2011 6:05 AM >> > To: MailScanner discussion >> > Subject: Re: weird mailscanner clamd error >> > >> > On Thu, Jan 6, 2011 at 12:24 PM, Randal, Phil >> > wrote: >> >> The only workaround I've found is to run clamd as root. >> >> >> >> >> >> >> >> I've seen the same issue with MailScanner / sendmail on CentOS. >> > >> > If it is the same problem then try this: >> > >> > >> http://lists.mailscanner.info/pipermail/mailscanner/2010-April/095611.ht >> > ml >> > -- >> > MailScanner mailing list >> > mailscanner@lists.mailscanner.info >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner >> > >> > Before posting, read http://wiki.mailscanner.info/posting >> > >> > Support MailScanner development - buy the book off the website! >> > -- >> > MailScanner mailing list >> > mailscanner@lists.mailscanner.info >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner >> > >> > Before posting, read http://wiki.mailscanner.info/posting >> > >> > Support MailScanner development - buy the book off the website! >> >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. > > -- > This message has been scanned for viruses and > dangerous content by *MailScanner* , and is > believed to be clean. 
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110415/5a1b28df/attachment.html From sachin.murudkar at netcore.co.in Fri Apr 15 10:15:47 2011 
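Review bot: in the first Message.pm hunk of the "weird mailscanner clamd error" patch above (`@@ -3346,7 +3346,12 @@`), the line `$workperms = sprintf "0%lo", $workperms unless $workperms =~ /^0/;` treats a value without a leading zero as a decimal integer, so a workperms setting typed as `660` becomes the string `01224` and `oct()` then hands mode 01224 to `unixFileAttributes()`, not 0660. If `MailScanner::Config::Value('workperms')` returns the digits as typed, a plain `oct($workperms)` covers both spellings, because `oct` reads a bare digit string as octal; if it returns an already converted integer, the sprintf round trip is needed, and a comment stating which form the config layer returns would settle it. The commented-out `#$member->unixFileAttributes(0600);` can be deleted rather than kept as dead code.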
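Review bot: in the 4.83.4 hunk of the patch above (`@@ -3350,6 +3350,9 @@`), the result of `oct($workperms)` is passed to `$member->unixFileAttributes($workperms)` without checking that the configured string is a valid mode. `oct` stops at the first non-octal digit and only warns, so a mistyped value can end up as mode 0 or as an unexpected mode on files extracted from an untrusted archive, and bits above the permission bits pass through unchanged. Suggest validating the string first (for example against `/^0?[0-7]{3,4}$/`), falling back to the existing `'0600'` default when it does not match, and masking the result with `& 0777` before the call.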
From: sachin.murudkar at netcore.co.in (sachin)
Date: Fri Apr 15 10:17:16 2011
Subject: Mailscanner with clamd
In-Reply-To:
References: <4DA71EF8.9000400@netcore.co.in>
Message-ID: <4DA80CC3.1080003@netcore.co.in>

Hi Landon

Thanks for the reply ... I did the changes according to you, but then I am getting the below-mentioned error after that. Can you please let me know why this error is coming now?

MailScanner E-Mail Virus Scanner version 4.70.7 starting...
Apr 15 14:32:59 clamav MailScanner[17703]: SpamAssassin temporary working directory is /tmp
Apr 15 14:32:59 clamav MailScanner[17703]: Your "Incoming Work Directory" should be specified as an absolute path, not including any links. But I will work okay anyway.
Apr 15 14:32:59 clamav MailScanner[17703]: Cannot create temporary Work Dir /17703. Are the permissions and ownership of correct?

I have specified the path as mentioned below in MailScanner.conf

Incoming Work Dir = /usr/local/spool/MailScanner/incoming

Regards
Sachin

On 04/14/11 22:01, Landon Stewart wrote:
> Incoming Work Group = clamav
> Incoming Work Permissions = 0660
>
> Also check the ownership and group ownership on /usr/local/spool/MailScanner/incoming and check the permissions it has already. Should be 660 so the clamav group can write to it.
>
> On Thu, Apr 14, 2011 at 9:21 AM, sachin wrote:
>
> > Hi All
> >
> > I am trying to configure Mailscanner with clamd but it is giving me the below mentioned error and delivering the virus mail to users inbox without quarantine infected mails.
> >
> > I have mentioned my details below for your reference ... Please help me to resolve this.
> >
> > clamd version - 0.97
> > MailScanner version - 4.70
> > clamav version - 0.97
> >
> > *_Configuration_:-*
> > clamd.conf
> > LocalSocket = /tmp/clamd
> > Virus Scanners = clamd
> > Clamd Socket = /tmp/clamd
> >
> > *_Mailscanner.conf_*
> > Virus Scanning = yes
> > Virus Scanners = clamd
> > Deliver Disinfected Files = no
> > Silent Viruses = HTML-IFrame HTML-Codebase All-Viruses
> > Still Deliver Silent Viruses = no
> > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
> > Quarantine Infections = yes
> > Quarantine Silent Viruses = yes
> > Quarantine Modified Body = no
> > Quarantine Whole Message = yes
> > Quarantine Whole Messages As Queue Files = yes
> > Deliver Cleaned Messages = yes
> > Notify Senders = no
> > Notify Senders Of Viruses = no
> > Warning Is Attachment = yes
> > Send Notices = no
> > Incoming Work User = clamav
> > Incoming Work Group =
> > Incoming Work Permissions = 0640
> > Quarantine User =
> > Quarantine Group =
> > Quarantine Permissions = 0600
> >
> > _*ERROR*_
> > Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /usr/local/spool/MailScanner/incoming/19529
> >
> > Please help to resolve this issue ...
>
> --
> Landon Stewart
> SuperbHosting.Net by Superb Internet Corp.
> Toll Free (US/Canada): 888-354-6128 x 4199
> Direct: 206-438-5879
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

From maxsec at gmail.com Fri Apr 15 10:48:51 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Apr 15 10:49:00 2011
Subject: Mailscanner with clamd
In-Reply-To: <4DA80CC3.1080003@netcore.co.in>
References: <4DA71EF8.9000400@netcore.co.in> <4DA80CC3.1080003@netcore.co.in>
Message-ID:

Check that user 'clamav' can indeed write into this space.

Also check that the dir doesn't go down any symbolic links as the warning message suggests, and if so put in the real path to the work dir.

--
Martin Hepworth
Oxford, UK

On 15 April 2011 10:15, sachin wrote:

> Hi Landon
>
> Thanks for the reply ... I did the changes according to you, but then I am getting the below-mentioned error after that. Can you please let me know why this error is coming now?
>
> MailScanner E-Mail Virus Scanner version 4.70.7 starting...
> Apr 15 14:32:59 clamav MailScanner[17703]: SpamAssassin temporary working directory is /tmp
> Apr 15 14:32:59 clamav MailScanner[17703]: Your "Incoming Work Directory" should be specified as an absolute path, not including any links. But I will work okay anyway.
> Apr 15 14:32:59 clamav MailScanner[17703]: Cannot create temporary Work Dir /17703. Are the permissions and ownership of correct?
>
> I have specified the path as mentioned below in MailScanner.conf
>
> Incoming Work Dir = /usr/local/spool/MailScanner/incoming
>
> Regards
> Sachin
>
> On 04/14/11 22:01, Landon Stewart wrote:
>
> > Incoming Work Group = clamav
> > Incoming Work Permissions = 0660
> >
> > Also check the ownership and group ownership on /usr/local/spool/MailScanner/incoming and check the permissions it has already. Should be 660 so the clamav group can write to it.
> >
> > On Thu, Apr 14, 2011 at 9:21 AM, sachin wrote:
> >
> > > Hi All
> > >
> > > I am trying to configure Mailscanner with clamd but it is giving me the below mentioned error and delivering the virus mail to users inbox without quarantine infected mails.
> > >
> > > I have mentioned my details below for your reference ... Please help me to resolve this.
> > >
> > > clamd version - 0.97
> > > MailScanner version - 4.70
> > > clamav version - 0.97
> > >
> > > *Configuration:-*
> > > clamd.conf
> > > LocalSocket = /tmp/clamd
> > > Virus Scanners = clamd
> > > Clamd Socket = /tmp/clamd
> > >
> > > *Mailscanner.conf*
> > > Virus Scanning = yes
> > > Virus Scanners = clamd
> > > Deliver Disinfected Files = no
> > > Silent Viruses = HTML-IFrame HTML-Codebase All-Viruses
> > > Still Deliver Silent Viruses = no
> > > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
> > > Quarantine Infections = yes
> > > Quarantine Silent Viruses = yes
> > > Quarantine Modified Body = no
> > > Quarantine Whole Message = yes
> > > Quarantine Whole Messages As Queue Files = yes
> > > Deliver Cleaned Messages = yes
> > > Notify Senders = no
> > > Notify Senders Of Viruses = no
> > > Warning Is Attachment = yes
> > > Send Notices = no
> > > Incoming Work User = clamav
> > > Incoming Work Group =
> > > Incoming Work Permissions = 0640
> > > Quarantine User =
> > > Quarantine Group =
> > > Quarantine Permissions = 0600
> > >
> > > *ERROR*
> > > Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /usr/local/spool/MailScanner/incoming/19529
> > >
> > > Please help to resolve this issue ...
> >
> > --
> > Landon Stewart
> > SuperbHosting.Net by Superb Internet Corp.
> > Toll Free (US/Canada): 888-354-6128 x 4199
> > Direct: 206-438-5879
> > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

From sachin.murudkar at netcore.co.in Fri Apr 15 11:56:19 2011
From: sachin.murudkar at netcore.co.in (sachin)
Date: Fri Apr 15 11:57:13 2011
Subject: Mailscanner with clamd
In-Reply-To:
References: <4DA71EF8.9000400@netcore.co.in> <4DA80CC3.1080003@netcore.co.in>
Message-ID: <4DA82453.5080504@netcore.co.in>

Hi Martin

The mentioned path below is the same for the incoming work directory. It's not a symbolic link, and permissions are set as per what Landon said, 660 ???

Regards
Sachin

On 04/15/11 15:18, Martin Hepworth wrote:
> Check that user 'clamav' can indeed write into this space.
>
> Also check that the dir doesn't go down any symbolic links as the warning message suggests, and if so put in the real path to the work dir.
>
> --
> Martin Hepworth
> Oxford, UK
>
> On 15 April 2011 10:15, sachin wrote:
>
> > Hi Landon
> >
> > Thanks for the reply ... I did the changes according to you, but then I am getting the below-mentioned error after that. Can you please let me know why this error is coming now?
> >
> > MailScanner E-Mail Virus Scanner version 4.70.7 starting...
> > Apr 15 14:32:59 clamav MailScanner[17703]: SpamAssassin temporary working directory is /tmp
> > Apr 15 14:32:59 clamav MailScanner[17703]: Your "Incoming Work Directory" should be specified as an absolute path, not including any links. But I will work okay anyway.
> > Apr 15 14:32:59 clamav MailScanner[17703]: Cannot create temporary Work Dir /17703. Are the permissions and ownership of correct?
> >
> > I have specified the path as mentioned below in MailScanner.conf
> >
> > Incoming Work Dir = /usr/local/spool/MailScanner/incoming
> >
> > Regards
> > Sachin
> >
> > On 04/14/11 22:01, Landon Stewart wrote:
> > > Incoming Work Group = clamav
> > > Incoming Work Permissions = 0660
> > >
> > > Also check the ownership and group ownership on /usr/local/spool/MailScanner/incoming and check the permissions it has already. Should be 660 so the clamav group can write to it.
> > >
> > > On Thu, Apr 14, 2011 at 9:21 AM, sachin wrote:
> > >
> > > > Hi All
> > > >
> > > > I am trying to configure Mailscanner with clamd but it is giving me the below mentioned error and delivering the virus mail to users inbox without quarantine infected mails.
> > > >
> > > > I have mentioned my details below for your reference ... Please help me to resolve this.
> > > >
> > > > clamd version - 0.97
> > > > MailScanner version - 4.70
> > > > clamav version - 0.97
> > > >
> > > > *_Configuration_:-*
> > > > clamd.conf
> > > > LocalSocket = /tmp/clamd
> > > > Virus Scanners = clamd
> > > > Clamd Socket = /tmp/clamd
> > > >
> > > > *_Mailscanner.conf_*
> > > > Virus Scanning = yes
> > > > Virus Scanners = clamd
> > > > Deliver Disinfected Files = no
> > > > Silent Viruses = HTML-IFrame HTML-Codebase All-Viruses
> > > > Still Deliver Silent Viruses = no
> > > > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/
> > > > Quarantine Infections = yes
> > > > Quarantine Silent Viruses = yes
> > > > Quarantine Modified Body = no
> > > > Quarantine Whole Message = yes
> > > > Quarantine Whole Messages As Queue Files = yes
> > > > Deliver Cleaned Messages = yes
> > > > Notify Senders = no
> > > > Notify Senders Of Viruses = no
> > > > Warning Is Attachment = yes
> > > > Send Notices = no
> > > > Incoming Work User = clamav
> > > > Incoming Work Group =
> > > > Incoming Work Permissions = 0640
> > > > Quarantine User =
> > > > Quarantine Group =
> > > > Quarantine Permissions = 0600
> > > >
> > > > _*ERROR*_
> > > > Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /usr/local/spool/MailScanner/incoming/19529
> > > >
> > > > Please help to resolve this issue ...
> > >
> > > --
> > > Landon Stewart
> > > SuperbHosting.Net by Superb Internet Corp.
> > > Toll Free (US/Canada): 888-354-6128 x 4199
> > > Direct: 206-438-5879
> > > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

From ewallis at gdrs.com Fri Apr 15 13:18:57 2011
From: ewallis at gdrs.com (ewallis@gdrs.com)
Date: Fri Apr 15 13:19:15 2011
Subject: New domains sending spam
In-Reply-To: <89BF87FCFFEEB64A89903D6E9CD8E82C010F91@Exchange2010.ISD273.ORG>
References: <89BF87FCFFEEB64A89903D6E9CD8E82C010F91@Exchange2010.ISD273.ORG>
Message-ID: <875CC519687C2E49B68B21A091C7B751066AC5D6@gdrs-exchange.gdrs.com>

You could try adjusting SA's scoring for Day Old Bread

Eric

-----Original Message-----
From: Johnson, SE [mailto:sjohnson@edina.k12.mn.us]
Sent: Thursday, April 14, 2011 1:24 PM
To: 'mailscanner@lists.mailscanner.info'
Subject: New domains sending spam

I've been seeing a lot of new domains pop up and immediately start sending spam.

In our environment we will almost never get an email from someone on a brand new domain.

Is there a way to not accept an email from a domain that is say less than 30 days old?

Environment -> MailScanner, Spamassassin, Postfix

Thanks!
Scott

-------------------------------------------------------
This is an e-mail from General Dynamics Robotic Systems. It is for the intended recipient only and may contain confidential and privileged information. No one else may read, print, store, copy, forward or act in reliance on it or its attachments. If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.

From sjohnson at edina.k12.mn.us Fri Apr 15 14:43:20 2011
From: sjohnson at edina.k12.mn.us (Johnson, SE)
Date: Fri Apr 15 14:43:32 2011
Subject: New domains sending spam
In-Reply-To: <87977233ECC1CD4381FB63BE565D447903B12E34DD@SERVER.techquility.local>
Message-ID: <89BF87FCFFEEB64A89903D6E9CD8E82C0111B1@Exchange2010.ISD273.ORG>

It looks like day old bread is for 5 days. Many of these sites I'm seeing now are 14-21 days old, and when I google them it looks like there are numerous sites being registered by the same person at the same time. Perhaps they are holding onto them now for a couple of weeks before using them? Any way to go higher on the date than 5 days?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Barber
Sent: Thursday, April 14, 2011 12:57 PM
To: MailScanner discussion
Subject: RE: New domains sending spam

I believe there is a spamassassin ruleset that detects this kind of thing. It's called day old bread. I think it's in any modern version of spamassassin already, but you can increase the score of this rule in order to make sure you block messages matching it: http://wiki.apache.org/spamassassin/Rules/DNS_FROM_DOB

-Chris

> I've been seeing a lot of new domains pop up and immediately start sending spam.
>
> In our environment we will almost never get an email from someone on a brand new domain.
>
> Is there a way to not accept an email from a domain that is say less than 30 days old?
>
> Environment -> MailScanner, Spamassassin, Postfix
>
> Thanks!
> Scott

From jplorier at montecarlotv.com.uy Fri Apr 15 15:48:28 2011
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Fri Apr 15 15:49:06 2011
Subject: Problem with mail headers?
In-Reply-To: <201104150931.p3F9T6Hn030366@safir.blacknight.ie>
References: <201104150931.p3F9T6Hn030366@safir.blacknight.ie>
Message-ID: <1302878908.3603.70.camel@jplorier.montecarlotv.com.uy>

Hi people,

It seems to be fixed. It was the incoming folder running out of space (or at least after enlarging the tmpfs for incoming, everything worked just fine till today, cross my fingers :-) )

JULIAN: Could it be MailScanner breaking the mails when trying to put them into the incoming dir and not being able to do it? When MailScanner says "is too big for available disk space in /var/spool/MailScanner/incoming, skipping it", does it actually skip it and then deliver, skip it and keep it in the sendmail queue for a later retry, or bounce it?

Regards,

--
All information contained in this email is confidential and intended solely for its recipient. We would appreciate it if you notified us immediately if you have received this email in error. In that case, please refrain from using it in any way and delete it from your system immediately.

From ssilva at sgvwater.com Fri Apr 15 19:37:39 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 15 19:38:22 2011
Subject: Problem with mail headers?
In-Reply-To: <1302785353.9376.61.camel@jplorier.montecarlotv.com.uy>
References: <201104131102.p3DB0OHq019329@safir.blacknight.ie> <1302785353.9376.61.camel@jplorier.montecarlotv.com.uy>
Message-ID:

on 4/14/2011 5:49 AM Juan Pablo Lorier spake the following:
> Hi Scott,
>
> Thanks for your answer. I took some time to try and find some info.
> What I could find out is that the sender is mostly exchange v6.5 but I have some gmail and outlook 11 also. About the type, most of the mails seem to be multipart/mixed and then they get the header changed to text/plain, or even when they stay like multipart/mixed, it is like some of the parts are missing in the body.
> I also found many log entries like this: Message p3D4LOIP025579 is too big for available disk space in /var/spool/MailScanner/incoming, skipping it : 316 Time(s)
> So I enlarged the tmpfs to try to fix the problem.
> I'm trying to get more info, I'll send it asap.
> Regards,
>
> //

That looks like your temporary workspace is too small... Do you have enough space there?

From donald.dawson at bakerbotts.com Fri Apr 15 21:40:41 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Fri Apr 15 21:40:54 2011
Subject: Issue with sender's 'From' address where display name is not quoted
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>

We have received email from a reputable list serve that has the following format of 'From' address in the unmodified email header:

H??From: Patrick A. Guida, Duffy & Sweeney, LTD

The internally delivered email has the following 'From' header:

From: Patrick.A.Guida@bakerbotts.com, Duffy.&.Sweeney@bakerbotts.com, LTD

It appears they are not RFC-Compliant on the 'From' address since they did not have quotes around their display name. I have tested re-sending the email with the quotes around the 'display name' and the delivered email shows the correct display name:

Patrick A. Guida, Duffy & Sweeney, LTD [ali-aba@ali-aba.org]

Versus the same email without the quotes around the display name:

Patrick.A.Guida@bakerbotts.com

Do I need to go back to the list serve to get them to correct the format of their 'From' email header, or is there an option in MailScanner that should assume text before the is a display name?

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

From mejaz at cyberia.net.sa Sat Apr 16 10:50:06 2011
From: mejaz at cyberia.net.sa (Ejaz)
Date: Sat Apr 16 10:53:05 2011
Subject: mailscanner-disarmed
Message-ID: <221EFFB3A7E64AC79EE618B18102DCAB@EJAZ>

Hello,

How can we stop the "disarmed" tag in the subject line from the MailScanner?

One more thing: if we stop this, will it allow spam messages?

Thanks in advance for the kind co-operation.

Regards,
__________________
Mohammed Ejaz
Sr,Systems Administrator

From glenn.steen at gmail.com Sat Apr 16 11:31:28 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 16 11:31:38 2011
Subject: New domains sending spam
In-Reply-To: <89BF87FCFFEEB64A89903D6E9CD8E82C0111B1@Exchange2010.ISD273.ORG>
References: <87977233ECC1CD4381FB63BE565D447903B12E34DD@SERVER.techquility.local> <89BF87FCFFEEB64A89903D6E9CD8E82C0111B1@Exchange2010.ISD273.ORG>
Message-ID:

Probably would give a few FPs to extend it to week old bread... but you could copy the definition to day old bread, rename accordingly and score it low... Then do some log analysis to see the FP rate etc. before upping the score.

Cheers!

On 15 Apr 2011 15.49, "Johnson, SE" wrote:

It looks like day old bread is for 5 days. Many of these sites I'm seeing now are 14-21 days old, and when I google them it looks like there are numerous sites being registered by the same person at the same time. Perhaps they are holding onto them now for a couple of weeks before using them? Any way to go higher on the date than 5 days?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bou...

From glenn.steen at gmail.com Sat Apr 16 11:47:54 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 16 11:48:05 2011
Subject: Issue with sender's 'From' address where display name is not quoted
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
Message-ID:

The reformatting is done in MailScanner? Truly? Not your MTA? And, apart from the looks, what detrimental effects does it have? Anyway, if they aren't RFC compliant, why should you fix it for them? Inform them if you like, then just ... Forget them ;-)

Cheers!

On 15 Apr 2011 22.46, wrote:

We have received email from a reputable list serve that has the following format of 'From' address in the unmodified email header:

H??From: Patrick A. Guida, Duffy & Sweeney, LTD

The internally delivered email has the following 'From' header:
From: Patrick.A.Guida@bakerbotts.com, Duffy.&.Sweeney@bakerbotts.com, LTD

It appears they are not RFC-Compliant on the 'From' address since they did not have quotes around their display name. I have tested re-sending the email with the quotes around the 'display name' and the delivered email shows the correct display name:

Patrick A. Guida, Duffy & Sweeney, LTD [ali-aba@ali-aba.org]

Versus the same email without the quotes around the display name:

Patrick.A.Guida@bakerbotts.com

Do I need to go back to the list serve to get them to correct the format of their 'From' email header, or is there an option in MailScanner that should assume text before the is a display name?

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

From glenn.steen at gmail.com Sat Apr 16 11:58:25 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 16 11:58:35 2011
Subject: Issue with sender's 'From' address where display name is not quoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
Message-ID:

Wait, I see the problem, your MTA is adding your domain to all unqualified recipients. This is something you need to fix, since it is a slightly exploitable flaw (makes it easy for a scammer to look legit).

I suppose you're using postfix, right? In PF, IIRC, there are a few settings affecting this, so try varying those!

Cheers

On 16 Apr 2011 12:47, "Glenn Steen" wrote:

The reformatting is done in MailScanner? Truly? Not your MTA? And, apart from the looks, what detrimental effects does it have?

Anyway, if they aren't RFC compliant, why should you fix it for them? Inform them if you like, then just ... Forget them;-)

Cheers!

On 15 Apr 2011 22:46, wrote:
> > We have received email from a reputable list serve that has the following format of 'From' addr...

From glenn.steen at gmail.com Sat Apr 16 12:03:25 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 16 12:03:35 2011
Subject: mailscanner-disarmed
In-Reply-To: <221EFFB3A7E64AC79EE618B18102DCAB@EJAZ>
References: <221EFFB3A7E64AC79EE618B18102DCAB@EJAZ>
Message-ID:

Either you don't disarm things, and that will affect things getting through (scripts and such) untouched... Or you can simply avoid tagging the subject line, but still do the disarmament....

Delve into MailScanner.conf and you shall find...;-)

Cheers!

On 16 Apr 2011 11:59, "Ejaz" wrote:

Hello,

How can we stop the "disarmed" tag in the subject line from the MailScanner? One more thing if stop this will allow spam messages ??

Thanks in advance for the kind co-operation.

Regards,
__________________
Mohammed Ejaz
Sr,Systems Administrator

From steve at fsl.com Sat Apr 16 12:17:42 2011
From: steve at fsl.com (Stephen Swaney)
Date: Sat Apr 16 12:17:53 2011
Subject: mailscanner-disarmed
In-Reply-To: <221EFFB3A7E64AC79EE618B18102DCAB@EJAZ>
References: <221EFFB3A7E64AC79EE618B18102DCAB@EJAZ>
Message-ID: <27E9A85A-62CA-4903-9E35-3E200642CAE6@fsl.com>

On Apr 16, 2011, at 5:50 AM, Ejaz wrote:

> Hello,
>
> How can we stop the "disarmed" tag in the subject line from the MailScanner? One more thing if stop this will allow spam messages ??
>
> Thanks in advance for the kind co-operation.
>
>
> Regards,
> __________________
> Mohammed Ejaz
> Sr,Systems Administrator

This one can be a little convoluted :)

If "Dangerous Content Scanning" is set to yes or a ruleset, additional checks can be configured for several types of "Dangerous Content" including:

    Allow IFrame Tags =
    Allow Form Tags =
    Allow Script Tags =
    Allow WebBugs =

These configuration items may be set to various Values including:

    Value: yes    => Allow these tags to be in the message
           no     => Ban messages containing these tags
           disarm => Allow these tags, but stop these tags from working <<<<<<<

If the Value "disarmed" is set for any Dangerous Content Checks
- and MailScanner detects that condition in a message
- and disarms the message
- and The "Disarmed Modify Subject" is set to "start", "end" or "yes" (anything but "no")

Then the Subject of that message will be modified by adding the content of configuration setting for Disarmed Subject Text.

And (finally) the default setting for Disarmed Subject Text = {Disarmed}

Nothing to do with spam.
Best regards,

Steve

--
Steve Swaney
steve@fsl.com
www.fsl.com
The most accurate and cost effective anti-spam solutions available

and any of the Dangerous Content checks are found ins

Best regards,

Steve

--
Steve Swaney
steve@fsl.com
202 595-7760 ext: 601
www.fsl.com
The most accurate and cost effective anti-spam solutions available

From MailScanner at ecs.soton.ac.uk Sat Apr 16 15:52:26 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sat Apr 16 15:52:40 2011
Subject: ZendTo ANNOUNCE: New version 4.00 released
References: <4DA9AD2A.1050203@ecs.soton.ac.uk>
Message-ID:

Okay, this is a shameless plug for my other little project, ZendTo. But keep reading, it might interest you!

ZendTo is the safe, secure and completely free way to transfer large files around the web.

If your MailScanner deployment has left your users unable to transfer some files (and large files!) by email, this is the solution. It is a totally free web-based package that provides this service in a safe and secure way. No longer do people have to mess with FTP sites and arcane settings, and you don't need to give them secret usernames or passwords either! All they need is the email address of the person they are sending files to.

So head over to http://zend.to and take a look. You might be surprised!

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982

From pparsons at techeez.com Sat Apr 16 16:21:06 2011
From: pparsons at techeez.com (Philip Parsons)
Date: Sat Apr 16 16:23:55 2011
Subject: All tags in Mailscanner that have the {***} brackets around them
Message-ID: <11D8E491D9562549A61FD3186F363420D6CF3399@exchange.techeez.com>

Here is a good one that I thought I would pass on to everyone.

3 Different servers and domains 1 exchange 2003, 1 exchange 2007 and 1 exchange 2010. All set to allow IMAP, with MailScanner on the front of them.

IMAP would just start to hang and not retrieve any messages and no matter what you did it would not pull the messages. After some time I noticed that when I cleaned out my inbox it would work for that folder but not the deleted items etc. etc.

SO long story short and a bunch of testing. It seems that IMAP does not like {} brackets. I removed the {} brackets from all of the tags in Mailscanner.conf on all 3 Mailscanner boxes and have not had a problem for the last week.

Thank you.

Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
www.techeez.com
"Making IT easy"

IMPORTANT NOTICE
This e-mail is confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying and distribution or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and e-mail confirmation to the sender.

From glenn.steen at gmail.com Sat Apr 16 17:26:53 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 16 17:27:04 2011
Subject: All tags in Mailscanner that have the {***} brackets around them
In-Reply-To: <11D8E491D9562549A61FD3186F363420D6CF3399@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420D6CF3399@exchange.techeez.com>
Message-ID:

Was it the same on all different exchange versions, or was it specific to some? M$ has put in some rather stupid limitations in some versions (if not all:-) ... Like the 32KiB rule space/user... So this isn't surprising:-D

Thanks for sharing... ISTR this being discussed before, with some alternatives for fixing, so a search of the list archives might be in order.

Cheers!

On 16 Apr 2011 17:28, "Philip Parsons" wrote:

Here is a good one that I thought I would pass on to everyone.

3 Different servers and domains 1 exchange 2003, 1 exchange 2007 and 1 exchange 2010. All set to allow IMAP, with MailScanner on the front of them.

IMAP would just start to hang and not retrieve any messages and no matter what you did it would not pull the messages. After some time I noticed that when I cleaned out my inbox it would work for that folder but not the deleted items etc. etc.

SO long story short and a bunch of testing. It seems that IMAP does not like {} brackets. I removed the {} brackets from all of the tags in Mailscanner.conf on all 3 Mailscanner boxes and have not had a problem for the last week.

Thank you.

Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
www.techeez.com
"Making IT easy"
From pparsons at techeez.com Sat Apr 16 17:48:33 2011
From: pparsons at techeez.com (Philip Parsons)
Date: Sat Apr 16 17:51:22 2011
Subject: All tags in Mailscanner that have the {***} brackets around them
In-Reply-To:
References: <11D8E491D9562549A61FD3186F363420D6CF3399@exchange.techeez.com>
Message-ID: <11D8E491D9562549A61FD3186F363420D6CF33E4@exchange.techeez.com>

I did not dig too deep except for dumping an e-mail to each exchange server that had the tags and then connecting via IMAP and not being able to pull the e-mails until I removed the 1 with the tag.
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: April-16-11 9:27 AM
To: MailScanner discussion
Subject: Re: All tags in Mailscanner that have the {***} brackets around them

Was it the same on all different exchange versions, or was it specific to some? M$ has put in some rather stupid limitations in some versions (if not all:-) ... Like the 32KiB rule space/user... So this isn't surprising:-D

Thanks for sharing... ISTR this being discussed before, with some alternatives for fixing, so a search of the list archives might be in order.

Cheers!

On 16 Apr 2011 17:28, "Philip Parsons" wrote:

Here is a good one that I thought I would pass on to everyone.

3 Different servers and domains 1 exchange 2003, 1 exchange 2007 and 1 exchange 2010. All set to allow IMAP, with MailScanner on the front of them.

IMAP would just start to hang and not retrieve any messages and no matter what you did it would not pull the messages. After some time I noticed that when I cleaned out my inbox it would work for that folder but not the deleted items etc. etc.

SO long story short and a bunch of testing. It seems that IMAP does not like {} brackets. I removed the {} brackets from all of the tags in Mailscanner.conf on all 3 Mailscanner boxes and have not had a problem for the last week.

Thank you.

Philip Parsons
IT and Telecommunication Specialist
Techeez IT Consulting
250-818-2879
www.techeez.com
"Making IT easy"
--
This message has been scanned for viruses and dangerous content by Techeez, and is believed to be clean.

From donald.dawson at bakerbotts.com Sun Apr 17 01:03:39 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Sun Apr 17 01:03:56 2011
Subject: Issue with sender's 'From' address where display name is notquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>

We use sendmail, and yes, the issue is with the unquoted display name, our MTA adds our domain to the from address. I will search to see if I can find the appropriate settings.

Thanks

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Saturday, April 16, 2011 5:58 AM
To: MailScanner discussion
Subject: Re: Issue with sender's 'From' address where display name is notquoted

Wait, I see the problem, your MTA is adding your domain to all unqualified recipients. This is something you need to fix, since it is a slightly exploitable flaw (makes it easy for a scammer to look legit).

I suppose you're using postfix, right? In PF, IIRC, there are a few settings affecting this, so try varying those!

Cheers

On 16 Apr 2011 12:47, "Glenn Steen" wrote:

The reformatting is done in MailScanner? Truly? Not your MTA? And, apart from the looks, what detrimental effects does it have?

Anyway, if they aren't RFC compliant, why should you fix it for them? Inform them if you like, then just ... Forget them;-)

Cheers!

On 15 Apr 2011 22:46, wrote:
> > We have received email from a reputable list serve that has the following format of 'From' addr...

From alex at skynet-srl.com Sun Apr 17 19:05:22 2011
From: alex at skynet-srl.com (Alessandro Bianchi)
Date: Sun Apr 17 19:05:34 2011
Subject: Rules problems with MS
In-Reply-To: <201104171102.p3HB2axh000823@safir.blacknight.ie>
References: <201104171102.p3HB2axh000823@safir.blacknight.ie>
Message-ID: <4DAB2BE2.6020705@skynet-srl.com>

Hi everyone

I've been using MS for some time and I thought that rules precedence was a clear fact to me.

I've just discovered this is not true.

I'm using a scanDomain.rules file in the following form:

From: noscan@mydomain no
From: foo@foodomain and To: *@foodomain no
To: *@foodomain yes
Default: no

It has always worked like a charm, email from noscan@mydomain are not processed by MailScanner, but suddenly rule 2 stopped working.

It says "unable to analyze message"

They are sending from address foo@foodomain to addresses in *@foodomain so it seems that the rule "To: *@foodomain yes" takes over.

I tried placing the exception before or after the scan domain rule but it seems to have no effect at all.

This client is using some sort of automatic processing that sends an empty email (no body) with a funny capitalized subject like "#FOCUS2106##ASKFILE# A_C_1407.sdr" and it seems there is no way to unlock these emails that the customer badly needs.

I need to bypass MailScanner completely when user foo@foodomain sends email to *@foodomain .

I know this is no good for security, but the customer asks this!

I also tried to set up a header_check rule in postfix to unqueue the email with no luck.

I looked in the archives with no luck, and I'm pretty sure I'm missing the simple...

In addition in the last month I am seeing many "Attachment too small" errors in the logs but they are not related to the above (they are two totally different problems).

Any idea?

Thank you in advance

Alessandro Bianchi

--
SkyNet SRL
Via Maggiate 67 - 28021 Borgomanero (NO) - tel. +39 0322-836487/834765 - fax +39 0322-836608
http://www.skynet-srl.com
Ministerial Authorization no. 197

The information contained in this message is private and confidential, and its dissemination by any means is prohibited. If you are not the person for whom this message is intended, please delete and destroy it without disclosing it, and kindly notify us. For any information please contact info@skynet-srl.com (company e-mail). Ref. D.L. 196/2003

From maxsec at gmail.com Sun Apr 17 19:17:40 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun Apr 17 19:17:48 2011
Subject: Rules problems with MS
In-Reply-To: <4DAB2BE2.6020705@skynet-srl.com>
References: <201104171102.p3HB2axh000823@safir.blacknight.ie> <4DAB2BE2.6020705@skynet-srl.com>
Message-ID:

make sure that there is only 1 recipient in the email as MS will only check the recipient based on the envelope-to.

(if necessary split multiple recipient emails into individual emails as in the wiki pages)

--
Martin Hepworth
Oxford, UK

2011/4/17 Alessandro Bianchi

> Hi everyone
>
> I've been using MS for some time and I thought that rules precedence was a clear fact to me.
>
> I've just discovered this is not true.
>
> I'm using a scanDomain.rules file in the following form:
>
> From: noscan@mydomain no
> From: foo@foodomain and To: *@foodomain no
> To: *@foodomain yes
> Default: no
>
> It has always worked like a charm, email from noscan@mydomain are not processed by MailScanner, but suddenly rule 2 stopped working.
>
> It says "unable to analyze message"
>
> They are sending from address foo@foodomain to addresses in *@foodomain so it seems that the rule "To: *@foodomain yes" takes over.
>
> I tried placing the exception before or after the scan domain rule but it seems to have no effect at all.
>
> This client is using some sort of automatic processing that sends an empty email (no body) with a funny capitalized subject like "#FOCUS2106##ASKFILE# A_C_1407.sdr" and it seems there is no way to unlock these emails that the customer badly needs.
>
> I need to bypass MailScanner completely when user foo@foodomain sends email to *@foodomain .
>
> I know this is no good for security, but the customer asks this!
>
> I also tried to set up a header_check rule in postfix to unqueue the email with no luck.
>
> I looked in the archives with no luck, and I'm pretty sure I'm missing the simple...
>
> In addition in the last month I am seeing many "Attachment too small" errors in the logs but they are not related to the above (they are two totally different problems).
>
> Any idea?
>
> Thank you in advance
>
> Alessandro Bianchi
> --
> SkyNet SRL
> Via Maggiate 67 - 28021 Borgomanero (NO) - tel. +39 0322-836487/834765 - fax +39 0322-836608
> http://www.skynet-srl.com
> Ministerial Authorization no. 197

From alex at skynet-srl.com Mon Apr 18 12:25:09 2011
From: alex at skynet-srl.com (Alessandro Bianchi)
Date: Mon Apr 18 12:25:27 2011
Subject: Rules problems with MS
In-Reply-To: <201104181100.p3IB03Ks017300@safir.blacknight.ie>
References: <201104181100.p3IB03Ks017300@safir.blacknight.ie>
Message-ID: <4DAC1F95.4000607@skynet-srl.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110418/cfb0a18a/attachment.html

From ssilva at sgvwater.com Mon Apr 18 16:49:59 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 18 16:50:20 2011
Subject: Issue with sender's 'From' address where display name is notquoted
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net> <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
Message-ID:

on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
> We use sendmail, and yes, the issue is with the unquoted display name, our MTA
> adds our domain to the from address. I will search to see if I can find the
> appropriate settings.
>
> Thanks

It should be somewhere in the "masquerade" settings...

From ssilva at sgvwater.com Mon Apr 18 16:59:31 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 18 16:59:50 2011
Subject: All tags in Mailscanner that have the {***} brackets around them
In-Reply-To: <11D8E491D9562549A61FD3186F363420D6CF33E4@exchange.techeez.com>
References: <11D8E491D9562549A61FD3186F363420D6CF3399@exchange.techeez.com> <11D8E491D9562549A61FD3186F363420D6CF33E4@exchange.techeez.com>
Message-ID:

on 4/16/2011 9:48 AM Philip Parsons spake the following:
> I did not dig too deep except for dumping and e-mail to each exchange server
> that had the tags and then connecting via IMAP and not being able to pull the
> e-mails until I removed the 1 with the tag.
>
>
>

I wonder if it is a language/codepage problem in the DB...

I will be forced to move to Exchange soon, and I will need to know these new problems...

From donald.dawson at bakerbotts.com Mon Apr 18 17:49:47 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Mon Apr 18 17:50:02 2011
Subject: Issue with sender's 'From' address where display name isnotquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net> <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>

on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
> We use sendmail, and yes, the issue is with the unquoted display name, our MTA
> adds our domain to the from address. I will search to see if I can find the
> appropriate settings.

It should be somewhere in the "masquerade" settings...

Here are my sendmail settings:

FEATURE(`virtusertable')dnl
FEATURE(`mailertable')dnl
FEATURE(`domaintable')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`delay_checks')dnl
MASQUERADE_AS(`bakerbotts.com')dnl
MASQUERADE_DOMAIN(`bakerbotts.com')dnl
FEATURE(`no_default_msa')dnl
FEATURE(`greet_pause',`7000')dnl
dnl After every X User unknowns, add a second delay
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol',`nodelay',`terminate')dnl
FEATURE(`ratecontrol',`nodelay',`terminate')dnl
define(`confPRIVACY_FLAGS', `noexpn,novrfy,noverb,noetrn')dnl
define(`confMAX_RCPTS_PER_MESSAGE',`300')dnl
dnl Limit up to X connections per second
# 08/27/09 DLD/JBC Change RATE_THROTTLE from 5 to 1
define(`confCONNECTION_RATE_THROTTLE',`1')dnl
define(`confTO_IDENT', `0')
define(`confTO_ICONNECT', `15s')dnl
define(`confREFUSE_LA',`7')dnl
define(`confDELAY_LA',`3')dnl
define(`confMAX_MESSAGE_SIZE',`20971520')dnl
define(`confXF_BUFFER_SIZE',`16384')dnl
define(`confDF_BUFFER_SIZE',`102400')dnl
define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/cacert.pem')
define(`confSERVER_CERT',`/etc/mail/certs/cert.pem')
define(`confSERVER_KEY',`/etc/mail/certs/cert.pem')
define(`confCLIENT_CERT',`/etc/mail/certs/cert.pem')
define(`confCLIENT_KEY',`/etc/mail/certs/cert.pem')
DOMAIN(generic)dnl
LOCAL_CONFIG
H?l?X-Envelope-From: $f
MAILER(local)dnl
MAILER(smtp)dnl
INPUT_MAIL_FILTER(`scam-back', `S=unix:/var/spool/scam/scam-back.sock, F=T, T=S:240s;R:240s;E:5m')dnl
INPUT_MAIL_FILTER(`scam-back2', `S=unix:/var/spool/scam/scam-back2.sock, F=T, T=S:240s;R:240s;E:5m')dnl

From ssilva at sgvwater.com Mon Apr 18 18:13:17 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 18 18:13:38 2011
Subject: Issue with sender's 'From' address where display name isnotquoted
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net> <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net> <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
Message-ID:

on 4/18/2011 9:49 AM donald.dawson@bakerbotts.com spake the following:
>
> on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
>> We use sendmail, and yes, the issue is with the unquoted display name, our MTA
>> adds our domain to the from address. I will search to see if I can find the
>> appropriate settings.
>
> It should be somewhere in the "masquerade" settings...
>
> Here are my sendmail settings:
>
> FEATURE(`virtusertable')dnl
> FEATURE(`mailertable')dnl
> FEATURE(`domaintable')dnl
> FEATURE(`always_add_domain')dnl
> FEATURE(`use_cw_file')dnl
> FEATURE(`access_db')dnl
> FEATURE(`blacklist_recipients')dnl
> FEATURE(`masquerade_entire_domain')dnl
> FEATURE(`delay_checks')dnl
> MASQUERADE_AS(`bakerbotts.com')dnl
> MASQUERADE_DOMAIN(`bakerbotts.com')dnl
> FEATURE(`no_default_msa')dnl
> FEATURE(`greet_pause',`7000')dnl
> dnl After every X User unknowns, add a second delay
> define(`confBAD_RCPT_THROTTLE',`3')dnl
> FEATURE(`conncontrol',`nodelay',`terminate')dnl
> FEATURE(`ratecontrol',`nodelay',`terminate')dnl
> define(`confPRIVACY_FLAGS', `noexpn,novrfy,noverb,noetrn')dnl
> define(`confMAX_RCPTS_PER_MESSAGE',`300')dnl
> dnl Limit up to X connections per second
> # 08/27/09 DLD/JBC Change RATE_THROTTLE from 5 to 1
> define(`confCONNECTION_RATE_THROTTLE',`1')dnl
> define(`confTO_IDENT', `0')
> define(`confTO_ICONNECT', `15s')dnl
> define(`confREFUSE_LA',`7')dnl
> define(`confDELAY_LA',`3')dnl
> define(`confMAX_MESSAGE_SIZE',`20971520')dnl
> define(`confXF_BUFFER_SIZE',`16384')dnl
> define(`confDF_BUFFER_SIZE',`102400')dnl
> define(`confCACERT_PATH',`/etc/mail/certs')
> define(`confCACERT',`/etc/mail/certs/cacert.pem')
> define(`confSERVER_CERT',`/etc/mail/certs/cert.pem')
> define(`confSERVER_KEY',`/etc/mail/certs/cert.pem')
> define(`confCLIENT_CERT',`/etc/mail/certs/cert.pem')
> define(`confCLIENT_KEY',`/etc/mail/certs/cert.pem')
> DOMAIN(generic)dnl
> LOCAL_CONFIG
> H?l?X-Envelope-From: $f
> MAILER(local)dnl
> MAILER(smtp)dnl
> INPUT_MAIL_FILTER(`scam-back', `S=unix:/var/spool/scam/scam-back.sock, F=T, T=S:240s;R:240s;E:5m')dnl
> INPUT_MAIL_FILTER(`scam-back2', `S=unix:/var/spool/scam/scam-back2.sock, F=T, T=S:240s;R:240s;E:5m')dnl
>

http://www.sendmail.org/m4/masquerading.html

With your settings, anything coming in that sendmail 'thinks' is unqualified will get changed. Do you really need to masquerade everything? Or are you just trying to get subdomains to be uniform?

From glenn.steen at gmail.com Mon Apr 18 18:25:36 2011
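The header parsing discussed in this thread, as an added example that is not part of any message in the archive: a check that splits a From header the way an address-list parser does and flags elements with no domain, which an MTA that qualifies bare names would rewrite into local-looking addresses. The function names are hypothetical, and the dot-joined rewrite only imitates the output quoted in the thread; it is not sendmail's algorithm.

```python
import re

# Constructed samples modelled on the two header forms quoted in the thread.
UNQUOTED = "Patrick A. Guida, Duffy & Sweeney, LTD <ali-aba@ali-aba.org>"
QUOTED = '"Patrick A. Guida, Duffy & Sweeney, LTD" <ali-aba@ali-aba.org>'

ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")


def split_address_list(value):
    """Split on commas that sit outside "quotes", <angle brackets> and (comments)."""
    parts, buf = [], []
    in_quote, in_angle, depth, escaped = False, False, 0, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and (in_quote or depth):
            escaped = True
        elif in_quote:
            in_quote = ch != '"'
        elif depth:
            depth += (ch == "(") - (ch == ")")
        elif ch == '"':
            in_quote = True
        elif ch == "(":
            depth = 1
        elif ch == "<":
            in_angle = True
        elif ch == ">":
            in_angle = False
        elif ch == "," and not in_angle:
            # An unprotected comma ends one mailbox and starts the next.
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def addr_spec(element):
    """Return the address inside <...>, or the bare element if there is none."""
    match = ANGLE_ADDR.search(element)
    return match.group(1).strip() if match else element


def is_qualified(addr):
    """True when the address has both a local part and a domain."""
    local, at, domain = addr.rpartition("@")
    return bool(local and at and domain)


def approximate_qualification(addr, local_domain):
    """Imitate the rewrite shown in the thread: words joined by dots, plus
    the local domain. Illustrative assumption, not sendmail's real logic."""
    return ".".join(re.findall(r"[^\s.]+", addr)) + "@" + local_domain


def audit_from_header(value, local_domain):
    """Report how a From header value splits and which parts lack a domain."""
    elements = split_address_list(value)
    unqualified = [a for a in map(addr_spec, elements) if not is_qualified(a)]
    return {
        "mailboxes": len(elements),
        "unqualified": unqualified,
        "would_appear_as": [
            approximate_qualification(a, local_domain) for a in unqualified
        ],
        # Heuristic: a From header normally carries a single, qualified mailbox.
        "suspicious": len(elements) != 1 or bool(unqualified),
    }


if __name__ == "__main__":
    for label, header in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        print(label, audit_from_header(header, "bakerbotts.com"))
```

Run against inbound mail before the MTA rewrites headers, a non-empty `unqualified` list marks messages whose sender will be displayed as if it belonged to the local domain.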
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 18 18:25:47 2011
Subject: Issue with sender's 'From' address where display name isnotquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
Message-ID:

Is that always_add_domain thing necessary? I realise there is next to no simple mapping between MTA settings, but...:-)

Cheers

On 18 Apr 2011 19:17, "Scott Silva" wrote:

> on 4/18/2011 9:49 AM donald.dawson@bakerbotts.com spake the following:
> > > on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
> >> We use sendmail, and...
>
> http://www.sendmail.org/m4/masquerading.html
> With your settings, anything coming in that sendmail 'thinks' is unqualified will get changed. Do you really need to masquerade everything? Or are you just trying to get subdomains to be uniform?

From ssilva at sgvwater.com Mon Apr 18 19:17:45 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 18 19:18:05 2011
Subject: Issue with sender's 'From' address where display name isnotquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
Message-ID:

on 4/18/2011 10:25 AM Glenn Steen spake the following:
> Is that always_add_domain thing necessary? I realise there is next to no
> simple mapping between MTA settings, but...:-)
>
> Cheers
>
>> On 18 Apr 2011 19:17, "Scott Silva" wrote:
>>
>> on 4/18/2011 9:49 AM donald.dawson@bakerbotts.com spake the following:
>>
>> > > on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
>> >> We use sendmail, and...
>>
>> http://www.sendmail.org/m4/masquerading.html
>> With your settings, anything coming in that sendmail 'thinks' is unqualified
>> will get changed. Do you really need to masquerade everything? Or are you just
>> trying to get subdomains to be uniform?
>>

I only use it on one sub domain in my Engineering department, and only because they wanted a physical mail server local for speed.

From dm.gouveia at gmail.com Mon Apr 18 21:01:07 2011
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia)
Date: Mon Apr 18 21:01:17 2011
Subject: False Positive - txt
Message-ID:

List,

I'm getting a weird problem, some messages from gmail (an example) arrive in my domain as a .txt message, the problem is the MailScanner detected some of those messages as executable files.

Is there anything that can be done with this?

Thanks in advance.

--
Danilo Marques de Gouveia

From glenn.steen at gmail.com Mon Apr 18 21:38:39 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 18 21:38:49 2011
Subject: False Positive - txt
In-Reply-To:
References:
Message-ID:

If you search the list you'll find that this is due to the file command, mostly... Try running file on the body element of the message, and you'll see what is firing.

How to handle it has been covered numerous times on this list, so do search the list archives.

Cheers!

On 18 Apr 2011 22:05, "Danilo Marques de Gouveia" wrote:

> List,
>
> I'm getting a weird problem, some messages from gmail (an example) arrive in my domain as a .txt message, the problem is the MailScanner detected some of those messages as executable files.
>
> Is there anything that can be done with this?
>
> Thanks in advance.
>
> --
> Danilo Marques de Gouveia

From glenn.steen at gmail.com Mon Apr 18 22:26:43 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 18 22:26:52 2011
Subject: Issue with sender's 'From' address where display name isnotquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
Message-ID:

So it should basically be ... removed...?

On 18 Apr 2011 20:23, "Scott Silva" wrote:

> on 4/18/2011 10:25 AM Glenn Steen spake the following:
> > Is that always_add_domain thing necessary? I realise there is next to no
> > simple mapping between ...
> >> wrote:
> >>
> >> on 4/18/2011 9:49 AM donald.dawson@bakerbotts.com spake the following:
> >>
> >> > > on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
> >> >> We use sendmail, and...
> >>
> >> http://www.sendmail.org/m4/masquerading.html
> >> With your settin...
>
> I only use it on one sub domain in my Engineering department, and only because they wanted a physical mail server local for speed.

From ssilva at sgvwater.com Mon Apr 18 23:23:53 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 18 23:24:16 2011
Subject: Issue with sender's 'From' address where display name isnotquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
Message-ID:

on 4/18/2011 2:26 PM Glenn Steen spake the following:
>> On 18 Apr 2011 20:23, "Scott Silva" wrote:
>>
>> on 4/18/2011 10:25 AM Glenn Steen spake the following:
>>
>> > Is that always_add_domain thing necessary? I realise there is next to no
>> > simple mapping between ...
>> >> wrote:
>> >>
>> >> on 4/18/2011 9:49 AM donald.dawson@bakerbotts.com spake the following:
>> >>
>> >> > > on 4/16/2011 5:03 PM donald.dawson@bakerbotts.com spake the following:
>> >> >> We use sendmail, and...
>> >>
>> >> http://www.sendmail.org/m4/masquerading.html
>> >> With your settin...
>>
>> I only use it on one sub domain in my Engineering department, and only because
>> they wanted a physical mail server local for speed.
>>
> So it should basically be ... removed...?
>

If the mail is sent VIA that server, then it should be unnecessary. It is only used when mail going via that server may come from other domains that need to be renamed. I need to know why the OP thought it necessary.

From Kevin_Miller at ci.juneau.ak.us Tue Apr 19 21:13:15 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Apr 19 21:13:28 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4DA4569B.7000109@tradoc.fr>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>
 <4DA44E22.3030600@pattinson.org>
 <4DA4500B.2080908@tradoc.fr>
 <4DA45203.1030204@pattinson.org>
 <4DA4569B.7000109@tradoc.fr>
Message-ID: <4A09477D575C2C4B86497161427DD94C15C2BC27B0@city-exchange07>

John Wilcock wrote:
> On 12/04/2011 15:22, James Pattinson wrote:
>>>
>> OK, done. This will be my test email :)
>>
>> Does this mean I'm not doing any RBL checking at all now? Or will SA
>> still do that?
>
> Yes, SA will still do those checks.
>
> That's the current recommended practice - using MailScanner to check
> RBLs is only advised in cases where you don't wish to use
> SpamAssassin but do wish to check multiple RBLs.

I've always done it the other way (MailScanner does the checks) but times change. To reverse it, is it as simple as changing these from MailScanner.conf
    Spam Lists To Be Spam = 1
    Spam List = spamhaus-ZEN (or whatever one has in there)
and in the spam.assassin.prefs.conf setting skip_rbl_checks to 0 (zero)?

Will the "Spam Lists To Be Spam" setting matter if spamassassin is doing the checks instead of MailScanner? If so, should that become zero as well?

Thanks...

...Kevin
--
Kevin Miller                 Registered Linux User No: 307357
CBJ MIS Dept.                Network Systems Admin., Mail Admin.
155 South Seward Street      ph: (907) 586-0242
Juneau, Alaska 99801         fax: (907 586-4500

From ssilva at sgvwater.com Tue Apr 19 21:20:39 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 19 21:20:59 2011
Subject: {Spam?} Re: Authenticated senders
In-Reply-To: <4A09477D575C2C4B86497161427DD94C15C2BC27B0@city-exchange07>
References: <16281439.125.1302610367393.JavaMail.markus@cronlabworkstation0>
 <4DA44E22.3030600@pattinson.org>
 <4DA4500B.2080908@tradoc.fr>
 <4DA45203.1030204@pattinson.org>
 <4DA4569B.7000109@tradoc.fr>
 <4A09477D575C2C4B86497161427DD94C15C2BC27B0@city-exchange07>
Message-ID:

on 4/19/2011 1:13 PM Kevin Miller spake the following:
> John Wilcock wrote:
>> On 12/04/2011 15:22, James Pattinson wrote:
>>>>
>>> OK, done. This will be my test email :)
>>>
>>> Does this mean I'm not doing any RBL checking at all now? Or will SA
>>> still do that?
>>
>> Yes, SA will still do those checks.
>>
>> That's the current recommended practice - using MailScanner to check
>> RBLs is only advised in cases where you don't wish to use
>> SpamAssassin but do wish to check multiple RBLs.
>
> I've always done it the other way (MailScanner does the checks) but times change. To reverse it, is it as simple as changing these from MailScanner.conf
>     Spam Lists To Be Spam = 1
>     Spam List = spamhaus-ZEN (or whatever one has in there)
> and in the spam.assassin.prefs.conf setting skip_rbl_checks to 0 (zero)?
>
> Will the "Spam Lists To Be Spam" setting matter if spamassassin is doing the checks instead of MailScanner? If so, should that become zero as well?
>
> Thanks...
>
> ...Kevin

If mailscanner isn't doing the checks, the "Spam Lists To Be Spam" setting will never fire no matter what it is set at.

From donald.dawson at bakerbotts.com Tue Apr 19 22:08:58 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Tue Apr 19 22:09:14 2011
Subject: Issue with sender's 'From' address where display nameisnotquoted
In-Reply-To:
References: <8FB531F78038DC4497B80CBAE8E927E20831DAED@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DAFD@BBEXVS04.bakerbotts.net>
 <8FB531F78038DC4497B80CBAE8E927E20831DB18@BBEXVS04.bakerbotts.net>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831DB54@BBEXVS04.bakerbotts.net>

> So it should basically be ... removed...?
> --

The sendmail configuration that masquerades emails with no domain was set up before I took over these systems. I am going to research and consider removing these options.

Thank you,
Donald

From alex at skynet-srl.com Tue Apr 19 22:21:46 2011
From: alex at skynet-srl.com (Alessandro Bianchi)
Date: Wed Apr 20 06:03:08 2011
Subject: Suddenly taint error
In-Reply-To: <201104191100.p3JB02LK010305@safir.blacknight.ie>
References: <201104191100.p3JB02LK010305@safir.blacknight.ie>
Message-ID: <4DADFCEA.20702@skynet-srl.com>

Suddenly Mailscanner stopped working at all

I discovered this

Insecure dependency in open while running with -T switch at /usr/lib/MailScanner/MailScanner/Lock.pm line 358

The quick (thus VERY insecure fix) is to set Run As User= root

Anyone else with a better idea?

Jules?

I'm running the very latest version

Thank you

Alessandro

From maxsec at gmail.com Wed Apr 20 06:36:44 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Apr 20 06:36:54 2011
Subject: Suddenly taint error
In-Reply-To: <4DADFCEA.20702@skynet-srl.com>
References: <201104191100.p3JB02LK010305@safir.blacknight.ie>
 <4DADFCEA.20702@skynet-srl.com>
Message-ID:

Sounds like something upgraded on you

What perl modules have you got?

Mailscanner -v

Martin

On Tuesday, 19 April 2011, Alessandro Bianchi wrote:
> Suddenly Mailscanner stopped working at all
>
> I discovered this
>
> Insecure dependency in open while running with -T switch at /usr/lib/MailScanner/MailScanner/Lock.pm line 358
>
> The quick (thus VERY insecure fix) is to set Run As User= root
>
> Anyone else with a better idea?
>
> Jules?
>
> I'm running the very latest version
>
> Thank you
>
> Alessandro

--
Martin Hepworth
Oxford, UK

From alex at skynet-srl.com Wed Apr 20 11:48:28 2011
From: alex at skynet-srl.com (Alessandro Bianchi)
Date: Wed Apr 20 11:48:39 2011
Subject: Taint problems
In-Reply-To: <201104191100.p3JB02LK010305@safir.blacknight.ie>
References: <201104191100.p3JB02LK010305@safir.blacknight.ie>
Message-ID: <4DAEB9FC.8060004@skynet-srl.com>

Hi folks

I discovered that the problems that forced me to run MS as root were originated by taint mode errors.

Something has happened on my Fedora 14 Systems so that MS spits a load of taint errors and dies.

Here are some of them:

/usr/lib/MailScanner/MailScanner/Lock.pm line 358
/usr/lib/MailScanner/MailScanner/Message.pm line 538
Insecure dependency in chown while running with -T switch at /usr/lib/MailScanner/MailScanner/Message.pm line 1381.
/usr/lib/MailScanner/MailScanner/Message.pm line 2418
/usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 173
/usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 176.
/usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 379
/usr/lib/MailScanner/MailScanner/Quarantine.pm line 189
Can't call method "print" on an undefined value at /usr/lib/MailScanner/MailScanner/PFDiskStore.pm line 752.
Can't call method "CombineReports" on unblessed reference at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 736.
Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185.
Insecure dependency in mkdir while running with -T switch at /usr/lib/MailScanner/MailScanner/TNEF.pm line 233.
Insecure dependency in mkdir while running with -T switch at /usr/lib/MailScanner/MailScanner/TNEF.pm line 236.
Insecure dependency in open while running with -T switch at /usr/share/perl5/File/Copy.pm line 246.

The symptom is MS starting and restarting over and over again in the logs.

I began to follow the errors using the --debug switch, and fixed some of them, until I came to errors in files that appear to be System libraries (e.g. /usr/share/perl5/File/Copy.pm).

Furthermore running as root prevented Postfix from picking up files from the incoming directory and that led me to a non functional mail system: so I had to go back to running MS as postfix user and avoiding fatal taint errors.

Till now, after several hours, the only way I found to run MS is adding the -U switch in the shebang line in /usr/sbin/MailScanner.

This switch, to my understanding, turns fatal taint errors into warnings, but I'm still looking for a definitive fix.

Hope to save some night work hours to someone else with this info.

Best regards

Alessandro Bianchi

--
This message has been scanned for viruses and dangerous content by SkyNet SRL, and was found not to be infected.

From glenn.steen at gmail.com Wed Apr 20 13:47:27 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Apr 20 13:47:37 2011
Subject: Taint problems
In-Reply-To: <4DAEB9FC.8060004@skynet-srl.com>
References: <201104191100.p3JB02LK010305@safir.blacknight.ie>
 <4DAEB9FC.8060004@skynet-srl.com>
Message-ID:

On 20 April 2011 12:48, Alessandro Bianchi wrote:
> Hi folks
>
> I discovered that the problems that forced me to run MS as root were
> originated by taint mode errors.
>
> Something has happened on my Fedora 14 Systems so that MS spits a load of
> taint errors and dies.
>
> Here are some of them:
>
> /usr/lib/MailScanner/MailScanner/Lock.pm line 358
> /usr/lib/MailScanner/MailScanner/Message.pm line 538
> Insecure dependency in chown while running with -T switch at
> /usr/lib/MailScanner/MailScanner/Message.pm line 1381.
> /usr/lib/MailScanner/MailScanner/Message.pm line 2418
(snip)

So... What updates did you do? Do you install perl via yum and the MailScanner modules via Jules packaging? That is, especially on such a volatile distro as Fedora, a recipe for failure... as you've noticed.

There's been a few messages along these lines on the list recently (perhaps not to do with Fedora specifically, but with systems where the perl updates presume that all perl modules (like File::Copy) are installed from the same repo)... So I suggest you spend some of your nightly travails on searching the list for possibly more sane solutions and stratagems.

A very common strategy (since Jules develops MS for it:-) is to use something very stable, like CentOS, and perhaps see to it that one only shops for perl modules from one source (or as few as possible, at least).

Cheers!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gelgin at yahoo.com Wed Apr 20 15:49:03 2011
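[Added example, not part of any message in this archive and not MailScanner code.] The "Insecure dependency in open/mkdir/chown while running with -T switch" errors quoted in the "Taint problems" thread are Perl's taint mode refusing to pass outside data to a call that modifies the file system. This stand-alone Perl script reproduces that error with a file name returned by readdir() and then shows the validate-and-capture step that untaints it; the scratch directory, the sample names, the queue-ID pattern and untaint_queue_id() are assumptions made for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not MailScanner code. Run it as:  perl -T taint_demo.pl
# (when started as "perl file", -T must also be given on the command line).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed scratch "queue" directory. The literal path and $$ are untainted.
my $queue = "/tmp/taint-demo-$$";
mkdir $queue, 0700 or die "mkdir $queue: $!";

# Constructed directory entries: one plausible queue ID and one name that is not.
my @samples = ('3F2A9C01B7', 'not a queue id;x');
for my $name (@samples) {
    open my $fh, '>', "$queue/$name" or die "create $name: $!";
    close $fh;
}

# Names returned by readdir() come from outside the program, so -T taints them.
opendir my $dh, $queue or die "opendir $queue: $!";
my @entries = sort grep { !/\A\.\.?\z/ } readdir $dh;
closedir $dh;

# Hypothetical validator: returns an untainted queue ID, or undef if the name
# does not have the expected shape. Only the regex capture ($1) loses its taint.
sub untaint_queue_id {
    my ($name) = @_;
    return $name =~ /\A([0-9A-F]{8,16})\z/ ? $1 : undef;
}

# Opening a file for writing is one of the operations taint mode checks.
sub write_lock {
    my ($path) = @_;
    open my $fh, '>', $path or die "open $path: $!\n";
    print {$fh} "$$\n";
    close $fh or die "close $path: $!\n";
    return 1;
}

for my $name (@entries) {
    printf "%-20s tainted=%s\n", "'$name'", tainted($name) ? 'yes' : 'no';

    # 1. Raw name: under -T the open dies with "Insecure dependency in open".
    if (eval { write_lock("$queue/$name.lock"); 1 }) {
        print "  raw name:  lock written (taint mode is not active)\n";
    } else {
        print "  raw name:  $@";
    }

    # 2. Validated name: check the shape first, then use only the capture.
    my $id = untaint_queue_id($name);
    if (defined $id) {
        write_lock("$queue/$id.lock");
        print "  validated: lock written for $id\n";
    } else {
        print "  validated: rejected, no lock written\n";
    }
}

# Clean up using the original literals, which were never tainted.
for my $name (@samples) {
    unlink "$queue/$name", "$queue/$name.lock";
}
rmdir $queue or warn "rmdir $queue: $!";
```

Running the same script with -U instead of -T, the stopgap described in the thread, downgrades the failed check to a warning (shown only when warnings are enabled), so the unvalidated name is then used as-is.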
From: gelgin at yahoo.com (George Elgin)
Date: Wed Apr 20 15:49:15 2011
Subject: MailScanner does rbl checks
In-Reply-To: <201104201101.p3KB0NuL032213@safir.blacknight.ie>
Message-ID: <537283.33206.qm@web30602.mail.mud.yahoo.com>

>> Does this mean I'm not doing any RBL checking at all now? Or will SA

so with

Spam List = SPAMEATINGMONKEY,CBL,MANITU,spamhaus-ZEN
and obviously set up rules here

spam.lists.conf:SPAMEATINGMONKEY               bl.spameatingmonkey.net

my objective is i don't want mails scanned that are clearly spam say FAIL more than one GOOD rbl ie.

Spam Lists To Reach High Score = 2,, in other words i thought the defaults are way too conservative//

my question though is "does this in fact cause MailScanner to NOT let SA spend time analysing these Mails ?".

OR

"would it be preferable to let postfix itself reject RBL'ed mails ?"

also for
[gelgin@gfee MailScanner]$ grep skip_rbl_checks *
spam.assassin.prefs.conf:# skip_rbl_checks      1

is 1 the default or do i uncomment if i don't want checks ? unlike amavis i am not getting a good feel that RBL checks are really happening...

>> still do that?
>
> Yes, SA will still do those checks.
>
> That's the current recommended practice - using MailScanner to check
> RBLs is only advised in cases where you don't wish to use
> SpamAssassin but do wish to check multiple RBLs.

I've always done it the other way (MailScanner does the checks) but times change. To reverse it, is it as simple as changing these from MailScanner.conf
    Spam Lists To Be Spam = 1
    Spam List = spamhaus-ZEN (or whatever one has in there)
and in the spam.assassin.prefs.conf setting skip_rbl_checks to 0 (zero)?

Will the "Spam Lists To Be Spam" setting matter if spamassassin is doing the checks instead of MailScanner? If so, should that become zero as well?

From ssilva at sgvwater.com Wed Apr 20 18:23:07 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Apr 20 18:23:34 2011
Subject: MailScanner does rbl checks
In-Reply-To: <537283.33206.qm@web30602.mail.mud.yahoo.com>
References: <201104201101.p3KB0NuL032213@safir.blacknight.ie>
 <537283.33206.qm@web30602.mail.mud.yahoo.com>
Message-ID:

on 4/20/2011 7:49 AM George Elgin spake the following:
>>> Does this mean I'm not doing any RBL checking at all now? Or will SA
>
> so with
>
> Spam List = SPAMEATINGMONKEY,CBL,MANITU,spamhaus-ZEN
> and obviously set up rules here
>
> spam.lists.conf:SPAMEATINGMONKEY bl.spameatingmonkey.net
>
> my objective is i don't want mails scanned that are clearly spam say FAIL more
> than one GOOD rbl ie.
>
> Spam Lists To Reach High Score = 2,, in other words i thought the defaults are
> way too conservative//
>
> my question though is "does this in fact cause MailScanner to NOT let SA spend
> time analysing these Mails ?".
>
> OR
>
> "would it be preferable to let postfix itself reject RBL'ed mails ?"
>
> also for
> [gelgin@gfee MailScanner]$ grep skip_rbl_checks *
> spam.assassin.prefs.conf:# skip_rbl_checks 1
>
> is 1 the default or do i uncomment if i don't want checks ? unlike amavis i am
> not getting a good feel that RBL checks are really happening...
>
> >> still do that?
> >
> > Yes, SA will still do those checks.
> >
> > That's the current recommended practice - using MailScanner to check
> > RBLs is only advised in cases where you don't wish to use
> > SpamAssassin but do wish to check multiple RBLs.
>
> I've always done it the other way (MailScanner does the checks) but times
> change. To reverse it, is it as simple as changing these from
> MailScanner.conf
> Spam Lists To Be Spam = 1
> Spam List = spamhaus-ZEN (or whatever one has in there)
> and in the spam.assassin.prefs.conf setting skip_rbl_checks to 0 (zero)?
>
> Will the "Spam Lists To Be Spam" setting matter if spamassassin is doing
> the checks instead of MailScanner? If so, should that become zero as well?
>
>

If you trust the RBL, let the MTA or a milter reject. Once you receive and close the connection, all you can safely do is discard, as any rejects after this point can go to any innocent spoofed domains.

From martelm at quark.vsc.edu Wed Apr 20 18:56:01 2011
From: martelm at quark.vsc.edu (Michael H. Martel)
Date: Wed Apr 20 18:56:36 2011
Subject: Using a Rule with 'use tnef contents'
Message-ID: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>

Ok, so I'm doing something stupid here and I can't figure it out. Using the latest version of MailScanner on centos. (Installed from the RPM).

In the /etc/MailScanner/MailScanner.conf I have this

Expand TNEF = yes

Then I set the "Use TNEF Contents" to a rule, which I think is done right.

Use TNEF Contents = /opt/VSC-MailScanner/rules/expand-tnef.rules

My rules file looks like this :

From:           michael.martel@vsc.edu          replace
FromOrTo:       default                         no

Now, I think it's my rules file that's wrong, because I still see winmail.dat files getting through. I looked in my physical copy of the book, but didn't see a section on "Use TNEF contents" (time for a new book!).

Can anyone point out my very obvious mistake ?

Thanks!

Michael

--
 --------------------------------o---------------------------------
 Michael H. Martel              | Systems Administrator
 michael.martel@vsc.edu         | Vermont State Colleges
 http://www.vsc.edu/~michael    | PH:802-241-2544 FX:802-241-3363

From maxsec at gmail.com Wed Apr 20 19:05:50 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Apr 20 19:06:00 2011
Subject: Using a Rule with 'use tnef contents'
In-Reply-To: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>
References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>
Message-ID:

and these emails that are getting are only to you and not multiple people?

--
Martin Hepworth
Oxford, UK

On 20 April 2011 18:56, Michael H. Martel wrote:
>
> Ok, so I'm doing something stupid here and I can't figure it out. Using
> the latest version of MailScanner on centos. (Installed from the RPM).
>
> In the /etc/MailScanner/MailScanner.conf I have this
>
> Expand TNEF = yes
>
> Then I set the "Use TNEF Contents" to a rule, which I think is done right.
>
> Use TNEF Contents = /opt/VSC-MailScanner/rules/expand-tnef.rules
>
> My rules file looks like this :
>
> From: michael.martel@vsc.edu replace
> FromOrTo: default no
>
> Now, I think it's my rules file that's wrong, because I still see
> winmail.dat files getting through. I looked in my physical copy of the
> book, but didn't see a section on "Use TNEF contents" (time for a new
> book!).
>
> Can anyone point out my very obvious mistake ?
>
> Thanks!
>
> Michael
>
> --
>
> --------------------------------o---------------------------------
> Michael H. Martel | Systems Administrator
> michael.martel@vsc.edu | Vermont State Colleges
> http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363

From martelm at quark.vsc.edu Wed Apr 20 19:40:26 2011
From: martelm at quark.vsc.edu (Michael H. Martel)
Date: Wed Apr 20 19:41:03 2011
Subject: Using a Rule with 'use tnef contents'
In-Reply-To:
References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>
Message-ID: <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu>

--On April 20, 2011 7:05:50 PM +0100 Martin Hepworth wrote:

> and these emails that are getting are only to you and not multiple people?

Yep.

I'm using this on an outgoing mailserver and they are from me to other people yes. I'm using similar rules with the Spamassassin Actions and they work. But with these, I'm not seeing anything happen. I see the log entries saying it's expanding the TNEF, but nothing about it adding the attachments, and then when I look at what was received by the recipient, they still have the winmail.dat.

> From:           michael.martel@vsc.edu          replace
> FromOrTo:       default                         no

Michael

--
 --------------------------------o---------------------------------
 Michael H. Martel              | Systems Administrator
 michael.martel@vsc.edu         | Vermont State Colleges
 http://www.vsc.edu/~michael    | PH:802-241-2544 FX:802-241-3363

From maxsec at gmail.com Wed Apr 20 19:48:18 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Apr 20 19:48:27 2011
Subject: Using a Rule with 'use tnef contents'
In-Reply-To: <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu>
References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>
 <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu>
Message-ID:

Which tnef program are u using, if internal use an external one and vice versa, always fun trying to this tnef stuff going

On Wednesday, 20 April 2011, Michael H. Martel wrote:
> --On April 20, 2011 7:05:50 PM +0100 Martin Hepworth wrote:
>
> > and these emails that are getting are only to you and not multiple people?
>
> Yep.
>
> I'm using this on an outgoing mailserver and they are from me to other people yes. I'm using similar rules with the Spamassassin Actions and they work. But with these, I'm not seeing anything happen. I see the log entries saying it's expanding the TNEF, but nothing about it adding the attachments, and then when I look at what was received by the recipient, they still have the winmail.dat.
>
> > From:           michael.martel@vsc.edu          replace
> > FromOrTo:       default                         no
>
> Michael
>
> --
>
>  --------------------------------o---------------------------------
>  Michael H. Martel              | Systems Administrator
>  michael.martel@vsc.edu         | Vermont State Colleges
>  http://www.vsc.edu/~michael    | PH:802-241-2544 FX:802-241-3363

--
Martin Hepworth
Oxford, UK

From martelm at quark.vsc.edu Wed Apr 20 19:55:39 2011
From: martelm at quark.vsc.edu (Michael H. Martel)
Date: Wed Apr 20 19:56:17 2011
Subject: Using a Rule with 'use tnef contents'
In-Reply-To:
References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>
 <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu>
Message-ID: <0211D8FEF9C0CAA96CF04940@sherlockholmes.vsc.edu>

--On April 20, 2011 7:48:18 PM +0100 Martin Hepworth wrote:

> Which tnef program are u using, if internal use an external one and
> vice versa, always fun trying to this tnef stuff going

Too true! What I have NOT done yet is put it in debug and tried to send a single message through it.

So the TNEF Settings are ... (comments removed to save trees ... )

Expand TNEF = yes
Use TNEF Contents = /opt/VSC-MailScanner/rules/expand-tnef.rules
Deliver Unparsable TNEF = yes
#TNEF Expander = internal
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120

The TNEF command was installed from the RPM package.

[root@guardian MailScanner]# rpm -qa | grep tnef
tnef-1.4.5-1

[root@guardian MailScanner]# /usr/bin/tnef --version
tnef 1.4.5
Copyright (C) 1999-2008 by Mark Simpson
Copyright (C) 1997 by Thomas Boll (original code)
tnef comes with ABSOLUTELY NO WARRANTY.
You may redistribute copies of tnef under the terms of the GNU General
Public License. For more information about these matters, see the file
named COPYING.

Michael

--
 --------------------------------o---------------------------------
 Michael H. Martel              | Systems Administrator
 michael.martel@vsc.edu         | Vermont State Colleges
 http://www.vsc.edu/~michael    | PH:802-241-2544 FX:802-241-3363

From maxsec at gmail.com Wed Apr 20 20:02:22 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Apr 20 20:02:32 2011
Subject: Using a Rule with 'use tnef contents'
In-Reply-To: <0211D8FEF9C0CAA96CF04940@sherlockholmes.vsc.edu>
References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu>
 <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu>
 <0211D8FEF9C0CAA96CF04940@sherlockholmes.vsc.edu>
Message-ID:

try using the internal tnef expander

--
Martin Hepworth
Oxford, UK

On 20 April 2011 19:55, Michael H. Martel wrote:
> --On April 20, 2011 7:48:18 PM +0100 Martin Hepworth wrote:
>
>> Which tnef program are u using, if internal use an external one and
>> vice versa, always fun trying to this tnef stuff going
>
> Too true! What I have NOT done yet is put it in debug and tried to send a
> single message through it.
>
> So the TNEF Settings are ... (comments removed to save trees ... )
>
> Expand TNEF = yes
> Use TNEF Contents = /opt/VSC-MailScanner/rules/expand-tnef.rules
> Deliver Unparsable TNEF = yes
> #TNEF Expander = internal
> TNEF Expander = /usr/bin/tnef --maxsize=100000000
> TNEF Timeout = 120
>
> The TNEF command was installed from the RPM package.
>
> [root@guardian MailScanner]# rpm -qa | grep tnef
> tnef-1.4.5-1
>
> [root@guardian MailScanner]# /usr/bin/tnef --version
> tnef 1.4.5
> Copyright (C) 1999-2008 by Mark Simpson
> Copyright (C) 1997 by Thomas Boll (original code)
> tnef comes with ABSOLUTELY NO WARRANTY.
> You may redistribute copies of tnef under the terms of the GNU General
> Public License. For more information about these matters, see the file
> named COPYING.
>
> Michael
>
> --
>
> --------------------------------o---------------------------------
> Michael H. Martel | Systems Administrator
> michael.martel@vsc.edu | Vermont State Colleges
> http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363

From martelm at quark.vsc.edu Wed Apr 20 21:17:58 2011
From: martelm at quark.vsc.edu (Michael H. Martel) Date: Wed Apr 20 21:18:31 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu> <0211D8FEF9C0CAA96CF04940@sherlockholmes.vsc.edu> Message-ID: <34280D14E8E5746E2B72EAC1@sherlockholmes.vsc.edu> --On April 20, 2011 8:02:22 PM +0100 Martin Hepworth wrote: > try using the internal tnef expander With it set to internal I'm not seeing it work. With it set to internal and the rules removed, it works. Apr 20 16:02:57 guardian MailScanner[15642]: New Batch: Scanning 1 messages, 722350 bytes Apr 20 16:02:57 guardian MailScanner[15642]: Expanding TNEF archive at /var/spool/MailScanner/incoming/15642/p3KK2vdo015795/winmail.dat Apr 20 16:02:58 guardian MailScanner[15642]: Message p3KK2vdo015795 added TNEF contents 200897_1919919.jpg,201303_1919983.jpg,218460_1919985.jpg,219373_1919921.jpg Apr 20 16:02:58 guardian MailScanner[15642]: Message p3KK2vdo015795 has had TNEF winmail.dat removed So it's something with my rules file that it doesn't like, Michael -- --------------------------------o--------------------------------- Michael H. Martel | Systems Administrator michael.martel@vsc.edu | Vermont State Colleges http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 From steve.freegard at fsl.com Wed Apr 20 23:08:46 2011 
From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Apr 20 23:09:08 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> Message-ID: <4DAF596E.9030508@fsl.com> On 20/04/11 18:56, Michael H. Martel wrote: > > Ok, so I'm doing something stupid here and I can't figure it out. Using > the latest version of MailScanner on centos. (Installed from the RPM). > > In the /etc/MailScanner/MailScanner.conf I have this > > Expand TNEF = yes > > Then I set the "Use TNEF Contents" to a rule, which I think is done right. > > Use TNEF Contents = /opt/VSC-MailScanner/rules/expand-tnef.rules > > My rules file looks like this : 
> > From: michael.martel@vsc.edu replace > FromOrTo: default no > > Now, I think it's my rules file that's wrong, because I still see > winmail.dat files getting through. I looked in my physical copy of the > book, but didn't see a section on "Use TNEF contents" (time for a new > book!). > > Can anyone point out my very obvious mistake ? > Why the ruleset on 'Use TNEF Contents'? - what exactly are you trying to achieve? MailScanner.conf tells you what 'Use TNEF Contents' is for - you set it to 'no', 'add' or 'replace'; when set to 'No' the winmail.dat file is passed without alteration (which is what you are seeing), so any messages containing TNEF will only be readable by Outlook clients and will contain winmail.dat files. 'Add' will expand the TNEF and add each attachment to the message and will leave the winmail.dat file attached (don't really know why you'd want to do that - the resulting mail will be almost double the size) or 'replace' which turns the TNEF into properly formatted MIME attachments readable by all clients. The 'Expand TNEF' setting is merely to unpack the TNEF attachments so that a virus scanner that does have a native TNEF expander can 'see' the individual file attachments and scan them for viruses (very few virus scanners don't already include this today) but it's a 'safe' default to catch those that don't. Most people will want to default the 'Use TNEF Contents' to 'replace' unless you are an all Outlook shop. If you are running Exchange yourself; then follow the numerous Technet articles to disable Rich Text format messages from leaving your organization and send messages in multipart MIME so that you're compatible with the rest of the internet. Don't rely on sending all your outbound mail via MailScanner and having it convert the TNEF into MIME for you - it's simply slower and error prone due to the lack of documentation of the TNEF format; it should be 'fixed' at the Exchange end. Hope that helps. Kind regards, Steve. 
From martelm at quark.vsc.edu Thu Apr 21 00:30:00 2011 From: martelm at quark.vsc.edu (martelm@quark.vsc.edu) Date: Thu Apr 21 00:30:45 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: <4DAF596E.9030508@fsl.com> References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> Message-ID: On Apr 20, 2011, at 6:08 PM, Steve Freegard wrote: >> > Why the ruleset on 'Use TNEF Contents'? - what exactly are you trying to achieve? I was hoping to use the replace capabilities for two users. Me for testing and one other. This one user sends to a number of people who don't use Outlook, and for some reason the email generated by Outlook for Mac 2011 periodically contains winmail.dat attachments for some reason. I don't want to do anything for 99% of the users' emails, so hence the rule. > If you are running Exchange yourself; then follow the numerous Technet articles to disable Rich Text format messages from leaving your organization and send messages in multipart MIME so that you're compatible with the rest of the internet. Don't rely on sending all your outbound mail via MailScanner and having it convert the TNEF into MIME for you - it's simply slower and error prone due to the lack of documentation of the TNEF format; it should be 'fixed' at the Exchange end. I know, but since I only needed to do it for one user, I thought it would be easier to do it on the MailScanner side than affecting all users with the Microsoft settings. Michael From martelm at quark.vsc.edu Thu Apr 21 10:35:12 2011 
From: martelm at quark.vsc.edu (Michael H. Martel) Date: Thu Apr 21 10:35:50 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <3A472F3014A699AE328C5730@sherlockholmes.vsc.edu> <0211D8FEF9C0CAA96CF04940@sherlockholmes.vsc.edu> Message-ID: --On Wednesday, April 20, 2011 8:02 PM +0100 Martin Hepworth wrote: > try using the internal tnef expander Switching to the internal expander appears to have worked. I'm not sure what I missed yesterday when I was testing it. Thanks! Michael -- --------------------------------o--------------------------------- Michael H. Martel | Systems Administrator michael.martel@vsc.edu | Vermont State Colleges http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 From ssilva at sgvwater.com Thu Apr 21 16:31:16 2011 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Apr 21 16:31:42 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> Message-ID: on 4/20/2011 4:30 PM martelm@quark.vsc.edu spake the following: > > > On Apr 20, 2011, at 6:08 PM, Steve Freegard wrote: > >>> >> Why the ruleset on 'Use TNEF Contents'? - what exactly are you trying to achieve? > > I was hoping to use the replace capabilities for two users. Me for testing and one other. This one user sends to a number of people who don't use Outlook, and for some reason the email generated by Outlook for Mac 2011 periodically contains winmail.dat attachments for some reason. I don't want to do anything for 99% of the users' emails, so hence the rule. > >> If you are running Exchange yourself; then follow the numerous Technet articles to disable Rich Text format messages from leaving your organization and send messages in multipart MIME so that you're compatible with the rest of the internet. Don't rely on sending all your outbound mail via MailScanner and having it convert the TNEF into MIME for you - it's simply slower and error prone due to the lack of documentation of the TNEF format; it should be 'fixed' at the Exchange end. > > I know, but since I only needed to do it for one user, I thought it would be easier to do it on the MailScanner side than affecting all users with the Microsoft settings. > Can't you set that user to use html instead of rich text? Or doesn't the Mac version have that setting? From stu at spacehopper.org Thu Apr 21 18:56:25 2011 
From: stu at spacehopper.org (Stuart Henderson) Date: Thu Apr 21 18:56:37 2011 Subject: Taint problems In-Reply-To: Message-ID: <20110421175625.GA9692@symphytum.spacehopper.org> On 2011-04-20, Glenn Steen wrote: > So... What updates did you do? Do you install perl via yum and the > MailScanner modules via Jules packaging? That is, especially on such a > volatile distro as Fedora, a recipe for failure... as you've noticed. This is almost certainly fallout from CVE-2011-1487 fixes. "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string." From rcooper at dwford.com Thu Apr 21 19:25:53 2011 
From: rcooper at dwford.com (Rick Cooper) Date: Thu Apr 21 19:26:08 2011 Subject: Taint problems In-Reply-To: <20110421175625.GA9692@symphytum.spacehopper.org> References: <20110421175625.GA9692@symphytum.spacehopper.org> Message-ID: <61E6D7A087BF46D48F0657F307D34932@SAHOMELT> Stuart Henderson wrote: > On 2011-04-20, Glenn Steen wrote: >> So... What updates did you do? Do you install perl via yum and the >> MailScanner modules via Jules packaging? That is, especially on such >> a volatile distro as Fedora, a recipe for failure... as you've >> noticed. > > This is almost certainly fallout from CVE-2011-1487 fixes. > > "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl > 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, > do not apply the taint attribute to the return value upon processing > tainted input, which might allow context-dependent attackers to bypass > the taint protection mechanism via a crafted string." > I agree, I do not see where the value of $fh is untainted at any point. The OP could try $fh =~ m/(.*)/; $fh = $1; above the offending line and see if that resolves it. Of course that is not a proper way to untaint the variable but I do not know off the top of my head what constraints mailscanner really places on the lock file name. It looks to me that the mode should not be tainted so it must be the name. This might be something Julian wants to revisit with so many people using perl 5.10+ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Fri Apr 22 00:05:48 2011 
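An added example, not part of either message above and not MailScanner's own code: it contrasts the blanket `m/(.*)/` untaint with an allowlist match, and shows that `lc` keeps the taint flag on a Perl that carries the CVE-2011-1487 fix. The lock directory, the file-name policy and the sample inputs are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example. Run with taint mode enabled: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical policy (an assumption, not MailScanner's real constraint):
# lock files sit directly in one directory and use a conservative
# character set, at most 64 characters, starting with a letter or digit.
my $LOCK_DIR = '/var/tmp/example-locks';

# Return an untainted copy of $path when it satisfies the policy,
# otherwise return nothing. Only the capture of a successful, fully
# anchored match is trusted; \z also refuses a trailing newline.
sub untaint_lock_name {
    my ($path) = @_;
    return unless defined $path;
    return $1
        if $path =~ m{\A(\Q$LOCK_DIR\E/[A-Za-z0-9][A-Za-z0-9._-]{0,63})\z};
    return;
}

# The blanket pattern quoted in the thread: it matches any string, so it
# clears the taint flag without checking anything about the value.
sub blanket_untaint {
    my ($path) = @_;
    return $path =~ m/(.*)/ ? $1 : undef;
}

# Constructed inputs. Under -T, $^X is tainted and taint propagates
# through concatenation, so each literal below becomes tainted.
my $taint  = substr($^X, 0, 0);
my @inputs = map { $_ . $taint } (
    "$LOCK_DIR/batch-1.lock",            # fits the policy
    "$LOCK_DIR/../../etc/cron.d/job",    # path traversal
    "$LOCK_DIR/a b;c",                   # characters outside the set
    "$LOCK_DIR/batch-1.lock\n",          # trailing newline
);

for my $in (@inputs) {
    (my $shown = $in) =~ s/\n/\\n/g;
    my $strict  = untaint_lock_name($in);
    my $blanket = blanket_untaint($in);

    # On the Perl versions listed in the CVE text, lc() returned an
    # untainted value; on a fixed Perl the lower-cased copy stays tainted,
    # so code that depended on the old behaviour now hits taint errors.
    printf "%-46s input=%s lc=%s blanket=%s allowlist=%s\n",
        $shown,
        (tainted($in)     ? 'tainted'  : 'clean'),
        (tainted(lc $in)  ? 'tainted'  : 'clean'),
        (defined $blanket ? 'accepted' : 'rejected'),
        (defined $strict  ? 'accepted' : 'rejected');
}
```

Values that pass `untaint_lock_name` can be handed to `open` under `-T`; the rejected ones should be logged and dropped rather than passed through the blanket pattern.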
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 22 00:06:00 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> Message-ID: Mike, Unless your users only send mail between themselves, or exclusively to Outlook users... They are in need of those Exchange fixes. Sending rtf On 21 Apr 2011 01.36, "martelm@quark.vsc.edu" wrote: On Apr 20, 2011, at 6:08 PM, Steve Freegard wrote: >> > Why the ruleset... I was hoping to use the replace capabilities for two users. Me for testing and one other. This one user sends to a number of people who don't use Outlook, and for some reason the email generated by Outlook for Mac 2011 periodically contains winmail.dat attachments for some reason. I don't want to do anything for 99% of the users' emails, so hence the rule. > If you are running Exchange yourself; then follow the numerous Technet articles to disable Rich T... I know, but since I only needed to do it for one user, I thought it would be easier to do it on the MailScanner side than affecting all users with the Microsoft settings. Michael From glenn.steen at gmail.com Fri Apr 22 00:11:05 2011 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 22 00:11:14 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> Message-ID: ... is almost never a good idea. The users hardly notice the change... Well, most of 'em didn't understand the problem, so ... that might be as expected. (yeah, weird formatting on this email... Sorry for the accidental send) Cheers! On 22 Apr 2011 01.05, "Glenn Steen" wrote: Mike, Unless your users only send mail between themselves, or exclusively to Outlook users... They are in need of those Exchange fixes. Sending rtf On 21 Apr 2011 01.36, "martelm@quark.vsc.edu" wrote: > > > On Apr 20, 2011, at 6:08 PM, Steve Freegard wrote: > > >> > Why the ruleset... > > I was hoping to use the replace capabilities for two users. Me for testing and one other. This ... > If you are running Exchange yourself; then follow the numerous Technet articles to disable Rich T... > > I know, but since I only needed to do it for one user, I thought it would be easier to do it on... From martelm at quark.vsc.edu Fri Apr 22 00:32:30 2011 
From: martelm at quark.vsc.edu (martelm@quark.vsc.edu) Date: Fri Apr 22 00:33:02 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> Message-ID: <815A97EC-8440-4AC4-BE31-DA8D7718456E@quark.vsc.edu> On Apr 21, 2011, at 11:31 AM, Scott Silva wrote: > Can't you set that user to use html instead of rich text? Or doesn't the Mac > version have that setting? He already is. Outlook 2011 for the Mac supports plain text and HTML. Microsoft tells me that it is not possible for what I'm seeing to happen. However, they also agree that it is happening and don't know why. ;) Thanks for the idea though! From glenn.steen at gmail.com Fri Apr 22 09:42:23 2011 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 22 09:42:34 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: <815A97EC-8440-4AC4-BE31-DA8D7718456E@quark.vsc.edu> References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> <815A97EC-8440-4AC4-BE31-DA8D7718456E@quark.vsc.edu> Message-ID: Perhaps happens when replying to rtf encoded email? It shouldn't be impossible finding the circumstances...:-) And if that is the case, going for replace in ms would be a marvelous thing... I actually always saw that setting from that perspective... Cleaning up other people's BS...;-) Cheers! On 22 Apr 2011 01.36, "martelm@quark.vsc.edu" wrote: On Apr 21, 2011, at 11:31 AM, Scott Silva wrote: > Can't you set that user ... He already is. Outlook 2011 for the Mac supports plain text and HTML. Microsoft tells me that it is not possible for what I'm seeing to happen. However, they also agree that it is happening and don't know why. ;) Thanks for the idea though! From martelm at quark.vsc.edu Fri Apr 22 10:04:58 2011 
From: martelm at quark.vsc.edu (Michael H. Martel) Date: Fri Apr 22 10:05:32 2011 Subject: Using a Rule with 'use tnef contents' In-Reply-To: References: <1192416528ABACB0ADD57454@sherlockholmes.vsc.edu> <4DAF596E.9030508@fsl.com> <815A97EC-8440-4AC4-BE31-DA8D7718456E@quark.vsc.edu> Message-ID: --On Friday, April 22, 2011 10:42 AM +0200 Glenn Steen wrote: > Perhaps happens when replying to rtf encoded email? It shouldn't be > impossible finding the circumstances...:-) I know it shouldn't be hard to find it, but it is. :-) It happens with new email messages, replies, with signature, without. Composing new mail set to Plain Text or HTML. And it doesn't happen all the time. If I send the same message 6 times, using the same settings, in the same manner usually 2 out of the 6 will have a winmail.dat attachment. The other 4 are fine. Weird. > And if that is the case, going for replace in ms would be a marvelous > thing... I actually always saw that setting from that perspective... > Cleaning up other people's BS...;-) I am always looking for ways to replace Exchange/Outlook, and I'm using this one as a very big stick. The person who is having the problems is our Chancellor sending emails to our Board of Trustees. So he's not real happy that it's happening. He is however very happy now since I got the ruleset working, and the Board can read his emails again. Thanks for everyone's help! Michael -- --------------------------------o--------------------------------- Michael H. Martel | Systems Administrator michael.martel@vsc.edu | Vermont State Colleges http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363 From dyioulos at firstbhph.com Fri Apr 22 12:44:54 2011 
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Fri Apr 22 12:45:29 2011 Subject: I messed up Bayes Message-ID: <201104220744.54848.dyioulos@firstbhph.com> Greetz, all. I hope it's appropriate to ask this here. It may have been answered in the past, but I wouldn't even know what search terms to use: Over the past few days, I've had some spam leaking through what has been an old, but reliable system (consisting of the latest Sendmail, MailScanner, clamav, MailWatch, and an older Spamassassin, all running on a CentOS box). Up to this point, most spam was easily tagged and dealt with. So, I figured I'd upgrade to the latest SA, thereby using the most recent rules. Good in theory, bad in practice, because it messed up Bayes. Regardless of whether I tried to do it manually, or via MailWatch, when I did an sa-learn, I got the following: SA Learn: config: configuration file "/etc/mail/spamassassin/20_advance_fee.cf" requires version 3.003001 of SpamAssassin, but this is code version 3.002005. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Conf/Parser.pm line 372. That's just a snippet; every rule does the same. So, I figured I'd roll back to the previous version of SA. Trying sa-learn again, I now get the following: SA Learn: config: configuration file "/etc/mail/spamassassin/20_advance_fee.cf" requires version 3.002005 of SpamAssassin, but this is code version 3.002004. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Conf/Parser.pm line 372. In other words, Bayes (or something) seems to be looking at a previous configuration, or something. I think (the operative word, here) that I made a good backup copy of the Bayes DB. That having been said, how do I correct this problem? As ever, many thanks. 
Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From donald.dawson at bakerbotts.com Fri Apr 22 20:58:04 2011 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Fri Apr 22 20:58:20 2011 Subject: watermark ruleset not firing Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831DBC5@BBEXVS04.bakerbotts.net> I have created a watermark ruleset to do 'nothing' for specific mail servers. The entries are not matching. I created watermark.rules in /etc/MailScanner/rules: From: copweed01.morganlewis.com nothing From: copweed02.morganlewis.com nothing From: cppweed01.morganlewis.com nothing From: 12.53.161.110 nothing From: 12.53.161.111 nothing 
From: 12.155.22.28 nothing FromOrTo: default 3 Here are my watermark rules in my custom configuration file in /etc/MailScanner/conf.d: Use Watermarking = yes Treat Invalid Watermarks With No Sender as Spam = %rules-dir%/watermark.rules What am I missing? An example email that should have been excluded from the watermark check: Received: from copweed01.morganlewis.com (copweed01.morganlewis.com [12.53.161.110]) by alnmx01.bakerbotts.com (8.14.2/8.14.2) with ESMTP id p3MFaCwj012804; Fri, 22 Apr 2011 10:36:19 -0500 Resent-Date: Fri, 22 Apr 2011 10:36:12 -0500 Resent-Message-Id: <201104221536.p3MFaCwj012804@alnmx01.bakerbotts.com> Received: from [10.242.132.22] by copweed01.morganlewis.com with ESMTP ( SMTP Relay (Email Firewall v6.5)); Fri, 22 Apr 2011 11:44:04 -0400 X-Server-Uuid: D6191EAF-0F04-49FC-A864-79434BF09F09 Resent-From: FractusJointDefenseGroup@morganlewis.com Received: from copweed02.morganlewis.com (12.53.161.111) by copexht02.morganlewis.net (10.242.132.22) with Microsoft SMTP Server id 8.2.254.0; Fri, 22 Apr 2011 11:36:05 -0400 Received: from [64.18.3.44] by copweed02.morganlewis.com over TLS secured channel with ESMTP (SMTP Relay (Email Firewall v6.5)); Fri, 22 Apr 2011 11:46:52 -0400 X-Server-Uuid: D70207A0-A86D-4D47-8AAC-CD3A36FFCB7C Received: from smtp1.atlantech.net ([209.183.192.110]) (using TLSv1) by exprod8mx253.postini.com ([64.18.7.10]) with SMTP; Fri, 22 Apr 2011 08:35:59 PDT X-IronPort-AV: E=Sophos;i="4.64,254,1301889600"; d="scan'208,217";a="71729624" Received: from ea.c3bccf.client.atlantech.net (HELO park-law.com) ( [207.188.195.234]) by smtp1.atlantech.net with ESMTP/TLS/RC4-MD5; 22 Apr 2011 11:35:57 -0400 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-Class: urn:content-classes:message MIME-Version: 1.0 Subject: RE: Fractus v. Samsung et al. Date: Fri, 22 Apr 2011 11:36:02 -0400 Message-ID: In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Fractus v. Samsung et al. 
thread-index: AcwAWNpB/cHvfz5ZSP+zULMZz2qU/QApx4ZAAAC+Y7A= From: "Nathan H. Cristler" To: "Busby, Robert W." , "Fractus Joint Defense Group" , "fractus-mofo.com" X-pstn-neptune: 0/0/0.00/0 X-pstn-levels: (S:99.90000/99.90000 CV:99.9000 FC:95.5390 LC: 0.1839 R:95.9108 P:95.9108 M:97.0282 C:98.6951 ) X-WSS-ID: 61AF7D612YK55634622-01-01 X-EMS-Proccessed: Q/C4TKuMQud1ZsPcuJv0Lg== X-EMS-STAMP: oGRTyRFNCl8T0TguFL2xvw== X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-WSS-ID: 61AF7DCE2X07647132-02-01 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CC0102.F8A39818" X-BakerBotts-MailScanner-Information: Please contact Baker Botts IT Help Desk for more information X-BakerBotts-MailScanner-ID: p3MFaCwj012804 X-BakerBotts-MailScanner: Found to be clean X-BakerBotts-MailScanner-SpamCheck: spam (no watermark or sender address), SpamAssassin (not cached, score=-1.099, required 5, autolearn=not spam, BAYES_00 -0.40, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_LOW -0.70) X-BakerBotts-MailScanner-SpamScore: sssssss X-BakerBotts-MailScanner-From: X-BakerBotts-MailScanner-Watermark: 1304091382.4845@Or22gDB9+IlOGwIUABHy9g X-Spam-Status: Yes Donald Dawson Security Administrator Baker Botts L.L.P. One Shell Plaza 910 Louisiana Houston, TX 77002 W: 713-229-2183 Confidentiality Notice: The information contained in this email and any attachments is intended only for the recipient[s] listed above and may be privileged and confidential. Any dissemination, copying, or use of or reliance upon such information by or to anyone other than the recipient[s] listed above is prohibited. If you have received this message in error, please notify the sender immediately at the email address above and destroy any and all copies of this message. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110422/4a3e142f/attachment.html From mark at msapiro.net Sat Apr 23 16:51:02 2011 
From: mark at msapiro.net (Mark Sapiro) Date: Sat Apr 23 16:51:20 2011 Subject: I messed up Bayes In-Reply-To: <201104220744.54848.dyioulos@firstbhph.com> References: <201104220744.54848.dyioulos@firstbhph.com> Message-ID: <4DB2F566.6060400@msapiro.net> On 11:59 AM, Dimitri Yioulos wrote: > > SA Learn: config: configuration > file "/etc/mail/spamassassin/20_advance_fee.cf" > requires version 3.003001 of SpamAssassin, but > this is code version 3.002005. Maybe you need to > use the -C switch, or remove the old config > files? Skipping this file > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Conf/Parser.pm > line 372. It looks like you are using version 3.3.1 rules with version 3.2.5. > That's just a snippet; every rule does the same. > So, I figured I'd roll back to the previous > version of SA. Trying sa-learn again, I now get > the following: > > SA Learn: config: configuration > file "/etc/mail/spamassassin/20_advance_fee.cf" > requires version 3.002005 of SpamAssassin, but > this is code version 3.002004. Maybe you need to > use the -C switch, or remove the old config > files? Skipping this file > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Conf/Parser.pm > line 372. And here you have version 3.2.5 rules with version 3.2.4. How are you doing these installs and rollbacks? Did you think you were installing version 3.3.1? > In other words, Bayes (or something) seems to be > looking at a previous configuration, or > something. It's not Bayes. It's spamassassin itself. The rules files have things like require_version 3.003001 and the spamassassin version doesn't match. > I think (the operative word, here) that I made a > good backup copy of the Bayes DB. That having > been said, how do I correct this problem? Install rules that match your SA version -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan From lev.fpt at gmail.com Sun Apr 24 04:26:52 2011 
From: lev.fpt at gmail.com (Le Vu) Date: Sun Apr 24 04:27:04 2011 Subject: Avira antivir v3 new output format Message-ID: Hi all, Recently I installed AntiVir free version from Avira website: http://www.avira.com/en/support-download-free-antivirus The scanner name and output format has been changed so I tried to modify the wrapper and SweepViruses.pm to process the new format. Unfortunately the format has changed to multi-line report and I am not so familiar with Perl script to get this done :-( I post the new output format here to see if anyone is interested in updating MailScanner to support new antivir version. Regards, Le. [root@RHEL6 ~]# avscan --batch tmp/ scan progress: directory "/root/tmp/" file: /root/tmp/Trojan.Win32.DNSChanger.dlr.zip last modified on date: 2011-04-24 time: 09:52:53, size: 51359 bytes ALERT: Trojan.Win32.DNSChanger.dlr <<< TR/Vundo.Gen ; trojan ; Is the Trojan horse TR/Vundo.Gen ALERT-URL: http://www.avira.com/en/threats?q=TR%2FVundo%2EGen no action taken file: /root/tmp/eicar.com last modified on date: 2006-11-01 time: 06:21:26, size: 68 bytes ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature no action taken file: /root/tmp/eicarcom2.zip last modified on date: 2006-11-01 time: 06:21:27, size: 308 bytes ALERT: eicar_com.zip --> eicar.com <<< Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature no action taken file: /root/tmp/Email-Worm.Win32.Combra.o.zip last modified on date: 2011-04-24 time: 09:57:55, size: 137327 bytes ALERT: Email-Worm.Win32.Combra.o <<< WORM/Combra.O.2 ; worm ; Contains detection pattern of the worm WORM/Combra.O.2 ALERT-URL: http://www.avira.com/en/threats?q=WORM%2FCombra%2EO%2E2 no action taken From ryan at mymegabyte.com Sun Apr 24 16:38:43 2011 
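An added example, not part of the post above and not MailScanner's SweepViruses.pm code: a small stateful parser for the multi-line `avscan --batch` report the post describes. The sample is the post's two EICAR entries; the line breaks and indentation are assumptions, because the archive flattened the original output.

```perl
#!/usr/bin/perl
# Added example: parse the multi-line avscan report into one record
# per ALERT line.
use strict;
use warnings;

# Sample taken from the post; line breaks and indentation are assumed.
my $SAMPLE = <<'END';
scan progress: directory "/root/tmp/"
file: /root/tmp/eicar.com
    last modified on date: 2006-11-01  time: 06:21:26,  size: 68 bytes
    ALERT: Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
    ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
    no action taken
file: /root/tmp/eicarcom2.zip
    last modified on date: 2006-11-01  time: 06:21:27,  size: 308 bytes
    ALERT: eicar_com.zip --> eicar.com <<< Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
    ALERT-URL: http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature
    no action taken
END

# Returns a reference to a list of hashes with the keys
# file, member, name and type.
sub parse_avscan {
    my ($text) = @_;
    my @findings;
    my $file;    # path from the most recent "file:" line

    for my $line (split /\r?\n/, $text) {
        $line =~ s/^\s+|\s+$//g;

        if ($line =~ /^file:\s*(.+)$/) {
            $file = $1;
        }
        elsif ($line =~ /^ALERT:\s*(.+)$/) {    # does not match "ALERT-URL:"
            my $rest = $1;
            unless (defined $file) {
                warn "ALERT line seen before any file line, skipped\n";
                next;
            }

            # Archives report "outer --> inner <<< detection"; keep the
            # member path separately from the detection fields.
            my $member = '';
            if ($rest =~ /^(.*?)\s*<<<\s*(.*)$/) {
                ($member, $rest) = ($1, $2);
            }

            # Remaining fields: name ; type ; description
            my ($name, $type) = split /\s*;\s*/, $rest, 3;
            push @findings, {
                file   => $file,
                member => $member,
                name   => $name,
                type   => defined $type ? $type : 'unknown',
            };
        }
    }
    return \@findings;
}

for my $f (@{ parse_avscan($SAMPLE) }) {
    printf "%s\t%s\t%s\t%s\n", @{$f}{qw(file member name type)};
}
```

Because the report is keyed on line prefixes, a file name that itself contains a newline could inject a fake `file:` or `ALERT:` line, so the scanner should only be pointed at directories whose file names have already been sanitised.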
From: ryan at mymegabyte.com (Ryan Burchfield) Date: Sun Apr 24 16:39:13 2011 Subject: Phishing detection not updating email subject Message-ID: <4DB44403.3070105@mymegabyte.com> New user of MailScanner here and so far I like it. Very flexible and powerful. As part of my installation (v 4.83.5-1) I tested the phishing filters by crafting a bad link. The filters detect the bad link, insert the warning into the email and log the detection in my syslog. However, the subject of the offending email is not updated per my configuration. I took a peek in Message.pm and it appears to me that it is just an oversight from a past revision. In many places previous if conditions pertaining to phishing detection events have been replaced with new ones. -Ryan Here is the syslog snippet. Apr 24 10:08:06 mail MailScanner[1079]: Virus and Content Scanning: Starting Apr 24 10:08:06 mail sendmail[1089]: p3OF85U7001089: from=<____>, size=940, class=0, nrcpts=1, msgid=<____>, proto=ESMTP, daemon=MTA, relay=____ Apr 24 10:08:06 mail dkim-filter[28250]: p3OF85U7001089: no signature data Apr 24 10:08:16 mail MailScanner[1100]: Found phishing fraud from http://somenewwebsite.com/ claiming to be www.google.com in p3OF803K001087 Apr 24 10:08:16 mail MailScanner[1079]: Content Checks: Detected and have disarmed phishing tags in HTML message in p3OF803K001087 from ____ Apr 24 10:08:16 mail MailScanner[1079]: Uninfected: Delivered 1 messages Apr 24 10:08:16 mail MailScanner[1079]: Deleted 1 messages from processing-database Here are the relevant conf sections. 
(Comments removed for brevity) Phishing Modify Subject = start Phishing Subject Text = {Phishing?} Find Phishing Fraud = yes Also Find Numeric Phishing = yes Use Stricter Phishing Net = yes Highlight Phishing Fraud = yes Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf From mrm at medicine.wisc.edu Mon Apr 25 15:05:08 2011 From: mrm at medicine.wisc.edu (Michael Masse) Date: Mon Apr 25 15:05:30 2011 Subject: Attachment file conversion Message-ID: <4DB539440200003E000156A6@gwmail.medicine.wisc.edu> We are in the process of changing voicemail vendors and this new vendor sends voicemail attachments in .wav format only. Our old vendor used mp3. I really don't like the idea of using 10x the disk space for the attachments which people tend to hang on to forever. Is there some way that MailScanner can call an external program to modify an attachment while it has an email disassembled, and then reassemble the email and forward on? Specifically I'd like to convert the wav attachments to mp3 via some external program, and then reassemble the email and forward it on so that the user really doesn't know the file is being converted? I started to look at procmail to see if it could do this, but I don't know how I would get it to reassemble the email back together again. Any clues would be greatly appreciated. -Mike From ssilva at sgvwater.com Mon Apr 25 16:35:18 2011 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Apr 25 16:35:42 2011 Subject: I messed up Bayes In-Reply-To: <201104220744.54848.dyioulos@firstbhph.com> References: <201104220744.54848.dyioulos@firstbhph.com> Message-ID: on 4/22/2011 4:44 AM Dimitri Yioulos spake the following: > Greetz, all. > > I hope it's appropriate to ask this here. It may > have been answered in the past, but I wouldn't > even know what search terms to use: > > Over the past few days, I've had some spam leaking > through what has been an old, but reliable system > (consisting of the latest Sendmail, MailScanner, > clamav, MailWatch, and an older Spamassassin, all > running on a CentOS box). Up to this point, most > spam was easily tagged and dealt with. So, I > figured I'd upgrade to the latest SA, thereby > using the most recent rules. Good in theory, bad > in practice, because it messed up Bayes. > Regardless of whether I tried to do it manually, > or via MailWatch, when I did an sa-learn, I got > the following: > > SA Learn: config: configuration > file "/etc/mail/spamassassin/20_advance_fee.cf" > requires version 3.003001 of SpamAssassin, but > this is code version 3.002005. Maybe you need to > use the -C switch, or remove the old config > files? Skipping this file > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Conf/Parser.pm > line 372. > > That's just a snippet; every rule does the same. > So, I figured I'd roll back to the previous > version of SA. Trying sa-learn again, I now get > the following: > > SA Learn: config: configuration > file "/etc/mail/spamassassin/20_advance_fee.cf" > requires version 3.002005 of SpamAssassin, but > this is code version 3.002004. Maybe you need to > use the -C switch, or remove the old config > files? Skipping this file > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Conf/Parser.pm > line 372. > > In other words, Bayes (or something) seems to be > looking at a previous configuration, or > something. 
>
> I think (the operative word, here) that I made a
> good backup copy of the Bayes DB. That having
> been said, how do I correct this problem?
>
> As ever, many thanks.
>
> Dimitri
>
Did you install the new versions using a different method than the original installs? ( IE-- RPM VS source install)

From glenn.steen at gmail.com Mon Apr 25 21:41:29 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Apr 25 21:41:38 2011
Subject: Attachment file conversion
In-Reply-To: <4DB539440200003E000156A6@gwmail.medicine.wisc.edu>
References: <4DB539440200003E000156A6@gwmail.medicine.wisc.edu>
Message-ID:

On 25 April 2011 16:05, Michael Masse wrote:
> We are in the process of changing voicemail vendors and this new vendor
> sends voicemail attachments in .wav format only. Our old vendor used
> mp3. I really don't like the idea of using 10x the disk space for the
> attachments which people tend to hang on to forever. Is there some way
> that MailScanner can call an external program to modify an attachment while
> it has an email disassembled, and then reassemble the email and forward
> on? Specifically I'd like to convert the wav attachments to mp3 via some
> external program, and then reassemble the email and forward it on so that
> the user really doesn't know the file is being converted? I started to
> look at procmail to see if it could do this, but I don't know how I would
> get it to reassemble the email back together again. Any clues would be
> greatly appreciated.
>
> -Mike
>
steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Mon Apr 25 22:00:11 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Apr 25 22:00:33 2011
Subject: Attachment file conversion
In-Reply-To: <4DB539440200003E000156A6@gwmail.medicine.wisc.edu>
References: <4DB539440200003E000156A6@gwmail.medicine.wisc.edu>
Message-ID:

on 4/25/2011 7:05 AM Michael Masse spake the following:
> We are in the process of changing voicemail vendors and this new vendor sends
> voicemail attachments in .wav format only. Our old vendor used mp3. I
> really don't like the idea of using 10x the disk space for the attachments
> which people tend to hang on to forever. Is there some way that MailScanner
> can call an external program to modify an attachment while it has an email
> disassembled, and then reassemble the email and forward on? Specifically I'd
> like to convert the wav attachments to mp3 via some external program, and then
> reassemble the email and forward it on so that the user really doesn't know
> the file is being converted? I started to look at procmail to see if it
> could do this, but I don't know how I would get it to reassemble the email
> back together again. Any clues would be greatly appreciated.
>
> -Mike
>
>
There is the option to zip attachments. May not be what you want, but the size reduction might help.

From bill at bfccomputing.com Wed Apr 27 01:58:19 2011
From: bill at bfccomputing.com (Bill McGonigle)
Date: Wed Apr 27 01:58:40 2011
Subject: Taint problems
In-Reply-To: <4DAEB9FC.8060004@skynet-srl.com>
References: <201104191100.p3JB02LK010305@safir.blacknight.ie> <4DAEB9FC.8060004@skynet-srl.com>
Message-ID: <4DB76A2B.5000508@bfccomputing.com>

On 04/20/2011 06:48 AM, Alessandro Bianchi wrote:
> Till now, after several hours, the only way I found to run MS, is
> adding the -U switch in the shebang line in /usr/sbin/MailScanner.
>
> This switch, to my understanding, turns fatal taint errors into warnings,
> but I'm still looking for a definitive fix.
>
> Hope to save some night work hours to someone else with this info.

You sure did, thanks, Alessandro!

These are the ones I'm seeing:

Insecure dependency in open while running with -T switch at /usr/lib/MailScanner/MailScanner/Lock.pm line 358.
Insecure dependency in open while running with -T switch at /usr/lib/perl5/IO/File.pm line 185, <$fh> line 44.
Insecure dependency in chdir while running with -T switch at /usr/lib/MailScanner/MailScanner/Message.pm line 2415.
Insecure dependency in open while running with -T switch at /usr/lib/MailScanner/MailScanner/Lock.pm line 358.

perl -v says:

This is perl, v5.10.1 (*) built for i386-linux-thread-multi

It came in:

Apr 24 03:23:18 Updated: 4:perl-5.10.1-123.fc13.i686

This is on a Fedora 13 box. Others mentioned about what a disaster Fedora is for MailScanner, but from experience I can say this is the first system-related problem I've seen on a MailScanner box since Redhat 9 (having upgraded through ~12 Fedora releases since). Besides, this box is slated to migrate to the stable CentOS 6, which also carries perl-5.10.

It looks like taint errors in some of the same places were fixed in 4.79.11-1. I haven't yet diffed the two source trees to see what was done.

-Bill

--
Bill McGonigle, Owner
BFC Computing, LLC
http://bfccomputing.com/
Telephone: +1.603.448.4440
Email, IM, VOIP: bill@bfccomputing.com
VCard: http://bfccomputing.com/vcard/bill.vcf
Social networks: bill_mcgonigle/bill.mcgonigle

From ralf at bardoel.biz Fri Apr 29 15:15:52 2011
From: ralf at bardoel.biz (Ralf Bardoel)
Date: Fri Apr 29 15:16:32 2011
Subject: Block unencrypted messages
Message-ID: <4DBAC818.1010200@bardoel.biz>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5864 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110429/c196a2b5/smime.bin

From maxsec at gmail.com Fri Apr 29 15:52:09 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Apr 29 15:52:17 2011
Subject: Block unencrypted messages
In-Reply-To: <4DBAC818.1010200@bardoel.biz>
References: <4DBAC818.1010200@bardoel.biz>
Message-ID:

How've you set up to detect and react to messages and what version of mailscanner?

Martin

On Friday, 29 April 2011, Ralf Bardoel wrote:
>
> Dear users of MailScanner,
> First of all I want to say I love your product and I hope you'll all keep up the good work! I have a small problem. I want to block unencrypted email messages passing my mail gateway, but instead of blocking unencrypted messages all the messages are blocked. The maillog shows the following information:
> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Detected and blocked unencrypted message in p3TFd2TS016946
> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Found 1 problems
> Apr 29 14:39:03 AAA MailScanner[16925]: Uninfected: Delivered 1 messages
> Apr 29 14:39:03 AAA MailScanner[16925]: Deleted 1 messages from processing-database
> These lines show the rejection of an encrypted message. Is this a known bug or can I debug this check somewhere? Thank you in advance!
> Kind regards,
> Ralf Bardoel
>

--
--
Martin Hepworth
Oxford, UK

From ralf at bardoel.biz Fri Apr 29 16:32:40 2011
From: ralf at bardoel.biz (Ralf Bardoel)
Date: Fri Apr 29 16:32:52 2011
Subject: Block unencrypted messages
In-Reply-To:
References: <4DBAC818.1010200@bardoel.biz>
Message-ID: <4DBADA18.1070402@bardoel.biz>

Dear Martin,

Thank you for your quick answer. The version of MailScanner is 4.82.6-1, it runs on CentOS 5.4 and the MTA is sendmail. I've tested all the scenarios, when I block unencrypted messages MailScanner blocks also encrypted messages. Do you know any debug possibilities?

Kind regards,

Ralf Bardoel

On 29-4-2011 16:52 uur, Martin Hepworth wrote:
> How've you set up to detect and react to messages and what version of
> mailscanner?
>
> Martin
>
> On Friday, 29 April 2011, Ralf Bardoel wrote:
>>
>> Dear users of MailScanner,
>> First of all I want to say I love your product and I hope you'll all keep up the good work! I have a small problem. I want to block unencrypted email messages passing my mail gateway, but instead of blocking unencrypted messages all the messages are blocked. The maillog shows the following information:
>> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Detected and blocked unencrypted message in p3TFd2TS016946
>> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Found 1 problems
>> Apr 29 14:39:03 AAA MailScanner[16925]: Uninfected: Delivered 1 messages
>> Apr 29 14:39:03 AAA MailScanner[16925]: Deleted 1 messages from processing-database
>> These lines show the rejection of an encrypted message. Is this a known bug or can I debug this check somewhere? Thank you in advance!
>> Kind regards,
>> Ralf Bardoel
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5864 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110429/ebcbff40/smime.bin

From maxsec at gmail.com Fri Apr 29 22:25:10 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Apr 29 22:25:18 2011
Subject: Block unencrypted messages
In-Reply-To: <4DBADA18.1070402@bardoel.biz>
References: <4DBAC818.1010200@bardoel.biz> <4DBADA18.1070402@bardoel.biz>
Message-ID:

Like how are you trying to detect an unencrypted message?

For debug you can run ms with the --debug flag which will scan the incoming q once

On Friday, 29 April 2011, Ralf Bardoel wrote:
> Dear Martin,
>
> Thank you for your quick answer. The version of MailScanner is 4.82.6-1, it runs on CentOS 5.4 and the MTA is sendmail. I've tested all the scenarios, when I block unencrypted messages MailScanner blocks also encrypted messages. Do you know any debug possibilities?
>
> Kind regards,
>
> Ralf Bardoel
>
> On 29-4-2011 16:52 uur, Martin Hepworth wrote:
>
> How've you set up to detect and react to messages and what version of
> mailscanner?
>
> Martin
>
> On Friday, 29 April 2011, Ralf Bardoel wrote:
>
> Dear users of MailScanner,
> First of all I want to say I love your product and I hope you'll all keep up the good work! I have a small problem. I want to block unencrypted email messages passing my mail gateway, but instead of blocking unencrypted messages all the messages are blocked. The maillog shows the following information:
> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Detected and blocked unencrypted message in p3TFd2TS016946
> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Found 1 problems
> Apr 29 14:39:03 AAA MailScanner[16925]: Uninfected: Delivered 1 messages
> Apr 29 14:39:03 AAA MailScanner[16925]: Deleted 1 messages from processing-database
> These lines show the rejection of an encrypted message. Is this a known bug or can I debug this check somewhere? Thank you in advance!
> Kind regards,
> Ralf Bardoel
>

--
--
Martin Hepworth
Oxford, UK

From mark at msapiro.net Sat Apr 30 16:54:57 2011
From: mark at msapiro.net (Mark Sapiro)
Date: Sat Apr 30 16:55:12 2011
Subject: Block unencrypted messages
In-Reply-To: <4DBAC818.1010200@bardoel.biz>
References: <4DBAC818.1010200@bardoel.biz>
Message-ID: <4DBC30D1.3020602@msapiro.net>

On 11:59 AM, Ralf Bardoel wrote:
>
> First of all I want to say I love your product and I hope you'll all
> keep up the good work! I have a small problem. I want to block
> unencrypted email messages passing my mail gateway, but instead of
> blocking unencrypted messages all the messages are blocked. The maillog
> shows the following information:
>
> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Detected and
> blocked unencrypted message in p3TFd2TS016946
> Apr 29 14:39:03 AAA MailScanner[16925]: Content Checks: Found 1 problems
> Apr 29 14:39:03 AAA MailScanner[16925]: Uninfected: Delivered 1 messages
> Apr 29 14:39:03 AAA MailScanner[16925]: Deleted 1 messages from
> processing-database
>
> These lines show the rejection of an encrypted message. Is this a known
> bug or can I debug this check somewhere? Thank you in advance!

Look at a raw "encrypted" message. The code (sub EncryptionStatus in module /usr/lib/MailScanner/MailScanner/SweepContent.pm) seems very straightforward. It looks at the Content-Type: of the message and all its sub-parts for a match on the pattern /\/encrypted/i. If any header matches, it says the message is encrypted, otherwise not.

Thus, it seems that your encrypted messages do not contain any Content-Type: multipart/encrypted or similar headers.

--
Mark Sapiro                            The highway is for gamblers,
San Francisco Bay Area, California     better use your sense - B. Dylan
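
The check described in the message above, re-implemented in Python as an added example; it is not MailScanner's Perl code and not part of the original thread. Only the /encrypted pattern comes from the post: the S/MIME Content-Type (per RFC 8551), the hypothetical smime_enveloped helper and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

ENCRYPTED_RE = re.compile(r"/encrypted", re.I)  # pattern quoted in the post
# Assumption, not from the post: S/MIME (RFC 8551) labels encrypted mail this way.
SMIME_ENVELOPED_RE = re.compile(
    r'application/(x-)?pkcs7-mime\b.*smime-type\s*=\s*"?enveloped-data', re.I | re.S)

def content_types(raw):
    """Content-Type header of the message and of every sub-part."""
    return [p.get("Content-Type", "") for p in message_from_string(raw).walk()]

def described_check(raw):
    """Encrypted if any Content-Type matches the /encrypted pattern."""
    return any(ENCRYPTED_RE.search(ct) for ct in content_types(raw))

def smime_enveloped(raw):
    """Hypothetical extra test: an S/MIME enveloped-data part is present."""
    return any(SMIME_ENVELOPED_RE.search(ct) for ct in content_types(raw))

# Constructed samples; only the headers matter, bodies are placeholders.
PGP_MIME = """\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/octet-stream

(ciphertext placeholder)
--b1--
"""
SMIME_ENCRYPTED = """\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

(ciphertext placeholder)
"""
SMIME_SIGNED_ONLY = """\
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b2"

--b2
Content-Type: text/plain

cleartext body
--b2
Content-Type: application/pkcs7-signature; name="smime.p7s"

(signature placeholder)
--b2--
"""
for raw in (PGP_MIME, SMIME_ENCRYPTED, SMIME_SIGNED_ONLY):
    print(described_check(raw), smime_enveloped(raw))
```

On these samples the described pattern accepts only the PGP/MIME message; a message encrypted as S/MIME enveloped-data carries no "/encrypted" in any Content-Type and would be reported as unencrypted, which is the kind of header difference to look for in the raw message.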