From kkobb at skylinecorp.com Tue Mar 1 14:43:23 2011 From: kkobb at skylinecorp.com (Kevin Kobb) Date: Tue Mar 1 14:43:54 2011 Subject: Archive Mail _HOUR_ string in MailScanner.conf In-Reply-To: <4D67B404.2080900@skylinecorp.com> References: <4D67B404.2080900@skylinecorp.com> Message-ID: <4D6D060B.9000907@skylinecorp.com> On 2/25/2011 8:52 AM, Kevin Kobb wrote: > Hi All, > > Recently turned on the archive mail option in MailScanner, and it is > working fine. The only question I have is that in the MailScanner.conf > comments, it says that _HOUR_ will be replaced with a two digit hour, > using padded "0" if needed. > > However, on my test box with a setting like: > > Archive Mail = /var/spool/MailScanner/archive/_DATE___HOUR_.mbox > > I get filenames like 20110225_3.mbox, 20110225_4.mbox, etc. Not a big > deal deal or anything, just wondered if I am doing something wrong or if > this is a bug? > > I am using MailScanner-4.82.6, with perl 5.10 on FreeBSD 7.4. OK, I modified Message.pm on a test box like so: --- Message.pm.orig 2011-02-19 05:56:36.000000000 -0500 +++ Message.pm 2011-02-28 09:15:50.000000000 -0500 @@ -381,8 +381,9 @@ my($hour, $day, $month, $year, $date); ($hour, $day, $month, $year) = (localtime)[2,3,4,5]; $date = sprintf("%04d%02d%02d", $year+1900, $month+1, $day); + $hour = sprintf("%02d", $hour); $this->{datenumber} = $date; - $this->{hournumber} = sprintf("%02d", $hour); + $this->{hournumber} = $hour; # Work out where to archive/copy this message. # Could do all the archiving in a different separate place. I don't know if this is the right way to do it, as my programming skills are fairly minimal and my perl knowledge is even less, but it looked reasonable, and the files come out with two digit hour names now. From ssilva at sgvwater.com Tue Mar 1 16:18:19 2011 
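Review bot: In the Message.pm hunk (@@ -381,8 +381,9 @@), the removed line already stored a zero-padded value in $this->{hournumber}, so the single-digit filenames reported above must come from code further down that reads $hour itself, and that code is not in the hunk. Overwriting $hour with a string fixes the filename by side effect; pointing the _HOUR_ substitution at $this->{hournumber} instead would keep $hour numeric for any other use and make the intent explicit. If the reassignment stays, add a one-line comment saying that $hour is padded here because the archive filename is built from it.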
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Mar 1 16:18:48 2011
Subject: Feature (?) Request
In-Reply-To: <4D6037EB.5070301@vidadigital.com.pa>
References: <4D6037EB.5070301@vidadigital.com.pa>
Message-ID:

on 2/19/2011 1:36 PM Alex Neuman van der Hans spake the following:
> Julian,
>
> I was wondering if it would be useful for others to insert variables in
> inline.sig.txt and inline.sig.html - specifically, something like the
> Message-ID. Sometimes users aren't savvy enough to know how to extract
> headers, and having that info might save some time looking for the message in
> MailWatch or other similar tools.
>
> What do you think?
>
If a user needs that info on a clean message, maybe. But for anything that is
disarmed or "fixed" there are already variables in the rest of the reports. I
usually have the user forward the message to me and get the message ID myself.

From alex at vidadigital.com.pa Tue Mar 1 18:10:45 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Tue Mar 1 18:10:56 2011
Subject: Feature (?) Request
In-Reply-To:
References: <4D6037EB.5070301@vidadigital.com.pa>
Message-ID:

True. I meant for the "clean" messages.

On Tue, Mar 1, 2011 at 11:18 AM, Scott Silva wrote:
> on 2/19/2011 1:36 PM Alex Neuman van der Hans spake the following:
>> Julian,
>>
>> I was wondering if it would be useful for others to insert variables in
>> inline.sig.txt and inline.sig.html - specifically, something like the
>> Message-ID. Sometimes users aren't savvy enough to know how to extract
>> headers, and having that info might save some time looking for the message in
>> MailWatch or other similar tools.
>>
>> What do you think?
>>
> If a user needs that info on a clean message, maybe. But for anything that is
> disarmed or "fixed" there are already variables in the rest of the reports. I
> usually have the user forward the message to me and get the message ID myself.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From cplists at princeinternet.com Tue Mar 1 20:06:12 2011
From: cplists at princeinternet.com (Cameron B. Prince)
Date: Tue Mar 1 20:06:30 2011
Subject: Source IP Address Ruleset / Allowing Mail From Specific Source Only
In-Reply-To:
Message-ID:

>> Sounds like a job for SpamAssassin! (something like the below)
>>
>> header __TO To =~ /^address@domain$/
>> header __FROM Received =~ /\[1.2.3.4\]/
>> meta RULE (__TO - __FROM)>= 1
>> score RULE 10
>> describe RULE Mail coming from wrong IP

> Don't use the data in the headers! That is totally irrelevant to the
> destination and sender of the mail. Only ever use the recipient stated
> in the envelope, never use the headers.

Hi Julian,

Does this mean that you agree that SpamAssassin is a valid way to provide
the functionality I need, only that the example given was problematic?

I did some searching for information about using SpamAssassin to test
against the envelope. What I found indicates that the envelope data isn't
available to SpamAssassin. Can you confirm that this is incorrect?

Thanks,
Cameron

From ka at pacific.net Tue Mar 1 20:45:38 2011
From: ka at pacific.net (Ken A)
Date: Tue Mar 1 20:45:50 2011
Subject: Source IP Address Ruleset / Allowing Mail From Specific Source Only
In-Reply-To:
References:
Message-ID: <4D6D5AF2.4040202@pacific.net>

If you can use a sendmail milter, milter-regex would work with something
like this:

mySafeIP = connect // /xxx\.xxx\.xxx\.xxx/
myDomain = envrcpt /example.com/

reject "please use the proper MX"
$myDomain and not $mySafeIP

The matches are just regular expressions, so you could leave off the
last octet to match a /24, for example.. (not tested)

Ken

On 2/23/2011 8:43 AM, Cameron B. Prince wrote:
> Hello fellow MailScanner users,
>
> I've been using MailScanner for over 6 years now and it continues to provide
> a good service for my clients. I now have a few clients that want to pay for
> what they hope is even better spam filtering services provided by external,
> third-party filtering companies. This is okay with me because these domains
> get an extremely high volume of spam and really tax the servers.
>
> We have configured one client's MX record to route all the mail for their
> domain to one of these companies. There the mail is filtered and then clean
> mail is routed back to our server to be stored in the client's mailboxes.
>
> This is working well, but we have spammers with cached MX records making an
> end-run around the new filter by continuing to send mail directly to our
> server.
>
> To solve this, I'm hoping it would be possible to set up something like a
> ruleset such as:
>
> To: domain.com xxx.xxx.xxx.xxx
>
> The idea being that the source address of the MX connection is checked and
> compared with the ruleset. Then if the IP address matches mail is allowed
> and if not, it's blocked.
>
> I'm certainly open to other suggestions, but this seems like an elegant
> solution and a nice feature for MailScanner.
> > There have been suggestions of using IP tables but since our mail servers > receive mail for many different domains, we can't simply block everything > except the filtering company. > > I look forward to your thoughts and ideas. > > Thanks, > Cameron > > -- Ken Anderson Pacific Internet - http://www.pacific.net From bonivart at opencsw.org Wed Mar 2 10:34:39 2011 From: bonivart at opencsw.org (Peter Bonivart) Date: Wed Mar 2 10:35:08 2011 Subject: Patch for ClamAV updates Message-ID: I noticed that MailScanner always logged an update for ClamAV. I think the Clam team have changed the exit codes since the script was written and they now use 0 for a successful update regardless if an actual update occured or not. This can be manipulated when calling freshclam, my patch below exits with 1 if an update occured and 0 if was already up to date, still exiting with higher codes for problems. Now I get the expected logs: Mar 1 21:45:08 localhost ClamAV-autoupdate[13564]: ClamAV did not need updating Mar 1 22:23:40 localhost ClamAV-autoupdate[15759]: ClamAV did not need updating Mar 1 22:54:44 localhost ClamAV-autoupdate[17316]: ClamAV updated Mar 1 23:24:39 localhost ClamAV-autoupdate[18822]: ClamAV did not need updating Mar 1 23:49:44 localhost ClamAV-autoupdate[19911]: ClamAV did not need updating /peter --- clamav-autoupdate.110301 Tue Mar 1 16:43:49 2011 +++ clamav-autoupdate Tue Mar 1 16:44:35 2011 @@ -35,7 +35,7 @@ eval { alarm 300; unlink $LogFile; - $Command = "$ClamUpdateCommand --quiet -l $LogFile"; + $Command = "$ClamUpdateCommand --on-update-execute=EXIT_1 --quiet -l $LogFile"; $Command .= " --http-proxy $HTTPproxy" if $HTTPproxy; $retval = &UpdateClam($Command); # system($Command)>>8; &UnlockClamAV(); 
@@ -51,9 +51,9 @@ } } else { alarm 0; - if ($retval == 0 ) { + if ($retval == 1 ) { Sys::Syslog::syslog('info', "ClamAV updated"); - } elsif ($retval == 1 ) { + } elsif ($retval == 0 ) { Sys::Syslog::syslog('info', "ClamAV did not need updating"); } else { Sys::Syslog::syslog('err', "ClamAV updater failed"); From bonivart at opencsw.org Wed Mar 2 15:02:21 2011 From: bonivart at opencsw.org (Peter Bonivart) Date: Wed Mar 2 15:02:52 2011 Subject: Patch for ClamAV updates In-Reply-To: References: Message-ID: On Wed, Mar 2, 2011 at 3:02 PM, Kai Schaetzl wrote: > The patch fails with > patch: **** malformed patch at line 12: ? ? ?&UnlockClamAV(); > and I wonder if this is just an effect of copy/paste/transportation via > text. > > md5sum: > 939eda0f3c7a4f7746105a0b134e0dbd ?/usr/lib/MailScanner/clamav-autoupdate > > Is this the one to patch? If so, can you provide a zipped version via mail > or at a URL, so there's a "clean" one? Yes, that's the file, I can't confirm the md5 hash since I replace the perl path in my Solaris packages but that file hasn't changed for a while. At least it's the same in 4.79.11 and 4.82.6. Here's a link to the patch: http://pastebin.com/XQVJdJyS /peter From maillists at conactive.com Wed Mar 2 16:49:56 2011 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Mar 2 16:50:13 2011 Subject: Patch for ClamAV updates In-Reply-To: References: Message-ID: Peter Bonivart wrote on Wed, 2 Mar 2011 16:02:21 +0100: > Here's a link to the patch: http://pastebin.com/XQVJdJyS Hey, this one works, thanks! There was a difference of 8 bytes between the version I copied from the mail and this one, whatever the exact difference was. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com From homyang4u at gmail.com Thu Mar 3 04:45:14 2011 
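Review bot: In the first clamav-autoupdate hunk (@@ -35,7 +35,7 @@), the new --on-update-execute=EXIT_1 on the $Command line changes what exit status 1 means for everything that reads the result of UpdateClam, but nothing at the call site says so. A short comment there, stating that EXIT_1 makes freshclam exit 1 only when it actually downloaded something, would tie it to the $retval tests in the second hunk. Separately, $LogFile and $HTTPproxy are interpolated unquoted into a string that the trailing comment suggests is run through system(); quoting them, or passing the command as a list, would keep a path or proxy value containing spaces or shell metacharacters from being split or interpreted.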
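Review bot: In the second clamav-autoupdate hunk (@@ -51,9 +51,9 @@), the tests $retval == 1 and $retval == 0 are only correct while the command string carries --on-update-execute=EXIT_1; if that option is dropped or not honoured, a real update is logged as "ClamAV did not need updating". Comment or name the two values so the coupling to the first hunk is visible to the next person who edits either place. The final else still logs "ClamAV updater failed" without the code; including $retval in that message would let an operator tell the failure modes apart from syslog alone.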
From: homyang4u at gmail.com (homyang cha)
Date: Thu Mar 3 04:45:24 2011
Subject: ClamAV SpamAssassin easy installation package outdated
In-Reply-To:
References: <4CEE4A05.5020406@ecs.soton.ac.uk>
Message-ID:

Hello Mr Julian

Can you please again update the ClamAV and SpamAssassin easy Installation
package in the download section. Right now the latest version is ClamAV-0.97
but mailscanner sites has version 0.96.5. I am facing the same problem as
earlier.

Thanks in advance

On Thu, Nov 25, 2010 at 5:35 PM, Julian Field wrote:

> Just updated it for you!
>
>
> On 24/11/2010 07:57, homyang cha wrote:
>
>> Hello Everybody
>> I have used ClamAV and SpamAssassin easy installation package with
>> MailScanner. Now I want to upgrade the easy installation package but it is
>> outdated. When I debug MailScanner --lint it shows the version of the ClamAV
>> engine is outdated. So when will this package be updated? Is there other
>> ways to update this package? Is using ClamAV and SpamAssassin separately a
>> better option? I found installing easy package is much faster and works fine
>> without any problems. Please help.
>>
>> Thanks in advance
>>
>>
>> --
>> homyang (aka puran)
>>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
homyang (aka puran)

From alvaro at hostalia.com Thu Mar 3 13:50:35 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Thu Mar 3 13:50:28 2011
Subject: EndCustomFunctions when the batch finish
Message-ID: <4D6F9CAB.2040100@hostalia.com>

Hi,

I've a CustomFunction to insert messages into a database. The plugin is
just:

sub InitDBPlug {
    $dbh = DBI->connect("DBI:mysql:database=...
}
sub DBPlug {
    $sth = $dbh->prepare("INSERT INTO...
    $sth->execute(...
}
sub EndDBPlug {
    $dbh->commit;
    $dbh->disconnect;
}

The problem is that as I see in bin/Mailscanner, the End functions of
the "plugins" are called (with
MailScanner::Config::EndCustomFunctions()) only when the child has to be
restarted by "restartevery" variable:

(time>=$StartTime && time<$RestartTime && !$BayesRebuild)

The default value for "Restart Every" is 7200, so the MySQL connection
is kept open until that time without any use.

So, Can I add safely :

# Close down all the user's custom functions
MailScanner::Config::EndCustomFunctions();

inside that "while" to be executed every time that a Batch finish to
close the DB connection?

Thank you!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From steve.freegard at fsl.com Thu Mar 3 17:56:02 2011
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Mar 3 17:56:43 2011
Subject: EndCustomFunctions when the batch finish
In-Reply-To: <4D6F9CAB.2040100@hostalia.com>
References: <4D6F9CAB.2040100@hostalia.com>
Message-ID: <4D6FD632.40909@fsl.com>

Hi Alvaro,

On 03/03/11 13:50, Alvaro Marin wrote:
> The problem is that as I see in bin/Mailscanner, the End functions of
> the "plugins" are called (with
> MailScanner::Config::EndCustomFunctions()) only when the child has to be
> restarted by "restartevery" variable:
>
> (time>=$StartTime && time<$RestartTime && !$BayesRebuild)
>
> The default value for "Restart Every" is 7200, so the MySQL connection
> is kept open until that time without any use.
>
> So, Can I add safely :
>
> # Close down all the user's custom functions
> MailScanner::Config::EndCustomFunctions();
>
> inside that "while" to be executed every time that a Batch finish to
> close the DB connection?
>

If you do that; your database handle will get destroyed and the next
time DBPlug() is called it will fail to insert anything (and will return
an error). It would also mean you'd have to hack MailScanner every time
you upgrade it.

If you want to connect/disconnect each time your code runs; then do
everything in DBPlug() and not in the Init/End functions e.g.

sub InitDBPlug {
    # Nothing here...
}

sub DBPlug {
    my $dbh = DBI->connect ...
    ...
    $dbh->commit;
    $dbh->disconnect;
}

sub EndDBPlug {
    # Nothing here either...
}

You only want to do database connect/disconnect in the Init/End
functions if you want to keep your database connection for the life of
the child process; this is more efficient if you are doing a lot of
database work as connect/disconnect is expensive if you are doing it a lot.

Hope that helps.

Kind Regards,
Steve.

From garthl at dcdata.co.za Fri Mar 4 08:38:09 2011
From: garthl at dcdata.co.za (garth)
Date: Fri Mar 4 08:38:06 2011
Subject: Mailscanner with Clamd
In-Reply-To: <4D70A261.8040903@dcdata.co.za>
References: <4D70A261.8040903@dcdata.co.za>
Message-ID: <4D70A4F1.1070909@dcdata.co.za>

Hi Guys
>
> I don't think this is to do with Mailscanner but has anyone picked up
> this since last night. I have received 100's of messages from
> postmaster about these so called viruses. I have upgraded clam to 0.97
> . Even txt files are being caught for this. Does anyone know if this
> is legit? Possibly a new trojan/virus that has spread?
>
> Report: Clamd: message was infected: MBL_144360.UNOFFICIAL
> Report: Clamd: msg-32241-55.html was infected: MBL_144360.UNOFFICIAL
>
> Thanks
> --
> Garth Lancaster
>
> *LinuxTech t/a DcData*
> *CK number: 2001/058368/23*
> *Website:* http://www.dcdata.co.za
> *Support:* +27(0)860-1-LINUX
> *Mobile:* +27(0)781417916
> *Tel:* +27(0)333446100
> *Fax:* +27(0)866878971
>

This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

From alvaro at hostalia.com Fri Mar 4 10:24:53 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Fri Mar 4 10:24:43 2011
Subject: EndCustomFunctions when the batch finish
In-Reply-To: <4D6FD632.40909@fsl.com>
References: <4D6F9CAB.2040100@hostalia.com> <4D6FD632.40909@fsl.com>
Message-ID: <4D70BDF5.3080409@hostalia.com>

Hi Steve,

On 03/03/11 18:56, Steve Freegard wrote:
> Hi Alvaro,
>
> On 03/03/11 13:50, Alvaro Marin wrote:
>> The problem is that as I see in bin/Mailscanner, the End functions of
>> the "plugins" are called (with
>> MailScanner::Config::EndCustomFunctions()) only when the child has to be
>> restarted by "restartevery" variable:
>>
>> (time>=$StartTime && time<$RestartTime && !$BayesRebuild)
>>
>> The default value for "Restart Every" is 7200, so the MySQL connection
>> is kept open until that time without any use.
>>
>> So, Can I add safely :
>>
>> # Close down all the user's custom functions
>> MailScanner::Config::EndCustomFunctions();
>>
>> inside that "while" to be executed every time that a Batch finish to
>> close the DB connection?
>>
>
> If you do that; your database handle will get destroyed and the next
> time DBPlug() is called it will fail to insert anything (and will return
> an error). It would also mean you'd have to hack MailScanner every time
> you upgrade it.
>
> If you want to connect/disconnect each time your code runs; then do
> everything in DBPlug() and not in the Init/End functions e.g.
>
> sub InitDBPlug {
>     # Nothing here...
> }
>
> sub DBPlug {
>     my $dbh = DBI->connect ...
>     ...
>     $dbh->commit;
>     $dbh->disconnect;
> }
>
> sub EndDBPlug {
>     # Nothing here either...
> }
>
> You only want to do database connect/disconnect in the Init/End
> functions if you want to keep your database connection for the life of
> the child process; this is more efficient if you are doing a lot of
> database work as connect/disconnect is expensive if you are doing it a lot.
>
> Hope that helps.
>
> Kind Regards,
> Steve.

Thank you for your answer.
I was doing what you've said when you wrote me! It runs fine, MySQL
server, until now, doesn't matter about the massive connect/disconnect.

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From hkeasytech at gmail.com Fri Mar 4 10:33:53 2011
From: hkeasytech at gmail.com (Barry Kwok)
Date: Fri Mar 4 10:34:03 2011
Subject: Mailscanner with Clamd
In-Reply-To: <4D70A4F1.1070909@dcdata.co.za>
References: <4D70A261.8040903@dcdata.co.za> <4D70A4F1.1070909@dcdata.co.za>
Message-ID:

It is false positives from Sanesecurity

please read this thread

http://www.freelists.org/post/sanesecurity/False-positives-on-MBL-144360UNOFFICIAL

Barry

On Fri, Mar 4, 2011 at 4:38 PM, garth wrote:

> Hi Guys
>
>
> I don't think this is to do with Mailscanner but has anyone picked up this
> since last night. I have received 100's of messages from postmaster about
> these so called viruses. I have upgraded clam to 0.97 . Even txt files are
> being caught for this. Does anyone know if this is legit? Possibly a new
> trojan/virus that has spread?
>
> Report: Clamd: message was infected: MBL_144360.UNOFFICIAL
> Report: Clamd: msg-32241-55.html was infected: MBL_144360.UNOFFICIAL
>
> Thanks
>
> --
> Garth Lancaster
>
> *LinuxTech t/a DcData*
> *CK number: 2001/058368/23*
> *Website:* http://www.dcdata.co.za
> *Support:* +27(0)860-1-LINUX
> *Mobile:* +27(0)781417916
> *Tel:* +27(0)333446100
> *Fax:* +27(0)866878971
>
>
> --
> This email and all contents are subject to the following disclaimer:
> http://www.dcdata.co.za/emaildisclaimer.html
>

From ssilva at sgvwater.com Fri Mar 4 17:18:05 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Mar 4 17:20:15 2011
Subject: Mailscanner with Clamd
In-Reply-To:
References: <4D70A261.8040903@dcdata.co.za> <4D70A4F1.1070909@dcdata.co.za>
Message-ID:

on 3/4/2011 2:33 AM Barry Kwok spake the following:
>
> On Fri, Mar 4, 2011 at 4:38 PM, garth wrote:
>
> Hi Guys
>>
>> I don't think this is to do with Mailscanner but has anyone picked up
>> this since last night. I have received 100's of messages from postmaster
>> about these so called viruses. I have upgraded clam to 0.97 . Even txt
>> files are being caught for this. Does anyone know if this is legit?
>> Possibly a new trojan/virus that has spread?
>>
>> Report: Clamd: message was infected: MBL_144360.UNOFFICIAL
>> Report: Clamd: msg-32241-55.html was infected: MBL_144360.UNOFFICIAL
>>
> It is false positives from Sanesecurity
>
> please read this thread
>
> http://www.freelists.org/post/sanesecurity/False-positives-on-MBL-144360UNOFFICIAL
>
> Barry

Actually, it is the malwarepatrol database. I stopped using it for now. You
should delete the mbl.ndb from your signature dir and stop dl'ing it until it
is resolved (If it gets resolved)

From jvoorhees1 at gmail.com Tue Mar 8 22:30:07 2011
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Tue Mar 8 22:30:19 2011
Subject: Mailscanner: "Making attempt # at processing message"
Message-ID:

Hi all:

I'm running CentOS 5.5 x86 and MailScanner 4.82.6-1. Today I found
that my postfix queue was big (+700 messages when normal is 50) and
no messages were being delivered. I noticed that MailScanner wasn't
analyzing any message because it seemed to be stuck with some of them
with messages like these in my logs:

MailScanner[24297]: Making attempt 2 at processing message AA2081E2003C.AFC50
MailScanner[24875]: Making attempt 2 at processing message 1E7811E202FD.AAAC3
MailScanner[24297]: Making attempt 2 at processing message 895CA1E20210.ABD5B
MailScanner[24297]: Making attempt 2 at processing message E2D481E202A3.AE77B
MailScanner[24297]: Making attempt 2 at processing message B83001E202C5.AD53E
MailScanner[24297]: Making attempt 2 at processing message 1C12E1E20207.A9661
MailScanner[24938]: Making attempt 2 at processing message 062A31E202FE.A94F7
MailScanner[24938]: Making attempt 3 at processing message CE9041E202FF.AA005
MailScanner[24923]: Making attempt 2 at processing message 5F3701E202FC.A5CC7
MailScanner[24967]: Making attempt 2 at processing message 1E7811E202FD.AAAC3

I have seen this kind of messages before and according to Julian's
recommendation in other threads, I deleted
/var/spool/MailScanner/incoming/Processing.db even
/var/spool/MailScanner/incoming/Processing.db-journal too, then
restarted MS but the problem wasn't solved. I tried this more than 5 or
6 times with no success.

So I finally decided to look for those strange messages that
apparently were making MS to crash and deleted them from
/var/spool/postfix/hold:

# grep -E 'attempt.*[[:upper:][:digit:]]{12}' /var/log/maillog| awk '{ print $12 }' | cut -d . -f 1 | while read ID; do rm -fv /var/spool/postfix/hold/${ID}; done

and a lot of messages (I don't remember how many) were deleted, then
MS started to analyze other messages without problems decreasing the
amount of queued mail.

The big question is: how can I know in a production system what's the
problem with some messages that causes MS to stop working?

I hope someone can help me.

Thanks

From phl4kx at gmail.com Wed Mar 9 01:19:26 2011
From: phl4kx at gmail.com (phl4kx)
Date: Wed Mar 9 01:19:36 2011
Subject: Mailscanner: "Making attempt # at processing message"
In-Reply-To:
References:
Message-ID:

I have a similar problem, I detect the ID of the message, and send
this to another email server, after I put a block rule in my firewall
to accept only IP from the other email server and send the message
enabling debug in mailscanner, my problem was perl, patch the perl and
now all is OK, the problem was attachment and .doc and .zip files,

Good Bye

2011/3/8 Jason Voorhees :
> Hi all:
>
> I'm running CentOS 5.5 x86 and MailScanner 4.82.6-1. Today I found
> that my postfix queue was big (+700 messages when normal is 50) and
> no messages were being delivered. I noticed that MailScanner wasn't
> analyzing any message because it seemed to be stuck with some of them
> with messages like these in my logs:
>
>
> MailScanner[24297]: Making attempt 2 at processing message AA2081E2003C.AFC50
> MailScanner[24875]: Making attempt 2 at processing message 1E7811E202FD.AAAC3
> MailScanner[24297]: Making attempt 2 at processing message 895CA1E20210.ABD5B
> MailScanner[24297]: Making attempt 2 at processing message E2D481E202A3.AE77B
> MailScanner[24297]: Making attempt 2 at processing message B83001E202C5.AD53E
> MailScanner[24297]: Making attempt 2 at processing message 1C12E1E20207.A9661
> MailScanner[24938]: Making attempt 2 at processing message 062A31E202FE.A94F7
> MailScanner[24938]: Making attempt 3 at processing message CE9041E202FF.AA005
> MailScanner[24923]: Making attempt 2 at processing message 5F3701E202FC.A5CC7
> MailScanner[24967]: Making attempt 2 at processing message 1E7811E202FD.AAAC3
>
> I have seen this kind of messages before and according to Julian's
> recommendation in other threads, I deleted
> /var/spool/MailScanner/incoming/Processing.db even
> /var/spool/MailScanner/incoming/Processing.db-journal too, then
> restarted MS but the problem wasn't solved. I tried this more than 5 or
> 6 times with no success.
>
> So I finally decided to look for those strange messages that
> apparently were making MS to crash and deleted them from
> /var/spool/postfix/hold:
>
> # grep -E 'attempt.*[[:upper:][:digit:]]{12}' /var/log/maillog| awk '{
> print $12 }' | cut -d . -f 1 | while read ID; do rm -fv
> /var/spool/postfix/hold/${ID}; done
>
> and a lot of messages (I don't remember how many) were deleted, then
> MS started to analyze other messages without problems decreasing the
> amount of queued mail.
>
> The big question is: how can I know in a production system what's the
> problem with some messages that causes MS to stop working?
>
> I hope someone can help me.
>
> Thanks
>

From jaearick at colby.edu Wed Mar 9 13:46:55 2011
From: jaearick at colby.edu (Jeff Earickson)
Date: Wed Mar 9 13:47:25 2011
Subject: Mailscanner: "Making attempt # at processing message"
In-Reply-To:
References:
Message-ID:

Hi,

I too have started having the same problem in the past couple of
weeks, including once last night and once just a few minutes ago. So
what in perl did you patch?

My setup: Redhat 5.6 x86_x64, MailScanner 4.82.6-1, sendmail. I am
using the version of perl that comes with Redhat (perl 5.8.8), plus
all of the perl modules supplied by the MailScanner install.

In my case, I find gobs of messages in quarantine when MailScanner
falls apart, that I have to move back into mqueue.in and rerun thru
the system (without problems the second time). In this morning's
case, the problem seemed to start with a "reload via pid" from cron,
followed by MailScanner processes that would not die, followed by all
messages going to quarantine.

Jeff Earickson
Colby College

On Tue, Mar 8, 2011 at 8:19 PM, phl4kx wrote:
> I have a similar problem, I detect the ID of the message, and send
> this to another email server, after I put a block rule in my firewall
> to accept only IP from the other email server and send the message
> enabling debug in mailscanner, my problem was perl, patch the perl and
> now all is OK, the problem was attachment and .doc and .zip files,
>
> Good Bye
>
> 2011/3/8 Jason Voorhees :
>> Hi all:
>>
>> I'm running CentOS 5.5 x86 and MailScanner 4.82.6-1. Today I found
>> that my postfix queue was big (+700 messages when normal is 50) and
>> no messages were being delivered. I noticed that MailScanner wasn't
>> analyzing any message because it seemed to be stuck with some of them
>> with messages like these in my logs:
>>
>>
>> MailScanner[24297]: Making attempt 2 at processing message AA2081E2003C.AFC50
>> MailScanner[24875]: Making attempt 2 at processing message 1E7811E202FD.AAAC3
>> MailScanner[24297]: Making attempt 2 at processing message 895CA1E20210.ABD5B
>> MailScanner[24297]: Making attempt 2 at processing message E2D481E202A3.AE77B
>> MailScanner[24297]: Making attempt 2 at processing message B83001E202C5.AD53E
>> MailScanner[24297]: Making attempt 2 at processing message 1C12E1E20207.A9661
>> MailScanner[24938]: Making attempt 2 at processing message 062A31E202FE.A94F7
>> MailScanner[24938]: Making attempt 3 at processing message CE9041E202FF.AA005
>> MailScanner[24923]: Making attempt 2 at processing message 5F3701E202FC.A5CC7
>> MailScanner[24967]: Making attempt 2 at processing message 1E7811E202FD.AAAC3
>>
>> I have seen this kind of messages before and according to Julian's
>> recommendation in other threads, I deleted
>> /var/spool/MailScanner/incoming/Processing.db even
>> /var/spool/MailScanner/incoming/Processing.db-journal too, then
>> restarted MS but the problem wasn't solved. I tried this more than 5 or
>> 6 times with no success.
>>
>> So I finally decided to look for those strange messages that
>> apparently were making MS to crash and deleted them from
>> /var/spool/postfix/hold:
>>
>> # grep -E 'attempt.*[[:upper:][:digit:]]{12}' /var/log/maillog| awk '{
>> print $12 }' | cut -d . -f 1 | while read ID; do rm -fv
>> /var/spool/postfix/hold/${ID}; done
>>
>> and a lot of messages (I don't remember how many) were deleted, then
>> MS started to analyze other messages without problems decreasing the
>> amount of queued mail.
>>
>> The big question is: how can I know in a production system what's the
>> problem with some messages that causes MS to stop working?
>>
>> I hope someone can help me.
>>
>> Thanks
>>
>

From jvoorhees1 at gmail.com Wed Mar 9 15:27:16 2011
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Wed Mar 9 15:27:26 2011
Subject: Mailscanner: "Making attempt # at processing message"
In-Reply-To:
References:
Message-ID:

Hi:

On Wed, Mar 9, 2011 at 8:46 AM, Jeff Earickson wrote:
> Hi,
>
> I too have started having the same problem in the past couple of
> weeks, including once last night and once just a few minutes ago. So
> what in perl did you patch?
>
> My setup: Redhat 5.6 x86_x64, MailScanner 4.82.6-1, sendmail. I am
> using the version of perl that comes with Redhat (perl 5.8.8), plus
> all of the perl modules supplied by the MailScanner install.
>
> In my case, I find gobs of messages in quarantine when MailScanner
> falls apart, that I have to move back into mqueue.in and rerun thru
> the system (without problems the second time). In this morning's
> case, the problem seemed to start with a "reload via pid" from cron,
> followed by MailScanner processes that would not die, followed by all
> messages going to quarantine.
>
> Jeff Earickson
> Colby College
>

My scenario was similar: CentOS 5.5 x86 up to date, no pending
patches. MailScanner is also the latest version. I have seen this
problem with different versions of MailScanner (previous versions) and
almost always with up to date RHEL/CentOS 5.x x86/x86_64 systems.

Sometimes just deleting Processing.db files solved the problem, but
sometimes it doesn't. This is a problem I don't realize entirely.

From sbanderson at impromed.com Thu Mar 10 18:41:16 2011
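An added example, not part of any post in this thread: a shell sketch of the log-scraping step in Jason Voorhees's pipeline that finds the queue ID by pattern instead of by field position, accepts only hex queue IDs before building a path from them, and moves the held files aside for inspection instead of deleting them. The function names, the side directory and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find messages MailScanner keeps retrying and set them aside.
# Function names, directories and the sample log are constructed for illustration.

# make_sample_log FILE: write constructed syslog lines in the format quoted in the thread.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  8 10:00:01 mx MailScanner[24297]: Making attempt 2 at processing message AA2081E2003C.AFC50
Mar  8 10:00:02 mx MailScanner[24938]: Making attempt 2 at processing message CE9041E202FF.AA005
Mar  8 10:00:03 mx MailScanner[24938]: Making attempt 3 at processing message CE9041E202FF.AA005
Mar  8 10:00:04 mx MailScanner[24938]: Making attempt 2 at processing message ../outside.X
Mar  8 10:00:05 mx postfix/smtpd[100]: connect from unknown[192.0.2.10]
EOF
}

# stuck_ids LOGFILE [MIN_ATTEMPT]
# Print "queue-id highest-attempt" for each message retried at least MIN_ATTEMPT times.
stuck_ids() {
    log=$1
    min=${2:-2}
    awk -v min="$min" '
        /Making attempt [0-9]+ at processing message / {
            # Locate the values by the words before them, not by column number,
            # so a different syslog prefix does not shift the result.
            for (i = 1; i <= NF; i++) {
                if ($i == "attempt") n = $(i + 1) + 0
                if ($i == "message") id = $(i + 1)
            }
            sub(/\..*$/, "", id)            # AA2081E2003C.AFC50 -> AA2081E2003C
            if (id !~ /^[0-9A-F]+$/) next   # never build a path from anything else
            if (n > max[id]) max[id] = n
        }
        END { for (id in max) if (max[id] >= min) print id, max[id] }
    ' "$log" | sort
}

# set_aside LOGFILE HOLD_DIR ASIDE_DIR [MIN_ATTEMPT]
# Move (not delete) the held queue files of stuck messages; print how many were moved.
set_aside() {
    log=$1 hold=$2 aside=$3 min=${4:-2}
    mkdir -p "$aside" || return 1
    moved=0
    for id in $(stuck_ids "$log" "$min" | cut -d' ' -f1); do
        if [ -f "$hold/$id" ]; then
            mv -- "$hold/$id" "$aside/$id" && moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Demo on constructed data only: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_log "$d/maillog"
    mkdir "$d/hold"
    : > "$d/hold/AA2081E2003C"
    : > "$d/hold/CE9041E202FF"
    stuck_ids "$d/maillog" 2
    echo "moved: $(set_aside "$d/maillog" "$d/hold" "$d/aside" 3)"
    rm -rf "$d"
fi
```

Run it with MailScanner stopped so a file is not moved while a child process has it open; the files kept in the side directory can then be read (for example with postcat) to see what the retried messages have in common.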
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Thu Mar 10 18:41:43 2011
Subject: mutiple Signature Image Filenames
Message-ID: <7D95F4DE708E0948892128F41A25073806285438@ES2.impromed.com>

I've been using inline signatures, both html and txt for a long time, based on ruleset by domain (multiple inline signatures) but until now have not been asked to use a picture in the signature. I realize I could use an a href in the html signature -- but want to avoid doing that for reasons that should be obvious to all of us here. I started by using the Signature Image Filename, and that works great as long as only one of the domains are assigned an image, or all domains use the same image. Is there a way to specify multiple Signature Image Filenames? I'm using 4.81.4 at the moment, but could upgrade if necessary. If I missed this when RTFM'ing I'm sorry in advance.

Scott Anderson
sbanderson at impromed.com

--
ImproMed, LLC.
--

From maxsec at gmail.com Thu Mar 10 19:12:24 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Mar 10 19:12:43 2011
Subject: mutiple Signature Image Filenames
In-Reply-To: <7D95F4DE708E0948892128F41A25073806285438@ES2.impromed.com>
References: <7D95F4DE708E0948892128F41A25073806285438@ES2.impromed.com>
Message-ID:

Have a look for overloading in the wiki, and see if this works for this feature

Martin

On Thursday, 10 March 2011, Scott B. Anderson wrote:
> I've been using inline signatures, both html and txt for a long time, based on ruleset by domain (multiple inline signatures) but until now have not been asked to use a picture in the signature. I realize I could use an a href in the html signature -- but want to avoid doing that for reasons that should be obvious to all of us here. I started by using the Signature Image Filename, and that works great as long as only one of the domains are assigned an image, or all domains use the same image. Is there a way to specify multiple Signature Image Filenames? I'm using 4.81.4 at the moment, but could upgrade if necessary. If I missed this when RTFM'ing I'm sorry in advance.
>
> Scott Anderson
> sbanderson at impromed.com
>
> --
> ImproMed, LLC.
> --
>

--
--
Martin Hepworth
Oxford, UK

From sbanderson at impromed.com Thu Mar 10 19:42:58 2011
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Thu Mar 10 19:43:33 2011
Subject: mutiple Signature Image Filenames
In-Reply-To:
References: <7D95F4DE708E0948892128F41A25073806285438@ES2.impromed.com>
Message-ID: <7D95F4DE708E0948892128F41A2507380628653E@ES2.impromed.com>

Actually, I'm running into a different issue now. When I changed:

Inline HTML Signature = %report-dir%/inline.sig.html

to

Inline HTML Signature = %rules-dir%/inline-html.conf

And set %rules-dir%/inline-html.conf to

From: *@domain1.com %report-dir%/domain1-inline.sig.html
From: *@domain2.com %report-dir%/domain2-inline.sig.html

I got the following on the outbound email:

From: *@domain1.com /etc/MailScanner/reports/en/domain1-inline.sig.html
From: *@domain2.com /etc/MailScanner/reports/en/domain2-inline.sig.html

So it didn't expand that part at all. Domain2-inline.sig.html is a copy of domain1, and since Signature Image Filename doesn't appear to support rulesets, I overloaded it in MailScanner.conf - eg

Signature Image Filename = %report-dir%/domain1.gif %report-dir%/domain2.gif

and

Signature Image Filename = domain1.gif domain2.gif

So I'm now back to my original configuration where I'm just using a ruleset on scan clean messages by domain and that is working fine for one image, one or more domains.

Scott

--
ImproMed, LLC.
--

From markus at markusoft.se Fri Mar 11 07:41:15 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Fri Mar 11 07:41:32 2011
Subject: mutiple Signature Image Filenames
In-Reply-To: <7D95F4DE708E0948892128F41A2507380628653E@ES2.impromed.com>
Message-ID: <26587454.9972.1299829273561.JavaMail.markus@cronlabworkstation0>

Hi Scott

I would guess your problem is using a rule file called .conf and not .rules

%rules-dir%/inline-html.conf should be %rules-dir%/inline-html.rules

/M

From jvoorhees1 at gmail.com Fri Mar 11 18:16:16 2011
From: jvoorhees1 at gmail.com (Jason Voorhees)
Date: Fri Mar 11 18:16:26 2011
Subject: Mailscanner: "Making attempt # at processing message"
In-Reply-To:
References:
Message-ID:

On Wed, Mar 9, 2011 at 10:27 AM, Jason Voorhees wrote:
> Hi:
>
> On Wed, Mar 9, 2011 at 8:46 AM, Jeff Earickson wrote:
>> Hi,
>>
>> I too have starting having the same problem in the past couple of
>> weeks, including once last night and once just a few minutes ago. So
>> what in perl did you patch?
>>
>> My setup: Redhat 5.6 x86_x64, MailScanner 4.82.6-1, sendmail. I am
>> using the version of perl that comes with Redhat (perl 5.8.8), plus
>> all of the perl modules supplied by the MailScanner install.
>>
>> In my case, I find gobs of messages in quarantine when MailScanner
>> falls apart, that I have to move back into mqueue.in and rerun thru
>> the system (without problems the second time). In this morning's
>> case, the problem seemed to start with a "reload via pid" from cron,
>> followed by MailScanner processes that would not die, followed by all
>> messages going to quarantine.
>>
>> Jeff Earickson
>> Colby College
>>
>
> My scenario was similar: CentOS 5.5 x86 up to date, no pending
> patches. MailScanner is also the latest version.
>
> I have seen this problem with different versions of MailScanner
> (previous versions) and almost always with up to date RHEL/CentOS 5.x
> x86/x86_64 systems.
> Sometimes just deleting Processing.db files solved the problem, but
> sometimes it doesn't. This is a problem I don't realize entirely.
>

Nobody knows?

From dm.gouveia at gmail.com Fri Mar 11 20:14:25 2011
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia)
Date: Fri Mar 11 20:14:35 2011
Subject: What else can be done?
Message-ID:

Hi Guys,

Hope someone could help me 'cause I searched the list and I didn't find an answer.

I'm running a Ubuntu server 10.10 with Postfix 2.7.1 with MailScanner 4.79.11, ClamAV 0.96, SpamAssassin and MailWatch.

It started when I realized that clamAV wasn't doing the job correctly, then I moved my configs back to clamscan instead of using clamdscan. I don't know why but when I change the clamav-wrapper to clamdscan the clamav "check the message" but didn't recognize any virus, anyway this is not the biggest problem.

When I moved the configs back (only the config into the wrapper) when any 'suspect message' arrive in my network (can be a .chm or .com for example) the recipient is not receiving the warning which says where his file was archived !!!

What is saving me for a while now is the mailwatch that advise me when a email with virus or suspected file arrive, however my customers are not receiving that notification anymore and before I moved the wrapper config it was working perfectly.

A bit about my MailScanner.conf

Deliver Cleaned Messages = yes

I just realize that my postfix maybe have a problem because I got the error below into the mail.log

mike postfix/error[12214]: 70922280BE8: to=, relay=none, delay=17599, delays=17598/0.23/0/0.15, dsn=4.3.0, status=deferred (mail transport unavailable)

Any ideas? I'm running a postfix relay server, postmap is up to date and I have a transport file indicating the server that those messages need to be routed.

Thanks all,
--
Danilo Marques de Gouveia

From maxsec at gmail.com Fri Mar 11 21:24:01 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Mar 11 21:24:10 2011
Subject: What else can be done?
In-Reply-To:
References:
Message-ID:

Hi

you don't need to alter the wrapper code at all, just change the mailScanner.conf config to say clamd rather than clam. Read config file about this and also how you need to alter the group settings etc to cope with clamd so the clamd user can see the mail files.

start from item 6 here to give you a starting point for what you need to do.

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd&s=clamd

--
Martin Hepworth
Oxford, UK

On 11 March 2011 20:14, Danilo Marques de Gouveia wrote:
> Hi Guys,
>
> Hope someone could help me 'cause I searched the list and I didn't find an
> answer.
>
> I'm running a Ubuntu server 10.10 with Postfix 2.7.1 with
> MailScanner 4.79.11, ClamAV 0.96, SpamAssassin and MailWatch.
>
> It started when I realized that clamAV wasn't doing the job correctly, then
> I moved my configs back to clamscan instead of using clamdscan. I don't know
> why but when I change the clamav-wrapper to clamdscan the clamav "check the
> message" but didn't recognize any virus, anyway this is not the biggest
> problem.
>
> When I moved the configs back (only the config into the wrapper) when any
> 'suspect message' arrive in my network (can be a .chm or .com for example)
> the recipient is not receiving the warning which says where his file was
> archived !!!
>
> What is saving me for a while now is the mailwatch that advise me when a
> email with virus or suspected file arrive, however my customers are not
> receiving that notification anymore and before I moved the wrapper config it
> was working perfectly.
>
> A bit about my MailScanner.conf
>
> Deliver Cleaned Messages = yes
>
> I just realize that my postfix maybe have a problem because I got the error
> below into the mail.log
>
> mike postfix/error[12214]: 70922280BE8: to=,
> relay=none, delay=17599, delays=17598/0.23/0/0.15, dsn=4.3.0,
> status=deferred (mail transport unavailable)
>
> Any ideas? I'm running a postfix relay server, postmap is up to date and I
> have a transport file indicating the server that those messages need to be
> routed.
>
> Thanks all,
> --
> Danilo Marques de Gouveia
>

From Kevin_Miller at ci.juneau.ak.us Sat Mar 12 00:57:03 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Sat Mar 12 00:57:19 2011
Subject: RBL Listings
Message-ID: <4A09477D575C2C4B86497161427DD94C15C2BC26A4@city-exchange07>

Recently I've had a number of false positives on mail from google (not necessarily gmail). It's all in the 209.85.161.X range. Specifically 209.85.161.192, 209.85.161.180, 209.85.161.50, 209.85.161.52.66 and 209.85.161.68.

Is anyone else seeing this? It consistently scores very low but is clobbered because I had the "Spam lists to be spam = 1". I'm using Spamhaus-xen and spamcop.net.

When I test the addresses at places like anti-abuse.org or mxtoolbox.com they don't show up in any RBLs. I've changed to "Spam lists to be spam = 2" which should help w/the false positives, but may increase the spam that gets through.

Also, does being listed in DCC, pyzor, or razor constitute an RBL from a MailScanner perspective? I use them in spamassassin, but they aren't listed in the spamlist in MailScanner.conf.

Thanks...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mejaz at cyberia.net.sa Sat Mar 12 01:22:40 2011
From: mejaz at cyberia.net.sa (Ejaz)
Date: Sat Mar 12 01:26:25 2011
Subject: spam messages need to sent junk folder
Message-ID: <728A623F9BCC48A6A5BAA8D112D16669@EJAZ>

Hello,

Would you please any one help me as I wanted to deliver the spam messages into my recipient junk folder instead of storing in my server.

Thanks in advance.

Regards,
__________________
Mohammed Ejaz

From glenn.steen at gmail.com Sat Mar 12 20:02:30 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 12 20:02:40 2011
Subject: Mailscanner: "Making attempt # at processing message"
In-Reply-To:
References:
Message-ID:

Haven't seen it, no. Might be related to your set of perl modules or tools... Hard to say really, even if you gave more info than you do... If it persists, offer Jules shell access to troubleshoot (and perhaps some compensation for his time;-) .

Cheers

On 11 Mar 2011 19.24, "Jason Voorhees" wrote:

On Wed, Mar 9, 2011 at 10:27 AM, Jason Voorhees wrote:
> Hi:
>
> On Wed, Mar ...

Nobody knows?

From glenn.steen at gmail.com Sat Mar 12 20:14:44 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 12 20:14:55 2011
Subject: RBL Listings
In-Reply-To: <4A09477D575C2C4B86497161427DD94C15C2BC26A4@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C15C2BC26A4@city-exchange07>
Message-ID:

DCC, pyzor and razor are digest tests, and as such aren't considered RBLs (not really checked through the DNS system, among other things).

If you get unacceptable FPs in MS, simply don't use that BL in MS, use it for points in SA only. But if the digests fire _and_ your BL... It sure looks like spam, no?! You've looked at the content, I gather?

Cheers

From glenn.steen at gmail.com Sat Mar 12 20:34:15 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 12 20:34:25 2011
Subject: spam messages need to sent junk folder
In-Reply-To: <728A623F9BCC48A6A5BAA8D112D16669@EJAZ>
References: <728A623F9BCC48A6A5BAA8D112D16669@EJAZ>
Message-ID:

Depends on the mailstore, the setup etc. In Exchange you might use IMF to set a high value for your subject spam tag. The bad thing with that is that the IMF has some FP prone rules of its own. Might be easier to help the users do a rule through the rule wizard.

Cheers

From Johan at double-l.nl Mon Mar 14 11:24:26 2011
From: Johan at double-l.nl (Johan Hendriks)
Date: Mon Mar 14 11:24:36 2011
Subject: requeu quarantined mail.
Message-ID: <57200BF94E69E54880C9BB1AF714BBCBDD31F6@w2003s01.double-l.local>

Hello all.

For some reason, my Mailscanner stopped working, and all mail even the good mail got quarantined.
The message was trying to kill mailscanner.
I have this tackled, by shutting down clamav, delete the clamav database (was using scamp) and now everything is looking good again.

Also started the scamp script, no more problems for now.

But excidents always comes in two.
This happened during the weekend, so all mail from the whole weekend is quarantined by MailScanner.

The thing I want to do now is put all the quarantined mail back in the postfix queue so that this mail gets processed again like regular mail.

I have mailwatch installed, it contains almost 7000 mails.
Not doable through the GUI.

What is the best way to reprocess this mail.

Also there is a lot of DHL and FEDEX mail in there.

So the mail must be checked again and not being released so that it does skip the scan.

Thanks

Johan Hendriks

From algorges at gmail.com Mon Mar 14 14:10:03 2011
From: algorges at gmail.com (Alexandre Gorges)
Date: Mon Mar 14 14:10:22 2011
Subject: formatting txt file
Message-ID:

I have problems in receiving txt files.
The Mailscanner destroys the formatting of the file. All the tabs and lines are out of order, not being able to import the file in the application that runs on Microsoft platforms.

I have set "Use SpamAssassin = no, Virus Scanning = no, Scan Messages = no" without success.

I'm using mailscanner 4.82.6-1, postfix 2.5.5, 3.2.4 spamassassin, clamav 0.97-1. Centos 4.9

Follow links to the files.
http://www.dag.eti.br/suporte/mailscanner/txt.zip

Solution so far was to open the file in wordpad and save back to the correct layout.

What might be happening?

--
Alexandre Gorges

From dudi at kolcore.com Mon Mar 14 14:28:45 2011
From: dudi at kolcore.com (Dudi Goldenberg)
Date: Mon Mar 14 14:29:53 2011
Subject: formatting txt file
In-Reply-To:
References:
Message-ID: <9A4085B7A6E42849838BFCD1672A732A07C16C1ACF@IE2RD2XVS101.red002.local>

Hi,

>I have problems in receiving txt files.
>The Mailscanner destroys the formatting of the file. All the tabs and lines are out of order, not being able to import the file in the application that runs on Microsoft platforms.

Your "wrong" file lines are terminated with 0x0a instead of CR/LF (0x0d, 0x0a) that windows will understand.

What application creates these files? you should set it to terminate the lines with CR/LF and you will be Ok.

Regards,

D.

From alvaro at hostalia.com Mon Mar 14 14:53:03 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Mon Mar 14 14:53:15 2011
Subject: Malformed signature kills MailScanner
Message-ID: <4D7E2BCF.3060508@hostalia.com>

Hello,

two days ago, we started to receive messages with a zip attachment. Those messages were killing MailScanner processes so the queue started to grow up.
ClamAV was detecting those messages with the "rogue.hdb" signatures of Sanesecurity:

Mar 12 00:01:28 192.168.66.215 clamd[7666]: /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip: Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
Mar 12 00:01:28 192.168.66.215 clamd[7666]: /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message: Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND

As you see, the name of the virus has a " " at the end. Logs show this strange line:

Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in

I changed the rogue.hdb signature file and removed the space at the end of the line and then the messages were processed fine and the queue was processed.

Now I see that the signature is correct, without that space, but for example there are other examples:

$ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb [119235/119235] -> "rogue.hdb" [1]
$ grep " $" rogue.hdb
424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694

(those signatures have a space at the end of the line).

I'll notify to the signature's creator to correct this, but why MailScanner dies when the signature has a space? Can be fixed to check it?

Thanks!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From alvaro at hostalia.com Mon Mar 14 15:16:29 2011
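
The `grep " $" rogue.hdb` check in the message above can be run as a gate before an updated third-party signature file reaches the live ClamAV database. The script below is an added example, not part of the original thread and not code from MailScanner, ClamAV or Sanesecurity; the function names and sample records are constructed, and it assumes the three-field `md5:size:name` layout of the records quoted in the post.

```shell
#!/bin/sh
# Added example: lint a ClamAV hash-signature file (.hdb, "md5:size:name")
# before it is copied into the live database directory.
# Function names and the sample records are constructed for illustration.

# lint_hdb FILE
# Prints "LINENO: reason" for every malformed record; returns 1 if any exist.
lint_hdb() {
    awk -F: '
        function bad(msg) { printf "%d: %s\n", NR, msg; n++ }
        /^[ \t\r]*$/ { next }                       # skip blank lines
        NF != 3 { bad("expected md5:size:name"); next }
        length($1) != 32 || $1 !~ /^[0-9A-Fa-f]+$/ {
            bad("field 1 is not a 32-digit hex MD5")
        }
        # Assumption: decimal sizes only, as in the records shown in the post
        $2 !~ /^[0-9]+$/ { bad("field 2 is not a decimal size") }
        $3 == "" { bad("empty signature name") }
        # A trailing space, tab or CR ends up inside the reported virus name
        $3 ~ /[ \t\r]/ { bad("whitespace in signature name") }
        END { exit (n > 0) }
    ' "$1"
}

# clean_hdb IN OUT
# Writes a copy of IN with trailing blanks and CRs stripped from every line
# (the manual fix described in the post). Other defects are left in place.
clean_hdb() {
    awk '{ sub(/[ \t\r]+$/, ""); print }' "$1" > "$2"
}

# stage_hdb NEW LIVE
# Installs NEW over LIVE only if it lints clean; otherwise LIVE is untouched
# and the reasons are written to stderr.
stage_hdb() {
    if lint_hdb "$1" >&2; then
        cp "$1" "$2"
    else
        echo "refusing to install $1: malformed records" >&2
        return 1
    fi
}

# make_sample FILE
# Constructed sample: record 2 has a trailing space, record 3 a bad hash.
make_sample() {
    printf '%s\n' \
        '0123456789abcdef0123456789abcdef:37376:Example.Rogue.Test1' \
        '0123456789abcdef0123456789abcdef:36864:Example.Rogue.Test2 ' \
        'not-a-hash:29568:Example.Rogue.Test3' > "$1"
}

# Stand-alone use: sh lint_hdb.sh NEW.hdb LIVE.hdb
if [ "$#" -eq 2 ]; then
    stage_hdb "$1" "$2"
fi
```

Running the gate in the download script, before the file is moved into place, keeps a malformed update from reaching the scanner while the previous database stays in service.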
From: alvaro at hostalia.com (Alvaro Marin)
Date: Mon Mar 14 15:16:39 2011
Subject: Malformed signature kills MailScanner
In-Reply-To: <4D7E2BCF.3060508@hostalia.com>
References: <4D7E2BCF.3060508@hostalia.com>
Message-ID: <4D7E314D.1070200@hostalia.com>

Hi again,

just another thing, running MailScanner with --debug, died with this message:

Can't call method "CombineReports" on unblessed reference at /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.

Regards,

On 14/03/11 15:53, Alvaro Marin wrote:
> Hello,
>
> two days ago, we started to receive messages with a zip attachment.
> Those messages were killing MailScanner processes so the queue started
> to grow up.
> ClamAV was detecting those messages with the "rogue.hdb" signatures of
> Sanesecurity:
>
> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>
> As you see, the name of the virus has a " " at the end. Logs show this
> strange line:
>
> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in
>
> I changed the rogue.hdb signature file and removed the space at the end
> of the line and then the messages were processed fine and the queue was
> processed.
>
> Now I see that the signature is correct, without that space, but for
> example there are other examples:
>
> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
> 2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb
> [119235/119235] -> "rogue.hdb" [1]
> $ grep " $" rogue.hdb
> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>
> (those signatures have a space at the end of the line).
>
> I'll notify to the signature's creator to correct this, but why
> MailScanner dies when the signature has a space? Can be fixed to check it?
>
> Thanks!
>
> Regards,
>

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From maxsec at gmail.com Mon Mar 14 16:08:52 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Mar 14 16:09:01 2011
Subject: Malformed signature kills MailScanner
In-Reply-To: <4D7E314D.1070200@hostalia.com>
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com>
Message-ID:

what version of MailScanner, clamav and the libraries (mailscanner -v)

--
Martin Hepworth
Oxford, UK

On 14 March 2011 15:16, Alvaro Marin wrote:
> Hi again,
>
> just another thing, running MailScanner with --debug, died with this
> message:
>
> Can't call method "CombineReports" on unblessed reference at
> /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736.
>
> Regards,
>
>
> On 14/03/11 15:53, Alvaro Marin wrote:
>
> Hello,
>>
>> two days ago, we started to receive messages with a zip attachment.
>> Those messages were killing MailScanner processes so the queue started
>> to grow up.
>> ClamAV was detecting those messages with the "rogue.hdb" signatures of
>> Sanesecurity:
>>
>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip:
>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>> Mar 12 00:01:28 192.168.66.215 clamd[7666]:
>> /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message:
>> Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND
>>
>> As you see, the name of the virus has a " " at the end. Logs show this
>> strange line:
>>
>> Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found spam-virus in
>>
>> I changed the rogue.hdb signature file and removed the space at the end
>> of the line and then the messages were processed fine and the queue was
>> processed.
>>
>> Now I see that the signature is correct, without that space, but for
>> example there are other examples:
>>
>> $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose
>> 2011-03-14 15:43:56 URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb
>> [119235/119235] -> "rogue.hdb" [1]
>> $ grep " $" rogue.hdb
>> 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110
>> 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268
>> 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694
>>
>> (those signatures have a space at the end of the line).
>>
>> I'll notify to the signature's creator to correct this, but why
>> MailScanner dies when the signature has a space? Can be fixed to check
>> it?
>>
>> Thanks!
>>
>> Regards,
>>
>>
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com
>

From maxsec at gmail.com Mon Mar 14 16:04:31 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon Mar 14 16:12:53 2011
Subject: requeu quarantined mail.
In-Reply-To: <57200BF94E69E54880C9BB1AF714BBCBDD31F6@w2003s01.double-l.local>
References: <57200BF94E69E54880C9BB1AF714BBCBDD31F6@w2003s01.double-l.local>
Message-ID:

check you're only using the normal signatures in clam and not the Sane security ones as this has caused troubles in the past.

--
Martin Hepworth
Oxford, UK

On 14 March 2011 11:24, Johan Hendriks wrote:

> Hello all.
>
> For some reason, my Mailscanner stopped working, and all mail even the good
> mail got quarantined.
> The message was trying to kill mailscanner.
> I have this tackled, by shutting down clamav, delete the clamav database
> (was using scamp) and now everything is looking good again.
>
> Also started the scamp script, no more problems for now.
>
> But excidents always comes in two.
> This happened during the weekend, so all mail from the whole weekend is
> quarantined by MailScanner.
>
> The thing i want to do now is put all the quarantined mail back in the
> postfix queue so that this mail gets processed again like regular mail.
>
> I have mailwatch installed, it contains almost 7000 mails.
> Not doable through the GUI.
>
> What is the best way to reprocess this mail.
>
> Also there is a lot of DHL and FEDEX mail in there.
>
> So the mail must be checked again and not being released so that it does
> skip the scan.
>
> Thanks
>
> Johan Hendriks
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110314/df595426/attachment.html
From alvaro at hostalia.com Mon Mar 14 16:17:03 2011
From: alvaro at hostalia.com (Alvaro Marin) Date: Mon Mar 14 16:17:13 2011 Subject: Malformed signature kills MailScanner In-Reply-To: References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> Message-ID: <4D7E3F7F.7020402@hostalia.com> Hi, yes, sorry: # /opt/MailScanner/bin/MailScanner -v Running on Linux relay 2.6.32-5-686-bigmem #1 SMP Wed Jan 12 04:40:25 UTC 2011 i686 GNU/Linux This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.82.6 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.015 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.27 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.07_03 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.08 MIME::QuotedPrint 5.427 MIME::Tools 0.14 Net::CIDR 1.25 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.07 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.20 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.26 Test::Pod 0.92 Test::Simple 1.9719 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.52 Archive::Tar 0.23 bignum missing Business::ISBN missing Business::ISBN::Data missing Data::Dump 1.82 DB_File 1.25 DBD::SQLite 1.607 DBI 1.16 Digest 1.02 Digest::HMAC 2.39 Digest::MD5 2.13 Digest::SHA1 1.01 Encode::Detect 0.17015 Error 0.2602 ExtUtils::CBuilder 2.2002 ExtUtils::ParseXS 2.38 Getopt::Long missing Inline missing IO::String 1.10 IO::Zlib 2.27 IP::Country missing Mail::ClamAV 3.003001 Mail::SpamAssassin v2.007 Mail::SPF 1.999001 Mail::SPF::Query 0.340201 Module::Build 0.20 Net::CIDR::Lite 0.66 Net::DNS v0.003 Net::DNS::Resolver::Programmable missing Net::LDAP 4.022 NetAddr::IP missing Parse::RecDescent missing SAVI 
3.17 Test::Harness missing Test::Manifest 2.0.0 Text::Balanced 1.54 URI 0.77 version 0.72 YAML # /usr/local/sbin/clamd -V ClamAV 0.97/12837/Mon Mar 14 16:24:09 2011 Regards, El 14/03/11 17:08, Martin Hepworth escribi?: > what version of MailScanner, clamav and the libraries (mailscanner -v) > > -- > Martin Hepworth > Oxford, UK > > > On 14 March 2011 15:16, Alvaro Marin > wrote: > > Hi again, > > just another thing, running MailScanner with --debug, died with > these message: > > Can't call method "CombineReports" on unblessed reference at > /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 736. > > Regards, > > > El 14/03/11 15:53, Alvaro Marin escribi?: > > Hello, > > two days ago, we started to receive messages with a zip attachment. > Those messages were killing MailScanner processes so the queue > started > to grow up. > ClamAV wasy detecting those messages with the "rogue.hdb" > signatures of > Sanesecurity: > > Mar 12 00:01:28 192.168.66.215 clamd[7666]: > /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245/nFedEx.zip: > Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND > Mar 12 00:01:28 192.168.66.215 clamd[7666]: > /var/spool/MailScanner/incoming/17861/0630461AA4F.A1245.message: > Sanesecurity.Rogue.0hr.0311v23576 .UNOFFICIAL FOUND > > As you see, the name of the virus has a " " at the end. Logs > show this > strange line: > > Mar 12 00:01:48 192.168.66.215 MailScanner[17877]: Found > spam-virus in > > I changed the rogue.hdb signature file and removed the space at > the end > of the line and then the messages were processed fine and the > queue was > processed. 
> > Now I see that the signature is correct, without that space, but for > example there are other examples: > > $ wget http://ftp.swin.edu.au/sanesecurity/rogue.hdb --no-verbose > 2011-03-14 15:43:56 > URL:http://ftp.swin.edu.au/sanesecurity/rogue.hdb > [119235/119235] -> "rogue.hdb" [1] > $ grep " $" rogue.hdb > 424d531f5dcb364c5b29bdcb5962c8f9:37376:Sanesecurity.Rogue.0hr.08239110 > 9ffc6994a66be0d8667550a0e9ed80ea:36864:Sanesecurity.Rogue.0hr.0903v13268 > 3018e99857f31a59e0777396ae634a8f:29568:Sanesecurity.Rogue.0hr.0311n19694 > > (those signatures have a space at the end of the line). > > I'll notify to the signature's creator to correct this, but why > MailScanner dies when the signature has an space? Can be fixed > to check it? > > Thanks! > > Regards, > > > > -- > Alvaro Mar?n Illera > Hostalia Internet > www.hostalia.com > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Alvaro Mar?n Illera Hostalia Internet www.hostalia.com From algorges at gmail.com Mon Mar 14 16:45:16 2011 From: algorges at gmail.com (Alexandre Gorges) Date: Mon Mar 14 16:45:36 2011 Subject: formatting txt file In-Reply-To: <9A4085B7A6E42849838BFCD1672A732A07C16C1ACF@IE2RD2XVS101.red002.local> Message-ID: Ok but why mailscanner change the file? the application is a company's internal system to control travel, was developed by another company, I'm not changing the application to generate a new export. What can be done in mailscanner, not to reformat the file? 
From: Dudi Goldenberg

Hi,

>I have problems in receiving txt files.
>The Mailscanner destroys the formatting of the file. All the tabs and lines are out of order, not being able to import the file in the application that runs on Microsoft platforms.

Your "wrong" file lines are terminated with 0x0a instead of CR/LF (0x0d, 0x0a) that windows will understand.

What application creates these files? you should set it to terminate the lines with CR/LF and you will be Ok.

Regards,

D.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110314/c9a9d465/attachment-0001.html
From alvaro at hostalia.com Mon Mar 14 16:53:55 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Mon Mar 14 16:54:05 2011
Subject: Malformed signature kills MailScanner
In-Reply-To: <4D7E3F7F.7020402@hostalia.com>
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com>
Message-ID: <4D7E4823.2040608@hostalia.com>

Hi,

I've been debugging the code and this is the result:

#/opt/MailScanner/bin/MailScanner --debug
...
Have a batch of 1 message.
Output is "INFECTED:: Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL :: ./D30232D90002.AFF7F/nnMy_Documents.zip"
virus = "Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL " re = "(?:^\s*Sane.*UNOFFICIAL\s*$|^\s*HTML\/.*\s*$|^\s*.*Phish.*\s*$)"
Processing line "" produced
ScannerOutput = "0 D30232D90002.AFF7F Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL "
Found spam-virus: ,
id=
Can't call method "CombineReports" on unblessed reference at /opt/MailScanner/lib/MailScanner/MessageBatch.pm line 731.

so the problem is in SweepViruses.pm, with this part of code:

          if ($ScannerOutput =~ s/^0\s+//) {
            # It's a spam-virus and the infection name for the spam report
            # is in $ScannerOutput
            $ScannerOutput =~ /^(\S+)\s+(\S+)\s*$/;
            my ($messageid, $report) = ($1, $2);

            print STDERR "Found spam-virus: $messageid, $report\n";
            MailScanner::Log::WarnLog("Found spam-virus %s in %s",
                                      $report, $messageid);
            $batch->{messages}{"$messageid"}->{spamvirusreport} .= ', '
              if $batch->{"$messageid"}->{spamvirusreport};
            $batch->{messages}{"$messageid"}->{spamvirusreport} .= $report;
            print STDERR "id=" . $batch->{messages}{"$messageid"}->{id} . "\n";
          }

the regexp /^(\S+)\s+(\S+)\s*$/ doesn't match with the value of $ScannerOutput, due to the space in the virus's name.
One solution could be to check the $virusname variable when the "split" is done:

  ($keyword, $virusname, $filename) = split(/:: /, $line, 3);

in ProcessClamAVModOutput function, to delete spaces or strange characters (the problem is with the name of the signature, not with MailScanner, but IMHO it would be better if the name could be checked to avoid these types of problems).

Jules, what do you think?

Thank you!

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com
From jaearick at colby.edu Mon Mar 14 17:39:31 2011
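The failure traced in the message above, as an added example that is not MailScanner's own code and not part of the original post. Demo::Message, the function names, and the assumption that the batch later calls CombineReports on every entry under {messages} are hypothetical, modelled on the error text in the post; the input string is the ScannerOutput value from the debug run.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Stand-in for a MailScanner message object (hypothetical, demo only).
package Demo::Message;
sub new            { my ($class, $id) = @_; return bless { id => $id }, $class }
sub CombineReports { my ($self) = @_; return $self->{spamvirusreport} // '' }

package main;

# Same two steps as the excerpt from the post: strip the leading "0 ", then
# read the captures without checking that the second match succeeded.
sub parse_unchecked {
  my ($out) = @_;
  return unless $out =~ s/^0\s+//;
  $out =~ /^(\S+)\s+(\S+)\s*$/;
  my ($messageid, $report) = ($1, $2);   # both undef when the match failed
  return ($messageid, $report);
}

sub record_unchecked {
  my ($batch, $out) = @_;
  my ($id, $report) = parse_unchecked($out);
  $_ //= '' for $id, $report;
  # With $id eq '' this autovivifies a plain, unblessed hash under key ''.
  $batch->{messages}{$id}->{spamvirusreport} .= $report;
  return ($id, $report);
}

# Defensive variant: first token is the message id, the rest is the name.
sub parse_checked {
  my ($out) = @_;
  return unless $out =~ s/^0\s+//;
  my ($id, $name) = $out =~ /^(\S+)\s+(\S.*?)\s*$/ or return;
  $name =~ s/[^\x21-\x7e]//g;   # drop whitespace, control and non-ASCII bytes
  return unless length $name;
  return ($id, $name);
}

sub record_checked {
  my ($batch, $out) = @_;
  my ($id, $report) = parse_checked($out) or return 0;
  my $msg = $batch->{messages}{$id};
  return 0 unless blessed($msg);         # unknown id: skip, never autovivify
  $msg->{spamvirusreport} .= ', ' if $msg->{spamvirusreport};
  $msg->{spamvirusreport} .= $report;
  return 1;
}

# Assumed shape of the later batch step: one method call per stored entry.
sub combine_all {
  my ($batch) = @_;
  my @reports;
  for my $id (sort keys %{ $batch->{messages} }) {
    push @reports, "$id=" . $batch->{messages}{$id}->CombineReports;
  }
  return @reports;
}

# ScannerOutput value taken from the debug output in the post.
my $line = '0 D30232D90002.AFF7F Sanesecurity.Rogue.0hr.0903v13268 .UNOFFICIAL ';

my %bad = (messages =>
  { 'D30232D90002.AFF7F' => Demo::Message->new('D30232D90002.AFF7F') });
my ($id, $report) = record_unchecked(\%bad, $line);
print "unchecked: id='$id' report='$report'\n";
my $ok = eval { combine_all(\%bad); 1 };
print "unchecked batch: ", ($ok ? "ok\n" : "died: $@");

my %good = (messages =>
  { 'D30232D90002.AFF7F' => Demo::Message->new('D30232D90002.AFF7F') });
record_checked(\%good, $line) or print "checked: line skipped\n";
print "checked batch: $_\n" for combine_all(\%good);
```

Checking the match result and refusing to write under an id that is not already in the batch keeps a malformed signature name from stalling the queue, whatever the signature feed contains.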
From: jaearick at colby.edu (Jeff Earickson)
Date: Mon Mar 14 17:40:18 2011
Subject: Malformed signature kills MailScanner
In-Reply-To: <4D7E4823.2040608@hostalia.com>
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com> <4D7E4823.2040608@hostalia.com>
Message-ID:

All (And Julian),

I am willing to bet that this bug is what has been biting us who have been sending emails with the subject "Making attempt # at processing message". It smells similar. Thanks for the debugging effort; I didn't have much to go on.

Jeff Earickson
Colby College
From ssilva at sgvwater.com Mon Mar 14 17:55:24 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 14 17:55:48 2011
Subject: Malformed signature kills MailScanner
In-Reply-To:
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com> <4D7E4823.2040608@hostalia.com>
Message-ID:

on 3/14/2011 10:39 AM Jeff Earickson spake the following:
> All (And Julian),
>
> I am willing to bet that this bug is what has been biting us who have
> been sending emails
> with the subject "Making attempt # at processing message". It smells
> similar. Thanks for the
> debugging effort; I didn't have much to go on.
>
> Jeff Earickson
> Colby College

Have to see if Jules chimes in on this one... Or Glenn... Any of the more proficient perl coders...
From dudi at kolcore.com Mon Mar 14 17:57:34 2011
From: dudi at kolcore.com (Dudi Goldenberg)
Date: Mon Mar 14 17:57:59 2011
Subject: formatting txt file
In-Reply-To:
References: <9A4085B7A6E42849838BFCD1672A732A07C16C1ACF@IE2RD2XVS101.red002.local>
Message-ID: <9A4085B7A6E42849838BFCD1672A732A07C16C1C15@IE2RD2XVS101.red002.local>

I don't think that MailScanner is guilty here...

Did you compare the original file with the file received from MailScanner?

D.
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alexandre Gorges Sent: Monday, March 14, 2011 18:45 To: Lista Mailscanner Subject: Re: formatting txt file Ok but why mailscanner change the file? the application is a company's internal system to control travel, was developed by another company, I'm not changing the application to generate a new export. What can be done in mailscanner, not to reformat the file? From: Dudi Goldenberg > Hi, >I have problems in receiving txt files. >The Mailscanner destroys the formatting of the file. All the tabs and lines are out of order, not being able to import the file in the application that runs on Microsoft platforms. Your "wrong" file lines are terminated with 0x0a instead of CR/LF (0x0d, 0x0a) that windows will understand. What application creates these files? you should set it to terminate the lines with CR/LF and you will be Ok. Regards, D. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110314/bca30baf/attachment.html From glenn.steen at gmail.com Mon Mar 14 18:09:20 2011 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 14 18:09:30 2011 Subject: formatting txt file In-Reply-To: References: <9A4085B7A6E42849838BFCD1672A732A07C16C1ACF@IE2RD2XVS101.red002.local> Message-ID: Have you verified (with hexedit or similar tool) that the files sre ok before being sent as attachments? That the sending sw doesn't mess it up? If so, do you attach a signature in MS? What happens if you don't? Cheers Den 14 mar 2011 17.48, "Alexandre Gorges" skrev: Ok but why mailscanner change the file? the application is a company's internal system to control travel, was developed by another company, I'm not changing the application to generate a new export. What can be done in mailscanner, not to reformat the file? 
From: Dudi Goldenberg Hi, >I have problems in receiving txt files. >The Mailscanner destroys the formatting of th... -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110314/f926db85/attachment.html From algorges at gmail.com Mon Mar 14 18:18:50 2011 From: algorges at gmail.com (Alexandre Gorges) Date: Mon Mar 14 18:19:08 2011 Subject: formatting txt file In-Reply-To: <9A4085B7A6E42849838BFCD1672A732A07C16C1C15@IE2RD2XVS101.red002.local> Message-ID: Yes, I compared the files. there are two files in the zip link http://www.dag.eti.br/suporte/mailscanner/txt.zip correct.rem the file is the file without going through mailscanner, wrong.rem the file is the same file, but passing by mailscanner. only when I use postfix, the file is delivered normally. when I use postfix + mailscanner the problem appears. the mailscanner should just read the file, not change. and somehow it seems that mailscanner is rewriting the txt. From: Dudi Goldenberg Reply-To: Lista Mailscanner Date: Mon, 14 Mar 2011 10:57:34 -0700 To: Lista Mailscanner Subject: RE: formatting txt file I don?t think that MailScanner is guilty here? Did you compare the original file with the file received from MailScanner? D. 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alexandre Gorges Sent: Monday, March 14, 2011 18:45 To: Lista Mailscanner Subject: Re: formatting txt file Ok but why mailscanner change the file? the application is a company's internal system to control travel, was developed by another company, I'm not changing the application to generate a new export. What can be done in mailscanner, not to reformat the file? From: Dudi Goldenberg Hi, >I have problems in receiving txt files. >The Mailscanner destroys the formatting of the file. All the tabs and lines are out of order, not being able to import the file in the application that runs on Microsoft platforms. Your ?wrong? file lines are terminated with 0x0a instead of CR/LF (0x0d, 0x0a) that windows will understand. What application creates these files? you should set it to terminate the lines with CR/LF and you will be Ok. Regards, D. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110314/f1f7400d/attachment-0001.html From Kevin_Miller at ci.juneau.ak.us Mon Mar 14 19:06:15 2011 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Mon Mar 14 19:06:30 2011
Subject: RBL Listings
In-Reply-To:
References: <4A09477D575C2C4B86497161427DD94C15C2BC26A4@city-exchange07>
Message-ID: <4A09477D575C2C4B86497161427DD94C15C2BC26A7@city-exchange07>

>DCc, pyzor and razor are digest tests, and as such aren't
>considered RBLs (not really checked through the DNS system,
>among other things).

Thanks - that's what I suspected but wanted to make sure I could rule them out.

>If you get unacceptable FPs in MS, simply don't use that BL
>in MS, use it for points in SA only. But if the digests
>fire _and_ your BL... It sure looks like spam, no?! You've
>looked at the content, I gather?

The digests don't necessarily fire on these. There were a couple, but many of the messages didn't pop on the digest tests. I have looked at the content. It's all above board. The actual spam scores are generally in the negative range. It's just the presence of the google address that's tripping them up. But it's not all google addresses.

MailWatch doesn't report which RBL was being triggered and looking at the 'raw' messages in the /var/spool/MailScanner/quarantine//spam directory doesn't offer any clues as to which either. All kind of a mystery.

I'll grab one of the raw messages and run it through MailScanner in debug mode if I can find my notes on doing so. It's probably on the wiki. That's the problem with MailScanner & spamassassin - they're so darn reliable that it's months and months between issues that I forget how to use them!

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
From mark at msapiro.net Mon Mar 14 19:46:14 2011
From: mark at msapiro.net (Mark Sapiro)
Date: Mon Mar 14 19:46:24 2011
Subject: formatting txt file
In-Reply-To:
References:
Message-ID: <4D7E7086.1020409@msapiro.net>

On 11:59 AM, Alexandre Gorges wrote:
> Yes, I compared the files.
> there are two files in the zip link
> http://www.dag.eti.br/suporte/mailscanner/txt.zip
> correct.rem the file is the file without going through mailscanner,
> wrong.rem the file is the same file, but passing by mailscanner.
>
> only when I use postfix, the file is delivered normally. when I use
> postfix + mailscanner the problem appears. the mailscanner should just
> read the file, not change. and somehow it seems that mailscanner is
> rewriting the txt.

How are the files sent in the email?

If I run 'file' on your two files, I see that correct.rem has line terminators and wrong.rem has only terminators.

If I attach the two files to an email and send it to myself, it makes no difference whether the mail passes through MailScanner or not. What determines the line terminators on the attachments saved from the email is the MUA that I use to save them. If I use Thunderbird on Windows, both files are saved with and if I use mutt on Unix, both files are saved with . In other words, they are text files and they are saved in the normal format for text files on the platform.

For transfer between MTAs via SMTP, they are always transferred with line terminators per the SMTP standard.

If you want to preserve the line endings, the file has to be sent encoded and with some content type other than text, e.g. application/octet-stream.

--
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan
From Kevin_Miller at ci.juneau.ak.us Tue Mar 15 00:24:17 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Mar 15 00:24:33 2011
Subject: Spamassassin woes...
Message-ID: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07>

This morning I tried to update my spamassassin and it seems to be only half baked.
I'm running on SUSE Linux Enterprise Server 11 SP1.
I was using the distro rpm, but it was just version 2.5.x. I figured I outta upgrade to 3.3.1, courtesy of Julian's package.

I uninstalled the SLES spamassassin rpms then downloaded the Install-Clam-SA-latest.tar.gz package from mailscanner.info and ran the install.sh script.

See http://pastebin.com/ayB7tQZu for gory details.

When I ran it, it asked if I wanted to install clamav. I said no - line 31. It seems to have tried to install clamav anyway.
Around line 119 it blew up.
Re line 121 - make is installed. The build directory referenced on line 124 does not exist. I don't know whether the process deleted it or if it never existed.

The script proceeds to go about installing spamassassin but at 452 there's a funny error. Not sure it's critical.

When I start MailScanner it seems to find spamassassin. However it doesn't all seem to be there. I used to have spamassassin, spamc and spamd in /usr/bin. They're now gone.

Sa-learn, sa-compile, and sa-update are also MIA.

Does the mailscanner package not install the whole enchilada?

As I mentioned, when running MailScanner, the messages are examined by spamassassin, but the system is a bit crippled with key binaries not present.

Thanks.

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From maxsec at gmail.com Tue Mar 15 06:23:49 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Mar 15 06:23:58 2011
Subject: Spamassassin woes...
In-Reply-To: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07>
Message-ID:

Kevin

Ms doesn't use the binaries but the perl api as you prob know.

Have you done a sa-update as the 3.3 releases have no rules by default and you have to download them.

I'd check the binaries aren't elsewhere.

Martin

--
Martin Hepworth
Oxford, UK

From alvaro at hostalia.com Tue Mar 15 11:56:27 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Tue Mar 15 11:56:37 2011
Subject: Malformed signature kills MailScanner
In-Reply-To:
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com> <4D7E4823.2040608@hostalia.com>
Message-ID: <4D7F53EB.1080309@hostalia.com>

Hi,

On 14/03/11 18:55, Scott Silva wrote:
> on 3/14/2011 10:39 AM Jeff Earickson spake the following:
>> All (And Julian),
>>
>> I am willing to bet that this bug is what has been biting us who have
>> been sending emails
>> with the subject "Making attempt # at processing message". It smells
>> similar. Thanks for the
>> debugging effort; I didn't have much to go on.
>>
>> Jeff Earickson
>> Colby College
>
> Have to see if Jules chimes in on this one... Or Glenn... Any of the more
> proficient perl coders...
>

I see that there are spaces in some signature names of some Sanesecurity archives (doppelstern.hdb, winnow.attachments.hdb, winnow_malware.hdb...), so I've added this line:

  $virusname =~ s/ //;

after the split (line 1624 of SweepViruses.pm):

  ($keyword, $virusname, $filename) = split(/:: /, $line, 3);

to delete spaces in the name of the virus.
Perhaps there is a better place to do it, but it works fine for me.

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From alvaro at hostalia.com Tue Mar 15 12:17:47 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Tue Mar 15 12:17:57 2011
Subject: Malformed signature kills MailScanner
In-Reply-To: <4D7F53EB.1080309@hostalia.com>
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com> <4D7E4823.2040608@hostalia.com> <4D7F53EB.1080309@hostalia.com>
Message-ID: <4D7F58EB.6070303@hostalia.com>

On 15/03/11 12:56, Alvaro Marin wrote:
> $virusname =~ s/ //;

A smarter way...

  $virusname =~ s/\s//g;

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From glenn.steen at gmail.com Tue Mar 15 17:36:59 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Mar 15 17:37:10 2011
Subject: Spamassassin woes...
In-Reply-To:
References: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07>
Message-ID:

Likely found in /usr/local/bin...or similar, along with sa-update...

Cheers

On 15 Mar 2011 07.29, "Martin Hepworth" wrote:

> Kevin
>
> Ms doesn't use the binaries but the perl api as you prob know.
>
> Have you done a sa-update as the 3.3 releases have no rules by default
> and you have to download them.
>
> I'd check the binaries aren't elsewhere.
>
> Martin
>
> On Tuesday, 15 March 2011, Kevin Miller wrote:
>> This morning I trie...
>
> --
> --
> Martin Hepworth
> Oxford, UK

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From remy at unix-asp.com Wed Mar 16 11:26:57 2011
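The two substitutions Alvaro Marin posted in the "Malformed signature kills MailScanner" thread above behave differently once a signature name holds more than one whitespace character. The following Perl is an added example, not MailScanner code: the line layout is assumed from the `MailScanner --lint` output quoted on this page, the signature names containing spaces are constructed, and `parse_report_line` and `visible` are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed report lines in the "keyword:: name :: path" layout shown in the
# --lint output on this page. Only the Eicar line comes from the page; the
# other signature names are made up to imitate names that contain whitespace.
my @report = (
    "Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com",
    "Clamd::INFECTED:: Constructed.Sample Name With Spaces :: ./2/sample.doc",
    "Clamd::INFECTED:: Constructed.Tab\tName :: ./3/a file.txt",
    "this line has no field separators",
);

# Split one report line into (keyword, virusname, filename).
# $mode selects how whitespace in the name field is handled:
#   'none'  - leave the field exactly as split() returned it
#   'first' - s/ //     removes only the first space character
#   'all'   - s/\s//g   removes every whitespace character
# Returns an empty list for a line that does not have all three fields.
sub parse_report_line {
    my ($line, $mode) = @_;
    chomp $line;

    # Limit of 3 keeps any later ":: " (or spaces) inside the filename field.
    my ($keyword, $virusname, $filename) = split(/:: /, $line, 3);

    # Without both separators the later fields are undef; reject the line
    # here instead of passing undefined values on to the caller.
    return unless defined $filename;

    if    ($mode eq 'first') { $virusname =~ s/ //;   }
    elsif ($mode eq 'all')   { $virusname =~ s/\s//g; }

    return ($keyword, $virusname, $filename);
}

# Make tabs visible so leftover whitespace can be seen in the output.
sub visible {
    my ($text) = @_;
    $text =~ s/\t/\\t/g;
    return $text;
}

for my $line (@report) {
    for my $mode (qw(none first all)) {
        my @fields = parse_report_line($line, $mode);
        if (!@fields) {
            print "skipped (not a report line): $line\n";
            last;
        }
        my ($keyword, $name, $file) = @fields;
        # Brackets delimit each field so trailing spaces are visible.
        printf "%-5s keyword=[%s] name=[%s] file=[%s]\n",
            $mode, $keyword, visible($name), $file;
    }
    print "\n";
}
```

With `first`, the Eicar name comes out clean only because its single space is the trailing one left behind by the split on `:: `; the constructed names keep their remaining spaces or tab, which `all` removes.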
From: remy at unix-asp.com (Remy de Ruysscher)
Date: Wed Mar 16 11:26:59 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
Message-ID: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>

*HELP* I'm flooded by spam!

I recently upgraded MS to the latest FreeBSD port version and found problems with the latest p5-Mime-Tools so I reverted this port.

However MS is not scanning for spam anymore, I don't see any headers appended to the message anymore.

SA is running fine no errors while doing a lint or manually scanning a message.

# Add this extra header to all messages found to be spam.
# This can also be the filename of a ruleset.
Spam Header = X-%org-name%-MailScanner-SpamCheck:

# Add this extra header if "Spam Score" = yes. The header will
# contain 1 character for every point of the SpamAssassin score.
Spam Score Header = X-%org-name%-MailScanner-SpamScore:

FreeBSD unix-asp.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0

MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /usr/local/etc/MailScanner/MailScanner.conf
Configuration: Failed to find any configuration files like /usr/local/etc/MailScanner/conf.d/*, skipping them. at /usr/local/lib/MailScanner/MailScanner/Config.pm line 2044
Read 867 hostnames from the phishing whitelist
Read 6660 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.82.6) is correct.

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-UNIX-ASP-MailScanner-From

MailScanner setting GID to (125)
MailScanner setting UID to (125)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 119273 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd, f-prot-6
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd,f-prot-6)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

From maxsec at gmail.com Wed Mar 16 12:58:54 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Mar 16 12:59:04 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

What happens if you run ms in debug mode

Mailscanner --debug --debug-sa

??

--
Martin Hepworth
Oxford, UK

From remy at unix-asp.com Wed Mar 16 13:13:38 2011
From: remy at unix-asp.com (Remy de Ruysscher)
Date: Wed Mar 16 13:13:40 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

Tried that too, it scans mail and then delivers it.
I've fine tuned the spam lists and turned on DCC and Pyzor, and I checked various stuff in Postfix too.

Spam List = spamhaus-ZEN spamcop.net NJABL AHBL CBL MULTI-SURBL MAPS-RBL SORBS-DNSBL BARRACUDA

# This is the list of spam domain blacklists which you are using
# (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
# file for more information about what you can put here.
# This can also be the filename of a ruleset.
Spam Domain List = RFC-IGNORANT-DSN RFC-IGNORANT-BOGUSMX

Apparently the X-UNIX-ASP-MailScanner-SpamCheck: header is now only shown in spam messages:

X-UNIX-ASP-MailScanner-SpamCheck: spam, CBL
X-UNIX-ASP-MailScanner-From: buh@zeldom.ru
X-Spam-Status: Yes

Spam filtering works (again) but I'm not very confident it will reach those high spam scores I've seen in the past.

Anyone willing to share their anti-spam configuration?

From alex at vidadigital.com.pa Wed Mar 16 14:49:08 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Wed Mar 16 14:49:17 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

Your MTA might be running by itself if there is no indication that MailScanner is actually running.

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From remy at unix-asp.com Wed Mar 16 15:02:22 2011
From: remy at unix-asp.com (Remy de Ruysscher)
Date: Wed Mar 16 15:02:26 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

No, because I use postfix (which places incoming mail in the hold dir).
I see the normal MS headers in the mail.

Anyway I'm catching already a lot more spam with the adjustments mentioned earlier.

Anyone willing to share their anti-spam configuration?
From maxsec at gmail.com Wed Mar 16 15:03:34 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Mar 16 15:03:43 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

I'd

1) double check the postfix setup and make sure it's all good.
2) Don't use the spamlist here but either in the MTA or as part of the
scoring in SA, also check you're not getting blocked by spamhaus due to high
call. NB CBL is I think part of the ZEN list so you don't need this again,
and I'm not sure I'd trust the barracuda list to definitely say it's spam.

--
Martin Hepworth
Oxford, UK

On 16 March 2011 13:13, Remy de Ruysscher wrote:

> Tried that too, it scans mail and then delivers it.
> I've fine tuned the spam lists and turned on DCC and Pyzor, and I checked
> various stuff in Postfix too.
>
> Spam List = spamhaus-ZEN spamcop.net NJABL AHBL CBL MULTI-SURBL MAPS-RBL
> SORBS-DNSBL BARRACUDA
>
> # This is the list of spam domain blacklists which you are using
> # (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
> # file for more information about what you can put here.
> # This can also be the filename of a ruleset.
> Spam Domain List = RFC-IGNORANT-DSN RFC-IGNORANT-BOGUSMX
>
> Apparently the X-UNIX-ASP-MailScanner-SpamCheck: header is now only shown in
> spam messages:
>
> X-UNIX-ASP-MailScanner-SpamCheck: spam, CBL
> X-UNIX-ASP-MailScanner-From: buh@zeldom.ru
> X-Spam-Status: Yes
>
> Spam filtering works (again) but I'm not very confident it will reach those
> high spam scores I've seen in the past.
>
> Anyone willing to share their anti-spam configuration?
From remy at unix-asp.com Wed Mar 16 15:15:16 2011
From: remy at unix-asp.com (Remy de Ruysscher)
Date: Wed Mar 16 15:15:23 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

Skipped content of type multipart/alternative

From raymond at prolocation.net Wed Mar 16 15:19:07 2011
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Wed Mar 16 15:19:16 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

Hi!

> CBL is not part of spamhaus blocklist.

??

> spamhaus.org      sbl.spamhaus.org.
>
> spamhaus-XBL      xbl.spamhaus.org.
>
> spamhaus-PBL      pbl.spamhaus.org.
>
> spamhaus-ZEN      zen.spamhaus.org.

XBL holds the CBL data.

Exploits Block List

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses
of hijacked PCs infected by illegal 3rd party exploits, including open proxies
(HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam
engines, and other types of trojan-horse exploits.

If your IP address is listed by the XBL, see the XBL FAQs for solutions

Incorporates CBL data and NJABL proxy data

The XBL wholly incorporates data from two highly-trusted DNSBL sources,
with tweaks by Spamhaus to maximise the data efficiency and lower False
Positives. The main components are:
- the CBL (Composite Block List) from cbl.abuseat.org
- the NJABL Open Proxy IPs list from www.njabl.org.

XBL Usage

The Exploits Block List can be used by all modern mail servers, by setting your
mail server's anti-spam DNSBL feature (sometimes called "Blacklist DNS
Servers" or "RBL servers") to query xbl.spamhaus.org. XBL is also part of a
combined DNSBL comprising SBL, XBL and PBL, see: ZEN

Bye,
Raymond.

From ms-list at alexb.ch Wed Mar 16 15:28:19 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Mar 16 15:28:34 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID: <4D80D713.5040409@alexb.ch>

On 2011-03-16 16:15, Remy de Ruysscher wrote:
> Thanks for the reply.
>
> CBL is not part of spamhaus blocklist.

very wrong - CBL is the main data source in XBL (xbl.spamhaus.org)

> spamhaus.org sbl.spamhaus.org.
>
> spamhaus-XBL xbl.spamhaus.org.
>
> spamhaus-PBL pbl.spamhaus.org.
>
> spamhaus-ZEN zen.spamhaus.org.
>
> ZEN is a combination of the first three.
>
> I do not use the blocklists in the MTA (that's unsound), but rather in MS.
> I'm assigning a low score to the Barracuda list, so that should be ok.
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin
> Hepworth
> Sent: Wednesday 16 March 2011 16:04
> To: MailScanner discussion
> Subject: Re: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
>
> I'd
>
> 1) double check the postfix setup and make sure it's all good.
> 2) Don't use the spamlist here but either in the MTA or as part of the
> scoring in SA, also check you're not getting blocked by spamhaus due to high
> call. NB CBL is I think part of the ZEN list so you don't need this again,
> and I'm not sure I'd trust the barracuda list to definitely say it's spam.

From remy at unix-asp.com Wed Mar 16 15:31:00 2011
From: remy at unix-asp.com (Remy de Ruysscher)
Date: Wed Mar 16 15:31:04 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn
> Sent: Wednesday 16 March 2011 16:19
> To: MailScanner discussion
> Subject: RE: MS not scanning for spam and Spam Header missing! (FreeBSD
> 8)
>
> Hi!
>
> > CBL is not part of spamhaus blocklist.
>

You are correct! I'm removing the NJABL and CBL from my spam lists, thanks!

From maxsec at gmail.com Wed Mar 16 15:59:01 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Mar 16 15:59:10 2011
Subject: MS not scanning for spam and Spam Header missing! (FreeBSD 8)
In-Reply-To:
References: <002d01cbe3cd$0fce99f0$2f6bcdd0$@unix-asp.com>
Message-ID:

On 16 March 2011 15:15, Remy de Ruysscher wrote:

> Thanks for the reply.
>
> CBL is not part of spamhaus blocklist.
>
> spamhaus.org sbl.spamhaus.org.
>
> spamhaus-XBL xbl.spamhaus.org.
>
> spamhaus-PBL pbl.spamhaus.org.
>
> spamhaus-ZEN zen.spamhaus.org.
>
> ZEN is a combination of the first three.
>
> I do not use the blocklists in the MTA (that's unsound), but rather in MS.
> I'm assigning a low score to the Barracuda list, so that should be ok.

If you use the Spam List in MailScanner.conf this has nothing to do with
spamassassin at all and will act independently to mark email as spam.

--
Martin Hepworth
Oxford, UK

From mrm at medicine.wisc.edu Wed Mar 16 17:23:15 2011
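Added example, not part of any list message: the DNSBL thread that ends above turns on ZEN already containing XBL (and through it the CBL and NJABL proxy data), so naming those lists separately in "Spam List" counts the same evidence twice. The sketch flags such overlaps and decodes ZEN answers; the function names are hypothetical, the sample configuration is constructed from the one quoted in the thread, and the return codes are Spamhaus's published values, an assumption the thread does not state.

```python
import ipaddress

# Composition as stated in the thread: ZEN combines SBL, XBL and PBL, and XBL
# incorporates the CBL and the NJABL open-proxy data. Names are the ones used
# on the "Spam List" line ("spamhaus.org" is the entry for sbl.spamhaus.org).
COMPOSITION = {
    "spamhaus-ZEN": {"spamhaus.org", "spamhaus-XBL", "spamhaus-PBL"},
    "spamhaus-XBL": {"CBL", "NJABL"},
}

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = """\
Spam List = spamhaus-ZEN spamcop.net NJABL AHBL CBL MULTI-SURBL MAPS-RBL SORBS-DNSBL BARRACUDA
# This can also be the filename of a ruleset.
Spam Domain List = RFC-IGNORANT-DSN RFC-IGNORANT-BOGUSMX
"""

# Assumption (not from the thread): Spamhaus's published ZEN return codes,
# keyed by the last octet of a 127.0.0.x answer.
ZEN_CODES = {2: "SBL", 3: "SBL", 9: "SBL",
             4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def parse_spam_list(conf_text):
    """Return the list names on the 'Spam List =' line of MailScanner.conf text."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        key, sep, value = line.partition("=")
        if sep and " ".join(key.split()).lower() == "spam list":
            return value.split()
    return []


def covered_by(name):
    """Every list whose data is already contained in `name`, transitively."""
    seen, stack = set(), [name]
    while stack:
        for child in COMPOSITION.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def redundant_lists(names):
    """Map each configured list to a configured list that already contains it."""
    redundant = {}
    for outer in names:
        for inner in covered_by(outer):
            if inner in names:
                redundant.setdefault(inner, outer)
    return redundant


def dnsbl_query_name(ip, zone):
    """DNS name queried for an IPv4 address: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def zen_hits(answers):
    """Decode A-record answers from zen.spamhaus.org.

    Returns (components, error_seen). Answers in 127.255.255.0/24 mean the
    query was refused or malformed; they are never a listing, so a filter
    that treats "any answer" as a hit would mark all mail as spam.
    """
    components, error_seen = set(), False
    for answer in answers:
        addr = ipaddress.IPv4Address(answer)
        if addr in ERROR_NET:
            error_seen = True
        elif addr in LISTING_NET:
            name = ZEN_CODES.get(int(addr) & 0xFF)
            if name:
                components.add(name)
    return components, error_seen


if __name__ == "__main__":
    configured = parse_spam_list(SAMPLE_CONF)
    for inner, outer in sorted(redundant_lists(configured).items()):
        print(f"{inner} is already covered by {outer}")
    print(dnsbl_query_name("192.0.2.99", "zen.spamhaus.org."))
    print(zen_hits(["127.0.0.4", "127.0.0.10"]))
    print(zen_hits(["127.255.255.254"]))
```
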
From: mrm at medicine.wisc.edu (Michael Masse)
Date: Wed Mar 16 17:23:37 2011
Subject: Problem w/ DNS since updating
Message-ID: <4D80ABB30200003E0000B018@gwmail.medicine.wisc.edu>

I have multiple MailScanners running on fully patched CentOS 4 systems. I recently upgraded MailScanner on all of my systems to 4.82.6-1 from 4.78.17-1. Each system runs its own cached-nameserver and has been like this for many many years. Since the update I've been having very strange problems with DNS. Just about every day or so now I have to restart named on each system because it will stop resolving properly. A manual restart of the named service gets things working again, but I've never had to do this before and it's happening on all MailScanner systems.

Just curious if anyone else has experienced something like this in the past?

-Mike

From q at snj.ca Wed Mar 16 17:30:06 2011
From: q at snj.ca (Quintin Giesbrecht)
Date: Wed Mar 16 17:30:26 2011
Subject: Issue since updating
Message-ID: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local>

We did an update this morning. Both MS and SA from MS website. Now all of our spam scores are 0. Obviously my end users are mad at me :(

Not sure what info to provide, but here goes....if anyone has any ideas as to what is wrong, or would like further details, please let me know. Thanks!

3.31 for SA
4.82.6 for MS

MailScanner --lint:

Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 903 hostnames from the phishing whitelist
Read 6514 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 37 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 598 whitelist entries

Checking version numbers...
Version number in MailScanner.conf (4.82.6) is correct.

Unrar is not installed, it should be in /usr/bin/unrar.
This is required for RAR archives to be read to check
filenames and filetypes. Virus scanning is not affected.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamavmodule
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
1.message: Eicar-Test-Signature FOUND
./1/eicar.com: Eicar-Test-Signature FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Eicar-Test-Signature"

If any of your virus scanners (clamavmodule)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist

Quintin Giesbrecht
IT Manager
Smith Neufeld Jodoin LLP
(204)392-6514
http://snj.ca
q@snj.ca

----------------
This communication, including its attachments, if any, is confidential and intended only for the person(s) to whom it is addressed, and may contain proprietary and/or privileged material. Any unauthorized review, disclosure, copying, other distribution of this communication or taking of any action in reliance on its contents is strictly prohibited. If you have received this message in error, please notify us immediately so that we may amend our records. Then, please delete this message, and its attachments, if any, without reading, copying or forwarding it to anyone.

From pparsons at techeez.com Wed Mar 16 17:37:24 2011
From: pparsons at techeez.com (Philip Parsons)
Date: Wed Mar 16 17:40:03 2011
Subject: Issue since updating
In-Reply-To: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local>
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local>
Message-ID: <11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com>

SA 3.xx does not come with any rules; you have to run sa-update.
From q at snj.ca Wed Mar 16 18:00:53 2011
From: q at snj.ca (Quintin Giesbrecht)
Date: Wed Mar 16 18:01:11 2011
Subject: Issue since updating
In-Reply-To: <11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com>
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local> <11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com>
Message-ID: <782A53FD749DDF4D93FC6310AF067CBA7AE083@exchange.snjlaw.local>

Thanks, I just figured that out just before your email came in! Learned something new :)

It is working once again...

Q
From q at snj.ca Wed Mar 16 18:12:39 2011
From: q at snj.ca (Quintin Giesbrecht)
Date: Wed Mar 16 18:13:03 2011
Subject: Issue since updating
In-Reply-To: <11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com>
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local> <11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com>
Message-ID: <782A53FD749DDF4D93FC6310AF067CBA7AE088@exchange.snjlaw.local>

Does this now mean that sa-update should be run periodically via a cron job?

Thanks,
Quintin
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist

Quintin Giesbrecht
IT Manager
Smith Neufeld Jodoin LLP
(204)392-6514
http://snj.ca
q@snj.ca

From mikael at syska.dk Wed Mar 16 18:24:01 2011
From: mikael at syska.dk (Mikael Syska)
Date: Wed Mar 16 18:24:14 2011
Subject: Issue since updating
In-Reply-To: <782A53FD749DDF4D93FC6310AF067CBA7AE088@exchange.snjlaw.local>
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local> <11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com> <782A53FD749DDF4D93FC6310AF067CBA7AE088@exchange.snjlaw.local>
Message-ID:

Hi,

On Wed, Mar 16, 2011 at 7:12 PM, Quintin Giesbrecht wrote:
> Does this now mean that sa-update should be run periodically via a cron
> job?

Yes, like before ... now it just doesn't get shipped with any rules.

>
> Thanks,
>
> Quintin
>
> -----Original Message-----
[snip]

Best regards
Mikael Syska

From q at snj.ca Wed Mar 16 18:26:09 2011
From: q at snj.ca (Quintin Giesbrecht)
Date: Wed Mar 16 18:26:26 2011
Subject: Issue since updating
In-Reply-To:
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local><11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com><782A53FD749DDF4D93FC6310AF067CBA7AE088@exchange.snjlaw.local>
Message-ID: <782A53FD749DDF4D93FC6310AF067CBA7AE08B@exchange.snjlaw.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mikael Syska
Sent: March-16-11 1:24 PM
To: MailScanner discussion
Subject: Re: Issue since updating

Hi,

On Wed, Mar 16, 2011 at 7:12 PM, Quintin Giesbrecht wrote:
> Does this now mean that sa-update should be run periodically via a
> cron job?

>Yes, like before ... now it just doesn't get shipped with any rules.

Thanks - so I should have been updating the rules all along? Wow, I guess I missed that one :)

Thanks for the help.

Q

>
> Thanks,
>
> Quintin
>
> -----Original Message-----
[snip]

Best regards
Mikael Syska

From nsnidanko at harperpowerproducts.com Wed Mar 16 18:46:54 2011
From: nsnidanko at harperpowerproducts.com (Naz Snidanko)
Date: Wed Mar 16 18:47:07 2011
Subject: Issue since updating
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local><11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com><782A53FD749DDF4D93FC6310AF067CBA7AE088@exchange.snjlaw.local> <782A53FD749DDF4D93FC6310AF067CBA7AE08B@exchange.snjlaw.local>
Message-ID: <5A3F1C070C66DB4F9C71950D33E91CA51549F5@tor_nt01.harperdda.com>

You didn't miss a lot. Database was the same for the past 4 months.

1.3.3.updates.spamassassin.org => 1052462

Are there any alternative channels that you guys use with 3.3.1?

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From MailScanner at ecs.soton.ac.uk Wed Mar 16 19:43:01 2011
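The "Issue since updating" thread above establishes that SpamAssassin 3.3 ships without rules and that sa-update has to be run from cron. A cron wrapper for that follows as an added example, not code from the list or from MailScanner; the reload command, the rules directory, the --cron switch and the function names are assumptions to adjust per site.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper around sa-update.
# Assumptions, all overridable from the environment:
#   SA_UPDATE   command that fetches rules (sa-update itself)
#   RELOAD_CMD  how MailScanner is told to pick up new rules (site-specific)
#   RULES_DIR   sa-update's local state directory (differs per OS/packaging)
SA_UPDATE="${SA_UPDATE:-sa-update}"
RELOAD_CMD="${RELOAD_CMD:-service MailScanner reload}"
RULES_DIR="${RULES_DIR:-/var/lib/spamassassin}"

# Count installed rule files under a directory. With none installed every
# message scores 0, which is the symptom reported in the thread.
count_rule_files() {
    if [ -d "$1" ]; then
        find "$1" -type f -name '*.cf' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Map sa-update's exit status and the rule count to one action.
# Documented statuses: 0 = update installed, 1 = no fresh update,
# 4 or higher = download/extract error. Anything other than 0 or 1 is
# treated as a failure here.
decide_action() {
    _rc=$1
    _rules=$2
    if [ "$_rules" -eq 0 ]; then
        echo no-rules          # worst case first: nothing to score with
        return
    fi
    case "$_rc" in
        0) echo reload ;;
        1) echo none ;;
        *) echo update-failed ;;
    esac
}

# Run one update cycle. Prints the action taken; returns non-zero when an
# operator needs to look (so cron mails the output).
run_update() {
    rc=0
    $SA_UPDATE >&2 || rc=$?
    action=$(decide_action "$rc" "$(count_rule_files "$RULES_DIR")")
    if [ "$action" = "reload" ]; then
        $RELOAD_CMD >&2 || action="reload-failed"
    fi
    echo "$action"
    case "$action" in
        reload|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act when called with --cron, so the functions can be sourced and tested.
if [ "${1:-}" = "--cron" ]; then
    result=$(run_update) || {
        echo "sa-update wrapper: action=$result, check rules under $RULES_DIR" >&2
        exit 1
    }
fi
```

The no-rules check is independent of sa-update's exit status, so it also catches a box where the update never ran.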
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Mar 16 19:44:09 2011
Subject: Malformed signature kills MailScanner
In-Reply-To: <4D7F58EB.6070303@hostalia.com>
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com> <4D7E4823.2040608@hostalia.com> <4D7F53EB.1080309@hostalia.com> <4D7F58EB.6070303@hostalia.com> <4D8112C5.6000108@ecs.soton.ac.uk>
Message-ID:

New version 4.83.2 published including this important fix.

Many thanks to Alvaro for finding this one.

Jules.

> On 15/03/11 12:56, Alvaro Marin wrote:
>
>> $virusname =~ s/ //;
>
> A smarter way...
>
> $virusname =~ s/\s//g;
>
> Regards,
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

'All programs have a desire to be useful' - Tron, 1982

From bonivart at opencsw.org Wed Mar 16 20:08:06 2011
From: bonivart at opencsw.org (Peter Bonivart)
Date: Wed Mar 16 20:08:34 2011
Subject: Malformed signature kills MailScanner
In-Reply-To:
References: <4D7E2BCF.3060508@hostalia.com> <4D7E314D.1070200@hostalia.com> <4D7E3F7F.7020402@hostalia.com> <4D7E4823.2040608@hostalia.com> <4D7F53EB.1080309@hostalia.com> <4D8112C5.6000108@ecs.soton.ac.uk> <4D7F58EB.6070303@hostalia.com>
Message-ID:

On Wed, Mar 16, 2011 at 8:43 PM, Jules Field wrote:
> New version 4.83.2 published including this important fix.
>
> Many thanks to Alvaro for finding this one.
>
> Jules.

Could you please also take a look at my patch for ClamAV updates. The logging is wrong.

http://lists.mailscanner.info/pipermail/mailscanner/2011-March/097544.html

/peter

From AHKAPLAN at PARTNERS.ORG Thu Mar 17 19:58:38 2011
From: AHKAPLAN at PARTNERS.ORG (Kaplan, Andrew H.)
Date: Thu Mar 17 19:58:49 2011
Subject: update_bad_phishing sites script error
Message-ID:

Hi there --

I don't know if this issue has been discussed already; if it has, sorry about the repeat. Anyway, we have the several mailscanner scripts running at regular intervals on our sendmail server. One of the scripts, update_bad_phishing_sites, has been reporting a series of errors. These errors include the following:

Unable to retrieve http://www.mailscanner.tv/.2011-114 :500 Can't connect to www.mailscanner.tv:80 (connect: timeout)
Failed to retrieve http://www.mailscanner.tv/2011-114.1 at /opt/MailScanner/bin/update_bad_phishing_sites line 198.
Failed to retrieve http://www.mailscanner.tv/2011-114.2 at /opt/MailScanner/bin/update_bad_phishing_sites line 198.
Failed to retrieve http://www.mailscanner.tv/2011-114.3 at /opt/MailScanner/bin/update_bad_phishing_sites line 198.
...

These errors are then followed by the messages shown below:

Unable to open base file (/var/spool/MailScanner/quarantine/phishingupdate/cache//2011-114)
Reading status from /var/spool/MailScanner/quarantine/phishingupdate/status
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2011-113 exists... ok
Checking that /var/spool/MailScanner/quarantine/phishingupdate/cache/2011-113.36 exists... no - resetting..... ok
I am working with: Current: 2011-114 - 68 and Status: 2011-113 - -1
This is base update
Update required
Retrieving http://www.mailscanner.tv/2011-114.1
Retrieving http://www.mailscanner.tv/2011-114.2
Retrieving http://www.mailscanner.tv/2011-114.3
Retrieving http://www.mailscanner.tv/2011-114.4
Retrieving http://www.mailscanner.tv/2011-114.5
Retrieving http://www.mailscanner.tv/2011-114.6
...

So it appears the problem occurs initially, and then corrects itself. This just started happening yesterday early afternoon. The version of MailScanner that is currently running on the server is the 4.82.6-1 release.

Do I need to upgrade MailScanner to version 4.83.3-1 in order to correct this issue, or is there another means to fix this?

Thanks.

From Kevin_Miller at ci.juneau.ak.us Thu Mar 17 22:09:36 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 17 22:09:52 2011
Subject: Spamassassin woes...
In-Reply-To:
References: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07>
Message-ID: <4A09477D575C2C4B86497161427DD94C15C2BC26CD@city-exchange07>

Martin Hepworth wrote:
> Kevin
>
> Ms doesn't use the binaries but the perl api as you prob know. Have
> you done a sa-update as the 3.3 releases have no rules by default and
> you have to download them. I'd check the binaries aren't elsewhere.
>
> Martin

Thanks for the reply Martin - I've been sidetracked w/several issues unrelated to MailScanner & spamassassin.

I do have the 3.003001 ruleset. It existed prior to my uninstalling spamassassin 3.2.5.

I'll just install sa from source (No point in installing SLES's RPMs as they're obsolete.) I was just kind of surprised that Julian's package didn't install the whole kit and kaboodle. As you noted, it uses the perl api, but there's no way to update it w/o the binaries. Unless the lack of them is related to the make error on line 121 of the output on pastebin.

I'll take that question over to the SUSE forums unless there's someone else here using SLES that's encountered a similar issue.

Best...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Thu Mar 17 22:19:17 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 17 22:19:28 2011
Subject: Spamassassin woes...
In-Reply-To:
References: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07>
Message-ID: <4A09477D575C2C4B86497161427DD94C15C2BC26CE@city-exchange07>

Nope - no trace of them anywhere after uninstalling 3.2.5. I'll probably have to install 3.3.1 from source.
I fully understand (and agree with) the practice of distributions not upgrading packages when newer ones come out, but there's *some* packages like spamassassin and clamav that should be the latest. Bug/security fixes aren't always enough. Sigh...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Tuesday, March 15, 2011 9:37 AM
To: MailScanner discussion
Subject: Re: Spamassassin woes...

Likely found in /usr/local/bin...or similar, along with sa-update...

Cheers

On 15 Mar 2011 07.29, "Martin Hepworth" wrote:

Kevin

Ms doesn't use the binaries but the perl api as you prob know. Have
you done a sa-update as the 3.3 releases have no rules by default and
you have to download them. I'd check the binaries aren't elsewhere.

Martin

On Tuesday, 15 March 2011, Kevin Miller wrote:
> This morning I trie...

--
--
Martin Hepworth
Oxford, UK

From maxsec at gmail.com Fri Mar 18 06:28:07 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Mar 18 06:28:16 2011
Subject: Spamassassin woes...
In-Reply-To: <4A09477D575C2C4B86497161427DD94C15C2BC26CE@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C15C2BC26B4@city-exchange07> <4A09477D575C2C4B86497161427DD94C15C2BC26CE@city-exchange07>
Message-ID:

not used Jules packages on non RH based systems, but the install from source on either package isn't too onerous (esp SA which can be done easily from CPAN)

--
Martin Hepworth
Oxford, UK

On 17 March 2011 22:19, Kevin Miller wrote:

> Nope - no trace of them anywhere after uninstalling 3.2.5. I'll probably
> have to install 3.3.1 from source.
> I fully understand (and agree with) the practice of distributions not
> upgrading packages when newer ones come out, but there's *some* packages
> like spamassassin and clamav that should be the latest. Bug/security fixes
> aren't always enough. Sigh...
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
>
>
> ------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Glenn Steen
> *Sent:* Tuesday, March 15, 2011 9:37 AM
> *To:* MailScanner discussion
> *Subject:* Re: Spamassassin woes...
>
> Likely found in /usr/local/bin...or similar, along with sa-update...
>
> Cheers
>
> On 15 Mar 2011 07.29, "Martin Hepworth" wrote:
>
> Kevin
>
> Ms doesn't use the binaries but the perl api as you prob know. Have
> you done a sa-update as the 3.3 releases have no rules by default and
> you have to download them. I'd check the binaries aren't elsewhere.
>
> Martin
>
>
> On Tuesday, 15 March 2011, Kevin Miller wrote:
> > This morning I trie...
> --
> --
> Martin Hepworth
> Oxford, UK

From jonas at vrt.dk Fri Mar 18 07:55:54 2011
From: jonas at vrt.dk (Jonas)
Date: Fri Mar 18 07:56:08 2011
Subject: Issue since updating
In-Reply-To: <5A3F1C070C66DB4F9C71950D33E91CA51549F5@tor_nt01.harperdda.com>
References: <782A53FD749DDF4D93FC6310AF067CBA7AE080@exchange.snjlaw.local><11D8E491D9562549A61FD3186F363420BFDA0B85@exchange.techeez.com><782A53FD749DDF4D93FC6310AF067CBA7AE088@exchange.snjlaw.local><782A53FD749DDF4D93FC6310AF067CBA7AE08B@exchange.snjlaw.local> <5A3F1C070C66DB4F9C71950D33E91CA51549F5@tor_nt01.harperdda.com>
Message-ID: <09F23668E315FD4597C13D73E5123ADF5BD23D@SCTSBS.sct.dk>

>
> Are there any alternative channels that you guys use with 3.3.1?
>

Yes, the sought rule set (google it) it's pretty useful.

Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:    7020 0978
Web: www.techbiz.dk

From markus at markusoft.se Fri Mar 18 09:19:13 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Fri Mar 18 09:19:28 2011
Subject: Allow Multiple HTML Signatures, not working?
In-Reply-To: <17226698.10653.1300439239022.JavaMail.markus@cronlabworkstation0>
Message-ID: <8980526.10660.1300439949128.JavaMail.markus@cronlabworkstation0>

Hi!

I am having problems with

Allow Multiple HTML Signatures = no

I always get multiple image signatures in my mails. Looks like the same problems as

http://article.gmane.org/gmane.mail.virus.mailscanner/73770/match=multiple+inline+html+signatures

Is anyone successfully using this feature?

I tried to do some debugging of this, and found that the signature image is successfully detected by the

sub DisarmTagCallback {

function, but the variable SigImageFound is still 0 in

sub DisarmHTML {

I made log prints in these two locations, and see that they are done in different threads, and that value seems not to be passed between them. Could this be a bug? (Notice the different pids in the log below)

30574:Mar 18 09:34:23 xxx MailScanner[23120]: SigImage: 1 <-- From DisarmTagCallback
30579:Mar 18 09:34:23 xxx MailScanner[23093]: sigimagepresent: 0 <-- From DisarmHTML

BR/

Markus

From markus at markusoft.se Fri Mar 18 09:55:34 2011
From: markus at markusoft.se (Markus Nilsson) Date: Fri Mar 18 09:55:49 2011 Subject: Using hard links when storing messages In-Reply-To: <9356320.10681.1300441715800.JavaMail.markus@cronlabworkstation0> Message-ID: <157772.10686.1300442132565.JavaMail.markus@cronlabworkstation0> Hi, I'm using the store-/path/_TOUSER_/ feature in Non Spam Actions to store a copy of the mail for each recipient. However this is a waste of space, and I thought it would be better to use hardlinks when multiple copies are used. I have made a small patch that tries to make a hardlink if the mail has already been stored, but creates a new copy if it fails: The diff is against PFDiskStore.pm: 104a105,106 > $this->{AlreadyStored} = 0; > 626a629,635 > if($this->{AlreadyStored} == 1) > { > if(link($this->{AlreadyStoredPath}, $targetdir . '/' . $targetfile)) > { > return $targetdir . '/' . $targetfile; > } > } 631a641,642 > $this->{AlreadyStored} = 1; > $this->{AlreadyStoredPath} = $targetdir . '/' . $targetfile; Is this something that would be useful for others? BR/ Markus -- This message has been scanned for viruses and dangerous content by CronLab (www.cronlab.com), and is believed to be clean. From alvaro at hostalia.com Fri Mar 18 11:12:56 2011 
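Review bot: In the PFDiskStore.pm patch above, the 631a641,642 hunk sets AlreadyStored and AlreadyStoredPath with no visible check that the first copy was written completely, so a failed or partial write would be hard-linked to every later recipient by the 626a629,635 hunk; set the flag only once the store is known to have succeeded. Because link() makes all recipients share one inode, anything that later edits one stored copy in place, or changes its owner or mode for one user's directory, changes it for every recipient, so the option should be documented as suitable only for stores that are read-only after writing. The fallback to a fresh copy when link() fails is silent; a debug log line there would explain unexpected disk usage.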
From: alvaro at hostalia.com (Alvaro Marin)
Date: Fri Mar 18 11:13:04 2011
Subject: UUencoded attachments
Message-ID: <4D833E38.8050602@hostalia.com>

Hi,

one of our customers is using a webmail (squirrelmail or horde) that can't show uuencoded files as attachments, so they are shown as text.

MailScanner extracts them correctly, and I think that could be a method to re-attach them in base64+MIME format.

I see a commented function in Message.pm:

## Try to detect and dispatch embedded uuencode as a fake multipart message.
## Returns new entity or undef.
##
#sub hunt_for_uuencode {

that could help to convert those uuencoded files to base64+MIME mail.
Any idea about how to use it?

Thanks!
Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From maxsec at gmail.com Fri Mar 18 12:16:51 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Mar 18 12:17:00 2011
Subject: UUencoded attachments
In-Reply-To: <4D833E38.8050602@hostalia.com>
References: <4D833E38.8050602@hostalia.com>
Message-ID:

hmm got me wondering as to what would still be using uuencode for attachments and not mime????

--
Martin Hepworth
Oxford, UK

On 18 March 2011 11:12, Alvaro Marin wrote:

> Hi,
>
> one of our customers is using a webmail (squirrelmail or horde) that can't
> show uuencoded files as attachments, so they are shown as text.
>
> MailScanner extracts them correctly, and I think that could be a method to
> re-attach them in base64+MIME format.
>
> I see a commented function in Message.pm:
>
> ## Try to detect and dispatch embedded uuencode as a fake multipart
> message.
> ## Returns new entity or undef.
> ##
> #sub hunt_for_uuencode {
>
> that could help to convert those uuencoded files to base64+MIME mail.
> Any idea about how to use it?
>
> Thanks!
> Regards,
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com

From l.wilke at it-betrieb.de Fri Mar 18 12:25:23 2011
From: l.wilke at it-betrieb.de (Lars Wilke)
Date: Fri Mar 18 12:25:34 2011
Subject: reports encoding
Message-ID: <20110318122523.GA2535@dagobert.entenhausen.it-betrieb.de>

Hi,

i seek some advice on how i should cope with emails encoded in utf-8 vs ISO8859-1 or 15. Sadly i have no control about the users mail clients.

As i understand it, in MailScanner i can only distinguish between the languages the reports are in. I can not further distinguish between different encodings. Is this correct? So how do other people cope with this?

Not strictly on topic but related, i need to insert disclaimers at the end of the mail (yes i know, better let the mua do this but ...). The only viable non commercial solution seems to be altermime, which suffers the same problem. AFAIU it does not distinguish or handle different encodings :(

i guess i could write a wrapper for altermime which tries to figure out the correct encoding? Hm, but i guess this will open a big can of worms.

Any advice would be very welcome, thanks

--lars

From alvaro at hostalia.com Fri Mar 18 13:19:24 2011
From: alvaro at hostalia.com (Alvaro Marin)
Date: Fri Mar 18 13:19:34 2011
Subject: UUencoded attachments
In-Reply-To:
References: <4D833E38.8050602@hostalia.com>
Message-ID: <4D835BDC.7060509@hostalia.com>

me too :(

It seems that it's something related to Lotus Notes and there isn't an option to change it :-/

I'm creating a perl program with MIME::Parser to convert the messages, but it would be great if it could be done in MailScanner.

On 18/03/11 13:16, Martin Hepworth wrote:
> hmm got me wondering as to what would still be using uuencode for
> attachments and not mime????
> --
> Martin Hepworth
> Oxford, UK
>
>
> On 18 March 2011 11:12, Alvaro Marin wrote:
>
> Hi,
>
> one of our customers is using a webmail (squirrelmail or horde) that
> can't show uuencoded files as attachments, so they are shown as text.
>
> MailScanner extract them correctly, and I think that could be a
> method to re-attach them in base64+MIME format.
>
> I see a commented function in Message.pm:
>
> ## Try to detect and dispatch embedded uuencode as a fake multipart
> message.
> ## Returns new entity or undef.
> ##
> #sub hunt_for_uuencode {
>
> that could help to convert those uuencoded files to base64+MIME mail.
> Any idea about how to use it?
>
> Thanks!
> Regards,
>
> --
> Alvaro Marín Illera
> Hostalia Internet
> www.hostalia.com

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From markus at markusoft.se Fri Mar 18 14:56:08 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Fri Mar 18 14:56:24 2011
Subject: Allow Multiple HTML Signatures, not working?
In-Reply-To: <8980526.10660.1300439949128.JavaMail.markus@cronlabworkstation0>
Message-ID: <19662921.10747.1300460167302.JavaMail.markus@cronlabworkstation0>

> Hi!
>
> I am having problems with
>
> Allow Multiple HTML Signatures = no
>
> I always get multiple image signatures in my mails Looks like the same
> problems as
>
> http://article.gmane.org/gmane.mail.virus.mailscanner/73770/match=multiple+inline+html+signatures
>
>
> Is anyone successfully using this feature?
>
>
> I tried to do some debugging of this, and found that the signature
> image is successfully detected by the
>
> sub DisarmTagCallback {
>
> function, but the variable SigImageFound is still 0 in
>
> sub DisarmHTML {
>
> I made log prints in these two locations, and see that they are done
> in different threads, and that value seems not to be passed between
> them. Could this be a bug? (Notice the different pids in the log
> below)
>
> 30574:Mar 18 09:34:23 xxx MailScanner[23120]: SigImage: 1 <-- From
> DisarmTagCallback
> 30579:Mar 18 09:34:23 xxx MailScanner[23093]: sigimagepresent: 0 <--
> From DisarmHTML
>
>
> BR/
>
> Markus
>
>

Hi,

I'm not sure if I am alone with this problem, but I worked a bit with this on my end, and have come up with a patch to get it to work.

The problem as I see it, is that the HTML parser runs in one thread, and does not tell the main thread about the signature finding.

This patch below adds information about the found signature to the pipe from the parser, and sets the global variable in the main thread.
6796a6797,6798 > #Add SignatureImageIsFound Magic text if the sig is found > print $pipe "SignatureImageIsFound\n" if ($SigImageFound == 1); 6815c6817,6818 < push @DisarmDoneSomething, $pipedata; --- > $SigImageFound = 1 if($pipedata eq "SignatureImageIsFound"); > push @DisarmDoneSomething, $pipedata unless ($pipedata eq "SignatureImageIsFound"); The patch is against # $Id: Message.pm 4986 2010-01-18 14:52:38Z sysjkf This feature would actually be very useful to make replied messages not grow in size! Thanks /Markus -- This message has been scanned for viruses and dangerous content by CronLab (www.cronlab.com), and is believed to be clean. From mark at msapiro.net Fri Mar 18 19:34:14 2011 From: mark at msapiro.net (Mark Sapiro) Date: Fri Mar 18 19:34:29 2011 Subject: Mailscanner 4.83.2 breaks logwatch report. Message-ID: The change in MailScanner 4.83.2 changes log entries of the form Mar 16 01:10:57 sbh16 MailScanner[4887]: Clamd::INFECTED:: Worm.Mydoom.M :: ./7AD6C6900BA.ABEC6/ to Mar 16 01:10:57 sbh16 MailScanner[4887]: Clamd::INFECTED::Worm.Mydoom.M :: ./7AD6C6900BA.ABEC6/ I.e., the space following INFECTED:: is dropped. The attached patch (logwatch.patch.txt) applies to the logwatch.scripts/services/mailscanner file distributed with logwatch 7.4.0 and fixes the problem. Note, that the only part of this patch that is tested is the Clamd part as I don't run any other virus scanners, but the patch shouldn't hurt in any case as it only makes the space optional. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan -------------- next part -------------- --- mailscanner 2010-04-30 19:34:09.000000000 -0700 +++ /etc/logwatch/scripts/services/mailscanner 2011-03-18 12:01:26.000000000 -0700 
@@ -168,13 +168,13 @@ $VirusType_BitDefender{$1}++; $MailScan_Virus_BitDefender++; } elsif ( ($ThisLine =~ m/^\/var\/spool\/MailScanner\/incoming\/.+: ([\w\_\-\.\/]+) FOUND/i) or - ($ThisLine =~ m/Clamd::INFECTED:: (\S+) ::/i) ) { + ($ThisLine =~ m/Clamd::INFECTED:: ?(\S+) ::/i) ) { $VirusType_ClamAv{$1}++; $MailScan_Virus_ClamAv++; - } elsif ($ThisLine =~ m/ClamAVModule::INFECTED:: (.+)::/) { + } elsif ($ThisLine =~ m/ClamAVModule::INFECTED:: ?(.+)::/) { $VirusType_ClamAVModule{$1}++; $MailScan_Virus_ClamAVModule++; - } elsif ($ThisLine =~ m/INFECTED:: (.+) (FOUND )?::/) { + } elsif ($ThisLine =~ m/INFECTED:: ?(.+) (FOUND )?::/) { $VirusType_Clamd{$1}++; $MailScan_Virus_Clamd++; } elsif ($ThisLine =~ m/\/.+ Infection: (.+)/i) { @@ -203,7 +203,7 @@ } elsif ($ThisLine =~ m/>>> Virus \'(.+)\' found/) { $VirusType_Sophos{$1}++; $MailScan_Virus_Sophos++; - } elsif ($ThisLine =~ m/SophosSAVI::INFECTED:: (.+)::/) { + } elsif ($ThisLine =~ m/SophosSAVI::INFECTED:: ?(.+)::/) { $VirusType_SophosSavi{$1}++; $MailScan_Virus_SophosSavi++; } elsif ($ThisLine =~ m/Commercial scanner (.+) timed out!/){ From dm.gouveia at gmail.com Fri Mar 18 21:03:53 2011 
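Review bot: in the @@ -168 hunk of the logwatch mailscanner script, the ClamAVModule and generic INFECTED branches still capture with a greedy (.+), while the Clamd branch uses (\S+). If those lines share the "name :: path" layout of the Clamd sample, the greedy capture runs to the last "::" on the line and, in the ClamAVModule branch, keeps the trailing space in the name that ends up as a %VirusType_* key. Making the leading space optional is fine, but consider (\S+) or a non-greedy (.+?) in those branches as well, and \s* instead of " ?" so a further spacing change in the log format does not break the report again.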
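Review bot: the SophosSAVI branch changed in the @@ -203 hunk is untested by the submitter's own account, since only Clamd is run on that host. Before merging, check the new pattern against a real SophosSAVI::INFECTED line logged by 4.83.2 to confirm that the space was dropped for that scanner too and that $1 is still the bare virus name, because (.+):: is greedy and will take in any earlier "::" on the line.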
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia) Date: Fri Mar 18 21:04:03 2011 Subject: MailScanner Notify Message-ID: Hi guys, MailScanner do not advice the recipient that a virus was found and archive only, can anyone help me? Versions; Postfix 2.7.1 Postgrey 1.32 MailScanner 4.79.11 MailWatch 1.0.5 clamAV 0.96.5 SpamAssassin 3.003.001 MailScanner Config %etc-dir% = /etc/MailScanner %mcp-dir% = /etc/MailScanner/mcp %org-long-name% = Test.inc %org-name% = test %report-dir% = /etc/MailScanner/reports/pt_br %rules-dir% = /etc/MailScanner/rules %web-site% = www.test.com Add Envelope From Header = yes Add Envelope To Header = no Add Text Of Doc = no Add Watermark = yes Allow External Message Bodies = no Allow File MIME Types = Allow Filenames = Allow Filetypes = Allow Form Tags = yes #disarm Allow IFrame Tags = yes #disarm Allow Multiple HTML Signatures = no Allow Object Codebase Tags = yes Allow Partial Messages = no Allow Password-Protected Archives = no Allow Script Tags = yes #disarm Allow WebBugs = yes #disarm Allowed Sophos Error Messages = Also Find Numeric Phishing = yes Always Include MCP Report = no Always Include SpamAssassin Report = no Always Looked Up Last = &MailWatchLogging Always Looked Up Last After Batch = no Antiword = /usr/bin/antiword -f Antiword Timeout = 50 Archive Mail = /var/spool/MailScanner/archive Archives Are = zip ole #rar Archives: Allow File MIME Types = Archives: Allow Filenames = Archives: Allow Filetypes = Archives: Deny File MIME Types = Archives: Deny Filenames = #\.com$ \.exe$ \.bat$ \.asc$ Archives: Deny Filetypes = Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf Archives: Filetype Rules = %etc-dir%/archives.filetype.rules.conf Attach Image To HTML Message Only = yes Attach Image To Signature = yes #no Attachment Encoding Charset = ISO-8859-1 Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml Attachment Warning Filename = 
%org-name%-Attachment-Warning.txt Attachments Min Total Size To Zip = 100k Attachments Zip Filename = MessageAttachments.zip Automatic Syntax Check = yes Block Encrypted Messages = no Block Unencrypted Messages = no Bounce MCP As Attachment = no Bounce Spam As Attachment = no Cache SpamAssassin Results = yes Check Filenames In Password-Protected Archives = no #yes Check SpamAssassin If On Spam List = yes Check Watermarks To Skip Spam Checks = yes Check Watermarks With No Sender = yes ClamAV Full Message Scan = no #yes ClamAVmodule Maximum Compression Ratio = 250 ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) ClamAVmodule Maximum Files = 1000 ClamAVmodule Maximum Recursion Level = 8 Clamd Lock File = /var/run/clamav/clamd.pid Clamd Socket = /var/run/clamav/clamd.ctl Clamd Use Threads = yes Clean Header Value = Found to be clean Content Modify Subject = start Content Subject Text = [Conteudo Suspeito] #{Dangerous Content?} Convert Dangerous HTML To Text = no Convert HTML To Text = no Country Sub-Domains List = %etc-dir%/country.domains.conf Custom Functions Dir = /etc/MailScanner/CustomFunctions Custom Spam Scanner Timeout = 20 Custom Spam Scanner Timeout History = 20 Dangerous Content Scanning = yes Debug = no Debug SpamAssassin = no Definite MCP Is High Scoring = no Definite Spam Is High Scoring = no Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt Deleted Size Message Report = %report-dir%/deleted.size.message.txt Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt Deliver Cleaned Messages = yes Deliver Disinfected Files = no Deliver In Background = yes Deliver Unparsable TNEF = yes #no Delivery Method = batch Deny File MIME Types = Deny Filenames = #\.com$ \.exe$ \.bat$ \.asc$ Deny Filetypes = Detailed MCP Report = yes Detailed Spam Report = yes Disarmed Modify Subject = start Disarmed Subject Text = [HTML Desativado] #{Disarmed} 
Disinfected Header Value = Disinfected Disinfected Report = %report-dir%/disinfected.report.txt Dont Sign HTML If Headers Exist = # In-Reply-To: References: Enable Spam Bounce = %rules-dir%/bounce.rules Envelope From Header = X-%org-name%-MailScanner-From: Envelope To Header = X-%org-name%-MailScanner-To: Expand TNEF = no File Command = /usr/bin/file File Timeout = 20 Filename Modify Subject = start Filename Rules = %etc-dir%/filename.rules.conf Filename Subject Text = [Anexo Suspeito] Filetype Rules = %etc-dir%/filetype.rules.conf Find Archives By Content = yes Find Phishing Fraud = yes Find UU-Encoded Files = no First Check = spam Fpscand Port = 10200 Gunzip Command = /bin/gunzip Gunzip Timeout = 50 Hide Incoming Work Dir = yes Hide Incoming Work Dir in Notices = no High Scoring MCP Actions = deliver High Scoring MCP Modify Subject = start High Scoring MCP Subject Text = {MCP?} High Scoring Spam Actions = store notify High Scoring Spam Modify Subject = no #start High Scoring Spam Subject Text = {Spam?} High SpamAssassin Score = 10 Highlight Phishing Fraud = yes Hostname = MailScanner #the %org-name% ($HOSTNAME) MailScanner ID Header = X-%org-name%-MailScanner-ID: Ignore Spam Whitelist If Recipients Exceed = 20 Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap shim Include Binary Attachments In SpamAssassin = no Include Scanner Name In Reports = yes Include Scores In MCP Report = no Include Scores In SpamAssassin Report = yes Incoming Queue Dir = /var/spool/postfix/hold Incoming Work Dir = /var/spool/MailScanner/incoming Incoming Work Group = clamav Incoming Work Permissions = 0640 Incoming Work User = Infected Header Value = Found to be infected Information Header Value = Please contact the ISP for more information Inline HTML Signature = %report-dir%/inline.sig.html Inline HTML Warning = %report-dir%/inline.warning.html Inline Text Signature = %report-dir%/inline.sig.txt Inline Text Warning = %report-dir%/inline.warning.txt IP Protocol Version Header = 
# X-%org-name%-MailScanner-IP-Protocol: Is Definitely MCP = no Is Definitely Not MCP = no Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules Is Definitely Spam = no Keep Spam And MCP Archive Clean = no Known Web Bug Servers = msgtag.com Language Strings = %report-dir%/languages.conf Local Postmaster = postmaster Lock Type = Lockfile Dir = /var/lock/subsys/MailScanner Log Dangerous HTML Tags = no Log Delivery And Non-Delivery = no Log MCP = no Log Non Spam = no Log Permitted File MIME Types = no Log Permitted Filenames = no Log Permitted Filetypes = no Log Silent Viruses = no Log Spam = yes #no Log SpamAssassin Rule Actions = yes Log Speed = yes #no Mail Header = X-%org-name%-MailScanner: MailScanner Version Number = 4.79.11 Mark Infected Messages = yes Mark Unscanned Messages = no #yes Max Children = 5 Max Custom Spam Scanner Size = 20k Max Custom Spam Scanner Timeouts = 10 Max Normal Queue Size = 800 Max Spam Check Size = 200k Max Spam List Timeouts = 7 Max SpamAssassin Size = 80k continue 120k Max SpamAssassin Timeouts = 5 Max Unsafe Bytes Per Scan = 50m Max Unsafe Messages Per Scan = 30 Max Unscanned Bytes Per Scan = 100m Max Unscanned Messages Per Scan = 30 Maximum Archive Depth = 0 Maximum Attachment Size = -1 Maximum Attachments Per Message = 50 Maximum Message Size = %rules-dir%/max.message.size.rules Maximum Processing Attempts = 3 MCP Actions = deliver MCP Checks = no MCP Error Score = 1 MCP Header = X-%org-name%-MailScanner-MCPCheck: MCP High SpamAssassin Score = 10 MCP Max SpamAssassin Size = 100k MCP Max SpamAssassin Timeouts = 20 MCP Modify Subject = start MCP Required SpamAssassin Score = 1 MCP SpamAssassin Default Rules Dir = %mcp-dir% MCP SpamAssassin Install Prefix = %mcp-dir% MCP SpamAssassin Local Rules Dir = %mcp-dir% MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf MCP SpamAssassin Timeout = 10 MCP SpamAssassin User State Dir = MCP Subject Text = {MCP?} Minimum Attachment Size = -1 Minimum Code Status = supported 
Minimum Stars If On Spam List = 0 Missing Mail Archive Is = directory Monitors for ClamAV Updates = /usr/local/share/clamav/*.cld /usr/local/share/clamav/*.cvd Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide MTA = postfix Multiple Headers = append Never Notify Senders Of Precedence = list bulk Non MCP Actions = deliver Non Spam Actions = deliver #header "X-Spam-Status: No" Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar Notice Signature = -- \nMailScanner\nEmail Virus Scanner\ nwww.mailscanner.info Notices From = MailScanner Notices Include Full Headers = no #yes Notices To = root@test.com Notify Senders = no Notify Senders Of Blocked Filenames Or Filetypes = no #yes Notify Senders Of Blocked Size Attachments = no Notify Senders Of Other Blocked Content = yes Notify Senders Of Viruses = no Outgoing Queue Dir = /var/spool/postfix/incoming Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Phishing Modify Subject = start #no Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Subject Text = [Phishing] #{Fraud?} PID file = /var/run/MailScanner/MailScanner.pid Place New Headers At Top Of Message = no Processing Attempts Database = /var/spool/MailScanner/incoming/Processing.db Quarantine Dir = /var/spool/MailScanner/quarantine Quarantine Group = Quarantine Infections = yes Quarantine Modified Body = no Quarantine Permissions = 0600 Quarantine Silent Viruses = no Quarantine User = Quarantine Whole Message = no Quarantine Whole Messages As Queue Files = no Queue Scan Interval = 2 Read IP Address From Received Header = no Rebuild Bayes Every = 0 Recipient MCP Report = %report-dir%/recipient.mcp.report.txt Reject Message = no Rejection Report = %report-dir%/rejection.report.txt Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: Required SpamAssassin Score = 5 Restart Every = 7600 Run As Group = postfix Run As User = postfix Run In Foreground = no Scan Messages = yes Scanned Modify Subject = no # end Scanned Subject Text = 
{Scanned} Send Notices = yes Sender Bad Filename Report = %report-dir%/sender.filename.report.txt Sender Content Report = %report-dir%/sender.content.report.txt Sender Error Report = %report-dir%/sender.error.report.txt Sender MCP Report = %report-dir%/sender.mcp.report.txt Sender Size Report = %report-dir%/sender.size.report.txt Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt Sender Spam Report = %report-dir%/sender.spam.report.txt Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt Sender Virus Report = %report-dir%/sender.virus.report.txt Sign Clean Messages = no #yes Sign Messages Already Processed = no Signature Image Filename = signature.jpg Signature Image Filename = %report-dir%/sig.jpg Silent Viruses = HTML-IFrame All-Viruses Size Modify Subject = no #start Size Subject Text = {Size} Sophos IDE Dir = /opt/sophos-av/lib/sav Sophos Lib Dir = /opt/sophos-av/lib Spam Actions = deliver #header "X-Spam-Status: Yes" Spam Checks = yes Spam Domain List = Spam Header = X-%org-name%-MailScanner-SpamCheck: Spam List = Spam List Definitions = %etc-dir%/spam.lists.conf Spam List Timeout = 5 Spam List Timeouts History = 10 Spam Lists To Be Spam = 1 Spam Lists To Reach High Score = 3 Spam Modify Subject = start Spam Score = no #yes Spam Score Character = s Spam Score Header = X-%org-name%-MailScanner-SpamScore: Spam Score Number Format = %d Spam Subject Text = [SPAM] #{Spam?} SpamAssassin Auto Whitelist = yes SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db SpamAssassin Cache Timings = 1800,300,10800,172800,600 SpamAssassin Default Rules Dir = SpamAssassin Install Prefix = SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Rule Actions = SpamAssassin Site Rules Dir = /etc/mail/spamassassin SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin Timeout = 35 #75 SpamAssassin Timeouts History = 30 SpamAssassin User 
State Dir = /var/lib/MailScanner SpamScore Number Instead Of Stars = no Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report: Split Exim Spool = no Still Deliver Silent Viruses = no Stored Bad Content Message Report = %report-dir%/stored.content.message.txt Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt Stored Size Message Report = %report-dir%/stored.size.message.txt Stored Virus Message Report = %report-dir%/stored.virus.message.txt Syslog Facility = mail Syslog Socket Type = TNEF Expander = /usr/bin/tnef --maxsize=100000000 TNEF Timeout = 120 Treat Invalid Watermarks With No Sender as Spam = nothing Unpack Microsoft Documents = yes #off Unrar Command = /usr/bin/unrar Unrar Timeout = 50 Unscanned Header Value = Not scanned #: please contact your Internet E-Mail Service Provider for details Unzip Filenames = *.txt *.ini *.log *.csv Unzip Maximum File Size = 50k Unzip Maximum Files Per Archive = 10 Unzip MimeType = text/plain Use Custom Spam Scanner = no Use Default Rules With Multiple Recipients = no Use SpamAssassin = yes Use Stricter Phishing Net = yes Use TNEF Contents = no #replace Use Watermarking = no Virus Modify Subject = start Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* Virus Scanner Definitions = %etc-dir%/virus.scanners.conf Virus Scanner Timeout = 30 Virus Scanners = clamav Virus Scanning = yes Virus Subject Text = [Virus] Wait During Bayes Rebuild = no Warning Is Attachment = yes Watermark Header = X-%org-name%-MailScanner-Watermark: Watermark Lifetime = 604800 Watermark Secret = %org-name%-Secret Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif Zip Attachments = no -- Danilo Marques de Gouveia -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110318/a64aa0a3/attachment.html From glenn.steen at gmail.com Fri Mar 18 21:27:21 2011 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 18 21:27:33 2011 Subject: Allow Multiple HTML Signatures, not working? In-Reply-To: <19662921.10747.1300460167302.JavaMail.markus@cronlabworkstation0> References: <8980526.10660.1300439949128.JavaMail.markus@cronlabworkstation0> <19662921.10747.1300460167302.JavaMail.markus@cronlabworkstation0> Message-ID: On 18 March 2011 15:56, Markus Nilsson wrote: >> Hi! >> >> I am having problems with >> >> Allow Multiple HTML Signatures = no >> >> I always get multiple image signatures in my mails Looks like the same >> problems as >> >> http://article.gmane.org/gmane.mail.virus.mailscanner/73770/match=multiple+inline+html+signatures >> >> >> Is anyone successfully using this feature? >> >> >> I tried to do some debugging of this, and found that the signature >> image is successfully detected by the >> >> sub DisarmTagCallback { >> >> function, but the variable SigImageFound is still 0 in >> >> sub DisarmHTML { >> >> I made log prints in these two locations, and see that they are done >> in different threads, and that value seems not to be passed between >> them. Could this be a bug? (Notice the different pids in the log >> below) >> >> 30574:Mar 18 09:34:23 xxx MailScanner[23120]: SigImage: 1 <-- From >> DisarmTagCallback >> 30579:Mar 18 09:34:23 xxx MailScanner[23093]: sigimagepresent: 0 <-- >> From DisarmHTML >> >> >> BR/ >> >> Markus >> >> > > Hi, > > I'm not sure if I am alone with this problem, but I worked a bit with this on my end, and have come up with a patch to get it to work. > > The problem as I see it, is that the HTML parser runs in one thread, and does not tell the main thread about the signature finding. This patch below adds information about the found signature to the pipe from the parser, and sets the global variable in the main thread. > > 6796a6797,6798 >> ? ? #Add SignatureImageIsFound Magic text if the sig is found >> ? ? 
print $pipe "SignatureImageIsFound\n" if ($SigImageFound == 1); > 6815c6817,6818 > < ? ? ? push @DisarmDoneSomething, $pipedata; > --- >> ? ? ? $SigImageFound = 1 if($pipedata eq "SignatureImageIsFound"); >> ? ? ? push @DisarmDoneSomething, $pipedata unless ($pipedata eq "SignatureImageIsFound"); > > > The patch is against > # ? $Id: Message.pm 4986 2010-01-18 14:52:38Z sysjkf > > > This feature would actually be very useful to make replied messages not grow in size! > > Thanks > /Markus > > Without commenting on the merit of your patch (I'm a tad too tipsy to do that:-), I know that unless you start doing proper context diffs, no one (most prominently Jules) will look at them;). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Mar 18 21:38:20 2011 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 18 21:38:29 2011 Subject: MailScanner Notify In-Reply-To: References: Message-ID: On 18 March 2011 22:03, Danilo Marques de Gouveia wrote: > Hi guys, > MailScanner do not advice the recipient that a virus was found and archive > only, can anyone help me? (snip) > Silent Viruses = HTML-IFrame All-Viruses (snip) > Still Deliver Silent Viruses = no (snip) Look at the docs for these, understand the ramifications, then... if you still want this, do some informed changes. The docs are in the comments just above each setting in MailScanner.conf, also in a nice way on www.mailscanner.info (in the docs, there is a HTMLified list of all settings in MailScanner.info) and I'm sure the MailScanner book (available on the website) touches on this as well (although it's been a while since I read it last:). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From doctor at doctor.nl2k.ab.ca Sat Mar 19 13:49:42 2011 
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sat Mar 19 13:49:55 2011
Subject: Exim and current Mailscanenr
Message-ID: <20110319134942.GA16704@doctor.nl2k.ab.ca>

All right

I was wondering if MailScanner docs need updating?

Running Exim 4.74 and

See in their panic log

exim user lost privilege for using -C option

.

How ?

--
Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
Now is the time time to declare your allegiance!

From maxsec at gmail.com Sat Mar 19 15:44:18 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Mar 19 15:44:27 2011
Subject: Exim and current Mailscanenr
In-Reply-To: <20110319134942.GA16704@doctor.nl2k.ab.ca>
References: <20110319134942.GA16704@doctor.nl2k.ab.ca>
Message-ID:

There was a fix for a small and difficult to exploit hole in Exim to do
with escalated privs. Check the Exim docs for details and for ways to work
around it.

On Saturday, 19 March 2011, The Doctor wrote:
> All right
>
> I was wondering if MailScanner docs need updating?
>
> Running Exim 4.74 and
>
> See in their panic log
>
> exim user lost privilege for using -C option
>
> .
>
> How ?
>
> --
> Member - Liberal International This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
> God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
> http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
> Now is the time time to declare your allegiance!

--
--
Martin Hepworth
Oxford, UK

From markus at markusoft.se Mon Mar 21 07:38:02 2011
From: markus at markusoft.se (Markus Nilsson) Date: Mon Mar 21 07:38:20 2011 Subject: Allow Multiple HTML Signatures, not working? In-Reply-To: Message-ID: <24223067.2.1300693081575.JavaMail.markus@cronlabworkstation0> > >> Hi! > >> > >> I am having problems with > >> > >> Allow Multiple HTML Signatures = no > >> > >> I always get multiple image signatures in my mails Looks like the > >> same > >> problems as > >> > >> http://article.gmane.org/gmane.mail.virus.mailscanner/73770/match=multiple+inline+html+signatures > >> > >> ... > >> > >> > > > > Hi, > > > > I'm not sure if I am alone with this problem, but I worked a bit > > with this on my end, and have come up with a patch to get it to > > work. > > > > The problem as I see it, is that the HTML parser runs in one thread, > > and does not tell the main thread about the signature finding. This > > patch below adds information about the found signature to the pipe > > from the parser, and sets the global variable in the main thread. > > ... > > > > > Without commenting on the merit of your patch (I'm a tad too tipsy to > do that:-), I know that unlesss you start doing proper context diffs, > noone (most prominently Jules) will look at them;). > > Cheers > -- > -- Glenn Hi, Thanks Glenn, you are right, that wasn't very helpful. Sorry for that! I'm blaming the friday afternoon :) I hope this is better, and please tell me if I should send it in another format! This diff is against the Message.pm in 4.83.3-1 --- Message.pm 2011-03-21 08:31:47.000000000 +0100 +++ Message.pm.patched 2011-03-21 08:33:56.000000000 +0100 
@@ -6856,39 +6856,42 @@ default_h => [ sub { print @_; }, "text"], ) ->parse_file($oldname) or MailScanner::Log::WarnLog("HTML disarming, can't open file %s: %s", $oldname, $!); } # Dump the contents of %DisarmDoneSomething down the pipe foreach my $ddskey (keys %DisarmDoneSomething) { print $pipe "$ddskey\n"; } + #Add SignatureImageIsFound Magic text if the sig is found + print $pipe "SignatureImageIsFound\n" if ($SigImageFound == 1); print $pipe "ENDENDEND\n"; $pipe->close; $pipe = undef; exit 0; # The child will never get here. } # In the parent. my @DisarmDoneSomething; eval { $pipe->reader(); local $SIG{ALRM} = sub { die "Command Timed Out" }; alarm MailScanner::Config::Value('spamassassintimeout'); # Read the contents of %DisarmDoneSomething from the pipe my($pipedata); while (defined($pipedata = <$pipe>)) { last if $pipedata eq "ENDENDEND\n"; chomp $pipedata; - push @DisarmDoneSomething, $pipedata; + $SigImageFound = 1 if($pipedata eq "SignatureImageIsFound"); + push @DisarmDoneSomething, $pipedata unless ($pipedata eq "SignatureImageIsFound"); #print STDERR "DisarmDoneSomething $pipedata\n"; } waitpid $pid, 0; $pipe->close; $PipeReturn = $?; alarm 0; $pid = 0; }; alarm 0; # Workaround for bug in perl shipped with Solaris 9, BR/ Markus -- This message has been scanned for viruses and dangerous content by CronLab (www.cronlab.com), and is believed to be clean. From dm.gouveia at gmail.com Mon Mar 21 13:20:11 2011 
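Review bot: the parent's read loop only ever sets $SigImageFound to 1, and nothing visible in this hunk clears it before the next message. If the parent's copy is a long-lived global, one message that already carries the signature image could suppress the signature on messages processed afterwards, so please show where it is reset per message or clear it just before the fork. The marker also shares the line stream with the %DisarmDoneSomething keys, so a key equal to "SignatureImageIsFound" would be silently left out of @DisarmDoneSomething; a prefix that cannot be a key, and one if/else (or next) instead of testing the same string twice, would be more robust.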
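The hand-off discussed in the "Allow Multiple HTML Signatures" thread above, as an added stand-alone Perl example (not MailScanner code and not part of any post): a flag set in a forked child never reaches the parent's copy of the variable, so it has to travel over the pipe. The name scan_in_child, the TAG/SIG/END record prefixes, the 10-second timeout and the sample HTML are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. scan_in_child() and the TAG/SIG/END
# record prefixes are hypothetical names chosen for this illustration.
use strict;
use warnings;
use IO::Pipe;

$| = 1;                    # unbuffered STDOUT, so a child never re-prints parent output
our $SigImageFound = 0;    # stands in for the global discussed in the thread

# Parse $html in a forked child and report back over a pipe.
# Returns a hash ref describing what the parent learned.
sub scan_in_child {
    my ($html, $sig_name) = @_;
    my $pipe = IO::Pipe->new or die "pipe: $!";
    my $pid  = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {                                   # child process
        $pipe->writer();
        my %done;
        $done{script} = 1 if $html =~ /<script\b/i;
        $done{form}   = 1 if $html =~ /<form\b/i;
        # This assignment changes only the child's copy of the global.
        $SigImageFound = 1 if $html =~ /<img\b[^>]*\Q$sig_name\E/i;
        # Every record carries a type prefix, so a flag cannot be mistaken
        # for a tag name and no magic string has to be filtered out later.
        print $pipe "TAG $_\n" for sort keys %done;
        print $pipe "SIG 1\n" if $SigImageFound;
        print $pipe "END\n";
        $pipe->close;
        exit 0;
    }

    # Parent process: the result is local to this call, so nothing carries
    # over from one message to the next.
    $pipe->reader();
    my @tags;
    my ($sig, $complete) = (0, 0);
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timed out\n" };
        alarm 10;                                      # assumed timeout
        while (defined(my $line = <$pipe>)) {
            chomp $line;
            if    ($line eq 'END')         { $complete = 1; last; }
            elsif ($line =~ /^TAG (\w+)$/) { push @tags, $1; }
            elsif ($line eq 'SIG 1')       { $sig = 1; }
            # any other record is ignored rather than trusted
        }
        alarm 0;
        1;
    };
    alarm 0;
    kill 'KILL', $pid unless $ok;                      # no stuck child left behind
    $pipe->close;
    waitpid $pid, 0;
    my $clean = ($ok && $complete && $? == 0) ? 1 : 0;

    return {
        tags          => \@tags,
        sig_from_pipe => $sig,
        parent_global => $SigImageFound,   # the child's write never reached this copy
        clean         => $clean,
    };
}

# Constructed sample bodies: a reply that already carries the signature
# image, followed by a fresh message that does not.
my @messages = (
    '<p>reply</p><img src="cid:signature.jpg"><script>x()</script>',
    '<p>new message, no signature yet</p><form action="#"></form>',
);
for my $html (@messages) {
    my $r = scan_in_child($html, 'signature.jpg');
    printf "tags=%s sig_from_pipe=%d parent_global=%d clean=%d\n",
        join(',', @{ $r->{tags} }) || '-',
        @{$r}{qw(sig_from_pipe parent_global clean)};
}
```

Running it shows the flag arriving only through the pipe record, and the second message starting from a clean state because the result is returned per call instead of being kept in a global.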
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia)
Date: Mon Mar 21 13:20:21 2011
Subject: MailScanner Notify
In-Reply-To:
References:
Message-ID:

Hi Glenn, thanks for your help.

I understood what Silent Viruses and Still Deliver Silent Viruses mean, and
that is correct: MailScanner can't deliver the messages with a virus, but it
should take the virus out and send a notification to the user saying "The
file example.xls was blocked as a virus, if you still want to receive that
message, please call the helpdesk".

Reading the configs, the option that allows this is:

# Do you want to deliver messages once they have been cleaned of any
# viruses?
# By making this a ruleset, you can re-create the "Deliver From Local"
# facility of previous versions.
Deliver Cleaned Messages = yes

But when a message with a virus arrives, MailScanner sends out only the
notification to the system administrator:

This is a piece of my mail.log

Mar 21 10:12:01 mike MailScanner[10045]: Spam Checks: Starting
Mar 21 10:12:01 mike postfix/pickup[10084]: D8F09281514: uid=103 from=< danilo.marques@curriculum.com.br>
Mar 21 10:12:01 mike postfix/cleanup[10087]: D8F09281514: hold: header Received: by mx.quake.com.br (Postfix, from userid 103)??id D8F09281514; Mon, 21 Mar 2011 10:12:01 -0300 (BRT) from local; from=< danilo.marques@curriculum.com.br>

Any ideas?

Cheers,

On Fri, Mar 18, 2011 at 6:38 PM, Glenn Steen wrote:
> On 18 March 2011 22:03, Danilo Marques de Gouveia wrote:
> > Hi guys,
> > MailScanner do not advice the recipient that a virus was found and archive
> > only, can anyone help me?
> (snip)
> > Silent Viruses = HTML-IFrame All-Viruses
> (snip)
> > Still Deliver Silent Viruses = no
> (snip)
> Look at the docs for these, understand the ramifications, then... if
> you still want this, do some informed changes.
> The docs are in the comments just above each setting in
> MailScanner.conf, also in a nice way on www.mailscanner.info (in the
> docs, there is a HTMLified list of all settings in MailScanner.info)
> and I'm sure the MailScanner book (available on the website) touches on
> this as well (although it's been a while since I read it last:).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
Danilo Marques de Gouveia

From alex at vidadigital.com.pa Mon Mar 21 13:54:03 2011
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Mon Mar 21 13:54:32 2011
Subject: MailScanner Notify
In-Reply-To:
References:
Message-ID: <4D87587B.6070708@vidadigital.com.pa>

That should only be done for internal users, and only for certain types
of viruses - otherwise you'll be backscattering.

If someone wanted to bug one of your users, they would send EICAR
1,000,000 times to your server. Your user would then receive 1,000,000
messages saying "the file eicar.com was blocked as a virus".

On 3/21/2011 8:20 AM, Danilo Marques de Gouveia wrote:
> Hi Glenn, thanks for your help.
>
> I understood what Silent Viruses and Still Deliver Silent Viruses
> mean, and that is correct: MailScanner can't deliver the messages
> with a virus, but it should take the virus out and send a notification
> to the user saying "The file example.xls was blocked as a virus, if
> you still want to receive that message, please call the helpdesk".
>
> Reading the configs, the option that allows this is:
>
> # Do you want to deliver messages once they have been cleaned of any
> # viruses?
> # By making this a ruleset, you can re-create the "Deliver From Local"
> # facility of previous versions.
> Deliver Cleaned Messages = yes
>
> But when a message with a virus arrives, MailScanner sends out
> only the notification to the system administrator:
> This is a piece of my mail.log
>
> Mar 21 10:12:01 mike MailScanner[10045]: Spam Checks: Starting
> Mar 21 10:12:01 mike postfix/pickup[10084]: D8F09281514: uid=103
> from=
>
> Mar 21 10:12:01 mike postfix/cleanup[10087]: D8F09281514: hold: header
> Received: by mx.quake.com.br (Postfix, from
> userid 103)??id D8F09281514; Mon, 21 Mar 2011 10:12:01 -0300 (BRT)
> from local; from=
>
>
> Any ideas?
>
> Cheers,
> On Fri, Mar 18, 2011 at 6:38 PM, Glenn Steen wrote:
>
> On 18 March 2011 22:03, Danilo Marques de Gouveia wrote:
> > Hi guys,
> > MailScanner do not advice the recipient that a virus was found and archive
> > only, can anyone help me?
> (snip)
> > Silent Viruses = HTML-IFrame All-Viruses
> (snip)
> > Still Deliver Silent Viruses = no
> (snip)
> Look at the docs for these, understand the ramifications, then... if
> you still want this, do some informed changes.
> The docs are in the comments just above each setting in
> MailScanner.conf, also in a nice way on www.mailscanner.info (in the
> docs, there is a HTMLified list of all settings in MailScanner.info)
> and I'm sure the MailScanner book (available on the website) touches on
> this as well (although it's been a while since I read it last:).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
> --
> Danilo Marques de Gouveia

--
--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)
Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From jaearick at colby.edu Mon Mar 21 13:49:17 2011
From: jaearick at colby.edu (Jeff Earickson) Date: Mon Mar 21 13:57:12 2011 Subject: MS-4.83.2: problems with lots of quarantined msgs, MS crash (again) Message-ID: All, My occasional issue of MailScanner locking up with the sequence of: Making attempt 6 at processing message... Quarantined message ... as it caused MailScanner to crash several times MailScanner: waiting for children to die: Process did not exit cleanly, returned 255 with signal 0 bit me again this weekend, causing 391 messages to go into the quarantine between 18:00 EST and 19:53; The problem seemed to actually start at 17:44, when "/etc/MailScanner/ScamNailer" ran, thus sending SIGHUPs to MailScanner processes. The problem seemed to clear up shortly after the cron job at 19:44 for ScamNailer whacked MailScanner again. When I copied the 391 messages over to mqueue.in and ran them thru MailScanner again later, no problems. My setup: MS 4.83.2 running with Sendmail 8.14.4 on Redhat 5.6 x64. I had hoped that the fixes in 4.83.2 fixed this issue. Jeff Earickson Colby College From garry at glendown.de Mon Mar 21 14:42:47 2011 
From: garry at glendown.de (Garry Glendown) Date: Mon Mar 21 14:42:55 2011 Subject: mutiple Signature Image Filenames In-Reply-To: <7D95F4DE708E0948892128F41A25073806285438@ES2.impromed.com> References: <7D95F4DE708E0948892128F41A25073806285438@ES2.impromed.com> Message-ID: <4D8763E7.9010403@glendown.de> On 10.03.2011 19:41, Scott B. Anderson wrote: > I've been using inline signatures, both html and txt for a long time, based on ruleset by domain (multiple inline signatures) but until now have not been asked to use a picture in the signature. I realize I could use an a href in the html signature -- but want to avoid doing that for reasons that should be obvious to all of us here. I started by using the Signature Image Filename, and that works great as long as only one of the domans are assigned an image, or all domains use the same image. Is there a way to specify multiple Signature Image Filenames? I'm using 4.81.4 Similar question, but slightly different - I'd need to have the option of adding more than one signature image to a mail ... can this be done? Tnx, Garry From glenn.steen at gmail.com Mon Mar 21 17:03:39 2011 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 21 17:03:52 2011 Subject: MailScanner Notify In-Reply-To: References: Message-ID: Try excluding a virus detection pattern from the silent viruses setting (that is: don't have the pseudo-pattern all-viruses there) and then send a virus through... You'll notice the difference;-) As Alex says, take care with this... A far better option is to use some form of auxiliary system (like mailwatch) that can send a quarantine report ... That way, regardless of volume, you at most send one infomail/timeperiod (usually once/day)/recipient. Cheers On 21 Mar 2011 14:25, "Danilo Marques de Gouveia" wrote: Hi Glenn, thanks for your help. I understood what Silent Viruses and Still Delivery Silent Viruses means and that is correct, the MailScanner can't deliver the Messages with virus, but it should take the virus out and send a notification to the user saying "The file example.xls was blocked as a virus, if you still want to receive that message, please call the helpdesk" reading the configs the option that allow this is: # Do you want to deliver messages once they have been cleaned of any # viruses? # By making this a ruleset, you can re-create the "Deliver From Local" # facility of previous versions. Deliver Cleaned Messages = yes but when a message with a virus arrives, the MailScanner sends out only the Notification to the System administrator: This is a piece of my mail.log Mar 21 10:12:01 mike MailScanner[10045]: Spam Checks: Starting Mar 21 10:12:01 mike postfix/pickup[10084]: D8F09281514: uid=103 from=< danilo.marques@curriculum.com.br> Mar 21 10:12:01 mike postfix/cleanup[10087]: D8F09281514: hold: header Received: by mx.quake.com.br (Postfix, from userid 103)??id D8F09281514; Mon, 21 Mar 2011 10:12:01 -0300 (BRT) from local; from=< danilo.marques@curriculum.com.br> Any ideas? 
Cheers, On Fri, Mar 18, 2011 at 6:38 PM, Glenn Steen wrote: > > On 18 March 2011 22:03, Danilo Marques de Gouveia wrote: > > > Hi guys, > > >... -- Danilo Marques de Gouveia -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From dm.gouveia at gmail.com Mon Mar 21 17:28:17 2011 
From: dm.gouveia at gmail.com (Danilo Marques de Gouveia) Date: Mon Mar 21 17:28:27 2011 Subject: MailScanner Notify In-Reply-To: References: Message-ID: Guys, I realized that if I use eicar instead of clamAV test-files the notifications work just fine (I didn't change the silent viruses settings, but I think it shows that if I change the silent viruses settings even with clamav test-files I would receive the notification), however I did a bulk test and my email test got tons of notifications, so I'm gonna do what you are saying, will disable that notification and keep an eye in MailWatch. Thanks all, On Mon, Mar 21, 2011 at 2:03 PM, Glenn Steen wrote: > Try excluding a virus detection pattern from the silent viruses setting > (that is: don't have the pseudo-pattern all-viruses there) and then send a > virus through... You'll notice the difference;-) > > As Alex says, take care with this... A far better option is to use some > form of auxiliary system (like mailwatch) that can send a quarantine report > ... That way, regardless of volume, you at most send one infomail/timeperiod > (usually once/day)/recipient. > > Cheers > > On 21 Mar 2011 14:25, "Danilo Marques de Gouveia" > wrote: > > > Hi Glenn, thanks for your help. > > I understood what Silent Viruses and Still Delivery Silent Viruses means > and that is correct, the MailScanner can't deliver the Messages with virus, > but it should take the virus out and send a notification to the user saying > "The file example.xls was blocked as a virus, if you still want to receive > that message, please call the helpdesk" > > reading the configs the option that allow this is: > > # Do you want to deliver messages once they have been cleaned of any > # viruses? > # By making this a ruleset, you can re-create the "Deliver From Local" > # facility of previous versions. 
> Deliver Cleaned Messages = yes > > but when a message with a virus arrives, the MailScanner sends out only the > Notification to the System administrator: > This is a piece of my mail.log > > Mar 21 10:12:01 mike MailScanner[10045]: Spam Checks: Starting > Mar 21 10:12:01 mike postfix/pickup[10084]: D8F09281514: uid=103 from=< > danilo.marques@curriculum.com.br> > Mar 21 10:12:01 mike postfix/cleanup[10087]: D8F09281514: hold: header > Received: by mx.quake.com.br (Postfix, from userid 103)??id D8F09281514; > Mon, 21 Mar 2011 10:12:01 -0300 (BRT) from local; from=< > danilo.marques@curriculum.com.br> > > Any ideas? > > Cheers, > > > On Fri, Mar 18, 2011 at 6:38 PM, Glenn Steen > wrote: > >> > >> > On 18 March 2011 22:03, Danilo Marques de Gouveia >> wrote: >> > > Hi guys, >> > >... > > -- > Danilo Marques de Gouveia -- Danilo Marques de Gouveia From jonas at vrt.dk Tue Mar 22 09:33:17 2011 
From: jonas at vrt.dk (Jonas) Date: Tue Mar 22 09:33:29 2011 Subject: Max spam check size Message-ID: <09F23668E315FD4597C13D73E5123ADF5BD379@SCTSBS.sct.dk> Hey Guys I just had to up our max spam size check from 1MB to 2,5MB because of some Asian spam's that was 1,4MB in size. So I'm curious as to what size people use to exempt from spam scanning (if any) Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From nsnidanko at harperpowerproducts.com Tue Mar 22 20:29:59 2011 From: nsnidanko at harperpowerproducts.com (Naz Snidanko) Date: Tue Mar 22 20:30:15 2011 Subject: Max spam check size References: <09F23668E315FD4597C13D73E5123ADF5BD379@SCTSBS.sct.dk> Message-ID: <5A3F1C070C66DB4F9C71950D33E91CA515A9D2@tor_nt01.harperdda.com> Jonas, I assume you are referring to spamassassin checks. If so I have it currently set up at 750kb but we have plenty of resources to spare, our servers have load of 0.35 on average. 1.4mb that is extreme for spam message; the biggest one that scored below 10 in the past 60 days is 196kb. I guess someone has plenty of resources and bandwidth to spare as well, haha Regards, Naz Snidanko Desktop & Network Support Harper Power Products Inc. (p) 416 201- 7506 nsnidanko@harperpowerproducts.com _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas Sent: March 22, 2011 5:33 AM To: mailscanner@lists.mailscanner.info Subject: Max spam check size Hey Guys I just had to up our max spam size check from 1MB to 2,5MB because of some Asian spam's that was 1,4MB in size. So I'm curious as to what size people use to exempt from spam scanning (if any) Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 København S Office: 7020 0979 Direct: 3336 9974 Mobile: 5120 1096 Fax: 7020 0978 Web: www.techbiz.dk From sumit at cospringsit.com Wed Mar 23 00:47:27 2011 
From: sumit at cospringsit.com (Sumit Bhattacharjee) Date: Wed Mar 23 00:48:30 2011 Subject: All messages getting marked as Spam Message-ID: Hello All, I have been using MailScanner for several months now and it has been working very well. However, since yesterday, almost all inbound messages are getting marked marked as Spam. I have the SpamAssassin threshold set to 6 (default I believe), and following are a couple of examples of the spam report (email from different domains/IP's): X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00, T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, URIBL_SEM_FRESH_15 4.10) X-cospringsitcom-MailScanner-SpamScore: 7 X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00) X-cospringsitcom-MailScanner-SpamScore: 9 The commonality that I am seeing is that the URIBL_BLACK is 1.77 for almost all messages and URIBL_SEM_FRESH_15 is 4.10. But I am not sure what has changed (nothing should have). I'd much appreciate any debugging steps recommended by experts on this list. Regards, Sumit Bhattacharjee This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply email so that we may correct our internal records. 
Please then delete the original message (including any attachments) in its entirety. Thank you. From alex at vidadigital.com.pa Wed Mar 23 06:20:52 2011 
From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Wed Mar 23 06:21:24 2011 Subject: All messages getting marked as Spam In-Reply-To: References: Message-ID: <4D899144.9050709@vidadigital.com.pa> You can either include something like: score URIBL_BLACK 0.00 in your /etc/mail/spamassassin/local.cf and ignore those rules, or you can fix whatever's being added or included in your otherwise legitimate mails that is being listed at the URIBL lists as "url's common in spam e-mail". I'm guessing, so I'm probably wrong. But it's probably a "disclaimer" or "signature" with a URL that's being added to most e-mails going through your server (such as your "This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply email so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.", which is not really enforceable neither technically nor legally, and is only a waste of electrons) - which is being sent to spamtraps and marked as "spammy" by the URIBL lists. Unfortunately without more information I don't think we could guess what is actually triggering these rules. The URIBL lists work by listing known SPAM URL's... If a spammer decides to send out spams saying "buy this thing that will make you bigger down there" or something like that, with a URL saying "visit soandso.com", the URIBL list will add "soandso.com" to it's database. 
If another e-mail - even with a different text - comes with "visit soandso.com" the URIBL list rules will "hit", adding an X amount of points towards the "6" you "believe" to be the default setting. That means something is being added - by your users, or by your server - that triggers this rule. Without the original messages, there's no way of knowing, especially since it's "strictly prohibited" to disseminate this electronic mail or its contents. The fact that this happened "since yesterday" means something made the URIBL lists "aware" of the URL's being added somewhere within the messages (could be a signature) as something used by spammers (not necessarily you or your server). This means that even if you score these rules as "0.0", others might throw your messages in the junk mail folder since they still follow the original rules. On 3/22/2011 7:47 PM, Sumit Bhattacharjee wrote: > Hello All, > I have been using MailScanner for several months now and it has been > working very well. However, since yesterday, almost all inbound > messages are getting marked marked as Spam. 
I have the SpamAssassin > threshold set to 6 (default I believe), and following are a couple of > examples of the spam report (email from different domains/IP's): > X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, > MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00, > T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00, > URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, > URIBL_SEM_FRESH_15 4.10) > X-cospringsitcom-MailScanner-SpamScore: 7 > X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, > URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26, > URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, > URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00) > X-cospringsitcom-MailScanner-SpamScore: 9 > The commonality that I am seeing is that the URIBL_BLACK is 1.77 for > almost all messages and URIBL_SEM_FRESH_15 is 4.10. But I am not sure > what has changed (nothing should have). > I'd much appreciate any debugging steps recommended by experts on this > list. > Regards, > Sumit Bhattacharjee > > This electronic mail (including any attachments) may contain > information that is privileged, confidential, and/or otherwise > protected from disclosure to anyone other than its intended > recipient(s). Any dissemination or use of this electronic email or its > contents (including any attachments) by persons other than the > intended recipient(s) is strictly prohibited. If you have received > this message in error, please notify us immediately by reply email so > that we may correct our internal records. Please then delete the > original message (including any attachments) in its entirety. Thank you. 
> -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From ms-list at alexb.ch Wed Mar 23 06:41:58 2011 
From: ms-list at alexb.ch (Alex Broens) Date: Wed Mar 23 06:42:08 2011 Subject: All messages getting marked as Spam In-Reply-To: References: Message-ID: <4D899636.7080203@alexb.ch> On 2011-03-23 1:47, Sumit Bhattacharjee wrote: > Hello All, > > I have been using MailScanner for several months now and it has been working > very well. However, since yesterday, almost all inbound messages are > getting marked marked as Spam. I have the SpamAssassin threshold set to 6 > (default I believe), and following are a couple of examples of the spam > report (email from different domains/IP's): > > X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, > MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00, > T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00, > URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, > URIBL_SEM_FRESH_15 4.10) > X-cospringsitcom-MailScanner-SpamScore: 7 > > X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, > URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26, > URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, > URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00) > X-cospringsitcom-MailScanner-SpamScore: 9 > > The commonality that I am seeing is that the URIBL_BLACK is 1.77 for almost > all messages and URIBL_SEM_FRESH_15 is 4.10. But I am not sure what has > changed (nothing should have). > > I'd much appreciate any debugging steps recommended by experts on this list. either ALL your mail has blacklisted URLs in it (highly unlikely) or you have a DNS issue. Are you using a local resolver or your ISP's recursor? From ricardo at wenn.com Wed Mar 23 10:09:37 2011 
From: ricardo at wenn.com (Ricardo Branco) Date: Wed Mar 23 10:09:56 2011 Subject: Return-Path header issue causing SA flag RP_8BIT Message-ID: <4D89C6E1.209@wenn.com> Messages coming through MailScanner are getting checked with SA and being flagged up with RP_8BIT as the Return-Path is set as follows. Return-Path:<<81>g> If we then receive the email it shows the Return-Path filled out correctly but if it's quarantined we can check the file on the server and we see the Return-Path as above, this is causing issues as all messages get marked up by SA with RP_8BIT which we have now had to score to 0. -- The WENN name, design and related marks are trademarks of WENN Ltd. (c) 2011 All Rights Reserved. Registered No: 4375163 Place of Registration: United Kingdom Registered Office: 35 Tileyard Studios, Tileyard Road, London, N7 9AH, England www.wenn.com This email is confidential and intended for the exclusive use of the addressee/s only. You should not disclose its contents to any other person. If you are not the intended recipient please notify the sender immediately. The contents of this email are not for publication unless specifically stated. WENN does not accept liability for viruses introduced by this e-mail or attachments. From prandal at herefordshire.gov.uk Wed Mar 23 10:24:59 2011 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Mar 23 10:25:18 2011 Subject: Return-Path header issue causing SA flag RP_8BIT In-Reply-To: <4D89C6E1.209@wenn.com> References: <4D89C6E1.209@wenn.com> Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B852FB3FB18@HC-EXMBX02.herefordshire.gov.uk> Same issue and workaround here. The problem started with a spamassassin rules update on Sunday. Cheers, Phil -- Phil Randal | Infrastructure Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ricardo Branco Sent: 23 March 2011 10:10 To: MailScanner discussion Subject: Return-Path header issue causing SA flag RP_8BIT Messages coming through MailScanner are getting checked with SA and being flagged up with RP_8BIT as the Return-Path is set as follows. Return-Path:<<81>g> If we then receive the email it shows the Return-Path filled out correctly but if it's quarantined we can check the file on the server and we see the Return-Path as above, this is causing issues as all messages get marked up by SA with RP_8BIT which we have now had to score to 0. -- The WENN name, design and related marks are trademarks of WENN Ltd. (c) 2011 All Rights Reserved. Registered No: 4375163 Place of Registration: United Kingdom Registered Office: 35 Tileyard Studios, Tileyard Road, London, N7 9AH, England www.wenn.com This email is confidential and intended for the exclusive use of the addressee/s only. You should not disclose its contents to any other person. If you are not the intended recipient please notify the sender immediately. The contents of this email are not for publication unless specifically stated. WENN does not accept liability for viruses introduced by this e-mail or attachments. From maxsec at gmail.com Wed Mar 23 10:34:14 2011 
From: maxsec at gmail.com (Martin Hepworth) Date: Wed Mar 23 10:34:23 2011 Subject: Return-Path header issue causing SA flag RP_8BIT In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B852FB3FB18@HC-EXMBX02.herefordshire.gov.uk> References: <4D89C6E1.209@wenn.com> <7CA580B59C1ABD45B4614ED90D4C7B852FB3FB18@HC-EXMBX02.herefordshire.gov.uk> Message-ID: there was an 'emergency' SA rules update to 'fix' an issue with compiled rules, maybe this broke other stuff -- Martin Hepworth Oxford, UK On 23 March 2011 10:24, Randal, Phil wrote: > Same issue and workaround here. > > The problem started with a spamassassin rules update on Sunday. > > Cheers, > > Phil > > -- > Phil Randal | Infrastructure Engineer > NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's > Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ricardo Branco > Sent: 23 March 2011 10:10 > To: MailScanner discussion > Subject: Return-Path header issue causing SA flag RP_8BIT > > Messages coming through MailScanner are getting checked with SA and being > flagged up with RP_8BIT as the Return-Path is set as follows. > > Return-Path:<<81>g> > > If we then receive the email it shows the Return-Path filled out correctly > but if it's quarantined we can check the file on the server and we see the > Return-Path as above, this is causing issues as all messages get marked up > by SA with RP_8BIT which we have now had to score to 0. > > > > -- > The WENN name, design and related marks are trademarks of WENN Ltd. (c) > 2011 All Rights Reserved. > > Registered No: 4375163 Place of Registration: United Kingdom Registered > Office: 35 Tileyard Studios, Tileyard Road, London, N7 9AH, England > > www.wenn.com > > This email is confidential and intended for the exclusive use of the > addressee/s only. > You should not disclose its contents to any other person. If you are not > the intended recipient please notify the sender immediately. The contents of > this email are not for publication unless specifically stated. WENN does not > accept liability for viruses introduced by this e-mail or attachments. 
From hkeasytech at gmail.com Wed Mar 23 11:15:25 2011 From: hkeasytech at gmail.com (Barry Kwok) Date: Wed Mar 23 11:15:34 2011 Subject: email duplicate suppression Message-ID: Hi, MTA: postfix 2.3.3 We are using MailScanner's archive rules to auto forward email. e.g FromOrTo: abc@def.com supervisor@def.com But if someone sends an email to abc@def.com and cc to supervisor@def.com, supervisor@def.com will then get two copies of emails. Is there any way in Postfix or MailScanner to suppress the duplication. --barry From Robert.Meurlin at se.fujitsu.com Wed Mar 23 12:53:15 2011 From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert) Date: Wed Mar 23 12:53:53 2011 Subject: SV: Return-Path header issue causing SA flag RP_8BIT In-Reply-To: References: <4D89C6E1.209@wenn.com> <7CA580B59C1ABD45B4614ED90D4C7B852FB3FB18@HC-EXMBX02.herefordshire.gov.uk> Message-ID: Same issue and fix here too. /R From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin Hepworth Sent: 23 March 2011 11:34 To: MailScanner discussion Subject: Re: Return-Path header issue causing SA flag RP_8BIT there was an 'emergency' SA rules update to 'fix' an issue with compiled rules, maybe this broke other stuff -- Martin Hepworth Oxford, UK On 23 March 2011 10:24, Randal, Phil wrote: Same issue and workaround here. The problem started with a spamassassin rules update on Sunday. Cheers, Phil -- Phil Randal | Infrastructure Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ricardo Branco Sent: 23 March 2011 10:10 To: MailScanner discussion Subject: Return-Path header issue causing SA flag RP_8BIT Messages coming through MailScanner are getting checked with SA and being flagged up with RP_8BIT as the Return-Path is set as follows. Return-Path:<<81>g> If we then receive the email it shows the Return-Path filled out correctly but if it's quarantined we can check the file on the server and we see the Return-Path as above, this is causing issues as all messages get marked up by SA with RP_8BIT which we have now had to score to 0. -- The WENN name, design and related marks are trademarks of WENN Ltd. (c) 2011 All Rights Reserved. Registered No: 4375163 Place of Registration: United Kingdom Registered Office: 35 Tileyard Studios, Tileyard Road, London, N7 9AH, England www.wenn.com This email is confidential and intended for the exclusive use of the addressee/s only. You should not disclose its contents to any other person. If you are not the intended recipient please notify the sender immediately. The contents of this email are not for publication unless specifically stated. WENN does not accept liability for viruses introduced by this e-mail or attachments. 
From alex at vidadigital.com.pa Wed Mar 23 13:13:05 2011 From: alex at vidadigital.com.pa (Alex Neuman van der Hans) Date: Wed Mar 23 13:13:39 2011 Subject: email duplicate suppression In-Reply-To: References: Message-ID: <4D89F1E1.40505@vidadigital.com.pa> I don't see how from the way it works... Specially if one of the recipients is BCC'd... It would be interesting to find out how to accomplish this. On 3/23/2011 6:15 AM, Barry Kwok wrote: > Hi, > > MTA: postfix 2.3.3 > > We are using MailScanner's archive rules to auto forward email. > e.g > FromOrTo: abc@def.com supervisor@def.com > > > But if someone sends an email to abc@def.com and > cc to supervisor@def.com , > supervisor@def.com will then get two > copies of emails. > > Is there any way in Postfix or MailScanner to suppress the duplication. > > > --barry -- Alex Neuman van der Hans Reliant Technologies / Vida Digital http://vidadigital.com.pa/ +507-6781-9505 +507-832-6725 +1-440-253-9789 (USA) Follow @AlexNeuman on Twitter http://facebook.com/vidadigital From markus at markusoft.se Wed Mar 23 13:41:55 2011 From: markus at markusoft.se (Markus Nilsson) Date: Wed Mar 23 13:42:11 2011 Subject: email duplicate suppression In-Reply-To: <4D89F1E1.40505@vidadigital.com.pa> Message-ID: <26260146.245.1300887712635.JavaMail.markus@cronlabworkstation0> Skipped content of type multipart/related From hkeasytech at gmail.com Wed Mar 23 14:00:09 2011 
From: hkeasytech at gmail.com (Barry Kwok) Date: Wed Mar 23 14:00:19 2011 Subject: email duplicate suppression In-Reply-To: <26260146.245.1300887712635.JavaMail.markus@cronlabworkstation0> References: <4D89F1E1.40505@vidadigital.com.pa> <26260146.245.1300887712635.JavaMail.markus@cronlabworkstation0> Message-ID: On Wed, Mar 23, 2011 at 9:41 PM, Markus Nilsson wrote: > ----- Original Message ----- > > From: "Alex Neuman van der Hans" > > I don't see how from the way it works... Specially if one of the > > recipients is BCC'd... It would be interesting to find out how to > > accomplish this. > > > > On 3/23/2011 6:15 AM, Barry Kwok wrote: > > > > Hi, > > > > > > MTA: postfix 2.3.3 > > > > > > > > We are using MailScanner's archive rules to auto forward email. > > e.g > > FromOrTo: abc@def.com supervisor@def.com > > > > > > But if someone sends an email to abc@def.com and cc to > > supervisor@def.com , > > supervisor@def.com will then get two copies of emails. > > > > > > Is there any way in Postfix or MailScanner to suppress the > > duplication. > > > > > > Hi, > > Just an idea, but maybe this would work? > > FromOrTo: supervisor@def.com /dev/null > FromOrTo: abc@def.com supervisor@def.com > > /Markus > > But this makes supervisor@def.com not get direct email to him anymore. -barry From markus at markusoft.se Wed Mar 23 14:13:10 2011 From: markus at markusoft.se (Markus Nilsson) Date: Wed Mar 23 14:13:27 2011 Subject: email duplicate suppression In-Reply-To: Message-ID: <26908913.253.1300889586955.JavaMail.markus@cronlabworkstation0> Skipped content of type multipart/related From alex at vidadigital.com.pa Wed Mar 23 14:19:50 2011 
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Wed Mar 23 14:20:22 2011
Subject: email duplicate suppression
In-Reply-To: <26908913.253.1300889586955.JavaMail.markus@cronlabworkstation0>
References: <26908913.253.1300889586955.JavaMail.markus@cronlabworkstation0>
Message-ID: <4D8A0186.9050803@vidadigital.com.pa>

Excellent point. If you use "forwarding" as an archive, instead of an actual archive, he should get those e-mails anyways!

On 3/23/2011 9:13 AM, Markus Nilsson wrote:
> I'm pretty sure the supervisor will get his own mails!

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)
Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From sumit at cospringsit.com Wed Mar 23 15:21:46 2011
From: sumit at cospringsit.com (Sumit Bhattacharjee)
Date: Wed Mar 23 15:22:21 2011
Subject: All messages getting marked as Spam
In-Reply-To: <4D899636.7080203@alexb.ch>
References: <4D899636.7080203@alexb.ch>
Message-ID:

Thank you for the helpful hints. My DNS resolver points to an ISP recursor for the first entry and a generic Internet server for the 2nd entry (4.2.2.2). I don't seem to have a problem pinging by domain from the command line on the server.

Also, please note that not *All* inbound email is being marked as Spam. For instance, this reply from Alex Broens was not. But every other email to the MailScanner list today was marked as Spam. So I am very puzzled.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
Sent: Wednesday, March 23, 2011 12:42 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: All messages getting marked as Spam

On 2011-03-23 1:47, Sumit Bhattacharjee wrote:
> Hello All,
>
> I have been using MailScanner for several months now and it has been
> working very well. However, since yesterday, almost all inbound
> messages are getting marked as Spam. I have the SpamAssassin
> threshold set to 6 (default I believe), and following are a couple of
> examples of the spam report (email from different domains/IP's):
>
> X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>     score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00,
>     MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00,
>     T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00,
>     URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01,
>     URIBL_SEM_FRESH_15 4.10)
> X-cospringsitcom-MailScanner-SpamScore: 7
>
> X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>     score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00,
>     URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26,
>     URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01,
>     URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00)
> X-cospringsitcom-MailScanner-SpamScore: 9
>
> The commonality that I am seeing is that the URIBL_BLACK is 1.77 for
> almost all messages and URIBL_SEM_FRESH_15 is 4.10. But I am not sure
> what has changed (nothing should have).
>
> I'd much appreciate any debugging steps recommended by experts on this list.

either ALL your mail has blacklisted URLs in it (highly unlikely) or you have a DNS issue. Are you using a local resolver or your ISP's recursor?
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply email so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.

From ms-list at alexb.ch Wed Mar 23 15:33:48 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Wed Mar 23 15:34:04 2011
Subject: All messages getting marked as Spam
In-Reply-To:
References: <4D899636.7080203@alexb.ch>
Message-ID: <4D8A12DC.4000601@alexb.ch>

On 2011-03-23 16:21, Sumit Bhattacharjee wrote:
> Thank you for the helpful hints. My DNS resolver points to an ISP recursor
> for the first entry and a generic Internet server for the 2nd entry
> (4.2.2.2). I don't seem to have a problem pinging by domain from the
> command line on the server.

ping tests are not relevant.

Your ISP's resolvers may be tarpitted/blocked by BL providers and returning more positive response than normal.

It's practice to use a recursor under your control. Once you do that I'd bet your problem goes away.

> Also, please note that not *All* inbound email is being marked as Spam. For
> instance, this reply from Alex Broens was not. But every other email to the
> MailScanner list today was marked as Spam. So I am very puzzled.

From MailScanner at ecs.soton.ac.uk Wed Mar 23 17:55:03 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Mar 23 17:55:20 2011
Subject: Return-Path header issue causing SA flag RP_8BIT
In-Reply-To: <4D89C6E1.209@wenn.com>
References: <4D89C6E1.209@wenn.com> <4D8A33F7.4070204@ecs.soton.ac.uk>
Message-ID:

I have just published an update to MailScanner which resolves this problem.

Thanks to Steve Freegard for his invaluable help!

Cheers,
Jules.

On 23/03/2011 10:09, Ricardo Branco wrote:
> Messages coming through MailScanner are getting checked with SA and
> being flagged up with RP_8BIT as the Return-Path is set as follows.
>
> Return-Path:<<81>g>
>
> If we then receive the email it shows the Return-Path filled out
> correctly but if it's quarantined we can check the file on the server
> and we see the Return-Path as above, this is causing issues as all
> messages get marked up by SA with RP_8BIT which we have now had to
> score to 0.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
'All programs have a desire to be useful' - Tron, 1982

From MailScanner at ecs.soton.ac.uk Wed Mar 23 17:55:15 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Mar 23 17:55:32 2011
Subject: All messages getting marked as Spam
In-Reply-To: <4D899636.7080203@alexb.ch>
References: <4D899636.7080203@alexb.ch> <4D8A3403.6020404@ecs.soton.ac.uk>
Message-ID:

I have just published an update to MailScanner which resolves this problem.

Thanks to Steve Freegard for his invaluable help!

Cheers,
Jules.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
'All programs have a desire to be useful' - Tron, 1982

From alex at vidadigital.com.pa Wed Mar 23 20:27:37 2011
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Wed Mar 23 20:28:09 2011
Subject: All messages getting marked as Spam
In-Reply-To: <4D8A12DC.4000601@alexb.ch>
References: <4D899636.7080203@alexb.ch> <4D8A12DC.4000601@alexb.ch>
Message-ID: <4D8A57B9.80805@vidadigital.com.pa>

You may want to install BIND and run a caching resolver on your own box. Helps a lot, reduces latency and increases your overall resiliency.

On 3/23/2011 10:33 AM, Alex Broens wrote:
> It's practice to use a recursor under your control.

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)
Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From jonas at vrt.dk Thu Mar 24 11:16:46 2011
From: jonas at vrt.dk (Jonas)
Date: Thu Mar 24 11:17:00 2011
Subject: Max spam check size
In-Reply-To: <5A3F1C070C66DB4F9C71950D33E91CA515A9D2@tor_nt01.harperdda.com>
References: <09F23668E315FD4597C13D73E5123ADF5BD379@SCTSBS.sct.dk> <5A3F1C070C66DB4F9C71950D33E91CA515A9D2@tor_nt01.harperdda.com>
Message-ID: <09F23668E315FD4597C13D73E5123ADF5BD4A5@SCTSBS.sct.dk>

Ya the only ones I have seen this big are these asian ones, but then again we got hit bad by them, so I just upped it to 2.5MB, since our systems can take the extra load.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Naz Snidanko
Sent: 22. marts 2011 21:30
To: MailScanner discussion
Subject: RE: Max spam check size

Jonas,

I assume you are referring to spamassassin checks. If so I have it currently set up at 750kb but we have plenty of resources to spare, our servers have load of 0.35 on average. 1.4mb that is extreme for spam message; the biggest one that scored below 10 in the past 60 days is 196kb. I guess someone has plenty of resources and bandwidth to spare as well, haha

Regards,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko@harperpowerproducts.com

From hkeasytech at gmail.com Fri Mar 25 04:08:08 2011
From: hkeasytech at gmail.com (Barry Kwok)
Date: Fri Mar 25 04:08:19 2011
Subject: email duplicate suppression
In-Reply-To:
References:
Message-ID:

On Wed, Mar 23, 2011 at 7:15 PM, Barry Kwok wrote:

> Hi,
>
> MTA: postfix 2.3.3
>
> We are using MailScanner's archive rules to auto forward email.
> e.g
> FromOrTo: abc@def.com supervisor@def.com
>
> But if someone send an email to abc@def.com and cc to supervisor@def.com,
> supervisor@def.com will then get two copies of emails.
>
> Is there any way in Postfix or MailScanner to suppress the duplication.
>
> --barry

I read a recent discussion in postfix group and found some hints.
http://tech.groups.yahoo.com/group/postfix-users/message/275247

By setting
enable_original_recipient = no
in postfix main.cf
http://www.postfix.org/postconf.5.html#enable_original_recipient

postfix will do duplicate elimination on the rewritten recipient address. And this will eliminate the duplication such as alias expansion effectively.

But in my case above, for archive mail forwarding rule, it will only do partly:

For rule
From: abc@def.com supervisor@def.com
It will still work

But for rule
To: abc@def.com supervisor@def.com
will not work.

I think the reason for that is because MailScanner loses the original Envelope-To info after setting enable_original_recipient = no

--barry

From sumit at cospringsit.com Fri Mar 25 14:13:15 2011
From: sumit at cospringsit.com (Sumit Bhattacharjee)
Date: Fri Mar 25 14:13:43 2011
Subject: All messages getting marked as Spam
In-Reply-To:
References: <4D899636.7080203@alexb.ch> <4D8A3403.6020404@ecs.soton.ac.uk>
Message-ID:

The problem has disappeared on its own two days after starting. Jules, I had downloaded the tarball for the 4.83.4-1 build, but didn't get the chance to upgrade before the issue corrected itself.

I am thinking that it could be an issue with DNS resolution as Alex had earlier pointed out (although that seems unlikely to me because none of my other machines/services had any DNS issues) or that SpamAssassin update process picked up some bad file which for a couple of days kept reporting spam for practically every message, until it got rewritten in a subsequent update.

Thanks for your suggestions and help folks!

Cheers,
Sumit

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jules Field
Sent: Wednesday, March 23, 2011 11:55 AM
To: MailScanner discussion
Subject: {Spam?} Re: All messages getting marked as Spam

I have just published an update to MailScanner which resolves this problem.

Thanks to Steve Freegard for his invaluable help!

Cheers,
Jules.

From alex at vidadigital.com.pa Sat Mar 26 13:32:43 2011
From: alex at vidadigital.com.pa (Alex Neuman van der Hans)
Date: Sat Mar 26 13:33:22 2011
Subject: All messages getting marked as Spam
In-Reply-To:
References: <4D899636.7080203@alexb.ch> <4D8A3403.6020404@ecs.soton.ac.uk>
Message-ID: <4D8DEAFB.5080500@vidadigital.com.pa>

The fact that your other machines didn't *notice* any DNS issues does not exclude the possibility that they *were having* DNS issues. You should really look into local DNS caching. It benefits everyone.

On 3/25/2011 9:13 AM, Sumit Bhattacharjee wrote:
> although
> that seems unlikely to me because none of my other machines/services had any
> DNS issues

--
Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/
+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)
Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From achim+mailwatch at qustodium.net Tue Mar 29 15:23:27 2011
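The two SpamCheck reports quoted in the "All messages getting marked as Spam" thread above can be checked mechanically for the pattern Alex Broens's reply points at: a spam verdict that rests entirely on URI blocklist (DNS) rules which fire on every message. The Python below is an added example, not code from MailScanner, SpamAssassin or any poster; the function names, the use of the `URIBL_` prefix to pick out DNS URI-blocklist rules, the 0.9 threshold and the third (constructed) header are assumptions.

```python
import re
from collections import Counter

# The two SpamCheck headers quoted in the thread, unfolded to one line each.
THREAD_HEADERS = [
    "X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, "
    "score=7.983, required 6, FREEMAIL_FROM 0.00, HTML_MESSAGE 0.00, "
    "MIME_QP_LONG_LINE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
    "T_TO_NO_BRKTS_FREEMAIL 0.01, URIBL_BLACK 1.77, URIBL_RED 0.00, "
    "URIBL_RHS_DOB 0.28, URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, "
    "URIBL_SEM_FRESH_15 4.10)",
    "X-cospringsitcom-MailScanner-SpamCheck: spam, SpamAssassin (not cached, "
    "score=9.235, required 6, HTML_MESSAGE 0.00, RCVD_IN_DNSWL_NONE -0.00, "
    "URIBL_BLACK 1.77, URIBL_RED 0.00, URIBL_RHS_DOB 0.28, URIBL_SEM 1.26, "
    "URIBL_SEM_FRESH 0.81, URIBL_SEM_FRESH_10 1.01, "
    "URIBL_SEM_FRESH_15 4.10, URIBL_SEM_RED 0.00)",
]

# Constructed sample: a header without a SpamAssassin section, to show it is skipped.
CONSTRUCTED_NO_SA = "X-example-MailScanner-SpamCheck: not spam (whitelisted)"

SA_SECTION = re.compile(r"SpamAssassin \((.*)\)")
RULE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")
DNS_URI_PREFIX = "URIBL_"  # assumption: this prefix marks DNS URI-blocklist rules


def parse_spamcheck(header):
    """Return (score, required, {rule: points}); None if no SpamAssassin section."""
    unfolded = " ".join(header.split())  # undo header folding
    section = SA_SECTION.search(unfolded)
    if section is None:
        return None
    score = required = None
    rules = {}
    for field in (f.strip() for f in section.group(1).split(",")):
        if field.startswith("score="):
            score = float(field[len("score="):])
        elif field.startswith("required "):
            required = float(field[len("required "):])
        else:
            hit = RULE.match(field)
            if hit:  # "cached" / "not cached" do not match and are ignored
                rules[hit.group(1)] = float(hit.group(2))
    if score is None or required is None:
        raise ValueError("no score/required in: %r" % unfolded)
    return score, required, rules


def uribl_points(rules):
    """Points contributed by DNS URI-blocklist rules."""
    return sum(p for name, p in rules.items() if name.startswith(DNS_URI_PREFIX))


def diagnose(headers, common_fraction=0.9):
    """Summarise how much of a batch of verdicts depends on URI blocklist lookups."""
    parsed = [p for p in map(parse_spamcheck, headers) if p is not None]
    flipped = 0
    hits = Counter()
    for score, required, rules in parsed:
        # Spam only because of URIBL: over the threshold with them, under without.
        if score >= required and score - uribl_points(rules) < required:
            flipped += 1
        hits.update(n for n, p in rules.items()
                    if n.startswith(DNS_URI_PREFIX) and p > 0)
    total = len(parsed)
    common = sorted(n for n, c in hits.items()
                    if total and c / total >= common_fraction)
    return {
        "scored": total,
        "spam_only_because_of_uribl": flipped,
        "uribl_rules_on_nearly_all": common,
    }


if __name__ == "__main__":
    for h in THREAD_HEADERS:
        score, required, rules = parse_spamcheck(h)
        print("score %.3f, required %g, URIBL points %.2f"
              % (score, required, uribl_points(rules)))
    print(diagnose(THREAD_HEADERS + [CONSTRUCTED_NO_SA]))
```

On the two reports from the thread, subtracting the URIBL points leaves 0.013 and 0.005 against a required score of 6, and the same five scoring URIBL rules appear on both messages.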
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Tue Mar 29 15:23:42 2011
Subject: MailScanner: Could not analyze message
In-Reply-To:
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk>
Message-ID: <4D91EB5F.90701@qustodium.net>

Good afternoon:

Did this issue get resolved? I am seeing exactly the same issue today with emails that are generated by sendgrid.info. I found a couple of support articles [1, 2], but they address MailScanner's anti-phishing rather than the MIME parser.

At the same time, I tried to disable all content checks (first via rules file, now completely like so):

Dangerous Content Scanning = no

and still the messages get scanned and ultimately bounced with "Could not analyze message".

Is there a way to fix this, or at least turn the checks off? Is "Dangerous Content Scanning" perhaps the wrong setting for this behaviour?

Thanks, Achim

[1] <http://support.sendgrid.com/entries/360112-mailscanner-has-detected-a-possible-fraud-attempt>
[2] <https://www.interspire.com/support/kb/questions/1104/Recipients+are+seeing+phrases+like+%22MailScanner+has+detected+a+possible+fraud+attempt+from...%22>

On 21/05/2010 15:55, Julian Field wrote:
> You can get it if you have Raw Queue Files switched on, straight from
> the quarantine.
>
> On 21/05/2010 14:44, Gary Faith wrote:
>> I can get the message in the spam quarantine folder but how do I get
>> the raw message? Do I need to shutdown MailScanner and only have
>> sendmail running until after they say it was sent or is there some
>> other way to get it?
>> Gary
>>
>> >>> Julian Field 5/21/2010 5:33 AM >>>
>> Can you send me a URL of a sample message (raw queue files preferred) so
>> that I can try this out for you please?
>>
>> Jules.
>>
>> On 19/05/2010 21:12, Gary Faith wrote:
>> > I have some e-mail being sent by one individual to MailScanner running ver 4.79.11 and the messages are getting tagged as {Dangerous Content?}. I am running MailScanner with clamav & sanesecurity signatures, scamnailer, razor, pyzor & dcc. Mailwatch reports that it isn't a virus it is "Other Infection":
>> >
>> > Anti-Virus/Dangerous Content Protection
>> > Virus: N
>> > Blocked File: N
>> > Other Infection: Y
>> > Report:MailScanner: Could not analyze message
>> >
>> > The message has contains this:
>> >
>> > Warning: This message has had one or more attachments removed
>> > Warning: (the entire message).
>> > Warning: Please read the "XXX-Attachment-Warning.txt" attachment(s) for more information.
>> >
>> > This is a message from the MailScanner E-Mail Virus Protection Service
>> > ----------------------------------------------------------------------
>> > The original e-mail message contained potentially dangerous content,
>> > which has been removed for your safety.
>> >
>> > At Wed May 19 15:36:22 2010 the content filters said:
>> > MailScanner: Could not analyze message
>> >
>> > The sender uses Maximizer to generate the e-mail with a PDF attachment. I had the sender use Maximizer and send only the message without the attachment and it comes in fine. I had them send only the attachment via Outlook and it comes in fine. It seems the problem is with Maximizer but I am not sure why.
>> >
>> > I can send the quarantined message or whatever is needed to determine the problem off list.
>> >
>> > I need help in tracking down where the problem is and getting it fixed.
>> >
>> > Thanks,
>> >
>> > Gary Faith

--
Achim J. Latz, Qustodium Internet Security
achim.latz@qustodium.net · http://www.qustodium.net
Data Encryption · Backup Automatisation · E-Mail Protection

From achim+mailwatch at qustodium.net Tue Mar 29 15:39:09 2011
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Tue Mar 29 15:39:28 2011
Subject: MailScanner: Could not analyze message
In-Reply-To: <4D91EB5F.90701@qustodium.net>
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net>
Message-ID: <4D91EF0D.6040104@qustodium.net>

In case I was not clear enough, I also use version 4.79.11 like the original poster (from the Debian repositories), and a sample message looks like this (including the 4 dashes at the end):

Received: from o1.heroku.sendgrid.net (o1.heroku.sendgrid.net [67.228.50.54])
    by mail.domain.tld (Postfix) with SMTP id 64C31100B59
    for ; Tue, 29 Mar 2011 12:57:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=date:from
    :to:message-id:subject:mime-version:content-type
    :content-transfer-encoding:sender; s=smtpapi; bh=cjVxj8SvXqfJ+OD
    0qUgOCS/ZHMk=; b=lMMNyUB/AD8iwYNLB7J1466jdpZt9PD8aE1G270rqblp5OE
    Z+nnMvIxDP7bXPZ51k6ur8Qcot8Fg6YsQbsYKtQh4+dO3ncoZWrQr8y/YmiPUoKI
    KLajypfLIBHzF3FvKlb1WvtPI1/Xg27c/njC9BkYj/bxlBuYXdrEVMMVSBqo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sendgrid.info; h=date:from
    :to:message-id:subject:mime-version:content-type
    :content-transfer-encoding:sender; q=dns; s=smtpapi; b=tt7Xxp5bx
    +hVEMhzOMZTtnD+loZcvTHTqopuSZb14cr54FqU7bvWupRYJPqHzgn/ceiv35QBY
    ki90PTJnOecJaneKHTaTMYB3IgGS/Mj3AqSisxnjd2PP8/GasL5FRfH8cF/phPMQ
    SypEcAQWSAL5Ii2vcesHlWlx4U6mUvdiTA=
Date: Tue, 29 Mar 2011 03:57:19 -0700
From: recipient
To: recipient@domain.tld
Message-ID: <4d91bb0f59202_75034194989558c@railgun64.53306.mail>
Subject: New inquiry from your website
Mime-Version: 1.0
Content-Type: multipart/alternative
Content-Transfer-Encoding: 7bit
X-Sendgrid-EID: fg9kZZpXkJUwMfpjPNokyRcJeLbgGU+lau0B86ToVheEbpM2VsYILCZyk/AwQFhbDumpBXedgS9rtQaAAdDd7yFRvdye8ScGSNRG5dePguMLKXugPBLSMvx6+tHMZxOm0YMP2Tp1jpPuopwwCEEn7w==
Sender: recipient

This is a multi-part message in MIME format...
----

--
Achim J. Latz, Qustodium Internet Security
achim.latz@qustodium.net · http://www.qustodium.net
Data Encryption · Backup Automatisation · E-Mail Protection

From maxsec at gmail.com Tue Mar 29 16:12:29 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Mar 29 16:12:48 2011
Subject: MailScanner: Could not analyze message
In-Reply-To: <4D91EF0D.6040104@qustodium.net>
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net> <4D91EF0D.6040104@qustodium.net>
Message-ID:

upgrade to the latest version (and SA latest version) and see if it's still a problem

--
Martin Hepworth
Oxford, UK

On 29 March 2011 15:39, Achim J. Latz wrote:

> In case I was not clear enough, I also use version 4.79.11 like the
> original poster (from the Debian repositories), and a sample message looks
> like this (including the 4 dashes at the end):
>
> Received: from o1.heroku.sendgrid.net (o1.heroku.sendgrid.net[67.228.50.54])
>     by mail.domain.tld (Postfix) with SMTP id 64C31100B59
>     for ; Tue, 29 Mar 2011 12:57:22 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sendgrid.info; h=date:from
>     :to:message-id:subject:mime-version:content-type
>     :content-transfer-encoding:sender; s=smtpapi; bh=cjVxj8SvXqfJ+OD
>     0qUgOCS/ZHMk=; b=lMMNyUB/AD8iwYNLB7J1466jdpZt9PD8aE1G270rqblp5OE
>     Z+nnMvIxDP7bXPZ51k6ur8Qcot8Fg6YsQbsYKtQh4+dO3ncoZWrQr8y/YmiPUoKI
>     KLajypfLIBHzF3FvKlb1WvtPI1/Xg27c/njC9BkYj/bxlBuYXdrEVMMVSBqo=
> DomainKey-Signature: a=rsa-sha1; c=nofws; d=sendgrid.info; h=date:from
>     :to:message-id:subject:mime-version:content-type
>     :content-transfer-encoding:sender; q=dns; s=smtpapi; b=tt7Xxp5bx
>     +hVEMhzOMZTtnD+loZcvTHTqopuSZb14cr54FqU7bvWupRYJPqHzgn/ceiv35QBY
>     ki90PTJnOecJaneKHTaTMYB3IgGS/Mj3AqSisxnjd2PP8/GasL5FRfH8cF/phPMQ
>     SypEcAQWSAL5Ii2vcesHlWlx4U6mUvdiTA=
> Date: Tue, 29 Mar 2011 03:57:19 -0700
> From: recipient > To: recipient@domain.tld > Message-ID: <4d91bb0f59202_75034194989558c@railgun64.53306.mail> > Subject: New inquiry from your website > Mime-Version: 1.0 > Content-Type: multipart/alternative > Content-Transfer-Encoding: 7bit > X-Sendgrid-EID: > fg9kZZpXkJUwMfpjPNokyRcJeLbgGU+lau0B86ToVheEbpM2VsYILCZyk/AwQFhbDumpBXedgS9rtQaAAdDd7yFRvdye8ScGSNRG5dePguMLKXugPBLSMvx6+tHMZxOm0YMP2Tp1jpPuopwwCEEn7w== > Sender: recipient > > This is a multi-part message in MIME format... > ---- > > > > On 29/03/2011 16:23, Achim J. Latz wrote: > >> Good afternoon: >> >> Did this issue get resolved? I am seeing exactly the same issue today >> with emails that are generated by sendgrid.info. I found a couple of >> support articles [1, 2], but they address MailScanners anti-phishing >> rather than the MIME parser. >> >> At the same time, I tried to disable all content checks (first via rules >> file, now completely like so): >> >> Dangerous Content Scanning = no >> >> and still the messages get scanned and ultimately bounced with "Could >> not analyze message". >> >> Is there a way to fix this, or at least turn the checks off? Is >> "Dangerous Content Scanning" perhaps the wrong setting for this behaviour? >> >> Thanks, Achim >> >> [1] >> < >> http://support.sendgrid.com/entries/360112-mailscanner-has-detected-a-possible-fraud-attempt >> > >> >> [2] >> < >> https://www.interspire.com/support/kb/questions/1104/Recipients+are+seeing+phrases+like+%22MailScanner+has+detected+a+possible+fraud+attempt+from...%22 >> > >> >> >> On 21/05/2010 15:55, Julian Field wrote: >> >>> You can get it if you have Raw Queue Files switched on, straight from >>> the quarantine. >>> >>> On 21/05/2010 14:44, Gary Faith wrote: >>> >>>> I can get the message in the spam quarantine folder but how do I get >>>> the raw message? Do I need to shutdown MailScanner and only have >>>> sendmail running until after they say it was sent or is there some >>>> other way to get it? 
>>>> Gary >>>> >>>> >>> Julian Field 5/21/2010 5:33 AM >>> >>>> Can you send me a URL of a sample message (raw queue files preferred) so >>>> that I can try this out for you please? >>>> >>>> Jules. >>>> >>>> On 19/05/2010 21:12, Gary Faith wrote: >>>> > I have some e-mail being sent by one individual to MailScanner >>>> running ver 4.79.11 and the messages are getting tagged as {Dangerous >>>> Content?}. I am running MailScanner with clamav& sanesecurity >>>> signatures, scamnailer, razor, pyzor& dcc. Mailwatch reports that it >>>> isn't a virus it is "Other Infection": >>>> > >>>> > Anti-Virus/Dangerous Content Protection >>>> > Virus: N >>>> > Blocked File: N >>>> > Other Infection: Y >>>> > Report:MailScanner: Could not analyze message >>>> > >>>> > The message has contains this: >>>> > >>>> > Warning: This message has had one or more attachments removed >>>> > Warning: (the entire message). >>>> > Warning: Please read the "XXX-Attachment-Warning.txt" attachment(s) >>>> for more information. >>>> > >>>> > This is a message from the MailScanner E-Mail Virus Protection Service >>>> > ---------------------------------------------------------------------- >>>> > The original e-mail message contained potentially dangerous content, >>>> > which has been removed for your safety. >>>> > >>>> > At Wed May 19 15:36:22 2010 the content filters said: >>>> > MailScanner: Could not analyze message >>>> > >>>> > The sender uses Maximizer to generate the e-mail with a PDF >>>> attachment. I had the sender use Maximizer and send only the message >>>> without the attachment and it comes in fine. I had them send only the >>>> attachment via Outlook and it comes in fine. It seems the problem is >>>> with Mazimizer but I am not sure why. >>>> > >>>> > I can send the quarantined message or whatever is needed to >>>> determine the problem off list. >>>> > >>>> > I need help in tracking down where the problem is and getting it >>>> fixed. 
>>>> > >>>> > Thanks, >>>> > >>>> > Gary Faith >>>> >>> >> >> > > -- > Achim J. Latz, Qustodium Internet Security > achim.latz@qustodium.net ? http://www.qustodium.net > Data Encryption ? Backup Automatisation ? E-Mail Protection > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110329/187bd817/attachment.html From ecasarero at gmail.com Tue Mar 29 19:31:46 2011 From: ecasarero at gmail.com (Eduardo Casarero) Date: Tue Mar 29 19:32:16 2011 Subject: Releasing emails from quarantine with sendmail Message-ID: Hi everybody, does anyone know if it is possible to "release" an email and queue it in the sendmail outbound queue without being processed by MailScanner? I want to avoid MS because it generates a duplicated record in the DB. We used Mailwatch release method for some time and then a custom script to feed the released email to sendmail, but both options makes the email to be reprocesed by MS. I searched and read about sendmails options, but i coudnt find anything usefull. ?How does MScanner send HAM emails to recipients? copying df* and qf* to the outbound queue and firing a sendmail process to deliver that particular email? Any comment/idea would be appreciated. Thanks, Eduardo. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110329/cb5d0843/attachment.html From Dstraka at caspercollege.edu Tue Mar 29 20:06:39 2011 
From: Dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Mar 29 20:07:13 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To:
References:
Message-ID: <4D91D95F020000000011392C@gw.caspercollege.edu>

The command to forward quarantined messages

sendmail -toi user@domain.com < o4K6gD5s027824

(where o4K6gD5s027824 is the quarantined message)

>>> Eduardo Casarero 3/29/2011 12:31 PM >>>
Hi everybody, does anyone know if it is possible to "release" an email and
queue it in the sendmail outbound queue without being processed by
MailScanner? I want to avoid MS because it generates a duplicated record in
the DB. We used Mailwatch release method for some time and then a custom
script to feed the released email to sendmail, but both options make the
email be reprocessed by MS.

I searched and read about sendmail's options, but I couldn't find anything
useful. How does MScanner send HAM emails to recipients? Copying df* and
qf* to the outbound queue and firing a sendmail process to deliver that
particular email?

Any comment/idea would be appreciated.

Thanks,

Eduardo.

From ecasarero at gmail.com Tue Mar 29 20:35:12 2011
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue Mar 29 20:35:41 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To: <4D91D95F020000000011392C@gw.caspercollege.edu>
References: <4D91D95F020000000011392C@gw.caspercollege.edu>
Message-ID:

2011/3/29 Daniel Straka

> The command to forward quarantined messages
> sendmail -toi user@domain.com < o4K6gD5s027824 (where o4K6gD5s027824 is
> the quarantined message)
>

I tried that command and that email gets processed by MailScanner.

From achim+mailwatch at qustodium.net Wed Mar 30 11:11:52 2011
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Wed Mar 30 11:12:12 2011
Subject: MailScanner: Could not analyze message
In-Reply-To:
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net> <4D91EF0D.6040104@qustodium.net>
Message-ID: <4D9301E8.7070801@qustodium.net>

Hello Martin:

On 29/03/2011 17:12, Martin Hepworth wrote:
> upgrade to the latest version (and SA latest version) and see if it's
> still a problem

4.79.11 is unfortunately the last version that is available as an
official package for Debian/Ubuntu, so several people will stick to that
version until somebody resumes packaging for the orphaned MailScanner
[1]: maybe I should start doing this? Is anybody else on this list
interested in the latest version as DEB?

On topic: is there a way to disable the dangerous content checks in
4.79.11? As explained in my last message, even setting:

Dangerous Content Scanning = no

does not disable the scanning. How can I avoid "Could not analyze
message"?

Thanks, Achim

[1]

--
Achim J. Latz, Qustodium Internet Security
achim.latz@qustodium.net • http://www.qustodium.net
Data Encryption • Backup Automatisation • E-Mail Protection

From andrew at topdog.za.net Wed Mar 30 11:23:55 2011
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Wed Mar 30 11:24:42 2011
Subject: MailScanner: Could not analyze message
In-Reply-To: <4D9301E8.7070801@qustodium.net>
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net> <4D91EF0D.6040104@qustodium.net> <4D9301E8.7070801@qustodium.net>
Message-ID:

On 30 Mar 2011, at 12:11 PM, Achim J. Latz wrote:

> 4.79.11 is unfortunately the last version that is available as an
> official package for Debian/Ubuntu, so several people will stick to that
> version until somebody resumes packaging for the orphaned MailScanner
> [1]: maybe I should start doing this? Is anybody else on this list
> interested in the latest version as DEB

I am working on an ubuntu ppa for that at the moment.

--
Baruwa - www.baruwa.org

From achim+mailwatch at qustodium.net Wed Mar 30 11:59:56 2011
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Wed Mar 30 12:00:13 2011
Subject: MailScanner: Could not analyze message
In-Reply-To:
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net> <4D91EF0D.6040104@qustodium.net> <4D9301E8.7070801@qustodium.net>
Message-ID: <4D930D2C.7070204@qustodium.net>

Hello Andrew:

On 30/03/2011 12:23, Andrew Colin Kissa wrote:
> I am working on an ubuntu ppa for that at the moment.

I know about your Baruwa PPA. Are you saying that you will also create a
MailScanner DEB in that process? Do you have an estimation of when such
an updated package would become available: days, weeks?

My problem is rather urgent, as the MailScanner bug related to content
scanning prevents one of the users from receiving messages via a webform.

Cheers, Achim

--
Achim J. Latz, Qustodium Internet Security
achim.latz@qustodium.net • http://www.qustodium.net
Data Encryption • Backup Automatisation • E-Mail Protection

From andrew at topdog.za.net Wed Mar 30 12:44:38 2011
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Wed Mar 30 12:48:04 2011
Subject: MailScanner: Could not analyze message
In-Reply-To: <4D930D2C.7070204@qustodium.net>
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net> <4D91EF0D.6040104@qustodium.net> <4D9301E8.7070801@qustodium.net> <4D930D2C.7070204@qustodium.net>
Message-ID:

On 30 Mar 2011, at 12:59 PM, Achim J. Latz wrote:

> Are you saying that you will also create a MailScanner DEB in that process?

Yes.

> Do you have an estimation of when such an updated package would become
> available: days, weeks?

It would need to undergo testing so am looking at a couple of weeks at
least.

--
Baruwa - www.baruwa.org

From ka at pacific.net Wed Mar 30 14:00:08 2011
From: ka at pacific.net (Ken A)
Date: Wed Mar 30 14:00:22 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To:
References:
Message-ID: <4D932958.2050802@pacific.net>

Set MailScanner to quarantine as whole queue files and then just /bin/cp
them to the outbound queue to release them.

Ken

On 3/29/2011 1:31 PM, Eduardo Casarero wrote:
> Hi everybody, does anyone know if it is possible to "release" an email and
> queue it in the sendmail outbound queue without being processed by
> MailScanner? I want to avoid MS because it generates a duplicated record in
> the DB. We used Mailwatch release method for some time and then a custom
> script to feed the released email to sendmail, but both options make the
> email be reprocessed by MS.
>
> I searched and read about sendmail's options, but I couldn't find anything
> useful. How does MScanner send HAM emails to recipients? Copying df* and
> qf* to the outbound queue and firing a sendmail process to deliver that
> particular email?
>
> Any comment/idea would be appreciated.
>
> Thanks,
>
> Eduardo.

--
Ken Anderson
Pacific Internet - http://www.pacific.net
Latest Pacific.Net Status - http://twitter.com/pacnetstatus

From steve.freegard at fsl.com Wed Mar 30 14:04:01 2011
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Mar 30 14:04:11 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To:
References: <4D91D95F020000000011392C@gw.caspercollege.edu>
Message-ID: <4D932A41.6000201@fsl.com>

On 29/03/11 20:35, Eduardo Casarero wrote:
> 2011/3/29 Daniel Straka
>
>     The command to forward quarantined messages
>     sendmail -toi user@domain.com < o4K6gD5s027824
>     (where o4K6gD5s027824 is the quarantined message)
>
> I tried that command and that email gets processed by MailScanner.

How about this (untested):

sendmail -OQueueDirectory=/var/spool/mqueue -toi user@domain.com < message

Regards,
Steve.

From bonivart at opencsw.org Wed Mar 30 15:10:57 2011
From: bonivart at opencsw.org (Peter Bonivart)
Date: Wed Mar 30 15:20:53 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To: <4D932958.2050802@pacific.net>
References: <4D932958.2050802@pacific.net>
Message-ID:

On Wed, Mar 30, 2011 at 3:00 PM, Ken A wrote:
> Set MailScanner to quarantine as whole queue files and then just /bin/cp
> them to the outbound queue to release them.

You may need to fake the Message-ID header to get around Exchange
duplicate message protection (if you use Exchange), otherwise the
original (technically resent) message will be discarded. I insert the
sha1 hash of the df-file there.

H??Message-ID: <353001cbee50$f9913ab0$a10ea8c0@home>

Becomes:

H??Message-ID:

I have a script for easy handling of this.

/peter

From MailScanner at ecs.soton.ac.uk Wed Mar 30 17:15:27 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Wed Mar 30 17:15:48 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To:
References: <4D93571F.4040007@ecs.soton.ac.uk>
Message-ID:

One way to solve this is to not scan mail originating from 127.0.0.1 and
then just use sendmail to re-inject the message. As it's from localhost,
MailScanner will ignore it once you put that rule in place.

On 29/03/2011 19:31, Eduardo Casarero wrote:
> Hi everybody, does anyone know if it is possible to "release" an email
> and queue it in the sendmail outbound queue without being processed by
> MailScanner? I want to avoid MS because it generates a duplicated
> record in the DB. We used Mailwatch release method for some time and
> then a custom script to feed the released email to sendmail, but both
> options make the email be reprocessed by MS.
>
> I searched and read about sendmail's options, but I couldn't find
> anything useful. How does MScanner send HAM emails to recipients?
> Copying df* and qf* to the outbound queue and firing a sendmail
> process to deliver that particular email?
>
> Any comment/idea would be appreciated.
>
> Thanks,
>
> Eduardo.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM

'All programs have a desire to be useful' - Tron, 1982

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From donald.dawson at bakerbotts.com Wed Mar 30 17:29:18 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Wed Mar 30 17:30:00 2011
Subject: Clamd install
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831D883@BBEXVS04.bakerbotts.net>

Yesterday I upgraded MailScanner, SpamAssassin and Clamav using the
install files from the MailScanner site.

When I started to install the SpamAssassin/Clam software I was cautioned
to exit the script and install clamd from an rpm site and then come back
to finish the install.

I was able to download the 96.5 and 97 code, but I was not able to
install them due to missing libraries. Here's a snippet from the SA/CLAM
install script:

There are 2 recommended ways of installing ClamAV, depending on various
factors.
If you want to use MailScanners support for Clamd (virus-scanning
daemon) then I recommend you cancel this script now (press Ctrl-C)
and install the RPMs for clamav, clamav-db and clamd from
http://packages.sw.be/clamav/
Then re-run this script and tell me that clamscan is installed in
/usr/bin. This will set up your virus.scanners.conf file for you.

Using these downloads:
http://packages.sw.be/clamav/clamav-0.96.5-1.el6.rf.i686.rpm
http://packages.sw.be/clamav/clamav-db-0.96.5-1.el6.rf.i686.rpm
http://packages.sw.be/clamav/clamd-0.96.5-1.el6.rf.i686.rpm

I received the following errors:

# rpm -Uvh clamav-0.96.5-1.el6.rf.i686.rpm clamav-0.96.5-1.el6.rf.i686.rpm clamav-db-0.96.5-1.el6.rf.i686.rpm
warning: clamav-0.96.5-1.el6.rf.i686.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
warning: package clamav = 0.96.5-1.el6.rf was already added, skipping clamav < 0.96.5-1.el6.rf
error: Failed dependencies:
        libltdl.so.7 is needed by clamav-0.96.5-1.el6.rf.i686
        rpmlib(FileDigests) <= 4.6.0-1 is needed by clamav-0.96.5-1.el6.rf.i686
        rpmlib(PayloadIsXz) <= 5.2-1 is needed by clamav-0.96.5-1.el6.rf.i686
        rpmlib(FileDigests) <= 4.6.0-1 is needed by clamav-db-0.96.5-1.el6.rf.i686
        rpmlib(PayloadIsXz) <= 5.2-1 is needed by clamav-db-0.96.5-1.el6.rf.i686

Note, I removed the .96.4 version via 'rpm -e'.

I am now using ClamAV from the tarball install off of the MailScanner
site, but I would prefer to use clamd.

Also, I have to remove the clam-related files installed by the tarball
if I am going to install clamd, since they are not loaded in the same
locations.

Please guide me on how I can install clamd.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

Confidentiality Notice: The information contained in this email and any
attachments is intended only for the recipient[s] listed above and may be
privileged and confidential. Any dissemination, copying, or use of or
reliance upon such information by or to anyone other than the
recipient[s] listed above is prohibited. If you have received this
message in error, please notify the sender immediately at the email
address above and destroy any and all copies of this message.

From alex at vidadigital.com.pa Wed Mar 30 17:56:41 2011
From: alex at vidadigital.com.pa (Alex Neuman)
Date: Wed Mar 30 17:56:56 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To:
References: <4D93571F.4040007@ecs.soton.ac.uk>
Message-ID: <6640B804-75F0-429D-B596-B2EE34D27480@vidadigital.com.pa>

Might I suggest "not to scan e-mail from 127.0.0.1 and
to:yourdomain.com" just to avoid a bad script from being (mis)used to
send e-mail out from your server onto third parties? You *usually* don't
release mail to third parties, and in such exceptions you might want to
make additional exceptions for those third parties.

On Mar 30, 2011, at 11:15 AM, Jules Field wrote:

> One way to solve this is to not scan mail originating from 127.0.0.1 and
> then just use sendmail to re-inject the message. As it's from localhost,
> MailScanner will ignore it once you put that rule in place.

--

Alex Neuman van der Hans
Reliant Technologies / Vida Digital
http://vidadigital.com.pa/

+507-6781-9505
+507-832-6725
+1-440-253-9789 (USA)

Follow @AlexNeuman on Twitter
http://facebook.com/vidadigital

From dyioulos at firstbhph.com Wed Mar 30 17:59:33 2011
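Added example, not part of any list message and not MailScanner's, MailWatch's or any poster's script: the release route discussed in the thread above (copy the quarantined qf/df pair to the outbound queue, put a SHA-1 of the df file into the Message-ID, release only to your own domain), shown in Python. The qf line shapes (`RPFD:<addr>`, `H??Header:`), the `<sha1@host>` Message-ID form, the `tf` temporary name, the directory names and the sample data are assumptions.

```python
"""Release a quarantined sendmail queue pair (qf*/df*) to an outbound queue.
Added illustration; the qf layout and sample data below are assumptions."""
import hashlib
import os
import re
import shutil
import tempfile

QUEUE_ID = re.compile(r"^[A-Za-z0-9]{6,20}$")   # no "/" or ".": no path tricks
RCPT_LINE = re.compile(r"^R(?:[A-Z]*:)?<?([^<>\s]+)>?$")  # assumed "RPFD:<addr>"
MSGID_LINE = re.compile(r"^(H\?[^?]*\?Message-ID:)", re.IGNORECASE)

class ReleaseRefused(Exception):
    """The release would break the local-recipients-only policy."""

def recipients(qf_text):
    """Envelope recipients listed in the qf control file."""
    hits = (RCPT_LINE.match(line) for line in qf_text.splitlines())
    return [m.group(1) for m in hits if m]

def rewrite_message_id(qf_text, df_bytes, host):
    """Replace the Message-ID header with one built from the SHA-1 of the df file."""
    new_id = "<%s@%s>" % (hashlib.sha1(df_bytes).hexdigest(), host)
    out, in_old_header = [], False
    for line in qf_text.splitlines():
        if in_old_header and line[:1] in (" ", "\t"):
            continue                 # folded continuation of the replaced header
        in_old_header = False
        match = MSGID_LINE.match(line)
        if match:
            out.append("%s %s" % (match.group(1), new_id))
            in_old_header = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def release(quarantine_dir, queue_id, outbound_dir, local_domains, host):
    """Copy df, then publish the rewritten qf, only if every recipient is local."""
    if not QUEUE_ID.match(queue_id):
        raise ReleaseRefused("suspicious queue id %r" % queue_id)
    src_qf = os.path.join(quarantine_dir, "qf" + queue_id)
    src_df = os.path.join(quarantine_dir, "df" + queue_id)
    with open(src_qf, encoding="latin-1", newline="") as fh:
        qf_text = fh.read()
    with open(src_df, "rb") as fh:
        df_bytes = fh.read()
    rcpts = recipients(qf_text)
    outsiders = [r for r in rcpts
                 if r.rpartition("@")[2].lower() not in local_domains]
    if not rcpts or outsiders:
        raise ReleaseRefused("missing or non-local recipients: %r" % outsiders)
    # Body first; control file last and by rename, so a queue runner never
    # sees a qf file without its df file, or a half-written qf file.
    shutil.copyfile(src_df, os.path.join(outbound_dir, "df" + queue_id))
    tmp_qf = os.path.join(outbound_dir, "tf" + queue_id)
    with open(tmp_qf, "w", encoding="latin-1", newline="") as fh:
        fh.write(rewrite_message_id(qf_text, df_bytes, host))
    os.rename(tmp_qf, os.path.join(outbound_dir, "qf" + queue_id))
    return rcpts

# Constructed sample pair; the queue id and the old Message-ID are the ones
# quoted in the thread, everything else is made up.
SAMPLE_QF = (
    "V8\nT1301400000\nK0\nN0\nP30000\n"
    "S<sender@elsewhere.example>\n"
    "RPFD:<user@example.com>\n"
    "H??Message-ID: <353001cbee50$f9913ab0$a10ea8c0@home>\n"
    "H??Subject: quarterly report\n"
    ".\n"
)
SAMPLE_DF = b"Hello,\n\nthe report is attached.\n"

def demo(queue_id="o4K6gD5s027824", host="mx.example.com"):
    """One refused release (foreign domain), then one allowed release."""
    with tempfile.TemporaryDirectory() as root:
        quar, outq = os.path.join(root, "quarantine"), os.path.join(root, "mqueue")
        os.mkdir(quar)
        os.mkdir(outq)
        with open(os.path.join(quar, "qf" + queue_id), "w", newline="") as fh:
            fh.write(SAMPLE_QF)
        with open(os.path.join(quar, "df" + queue_id), "wb") as fh:
            fh.write(SAMPLE_DF)
        try:
            release(quar, queue_id, outq, {"other.example"}, host)
            refused = False
        except ReleaseRefused:
            refused = True
        after_refusal = sorted(os.listdir(outq))
        released_to = release(quar, queue_id, outq, {"example.com"}, host)
        with open(os.path.join(outq, "qf" + queue_id), newline="") as fh:
            new_qf = fh.read()
        return {"refused": refused, "after_refusal": after_refusal,
                "released_to": released_to, "new_qf": new_qf,
                "queue_files": sorted(os.listdir(outq))}
```

On a live system the released files also need the owner and mode the MTA expects, which this example does not set.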
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Wed Mar 30 18:00:05 2011
Subject: Clamd install
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D883@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D883@BBEXVS04.bakerbotts.net>
Message-ID: <201103301259.33723.dyioulos@firstbhph.com>

On Wednesday 30 March 2011 12:29:18 pm donald.dawson@bakerbotts.com wrote:
> Yesterday I upgraded MailScanner, SpamAssassin and Clamav using the
> install files from the MailScanner site.
>
> When I started to install the SpamAssassin/Clam software I was cautioned
> to exit the script and install clamd from an rpm site and then come back
> to finish the install.
>
> I was able to download the 96.5 and 97 code, but I was not able to
> install them due to missing libraries. Here's a snippet from the SA/CLAM
> install script:
>
> There are 2 recommended ways of installing ClamAV, depending on various
> factors.
> If you want to use MailScanners support for Clamd (virus-scanning
> daemon) then I recommend you cancel this script now (press Ctrl-C)
> and install the RPMs for clamav, clamav-db and clamd from
> http://packages.sw.be/clamav/
> Then re-run this script and tell me that clamscan is installed in
> /usr/bin. This will set up your virus.scanners.conf file for you.
>
> Using these downloads:
> http://packages.sw.be/clamav/clamav-0.96.5-1.el6.rf.i686.rpm
> http://packages.sw.be/clamav/clamav-db-0.96.5-1.el6.rf.i686.rpm
> http://packages.sw.be/clamav/clamd-0.96.5-1.el6.rf.i686.rpm
>
> I received the following errors:
>
> # rpm -Uvh clamav-0.96.5-1.el6.rf.i686.rpm clamav-0.96.5-1.el6.rf.i686.rpm clamav-db-0.96.5-1.el6.rf.i686.rpm
> warning: clamav-0.96.5-1.el6.rf.i686.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
> warning: package clamav = 0.96.5-1.el6.rf was already added, skipping clamav < 0.96.5-1.el6.rf
> error: Failed dependencies:
>         libltdl.so.7 is needed by clamav-0.96.5-1.el6.rf.i686
>         rpmlib(FileDigests) <= 4.6.0-1 is needed by clamav-0.96.5-1.el6.rf.i686
>         rpmlib(PayloadIsXz) <= 5.2-1 is needed by clamav-0.96.5-1.el6.rf.i686
>         rpmlib(FileDigests) <= 4.6.0-1 is needed by clamav-db-0.96.5-1.el6.rf.i686
>         rpmlib(PayloadIsXz) <= 5.2-1 is needed by clamav-db-0.96.5-1.el6.rf.i686
>
> Note, I removed the .96.4 version via 'rpm -e'.
>
> I am now using ClamAV from the tarball install off of the MailScanner
> site, but I would prefer to use clamd.
>
> Also, I have to remove the clam-related files installed by the tarball
> if I am going to install clamd, since they are not loaded in the same
> locations.
>
> Please guide me on how I can install clamd.
>
> Thanks,
> Donald

Possibly missing rpm-devel and/or rpm-libs?

From donald.dawson at bakerbotts.com Wed Mar 30 18:00:09 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Wed Mar 30 18:00:53 2011
Subject: Performance issues with MS and SA
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831D886@BBEXVS04.bakerbotts.net>

I would like to get some input from the community on our performance
issue. Running 'MailScanner --debug --debug-sa' points to DCC as a
bottleneck and Bayes. Turning off Bayes and DCC makes a big difference,
but I would like to keep DCC.

We are running 4 MX servers each with 4 CPU and 3.5 GB of memory. We
process about 150k emails over the 4 MX servers, excluding rejected,
aborted and incomplete messages.

Software:
MailScanner: 4.83.4-1
SpamAssassin: 3.3.1
Scam-Back: 1.5.1-pre2 (checks email recipient against internal Exchange server)
OS: Fedora Core 8 (want to upgrade to RedHat Enterprise)
DCC: Current version
Pyzor: Latest - servers: public.pyzor.org:2444
Razor: 2.84
Sendmail: 8.14.2 with:
    ClientRate: 3
    ClientConn: 3

Here are our settings in spam.assassin.prefs.conf:

dns_available yes
bayes_path /var/spool/spamassassin/bayes
bayes_ignore_header X-BakerBotts-MailScanner
bayes_ignore_header X-BakerBotts-MailScanner-SpamCheck
bayes_ignore_header X-BakerBotts-MailScanner-SpamScore
bayes_ignore_header X-BakerBotts-MailScanner-Information
lock_method flock
use_auto_whitelist 0
ifplugin Mail::SpamAssassin::Plugin::DCC
dcc_path /usr/local/bin/dccproc
endif
rbl_timeout 10
razor_timeout 10
pyzor_timeout 10
envelope_sender_header X-BakerBotts-MailScanner-From
score BAYES_00 -0.400
score BAYES_05 -0.300
score BAYES_20 -0.200
header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.dnsbl.', '127.0.0.[124]')
header RCVD_IN_XBL eval:check_rbl('sblxbl-lastexternal', 'xbl.dnsbl.', '127.0.0.4')
header RCVD_IN_SBL eval:check_rbl_sub('sblxbl', 'zen.dnsbl.', '127.0.0.2')
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.dnsbl.', '127.0.0.10')
uridnsbl URIBL_SBL sbl.dnsbl. TXT
score RCVD_IN_BSP_TRUSTED -0.5
header __FROM_YOURDOMAIN From =~ /\@bakerbotts\.com\b/i
meta SPF_FAIL_YOURDOMAIN (SPF_FAIL && __FROM_YOURDOMAIN)
score SPF_FAIL_YOURDOMAIN 1.0
score USER_IN_WHITELIST -1.0
score SUBJECT_IN_WHITELIST -1.0
score USER_IN_SPF_WHITELIST -1.0
score USER_IN_ALL_SPAM_TO -1.0
score FB_GET_MEDS 2.5
score GENERIC_IXHASH 4.5
score NIXSPAM_IXHASH 4.5
score CTYME_IXHASH 4.5
score HOSTEUROPE_IXHASH 4.5
score DRUGS_ERECTILE 1.50
score RCVD_IN_DNSWL -1.00
score LOTTERY_PH_004470 4.0
score ALL_TRUSTED -0.5
internal_networks 204.194.96/21
internal_networks 63.241.249.0/25
internal_networks 10/8
header MS_FOUND_SPAMVIRUS exists:X-BakerBotts-MailScanner-SpamVirus-Report
score MS_FOUND_SPAMVIRUS 3.0

Here is our custom MailScanner file in /etc/MailScanner/conf.d:

Max Children = 9
Queue Scan Interval = 10
Max Normal Queue Size = 2000
Unrar Command = #/usr/bin/unrar
Allow Password-Protected Archives = yes
Check Filenames In Password-Protected Archives = no
Allowed Sophos Error Messages =
Dangerous Content Scanning = no
Find Phishing Fraud = no
Also Find Numeric Phishing = no
Use Stricter Phishing Net = no
Highlight Phishing Fraud = no
Allow IFrame Tags = yes
Allow Form Tags = yes
Allow Object Codebase Tags = yes
Quarantine Infections = no
Information Header Value = Please contact Baker Botts IT Help Desk for more information
Always Include SpamAssassin Report = yes
Sign Clean Messages = no
Mark Infected Messages = no
Mark Unscanned Messages = no
Notify Senders = no
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Other Blocked Content = no
Virus Modify Subject = no
Filename Modify Subject = no
Content Modify Subject = no
Size Modify Subject = no
Disarmed Modify Subject = no
Spam Modify Subject = no
High Scoring Spam Modify Subject = no
Archive Mail = /var/spool/MailScanner/archive
Send Notices = no
Spam Checks = %rules-dir%/spam.checks.rules
Is Definitely Not Spam = &SpamWhiteList('/etc/MailScanner/rules/bb_ms_custom.whitelist')
Is Definitely Spam = %rules-dir%/spam.blacklist.rules
Definite Spam Is High Scoring = yes
Ignore Spam Whitelist If Recipients Exceed = 40
Max Spam Check Size = 1500k
Use Watermarking = yes
Treat Invalid Watermarks With No Sender as Spam = 9
Watermark Secret = %org-name%-TvnSx97qf
Required SpamAssassin Score = 5
SpamAssassin Auto Whitelist = no
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes
High Scoring Spam Actions = delete
Log Speed = yes
Log Spam = yes
Log Non Spam = yes
Log Delivery And Non-Delivery = yes
SpamAssassin Timeout = 120

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

From ecasarero at gmail.com Wed Mar 30 18:03:37 2011
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Wed Mar 30 18:04:06 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To: <6640B804-75F0-429D-B596-B2EE34D27480@vidadigital.com.pa>
References: <4D93571F.4040007@ecs.soton.ac.uk> <6640B804-75F0-429D-B596-B2EE34D27480@vidadigital.com.pa>
Message-ID:

I thought this was a winner, but although the email is not scanned the "Always looked up last" is still triggered and a db record is created.

I also retried the sendmail line with -OQueueDirectory=/var/spool/mqueue but I get a rare permission error on the queue, I think that option is not valid using sendmail to send email, it just works when sendmail is a daemon receiving emails (maybe a consequence of the monolithic architecture).

As a last option I will tweak the "Always looked up last" function to avoid logging specific localhost traffic. If I find a workaround with sendmail I will post it,

Thanks for all the comments,

Eduardo.

2011/3/30 Alex Neuman

> Might I suggest "not to scan e-mail from 127.0.0.1 and to:yourdomain.com"
> just to avoid a bad script from being (mis)used to send e-mail out from your
> server onto third parties? You *usually* don't release mail to third
> parties, and in such exceptions you might want to make additional exceptions
> for those third parties.
>
> On Mar 30, 2011, at 11:15 AM, Jules Field wrote:
>
> > One way to solve this is to not scan mail originating from 127.0.0.1 and
> > then just use sendmail to re-inject the message. As it's from localhost,
> > MailScanner will ignore it once you put that rule in place.
> >
> > On 29/03/2011 19:31, Eduardo Casarero wrote:
> >> Hi everybody, does anyone know if it is possible to "release" an email
> >> and queue it in the sendmail outbound queue without being processed by
> >> MailScanner? I want to avoid MS because it generates a duplicated record in
> >> the DB. We used Mailwatch release method for some time and then a custom
> >> script to feed the released email to sendmail, but both options makes the
> >> email to be reprocessed by MS.
> >>
> >> I searched and read about sendmail's options, but I couldn't find anything
> >> useful. How does MScanner send HAM emails to recipients? copying df* and
> >> qf* to the outbound queue and firing a sendmail process to deliver that
> >> particular email?
> >>
> >> Any comment/idea would be appreciated.
> >>
> >> Thanks,
> >>
> >> Eduardo.
> >
> > Jules
> >
> > --
> > Julian Field MEng CITP CEng
> > www.MailScanner.info
> >
> > Buy the MailScanner book at www.MailScanner.info/store
> > Need help customising MailScanner? Contact me!
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > Follow me at twitter.com/JulesFM
> >
> > 'All programs have a desire to be useful' - Tron, 1982
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> --
>
> Alex Neuman van der Hans
> Reliant Technologies / Vida Digital
> http://vidadigital.com.pa/
>
> +507-6781-9505
> +507-832-6725
> +1-440-253-9789 (USA)
>
> Follow @AlexNeuman on Twitter
> http://facebook.com/vidadigital
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110330/44bbdbdf/attachment.html
From prandal at herefordshire.gov.uk Wed Mar 30 18:17:26 2011
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Mar 30 18:17:51 2011
Subject: Clamd install
In-Reply-To: <201103301259.33723.dyioulos@firstbhph.com>
References: <8FB531F78038DC4497B80CBAE8E927E20831D883@BBEXVS04.bakerbotts.net> <201103301259.33723.dyioulos@firstbhph.com>
Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B853ABC787B@HC-EXMBX02.herefordshire.gov.uk>

The smart way to find out would be to add the rpmforge yum repo, configure it to allow clam* only, and then

yum install clamd

Cheers,

Phil

--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dimitri Yioulos
Sent: 30 March 2011 18:00
To: MailScanner discussion
Subject: Re: Clamd install

On Wednesday 30 March 2011 12:29:18 pm donald.dawson@bakerbotts.com wrote:
> Yesterday I upgraded MailScanner, SpamAssassin and Clamav using the
> install files from the MailScanner site.
>
> When I started to install the SpamAssassin/Clam software I was
> cautioned to exit the script and install clamd from an rpm site and
> then come back to finish the install.
>
> I was able to download the 96.5 and 97 code, but I was not able to
> install them due to missing libraries. Here's a snippet from the
> SA/CLAM install script:
>
> There are 2 recommended ways of installing ClamAV, depending on
> various factors.
> If you want to use MailScanners support for Clamd (virus-scanning
> daemon) then I recommend you cancel this script now (press Ctrl-C)
> and install the RPMs for clamav, clamav-db and clamd from
> http://packages.sw.be/clamav/
> Then re-run this script and tell me that clamscan is installed in
> /usr/bin. This will set up your
> virus.scanners.conf file for you.
>
> Using these downloads:
> http://packages.sw.be/clamav/clamav-0.96.5-1.el6.rf.i686.rpm
> http://packages.sw.be/clamav/clamav-db-0.96.5-1.el6.rf.i686.rpm
> http://packages.sw.be/clamav/clamd-0.96.5-1.el6.rf.i686.rpm
>
> I received the following errors:
>
> # rpm -Uvh clamav-0.96.5-1.el6.rf.i686.rpm clamav-0.96.5-1.el6.rf.i686.rpm clamav-db-0.96.5-1.el6.rf.i686.rpm
> warning: clamav-0.96.5-1.el6.rf.i686.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
> warning: package clamav = 0.96.5-1.el6.rf was already added, skipping clamav < 0.96.5-1.el6.rf
> error: Failed dependencies:
>     libltdl.so.7 is needed by clamav-0.96.5-1.el6.rf.i686
>     rpmlib(FileDigests) <= 4.6.0-1 is needed by clamav-0.96.5-1.el6.rf.i686
>     rpmlib(PayloadIsXz) <= 5.2-1 is needed by clamav-0.96.5-1.el6.rf.i686
>     rpmlib(FileDigests) <= 4.6.0-1 is needed by clamav-db-0.96.5-1.el6.rf.i686
>     rpmlib(PayloadIsXz) <= 5.2-1 is needed by clamav-db-0.96.5-1.el6.rf.i686
>
> Note, I removed the .96.4 version via 'rpm -e'.
>
> I am now using ClamAV from the tarball install off of the MailScanner
> site, but I would prefer to use clamd.
>
> Also, I have to remove the clam-related files installed by the tarball
> if I am going to install clamd, since they are not loaded in the same
> locations.
>
> Please guide me on how I can install clamd.
>
> Thanks,
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> One Shell Plaza
> 910 Louisiana
> Houston, TX 77002
> W: 713-229-2183

Possibly missing rpm-devel and/or rpm-libs?

From maxsec at gmail.com Wed Mar 30 19:50:19 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Mar 30 19:50:28 2011
Subject: Performance issues with MS and SA
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D886@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D886@BBEXVS04.bakerbotts.net>
Message-ID:

You're also running the spamhaus rules in SA, I'd look at what rbls you want and turn those you don't want off

Have a look at performance in the wiki and the bit about getting the most out of spamassassin.

For bayes you may find running a different format for bayes, again the wiki will help in howto to change the database format

Martin

On Wednesday, 30 March 2011, wrote:
> I would like to get some input from the community on our performance issue.
>
> Running 'MailScanner --debug --debug-sa' points to DCC as a bottleneck and Bayes.
>
> Turning off Bayes and DCC makes a big difference, but I would like to keep DCC.
>
> We are running 4 MX servers each with 4 CPU and 3.5 GB of memory. We process about 150k emails over the 4 MX servers, excluding rejected, aborted and incomplete messages.
>
> Software:
> MailScanner:    4.83.4-1
> SpamAssassin:   3.3.1
> Scam-Back:      1.5.1-pre2 (checks email recipient against internal Exchange server)
> OS:             Fedora Core 8 (want to upgrade to RedHat Enterprise)
> DCC:            Current version
> Pyzor:          Latest - servers: public.pyzor.org:2444
> Razor:          2.84
> Sendmail:       8.14.2 with:
>     ClientRate: 3
>     ClientConn: 3
>
> Here are our settings in spam.assassin.prefs.conf:
>
> dns_available yes
> bayes_path /var/spool/spamassassin/bayes
> bayes_ignore_header X-BakerBotts-MailScanner
> bayes_ignore_header X-BakerBotts-MailScanner-SpamCheck
> bayes_ignore_header X-BakerBotts-MailScanner-SpamScore
> bayes_ignore_header X-BakerBotts-MailScanner-Information
> lock_method flock
> use_auto_whitelist 0
> ifplugin Mail::SpamAssassin::Plugin::DCC
> dcc_path /usr/local/bin/dccproc
> endif
> rbl_timeout 10
> razor_timeout 10
> pyzor_timeout 10
> envelope_sender_header X-BakerBotts-MailScanner-From
> score BAYES_00 -0.400
> score BAYES_05 -0.300
> score BAYES_20 -0.200
> header __RCVD_IN_ZEN eval:check_rbl('zen', 'zen.dnsbl.', '127.0.0.[124]')
> header RCVD_IN_XBL eval:check_rbl('sblxbl-lastexternal', 'xbl.dnsbl.', '127.0.0.4')
> header RCVD_IN_SBL eval:check_rbl_sub('sblxbl', 'zen.dnsbl.', '127.0.0.2')
> header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.dnsbl.', '127.0.0.10')
> uridnsbl URIBL_SBL sbl.dnsbl. TXT
> score RCVD_IN_BSP_TRUSTED -0.5
> header __FROM_YOURDOMAIN From =~ /\@bakerbotts\.com\b/i
> meta SPF_FAIL_YOURDOMAIN (SPF_FAIL && __FROM_YOURDOMAIN)
> score SPF_FAIL_YOURDOMAIN 1.0
> score USER_IN_WHITELIST -1.0
> score SUBJECT_IN_WHITELIST -1.0
> score USER_IN_SPF_WHITELIST -1.0
> score USER_IN_ALL_SPAM_TO -1.0
> score FB_GET_MEDS 2.5
> score GENERIC_IXHASH 4.5
> score NIXSPAM_IXHASH 4.5
> score CTYME_IXHASH 4.5
> score HOSTEUROPE_IXHASH 4.5
> score DRUGS_ERECTILE 1.50
> score RCVD_IN_DNSWL -1.00
> score LOTTERY_PH_004470 4.0
> score ALL_TRUSTED -0.5
> internal_networks 204.194.96/21
> internal_networks 63.241.249.0/25
> internal_networks 10/8
> header MS_FOUND_SPAMVIRUS exists:X-BakerBotts-MailScanner-SpamVirus-Report
> score MS_FOUND_SPAMVIRUS 3.0
>
> Here is our custom MailScanner file in /etc/MailScanner/conf.d:
>
> Max Children = 9
> Queue Scan Interval = 10
> Max Normal Queue Size = 2000
> Unrar Command = #/usr/bin/unrar
> Allow Password-Protected Archives = yes
> Check Filenames In Password-Protected Archives = no
> Allowed Sophos Error Messages =
> Dangerous Content Scanning = no
> Find Phishing Fraud = no
> Also Find Numeric Phishing = no
> Use Stricter Phishing Net = no
> Highlight Phishing Fraud = no
> Allow IFrame Tags = yes
> Allow Form Tags = yes
> Allow Object Codebase Tags = yes
> Quarantine Infections = no
> Information Header Value = Please contact Baker Botts IT Help Desk for more information
> Always Include SpamAssassin Report = yes
> Sign Clean Messages = no
> Mark Infected Messages = no
> Mark Unscanned Messages = no
> Notify Senders = no
> Notify Senders Of Blocked Filenames Or Filetypes = no
> Notify Senders Of Other Blocked Content = no
> Virus Modify Subject = no
> Filename Modify Subject = no
> Content Modify Subject = no
> Size Modify Subject = no
> Disarmed Modify Subject = no
> Spam Modify Subject = no
> High Scoring Spam Modify Subject = no
> Archive Mail = /var/spool/MailScanner/archive
> Send Notices = no
> Spam Checks = %rules-dir%/spam.checks.rules
> Is Definitely Not Spam = &SpamWhiteList('/etc/MailScanner/rules/bb_ms_custom.whitelist')
> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
> Definite Spam Is High Scoring = yes
> Ignore Spam Whitelist If Recipients Exceed = 40
> Max Spam Check Size = 1500k
> Use Watermarking = yes
> Treat Invalid Watermarks With No Sender as Spam = 9
> Watermark Secret = %org-name%-TvnSx97qf
> Required SpamAssassin Score = 5
> SpamAssassin Auto Whitelist = no
> Rebuild Bayes Every = 86400
> Wait During Bayes Rebuild = yes
> High Scoring Spam Actions = delete
> Log Speed = yes
> Log Spam = yes
> Log Non Spam = yes
> Log Delivery And Non-Delivery = yes
> SpamAssassin Timeout = 120
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> One Shell Plaza
> 910 Louisiana
> Houston, TX 77002
> W: 713-229-2183

--
Martin Hepworth
Oxford, UK
From maxsec at gmail.com Wed Mar 30 19:54:28 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Mar 30 19:54:37 2011
Subject: MailScanner: Could not analyze message
In-Reply-To: <4D930D2C.7070204@qustodium.net>
References: <4BF40DD90200002D00008EC2@sparky.asdm.net> <4BF65385.1010905@ecs.soton.ac.uk> <4BF656060200002D00008EF3@sparky.asdm.net> <4BF690CC.1030209@ecs.soton.ac.uk> <4D91EB5F.90701@qustodium.net> <4D91EF0D.6040104@qustodium.net> <4D9301E8.7070801@qustodium.net> <4D930D2C.7070204@qustodium.net>
Message-ID:

Use the generic unix installer rather than waiting for someone to update the port.

Even if a fix is produced for any bug, you'll never get a fix for your version, as fixes are never backported and you've no one to push them to the deb anyway :-)

On Wednesday, 30 March 2011, Achim J. Latz wrote:
> Hello Andrew:
>
> On 30/03/2011 12:23, Andrew Colin Kissa wrote:
> > I am working on an ubuntu ppa for that at the moment.
>
> I know about your Baruwa PPA. Are you saying that you will also create a MailScanner DEB in that process? Do you have an estimation of when such an updated package would become available: days, weeks?
>
> My problem is rather urgent, as the MailScanner bug related to content scanning prevents one of the users from receiving messages via a webform.
>
> Cheers, Achim
>
> --
> Achim J. Latz, Qustodium Internet Security
> achim.latz@qustodium.net - http://www.qustodium.net
> Data Encryption - Backup Automatisation - E-Mail Protection

--
Martin Hepworth
Oxford, UK
From donald.dawson at bakerbotts.com Wed Mar 30 19:56:55 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Wed Mar 30 19:57:07 2011
Subject: Clamd install
In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B853ABC787B@HC-EXMBX02.herefordshire.gov.uk>
References: <8FB531F78038DC4497B80CBAE8E927E20831D883@BBEXVS04.bakerbotts.net><201103301259.33723.dyioulos@firstbhph.com> <7CA580B59C1ABD45B4614ED90D4C7B853ABC787B@HC-EXMBX02.herefordshire.gov.uk>
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831D88D@BBEXVS04.bakerbotts.net>

Phil - thanks for the info.

To use rpmforge yum repo, I am executing the following steps:

(review packages to download: http://packages.sw.be/rpmforge-release/ )

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el3.rf.i386.rpm

rpm -Uvh rpmforge-release-0.5.2-1.rf.src.rpm

vi /etc/yum.repos.d/rpmforge.repo (just installed rpm from above)

change 'enabled = 1' to 'enabled = 0' (keeps repo from being used unless explicitly chosen)

Manually specify the repo, action and package e.g.

yum install --enablerepo=rpmforge clamd

Please let me know if I am on the right track.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil
Sent: Wednesday, March 30, 2011 12:17 PM
To: MailScanner discussion
Subject: RE: Clamd install

The smart way to find out would be to add the rpmforge yum repo, configure it to allow clam* only, and then

yum install clamd

Cheers,

Phil

--
Phil Randal | Infrastructure Engineer
NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160

From richard.siddall at elirion.net Wed Mar 30 20:08:38 2011
From: richard.siddall at elirion.net (Richard Siddall)
Date: Wed Mar 30 20:08:48 2011
Subject: Clamd install
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D88D@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D883@BBEXVS04.bakerbotts.net><201103301259.33723.dyioulos@firstbhph.com> <7CA580B59C1ABD45B4614ED90D4C7B853ABC787B@HC-EXMBX02.herefordshire.gov.uk> <8FB531F78038DC4497B80CBAE8E927E20831D88D@BBEXVS04.bakerbotts.net>
Message-ID: <4D937FB6.5090403@elirion.net>

donald.dawson@bakerbotts.com wrote:
> Phil - thanks for the info.
>
> To use rpmforge yum repo, I am executing the following steps:
>
> (review packages to download: http://packages.sw.be/rpmforge-release/ )
>
> wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el3.rf.i386.rpm
>
[snip]
> Using these downloads:
> http://packages.sw.be/clamav/clamav-0.96.5-1.el6.rf.i686.rpm
> http://packages.sw.be/clamav/clamav-db-0.96.5-1.el6.rf.i686.rpm
> http://packages.sw.be/clamav/clamd-0.96.5-1.el6.rf.i686.rpm
>
> I received the following errors:
>
> # rpm -Uvh clamav-0.96.5-1.el6.rf.i686.rpm

Looks like you're using the RPMforge release for EL3 but tried to install RPMs for EL6. That might explain the RPM version mismatch errors.

Which distro are you using?

Regards,

Richard Siddall
From steve.freegard at fsl.com Wed Mar 30 20:52:46 2011
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Mar 30 20:52:57 2011
Subject: Performance issues with MS and SA
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D886@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D886@BBEXVS04.bakerbotts.net>
Message-ID: <4D938A0E.7080108@fsl.com>

On 30/03/11 18:00, donald.dawson@bakerbotts.com wrote:
> I would like to get some input from the community on our performance issue.
>
> Running 'MailScanner --debug --debug-sa' points to DCC as a bottleneck
> and Bayes.
>
> Turning off Bayes and DCC makes a big difference, but I would like to
> keep DCC.
>
> Here are our settings in spam.assassin.prefs.conf:
>
> dns_available yes
> bayes_path /var/spool/spamassassin/bayes
> bayes_ignore_header X-BakerBotts-MailScanner
> bayes_ignore_header X-BakerBotts-MailScanner-SpamCheck
> bayes_ignore_header X-BakerBotts-MailScanner-SpamScore
> bayes_ignore_header X-BakerBotts-MailScanner-Information
> lock_method flock

Add:

bayes_learn_to_journal 1

This will give a big speed boost for file-based bayes.

Also add:

bayes_auto_expire 0

And see my comment below about running expiry as a cronjob to improve bayes performance.

> ifplugin Mail::SpamAssassin::Plugin::DCC
> dcc_path /usr/local/bin/dccproc
> endif

Read up on 'dccifd' and use that instead; it's *far* quicker if you want DCC running.

> Always Include SpamAssassin Report = yes

Consider setting this to 'No'; it will save some considerable cycles. e.g. for whitelisted messages etc.

> Rebuild Bayes Every = 86400
> Wait During Bayes Rebuild = yes

Doing a rebuild like this will cause some serious performance issues if your mail servers are busy, leading to backlogs. Set this to no and disable this function entirely; then create a cronjob to run at a quiet hour that runs once per day:

sa-learn --force-expire

Hope that helps.

Kind regards,
Steve.
From ecasarero at gmail.com Wed Mar 30 22:12:20 2011
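
The settings Steve Freegard's reply singles out can be checked mechanically across several MX hosts. The script below is an added example, not part of any message in this thread; the function names, the finding labels and the handling of absent MailScanner options (treated as "no" or 0) are assumptions, and the sample settings are excerpted from the configuration quoted in the thread.

```python
import re

# Sample input: lines excerpted from the settings quoted in the thread,
# trimmed to the ones the tuning advice touches.
SA_PREFS_POSTED = """\
dns_available yes
bayes_path /var/spool/spamassassin/bayes
lock_method flock
use_auto_whitelist 0
ifplugin Mail::SpamAssassin::Plugin::DCC
dcc_path /usr/local/bin/dccproc
endif
rbl_timeout 10
"""

MS_CONF_POSTED = """\
Max Children = 9
Always Include SpamAssassin Report = yes
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes
SpamAssassin Timeout = 120
"""

# Conditional wrappers in SpamAssassin config files; they carry no setting.
SA_CONDITIONALS = {"ifplugin", "if", "else", "endif"}


def parse_sa_prefs(text):
    """Parse 'directive value' lines; the last occurrence of a directive wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] in SA_CONDITIONALS:
            continue
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def parse_ms_conf(text):
    """Parse 'Option Name = value' lines. Keys are the option name with
    whitespace removed and lower-cased (a normalisation chosen for this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[re.sub(r"\s+", "", name).lower()] = value.strip()
    return settings


def _yes(value):
    return value.strip().lower() in ("yes", "1")


def audit(sa_text, ms_text):
    """Return (setting, advice) pairs for each recommendation not yet applied."""
    sa = parse_sa_prefs(sa_text)
    ms = parse_ms_conf(ms_text)
    findings = []

    # SpamAssassin side. An unset directive falls back to SpamAssassin's
    # default (bayes_learn_to_journal 0, bayes_auto_expire 1).
    if sa.get("bayes_learn_to_journal", "0") != "1":
        findings.append(("bayes_learn_to_journal",
                         "add 'bayes_learn_to_journal 1' for file-based Bayes"))
    if sa.get("bayes_auto_expire", "1") != "0":
        findings.append(("bayes_auto_expire",
                         "add 'bayes_auto_expire 0' and expire from cron instead"))
    if sa.get("dcc_path", "").rsplit("/", 1)[-1] == "dccproc":
        findings.append(("dcc_path",
                         "DCC is run through dccproc; the reply suggests dccifd"))

    # MailScanner side. Treating an absent option as "no" / 0, and 0 as
    # "rebuild disabled", are assumptions of this example.
    if _yes(ms.get("alwaysincludespamassassinreport", "no")):
        findings.append(("Always Include SpamAssassin Report", "set to no"))
    if ms.get("rebuildbayesevery", "0") not in ("0", ""):
        findings.append(("Rebuild Bayes Every",
                         "disable and run 'sa-learn --force-expire' daily from cron"))
    if _yes(ms.get("waitduringbayesrebuild", "no")):
        findings.append(("Wait During Bayes Rebuild", "set to no"))
    return findings


if __name__ == "__main__":
    for setting, advice in audit(SA_PREFS_POSTED, MS_CONF_POSTED):
        print(f"{setting}: {advice}")
```
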
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Wed Mar 30 22:12:49 2011
Subject: Releasing emails from quarantine with sendmail
In-Reply-To:
References: <4D93571F.4040007@ecs.soton.ac.uk> <6640B804-75F0-429D-B596-B2EE34D27480@vidadigital.com.pa>
Message-ID:

Well, today I've learned something.

From: http://www.sendmail.org/~ca/email/doc8.12/op-sh-1.html

*For initial mail submission, i.e., if one of the options -bm (default), -bs, or -t is specified, submit.cf is used (if available), for other operations sendmail.cf is used.*

So, all the sendmail behaviour was configured in submit.cf not sendmail.cf. I moved submit.cf and created a link between sendmail.cf and submit.cf. So submission will behave the same as the daemon, using the ../mqueue and trying to deliver the email first (to the final MTA), and if it fails it will store it in the regular queue.

My first tests went ok, however I will give this further testing to try to find any nasty side effect of this.

Eduardo.

2011/3/30 Eduardo Casarero

> I thought this was a winner, but although the email is not scanned the
> "Always looked up last" is still triggered and a db record is created.
>
> I also retried the sendmail line with -OQueueDirectory=/var/spool/mqueue
> but I get a rare permission error on the queue, I think that option is not
> valid using sendmail to send email, it just works when sendmail is a daemon
> receiving emails (maybe a consequence of the monolithic architecture).
>
> As a last option I will tweak the "Always looked up last" function to avoid
> logging specific localhost traffic. If I find a workaround with sendmail I
> will post it,
>
> Thanks for all the comments,
>
> Eduardo.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110330/d272d068/attachment.html
From achim+mailwatch at qustodium.net Thu Mar 31 13:00:37 2011
From: achim+mailwatch at qustodium.net (Achim J. Latz)
Date: Thu Mar 31 13:01:02 2011
Subject: Mailscanner 4.83.4 now available for Debian/Ubuntu
Message-ID: <4D946CE5.8070609@qustodium.net>

Hello list:

I created a .deb package for the latest stable release of Mailscanner 4.83.4. I am testing it on our servers, but feel free to send me an email if anybody is interested in using it as well.

No guarantees by the way, as this is my first packaging attempt. I did have some help from Simon Walter though, the original maintainer.

Best regards, Achim

--
Achim J. Latz, Qustodium Internet Security
achim.latz@qustodium.net - http://www.qustodium.net
Data Encryption - Backup Automatisation - E-Mail Protection
From donald.dawson at bakerbotts.com Thu Mar 31 17:18:36 2011
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Thu Mar 31 17:19:13 2011
Subject: CENTOS or RHE OS
Message-ID: <8FB531F78038DC4497B80CBAE8E927E20831D8AC@BBEXVS04.bakerbotts.net>

We are using Fedora Core 8 (mistake) and plan to move to a more stable, Enterprise version of Linux. I don't expect we will need support, but which is better RHE or CENTOS, or other?

I understand CENTOS is a close mirror to RHE, but is open source. When I look at MailScanner-related packages to download, I see references to RHE and CENTOS.

We have four MX servers running Fedora Core 8 with the latest MS/SA versions. We are contemplating FSL.COM's MS yum repository for easier builds of the new servers.

Any input appreciated.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
One Shell Plaza
910 Louisiana
Houston, TX 77002
W: 713-229-2183

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110331/dcb69cfd/attachment.html
From bonivart at opencsw.org Thu Mar 31 17:54:39 2011
From: bonivart at opencsw.org (Peter Bonivart)
Date: Thu Mar 31 17:55:15 2011
Subject: CENTOS or RHE OS
In-Reply-To: <8FB531F78038DC4497B80CBAE8E927E20831D8AC@BBEXVS04.bakerbotts.net>
References: <8FB531F78038DC4497B80CBAE8E927E20831D8AC@BBEXVS04.bakerbotts.net>
Message-ID:

On Thu, Mar 31, 2011 at 6:18 PM, wrote:
> We are using Fedora Core 8 (mistake) and plan to move to a more stable,
> Enterprise version of Linux. I don't expect we will need support, but which
> is better RHE or CENTOS, or other?

CentOS is basically RH with all trademark info and logos replaced. Functionality is the same. We use CentOS when there's no requirement for a support contract, e.g. if you're running some business application or Oracle, then we use RH with a license.

For MailScanner there's no need for RH. You will also be familiar with the RPM package system from FC.

/peter

From supunr at lankacom.net Thu Mar 31 18:50:57 2011
From: supunr at lankacom.net (Supun Rathnayake)
Date: Thu Mar 31 18:51:22 2011
Subject: Mailscanner 4.83.4 now available for Debian/Ubuntu
In-Reply-To: <4D946CE5.8070609@qustodium.net>
References: <4D946CE5.8070609@qustodium.net>
Message-ID: <4D94BF01.1000303@lankacom.net>

Hi Achim,

That is great news. I have been waiting for years to get a .deb package that is current (or rather latest stable). I had used alien to convert rpm to deb, but sometimes the process is not smooth and it is very difficult to manage when it comes to many servers.

If you don't mind, try to publish it at https://launchpad.net/ so that we can simply use your repository in our apt source list.

Thanks for the great effort. We would like to test your package.

Thanks,
Supun.

On 03/31/2011 05:30 PM, Achim J. Latz wrote:
> Hello list:
>
> I created a .deb package for the latest stable release of Mailscanner
> 4.83.4. I am testing it on our servers, but feel free to send me an
> email if anybody is interested in using it as well.
>
> No guarantees by the way, as this is my first packaging attempt. I did
> have some help from Simon Walter though, the original maintainer.
>
> Best regards, Achim
>

From jonas at vrt.dk Thu Mar 31 23:49:27 2011
From: jonas at vrt.dk (Jonas)
Date: Thu Mar 31 23:49:40 2011
Subject: Performance issues with MS and SA
Message-ID: <09F23668E315FD4597C13D73E5123ADF5BD6F3@SCTSBS.sct.dk>

Hello Donald

Maybe I'm a bit thick headed but I don't see you mention what your performance issue is?

You say you process 150k mails with 4 servers each with 4 cores (that's how I read it anyway).

But what is the problem, are your incoming mail queues too big, or do you expect a quick increase in mail volume in the near future? Or do you simply want to optimize your setup, and don't have a problem per se?

Cheers

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk