From mailscanner at joolee.nl Thu Sep 1 08:17:04 2011
From: mailscanner at joolee.nl (Joolee)
Date: Thu Sep 1 08:17:52 2011
Subject: MS Doesn't completely block spam with faulty attachments
Message-ID:

Hello Everybody,

I've experienced a small flood of virus E-mails. These E-mails (subj.: "ACH Payment *random number* Canceled") contain attachments named like: "report_082011-65.pdf.exe"
They obviously get blocked by the "no executables" and "No double file extensions" rules. The problem is that after blocking them, an automated E-mail is sent to the original recipient and the (faked) sender of the message, informing them of the blocked attachment.

Had the E-mails been processed further, they would've probably hit the virusscanner (not tested) or spamassassin (gives a score of 27 when tested) and the E-mail would've silently been discarded as a virus / spam / phishing.

Is it possible to let the MailScanner continue its processing when hitting the file name rules and / or running the filename rule at a later time?

From MailScanner at ecs.soton.ac.uk Thu Sep 1 10:00:44 2011
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 1 10:01:03 2011
Subject: MailScanner Digest, Vol 68, Issue 20
In-Reply-To: <1314825656.6052.YahooMailNeo@web29715.mail.ird.yahoo.com>
References: <201108241100.p7OB0MDF014798@safir.blacknight.ie> <2046762850AF9D4DA8E1EB3B6F2BA19C1031456C@VA3DIAXVS1A1.RED001.local> <1314825656.6052.YahooMailNeo@web29715.mail.ird.yahoo.com> <4E5F49BC.2010703@ecs.soton.ac.uk>
Message-ID:

Have fixed that one. Will be in the next release.

Is there a good collection of the taint problems still outstanding? If so, please can someone email me one?

Cheers,
Jules.

On 31/08/2011 22:20, Fernando Andrés Moya Leimberg wrote:
> Did that command finally solve your problem John?
>
> Think it's good to know how it ended, or if you're still looking
> for an answer...
>
> Greetings...
> ------------------------------------------------------------------------
> *From:* Glenn Steen
> *To:* MailScanner discussion
> *Sent:* Friday, 26 August 2011 15:36
> *Subject:* Re: RE: MailScanner Digest, Vol 68, Issue 20
>
> Right, so you have a taint issue preventing the creation of the date
> subdir (or similar) in the quarantine.
> Did you try the usual -U thing (google it, or use gmane, I'm tipsy and
> would likely get something wrong;-) .
> Cheers
> --
> -- Glenn
> On 25 Aug 2011 19:28, "John Bull" wrote:
> > # MailScanner --debug
> >
> > In Debugging mode, not forking...
> > Trying to setlogsock(unix)
> > Building a message batch to scan...
> > Insecure dependency in mkdir while running with -T switch at /usr/lib/MailScanner/MailScanner/Quarantine.pm line 189.
> >
> > Regards,
> > John
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailscanner-request@lists.mailscanner.info
> > Sent: Wednesday, August 24, 2011 4:01 AM
> > To: mailscanner@lists.mailscanner.info
> > Subject: MailScanner Digest, Vol 68, Issue 20
> >
> > Today's Topics:
> >
> > 1. Re: Spam remaining in hold queue (Glenn Steen)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Wed, 24 Aug 2011 01:59:40 +0200
> > From: Glenn Steen
> > Subject: Re: Spam remaining in hold queue
> > To: MailScanner discussion
> > Message-ID:
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > What is the debug result for a gtube run, not eicar as you showed that to be fine...?
> > The processing db thing kind of indicates that something is killing ms.
> >
> > Cheers
> > --
> > -- Glenn
> > On 23 Aug 2011 00:12, "John Bull" wrote:
> >> List,
> >>
> >> Testing Lab - Installation specifics:
> >> MailScanner-4.84.3-1.rpm.tar
> >> Postfix 2.6.6
> >> Scientific Linux 6.1, perl 5.10.1
> >> High scoring spam is set to: store and notify
> >>
> >> Problem:
> >> Email with gtube spam test remains in the Postfix hold queue and is not delivered to the spam quarantine.
> >>
> >> # postqueue -p
> >> -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
> >> EFF9C4EB9! 755 Mon Aug 22 13:22:51 jbull@esd113.lab
> >> tone@test.lab>
> >>
> >> MailScanner successfully creates /var/Spool/MailScanner/quarantine//spam
> >> but the email never makes it there.
> >>
> >> Directory Permissions:
> >> chown -R postfix.clamav /var/spool/MailScanner/incoming
> >> chmod -R 770 /var/spool/MailScanner/incoming
> >> chown postfix.postfix /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> >> chown postfix.postfix -R /var/spool/MailScanner/incoming/SpamAssassin-Temp
> >> chown postfix.postfix /var/spool/MailScanner/incoming/Processing.db
> >>
> >> chown -R postfix.apache /var/spool/MailScanner/quarantine
> >> chmod 770 -R /var/spool/MailScanner/quarantine
> >>
> >> mkdir /var/spool/MailScanner/spamassassin
> >> chown -R postfix:postfix /var/spool/MailScanner/spamassassin
> >> chmod -R 770 /var/spool/MailScanner/spamassassin
> >>
> >> MailScanner Config
> >> Run As User = postfix
> >> Run As Group = postfix
> >> Incoming Queue Dir = /var/spool/postfix/hold
> >> Outgoing Queue Dir = /var/spool/postfix/incoming
> >> Incoming Work Dir = /var/spool/MailScanner/incoming
> >> MTA = postfix
> >> Sendmail = /usr/sbin/sendmail.postfix
> >> Incoming Work Group = clamav
> >> Incoming Work Permissions = 0644
> >> Quarantine User = postfix
> >> Quarantine Group = apache
> >> Quarantine Permissions = 0660
> >> Virus Scanners = clamd
> >> Quarantine Infections = no
> >> Quarantine Whole Message = yes
> >> Quarantine Whole Messages As Queue Files = no
> >> Keep Spam And MCP Archive Clean = yes
> >> Spam Checks = yes
> >> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> >> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
> >> Definite Spam Is High Scoring = yes
> >> Use SpamAssassin = yes
> >> Required SpamAssassin Score = 4.75
> >> High SpamAssassin Score = 6
> >> Spam Score = yes
> >> Spam Actions = deliver
> >> High Scoring Spam Actions = store notify
> >>
> >>
> >> Maillog:
> >> Spam Checks: Starting
> >> Aug 22 13:26:06 opened MailScanner[2548]: Message EFF9C4EB9.A5C23 from 192.168.0.110 (jbull@esd113.lab) to test.lab is spam, SpamAssassin (score=1001.99, required 4.75, autolearn=disabled, ALL_TRUSTED -1.00, DCC_CHECK 3.00, GTUBE 1000.00, T_RP_MATCHES_RCVD -0.01)
> >> Aug 22 13:26:06 opened MailScanner[2548]: Spam Checks: Found 1 spam messages
> >> Aug 22 13:26:06 opened MailScanner[2548]: Spam Actions: message EFF9C4EB9.A5C23 actions are store,notify
> >> Aug 22 13:26:06 opened MailScanner[2548]: Spam Actions: Notify tone@test.lab>
> >>
> >> : Warning: skipping message EFF9C4EB9.A5C23 as it has been attempted too many times
> >> Aug 22 13:46:35 opened MailScanner[3396]: Quarantined message EFF9C4EB9.A5C23 as it caused MailScanner to crash several times
> >>
> >> MailScanner --processing
> >> Currently being processed:
> >>
> >> Number of messages: 1
> >> Tries Message Next Try At
> >> ===== ======= ===========
> >> 6 EFF9C4EB9.A5C23 Mon Aug 22 13:49:34 2011
> >>
> >> # MailScanner --lint --debug
> >> Trying to setlogsock(unix)
> >>
> >> Reading configuration file /etc/MailScanner/MailScanner.conf
> >> Reading configuration file /etc/MailScanner/conf.d/README
> >> Read 867 hostnames from the phishing whitelist
> >> Read 4076 hostnames from the phishing blacklists
> >>
> >> Checking version numbers...
> >> Version number in MailScanner.conf (4.84.3) is correct.
> >> MailScanner setting GID to (89)
> >> MailScanner setting UID to (89)
> >>
> >> Checking for SpamAssassin errors (if you use it)...
> >> Using SpamAssassin results cache
> >> Connected to SpamAssassin cache database
> >> SpamAssassin reported no errors.
> >> Connected to Processing Attempts Database
> >> Created Processing Attempts Database successfully
> >> There is 1 message in the Processing Attempts Database
> >> Using locktype = posix
> >> MailScanner.conf says "Virus Scanners = clamd"
> >> Found these virus scanners installed: clamd
> >> ===========================================================================
> >> Filename Checks: Windows/DOS Executable (1 eicar.com)
> >> Other Checks: Found 1 problems
> >> Virus and Content Scanning: Starting
> >> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> >> Virus Scanning: Clamd found 2 infections
> >> Infected message 1 came from 10.1.1.1
> >> Virus Scanning: Found 2 viruses
> >> ===========================================================================
> >> Virus Scanner test reports:
> >> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> >>
> >> If any of your virus scanners (clamd)
> >> are not listed there, you should check that they are installed
> >> correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
> >>
> >> Thank you,
> >> John
> >
> > ------------------------------
> >
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read the Wiki (http://wiki.mailscanner.info/).
> >
> > Support MailScanner development - buy the book off the website!
> >
> > End of MailScanner Digest, Vol 68, Issue 20
> > *******************************************
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From john at tradoc.fr Thu Sep 1 11:53:28 2011
From: john at tradoc.fr (John Wilcock)
Date: Thu Sep 1 11:53:46 2011
Subject: MailScanner Digest, Vol 68, Issue 20
In-Reply-To:
References: <201108241100.p7OB0MDF014798@safir.blacknight.ie> <2046762850AF9D4DA8E1EB3B6F2BA19C1031456C@VA3DIAXVS1A1.RED001.local> <1314825656.6052.YahooMailNeo@web29715.mail.ird.yahoo.com> <4E5F49BC.2010703@ecs.soton.ac.uk>
Message-ID: <4E5F6428.60909@tradoc.fr>

On 01/09/2011 11:00, Julian Field wrote:
> Is there a good collection of the taint problems still outstanding? If
> so, please can someone email me one?

Dunno about a "collection", but I never was able to track down the source of these, which apparently (based on other messages since) only occur with IO::File 1.14 (which is default on gentoo) but not on the version 1.11 used IIRC on perl 5.12 on RHEL6 and similar.

> Insecure dependency in open while running with -T switch at /usr/lib64/perl5/vendor_perl/5.12.3/x86_64-linux/IO/File.pm line 185, <$fh> line 6.
> Insecure dependency in open while running with -T switch at /usr/lib64/perl5/vendor_perl/5.12.3/x86_64-linux/IO/File.pm line 185.

John.

--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From maxsec at gmail.com Thu Sep 1 12:32:52 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Thu Sep 1 12:33:02 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References:
Message-ID:

what version of MS?

I never inform the sender of junk as you end up with fake messages sent out.

--
Martin Hepworth
Oxford, UK

From MailScanner at ecs.soton.ac.uk Thu Sep 1 15:34:16 2011
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Sep 1 15:34:28 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk>
Message-ID:

He's probably switched on some "Notify Senders" options. Bad idea :-(

From campbell at cnpapers.com Thu Sep 1 16:08:00 2011
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Sep 1 16:08:55 2011
Subject: The host: prefix question
Message-ID: <4E5F9FD0.8000802@cnpapers.com>

I've got an entry in my blacklist file with the format

From: host:blah.blah.blah yes

Does this work to blacklist any email that is from a host that DNS says is blah.blah.blah? Even if blah.blah.blah resolves to multiple IP addresses?

Didn't seem to work for me as I have it.

Thanks

steve campbell

From mailscanner at joolee.nl Thu Sep 1 16:31:46 2011
From: mailscanner at joolee.nl (Joolee)
Date: Thu Sep 1 16:32:35 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk>
Message-ID:

I agree that it isn't a good idea to notify the sender of a spam or virus message. I'm not planning to do that, I know the troubles of backscatter.

What I've configured is that if a user sends a completely normal (non-virus, non-spam) E-mail but with, for instance, a file named "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers), the server sends out a warning to the sender and the original message stripped of its attachment to the recipient of the message. Notifying the sender is not strictly necessary but if this is only done for such non-virus, non-spam messages, it isn't a problem either.

The situation that bugs me is when some spam message with a file named "CurriculumVitae.doc.pdf" is received. The message hits the filename rule and *isn't processed any further to check if it's a spam message*.
Because it isn't processed any further, the warning messages are sent out to both sender and original recipient.

As I stated before, I can disable the sender notification. What I can't do is tell my customers (the recipients) that such wrongly named files, most containing important documents, are silently discarded. Sending spam to my customers that could have been recognized isn't an option either.

The simplest solution, I think, would be to *continue processing* the message after a file name rule is hit, decide if the E-mail is HAM and in that case, send out the notifications. If the E-mail is spam, silently discard it.
It would add a bit of load to the server but stopping spam is what it's all about, isn't it? :P

From Kevin_Miller at ci.juneau.ak.us Thu Sep 1 17:40:10 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 1 17:41:20 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk>
Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>

Easiest thing to do in that case is to comment out the line in filename.rules.conf that disallows double extensions.
The message will be accepted as normal and go through the additional tests (is it an executable, is it a virus, is it spam, etc.)

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mailscanner at joolee.nl Thu Sep 1 18:06:28 2011
From: mailscanner at joolee.nl (Joolee)
Date: Thu Sep 1 18:07:18 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To: <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

The problem with the current spam is that they're blocked for containing exe files, not double file extensions (Although they would've hit that one if exe's were not blocked.)

Only quick temporary solution is to disable all file-name validation because this can occur with more than just exe files and double extensions. This is no final solution though.

From MailScanner at ecs.soton.ac.uk Thu Sep 1 18:41:35 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Thu Sep 1 18:41:52 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07> <4E5FC3CF.50502@ecs.soton.ac.uk>
Message-ID:

Have you considered using something like "deny+delete" in your filename.rules.conf instead of just "deny"?
There are all sorts of clever things you can do in those files. It's all documented at the top of the default files I ship in the distribution.

Jules.

On 01/09/2011 18:06, Joolee wrote:
> The problem with the current spam is that they're blocked for
> containing exe files, not double file extensions (Although they
> would've hit that one if exe's were not blocked.)
> > Only quick temporary solution is to disable all file-name validation > because this can occur with more than just exe files and double > extensions. This is no final solution though. > > On 1 September 2011 18:40, Kevin Miller > wrote: > > Easiest thing to do in that case is to comment out the line in > filename.rules.conf that disallows double extensions. The message > will be accepted as normal and go through the additional tests (is > it an executable, is it a virus, is it spam, etc.) > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > > > ------------------------------------------------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info > ] *On Behalf Of > *Joolee > *Sent:* Thursday, September 01, 2011 7:32 AM > *To:* MailScanner discussion > *Subject:* Re: MS Doesn't completely block spam with faulty > attachments > > I agree that it isn't a good idea to notify the sender of a spam > or virus message I'm not planning to do that, I know the troubles > of backscatter. > > What I've configured is that if a user sends a completely normal > (non-virus, non-spam) E-mail but with, for instance, a file named > "CurriculumVitae.doc.pdf" (default output for a lot of PDF > printers). The server sends out a warning to sender and the > original message stripped of it's attachment to the recipient of > the message. Notifying the sender is not strictly necessary but if > this is only done for such non-virus, non-spam message, it isn't a > problem either. > > The situation that bugs me is when some spam message with a file > named "CurriculumVitae.doc.pdf" is received. The message hits the > filename rule and*isn't processed any further to check if its a > spam message*. 
Because it isn't processed any further, the warning > messages are send out to both sender and original recipient. > > As I stated before, I can disable the sender notification. What I > can't do is tell my customers (the recipients) that such wrongly > named files, most containing important documents, are silently > discarded. Sending spam to my customers that could have been > recognized isn't an option either. > > The simplest solution, I think, would be to *continue processing* > the message after a file name rule is hit, decide if the E-mail is > HAM and in that case, send out the notifications. If the E-mail is > spam, silently discard it. > It would add a bit of load to the server but stopping spam is what > it's all about, isn't it? :P > > On 1 September 2011 16:34, Julian Field > > > wrote: > > He's probably switched on some "Notify Senders" options. Bad > idea :-( > > > On 01/09/2011 12:32, Martin Hepworth wrote: > > what version of MS? > > I never inform the sender of junk as you end up with fake > messages sent out. > > -- > Martin Hepworth > Oxford, UK > > > On 1 September 2011 08:17, Joolee > >> wrote: > > Hallo Everybody, > > I've experienced a small flood of virus E-mails. These > E-mails > (subj.: "ACH Payment *random number* Canceled") contain > attachments named like: "report_082011-65.pdf.exe" > They obviously get blocked by the "no executables" and > "No double > file extensions" rules. The problem is that after > blocking them, > an automated E-mail is send to the original recipient > and the (faked) sender of the message, informing them > of the blocked > attachment. > > Had the E-mails been processed further, they would've > probably hit > the virusscanner (not tested) or spamassassin (gives a > score of 27 > when tested) and the E-mail would've silently been > discarded as a > virus / spam / phishing. 
> > Is it possible to let the MailScanner continue it's > processing > when hitting the file name rules and / or running the > filename > rule at a later time? > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 > 1415 B654 > Follow me at twitter.com/JulesFM > > 'It's okay to live without all the answers' - Charlie > Eppes, 2011 > 'All programs have a desire to be useful' - Tron, 1982 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > Need help customising MailScanner? Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > Follow me at twitter.com/JulesFM > > 'Teach a man to reason, and he will think for a lifetime.' 
 - Phil Plait
'All programs have a desire to be useful' - Tron, 1982

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Thu Sep 1 22:07:43 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 1 22:07:52 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

That's not a problem, it's a feature... And a much needed one at that!
Why would you want to spend precious resources on a meaningless check, when
you already decided to stop the offending attachment?!
Don't deliver it at all, if it bothers you;-)

Cheers
--
-- Glenn
On 1 Sep 2011 19:12, "Joolee" wrote:
> The problem with the current spam is that they're blocked for containing exe
> files, not double file extensions (Although they would've hit that one if
> exe's were not blocked.)
>
> Only quick temporary solution is to disable all file-name validation because
> this can occur with more than just exe files and double extensions. This is
> no final solution though.

From mailscanner at joolee.nl Fri Sep 2 11:20:22 2011
From: mailscanner at joolee.nl (Joolee)
Date: Fri Sep 2 11:21:13 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

A feature that I would like to be able to disable ;)

"Why would you want to spend precious resources on a meaningless check, when
you already decided to stop the offending attachment?!"
To inform my paying user why the contract he's been waiting for was blocked.

I think I already made quite clear why it's not an option for me to
completely block them. I can't see why other users can't be bothered by it,
maybe they just accept that they can't solve it? (Not my way of handling
problems)

On 1 September 2011 23:07, Glenn Steen wrote:

> That's not a problem, it's a feature... And a much needed one at that!
> Why would you want to spend precious resources on a meaningless check, when
> you already decided to stop the offending attachment?!
> Don't deliver it at all, if it bothers you;-)
>
> Cheers
> --
> -- Glenn

From noel.butler at ausics.net Fri Sep 2 11:41:07 2011
From: noel.butler at ausics.net (Noel Butler)
Date: Fri Sep 2 11:41:21 2011
Subject: Process did not exit cleanly.
In-Reply-To: <1293662621.5468.10.camel@tardis>
References: <4D1ADA82.9070002@tartan.co.za> <1293662621.5468.10.camel@tardis>
Message-ID: <1314960067.26522.4.camel@tardis>

Skipped content of type multipart/alternative

From maxsec at gmail.com Fri Sep 2 12:18:43 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Sep 2 12:18:52 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

How can you tell if it's a good double extension file (ie what the server
THINKS NOW is non-spam/non-malware) vs what is actually bad vs a new virus
signature that comes after the event that would flag the file as
problematic? The double extn trap is designed to solve a particular trick
the bad guys started playing years ago and the AV's weren't picking them up
fast enough.
Drop the double extn check and let them through if this is causing too many
issues (false positives) - you can even do this on a per recipient/domain
level (
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading)
for common recipients of this stuff, or educate the users that it's bad and
wrong and they should clean up the filenames before sending. Or both!

Either

--
Martin Hepworth
Oxford, UK

On 2 September 2011 11:20, Joolee wrote:

> A feature that I would like to be able to disable ;)
>
> "Why would you want to spend precious resources on a meaningless check,
> when you already decided to stop the offending attachment?!"
> To inform my paying user why the contract he's been waiting for was
> blocked.
>
> I think I already made quite clear why it's not an option for me to
> completely block them. I can't see why other users can't be bothered by it,
> maybe they just accept that they can't solve it? (Not my way of handling
> problems)

From maxsec at gmail.com Fri Sep 2 12:24:45 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Sep 2 12:24:55 2011
Subject: Process did not exit cleanly.
In-Reply-To: <1314960067.26522.4.camel@tardis>
References: <4D1ADA82.9070002@tartan.co.za> <1293662621.5468.10.camel@tardis> <1314960067.26522.4.camel@tardis>
Message-ID:

you checked the change log??

http://mailscanner.info/ChangeLog

not been that many updates during the last twelve months..there's been a
fair amount of work done on taint issues and Jules was seen working on some
of the last ones a couple of days ago.

--
Martin Hepworth
Oxford, UK

On 2 September 2011 11:41, Noel Butler wrote:

> Well, it's been some time now (2010) since we've used mailscanner given the
> below issues and many months since I've bothered to read this list, just
> curious if this bug was ever seriously looked into, and resolved? or still
> broken?
> > Cheers > > (PS - dont ask for more log debug output and modules lists etc, Julian was > given all this October 2010) > > > > On Thu, 2010-12-30 at 08:43 +1000, Noel Butler wrote: > > Paul, > On Wed, 2010-12-29 at 08:51 +0200, Paul Malherbe wrote: > > Hello > > I am continually getting the following messages in my messages file: > > Dec 29 02:44:20 server MailScanner: Process did not exit cleanly, returned 1 with signal 0 > Dec 29 02:44:35 server last message repeated 3 times > Dec 29 02:44:40 server MailScanner: Process did not exit cleanly, returned 0 with signal 13 > > How can I find out what is causing them? > > > > If you disable spamassassin it will go away? > It seems related to OS's with a modern perl, I saw this on an install of > Slackware 13.1, where as 13.0 was fine. Perl changed from 5.10.0. to 5.10.1 > > I did report this to Julian over a month ago, he could not reproduce it, I > sent him a list of installed perl modules, but being this time of year > wasn't going to prod him again until mid January (getting over festive > season and all) to see if he had found a suspected culprit. > > But if you can do as Hugo suggested, as the more info from different people > should help, as I predicted, this would become more of an issue as more > people stopped using old OS's and moved to modern times. :) > > Noel > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110902/e974d7b7/attachment.html
From mailscanner at joolee.nl Fri Sep 2 12:42:33 2011
From: mailscanner at joolee.nl (Joolee)
Date: Fri Sep 2 12:43:23 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

"How can you tell if it's a good double extension file (ie what the server THINKS NOW is non-spam/non-malware)"

You can't, that's my whole point. I think the behavior to just replace the file with a warning message and send the mail through is the perfect solution. My only problem is that this method should NOT be used when the mail hits other spam traps. (Virus Scanner, Spamassassin) In that case, the message should just be handled like any other spam message.

What happens now is that the file with double extension (or other stuff hitting the file name rules like ridiculously long file names) gets replaced with a warning message and directly sent to the recipient. Mailscanner doesn't care if it's a spam message or not. This places phishing or spam messages in my users' mailboxes. The harmful attachments are stripped but the message should have been blocked because it would've hit other spam traps IF Mailscanner would take the trouble of processing the message further.

I could just block all E-mails completely that hit such rules but with the amount of false positives, that's not an option. Disabling these rules altogether is possible but not a long term solution.

I'm trying to revert the 20090730 changes in the MailScanner binary. That will probably solve it but isn't very convenient with future updates.

On 2 September 2011 13:18, Martin Hepworth wrote:

> How can you tell if it's a good double extension file (ie what the server
> THINKS NOW is non-spam/non-malware) vs what is actually bad vs a new virus
> signature that comes after the event that would flag the file as
> problematic. The double extn trap is designed to solve a particular trick
> the bad guys started playing years ago and the AV's weren't picking them up
> fast enough.
>
> drop the double extn check and let them through if this is causing too
> many issues (false positives) - you can even do this on a per
> recipient/domain level (
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading)
> for common recipients of this stuff, or educate the users that it's bad and
> wrong and they should cleanup the filenames before sending. or both!
>
> Either
>
> --
> Martin Hepworth
> Oxford, UK
>
> On 2 September 2011 11:20, Joolee wrote:
>
>> A feature that I would like to be able to disable ;)
>>
>> "Why would you want to spend precious resources on a meaningless check,
>> when you already decided to stop the offending attachment?!"
>> To inform my paying user why the contract he's been waiting for was
>> blocked.
>>
>> I think I already made quite clear why it's not an option for me to
>> completely block them. I can't see why other users can't be bothered by it,
>> maybe they just accept that they can't solve it? (Not my way of handling
>> problems)
>>
>> On 1 September 2011 23:07, Glenn Steen wrote:
>>
>>> That's not a problem, it's a feature... And a much needed one at that!
>>> Why would you want to spend precious resources on a meaningless check,
>>> when you already decided to stop the offending attachment?!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110902/e7e527d0/attachment.html
From rcooper at dwford.com Fri Sep 2 13:58:07 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Sep 2 13:58:24 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk><4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Joolee
Sent: Friday, September 02, 2011 6:20 AM
To: MailScanner discussion
Subject: Re: MS Doesn't completely block spam with faulty attachments

A feature that I would like to be able to disable ;)

"Why would you want to spend precious resources on a meaningless check, when you already decided to stop the offending attachment?!"
To inform my paying user why the contract he's been waiting for was blocked.

I think I already made quite clear why it's not an option for me to completely block them. I can't see why other users can't be bothered by it, maybe they just accept that they can't solve it? (Not my way of handling problems)

[Rick Cooper]
Seems like you need to modify your multiple extension rules to include dangerous extensions and ignore the rest. for instance a rule like /\.(exe|com|bat|vbs)\..+$/ would allow "something.good.doc.pdf" but would catch "something.bad.doc.exe.pdf". Of course you would want (exe|vbs|com|bat) to include extensions that you feel should be blocked in the multiple extension rule.

I had to change mine long ago because there are a *lot* of people who create file names like "something.good.09.01.2011.doc". The default rules are there for out of the box functionality but you can modify them as required for your given situation and clearly you need to pass multiple extensions that are not likely to be malware. With MailScanner you can generally solve any issues without accepting the default rules, or asking for something else to be added either.

There has been discussion in the past regarding being able to define the order in which the processing events take place but this would require a HUGE change in the core of MailScanner and Julian does have a job that puts food on the table. Unless MailScanner evolves into a programming team or group that is not likely to ever happen.

On 1 September 2011 23:07, Glenn Steen wrote:

That's not a problem, it's a feature... And a much needed one at that!
Why would you want to spend precious resources on a meaningless check, when you already decided to stop the offending attachment?!
Don't deliver it at all, if it bothers you;-)

Cheers
--
-- Glenn

On 1 Sep 2011 19:12, "Joolee" wrote:

> The problem with the current spam is that they're blocked for containing exe
> files, not double file extensions (Although they would've hit that one if
> exe's were not blocked.)
>
> Only quick temporary solution is to disable all file-name validation because
> this can occur with more than just exe files and double extensions. This is
> no final solution though.
>
> On 1 September 2011 18:40, Kevin Miller wrote:
>
>> Easiest thing to do in that case is to comment out the line in
>> filename.rules.conf that disallows double extensions. The message will be
>> accepted as normal and go through the additional tests (is it an executable,
>> is it a virus, is it spam, etc.)
>>
>> ...Kevin
>> --
>> Kevin Miller Registered Linux User No: 307357
>> CBJ MIS Dept. Network Systems Admin., Mail Admin.
>> 155 South Seward Street ph: (907) 586-0242
>> Juneau, Alaska 99801 fax: (907 586-4500
>>
>> ------------------------------
>> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
>> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Joolee
>> *Sent:* Thursday, September 01, 2011 7:32 AM
>> *To:* MailScanner discussion
>> *Subject:* Re: MS Doesn't completely block spam with faulty attachments
>>
>> I agree that it isn't a good idea to notify the sender of a spam or virus
>> message I'm not planning to do that, I know the troubles of backscatter.
>>
>> What I've configured is that if a user sends a completely normal
>> (non-virus, non-spam) E-mail but with, for instance, a file named
>> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers). The
>> server sends out a warning to sender and the original message stripped of
>> its attachment to the recipient of the message. Notifying the sender is not
>> strictly necessary but if this is only done for such non-virus, non-spam
>> message, it isn't a problem either.
>>
>> The situation that bugs me is when some spam message with a file named
>> "CurriculumVitae.doc.pdf" is received. The message hits the filename rule
>> and *isn't processed any further to check if it's a spam message*. Because
>> it isn't processed any further, the warning messages are sent out to both
>> sender and original recipient.
>>
>> As I stated before, I can disable the sender notification. What I can't do
>> is tell my customers (the recipients) that such wrongly named files, most
>> containing important documents, are silently discarded. Sending spam to my
>> customers that could have been recognized isn't an option either.
>>
>> The simplest solution, I think, would be to *continue processing* the
>> message after a file name rule is hit, decide if the E-mail is HAM and in
>> that case, send out the notifications. If the E-mail is spam, silently
>> discard it.
>> It would add a bit of load to the server but stopping spam is what it's all
>> about, isn't it? :P
>>
>> On 1 September 2011 16:34, Julian Field wrote:
>>
>>> He's probably switched on some "Notify Senders" options. Bad idea :-(
>>>
>>> On 01/09/2011 12:32, Martin Hepworth wrote:
>>>
>>>> what version of MS?
>>>>
>>>> I never inform the sender of junk as you end up with fake messages sent
>>>> out.
>>>>
>>>> --
>>>> Martin Hepworth
>>>> Oxford, UK
>>>>
>>>> On 1 September 2011 08:17, Joolee <mailscanner@joolee.nl> wrote:
>>>>
>>>> Hallo Everybody,
>>>>
>>>> I've experienced a small flood of virus E-mails. These E-mails
>>>> (subj.: "ACH Payment *random number* Canceled") contain
>>>> attachments named like: "report_082011-65.pdf.exe"
>>>> They obviously get blocked by the "no executables" and "No double
>>>> file extensions" rules. The problem is that after blocking them,
>>>> an automated E-mail is sent to the original recipient and the
>>>> (faked) sender of the message, informing them of the blocked
>>>> attachment.
>>>>
>>>> Had the E-mails been processed further, they would've probably hit
>>>> the virusscanner (not tested) or spamassassin (gives a score of 27
>>>> when tested) and the E-mail would've silently been discarded as a
>>>> virus / spam / phishing.
>>>>
>>>> Is it possible to let the MailScanner continue its processing
>>>> when hitting the file name rules and / or running the filename
>>>> rule at a later time?
>>>>
>>>> Jules
>>>>
>>>> --
>>>> Julian Field MEng CITP CEng
>>>> www.MailScanner.info
>>>>
>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>> Need help customising MailScanner? Contact me!
>>>>
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>> Follow me at twitter.com/JulesFM
>>>>
>>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011
>>>> 'All programs have a desire to be useful' - Tron, 1982

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110902/bbdfb885/attachment-0001.html
From kristofer at cybernetik.net Sat Sep 3 20:19:54 2011
From: kristofer at cybernetik.net (Kristofer Pettijohn)
Date: Sat Sep 3 20:19:54 2011
Subject: Disable spam processing for account
Message-ID: <3E2526D6-912B-4358-A232-6884FA0A26F6@cybernetik.net>

Hello,

Is it possible to disable spam scanning for an account, or a list of accounts? I have a few backup accounts where I want it to skip spam scanning and simply just deliver everything.

I was thinking that "SpamAssassin Rule Actions" would be an ideal place for this, but I don't quite understand the ruleset enough to know how to accomplish this.
I am currently having MailScanner set a header in the email and deliver, and then my mail server filters it into a "Junk" folder. I would like it to not add this header for a certain list of accounts.

Spam Actions = deliver header "X-Organization-Spam-Status: Yes"

Thanks in advance

From maxsec at gmail.com Sat Sep 3 20:52:00 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Sat Sep 3 20:52:09 2011
Subject: Disable spam processing for account
In-Reply-To: <3E2526D6-912B-4358-A232-6884FA0A26F6@cybernetik.net>
References: <3E2526D6-912B-4358-A232-6884FA0A26F6@cybernetik.net>
Message-ID:

The mailscanner.conf setting you want to hang the ruleset off is "spam checks". Look in the rules dir and you'll see plenty of examples of how to set this up.

Also check the wiki for more examples

Martin

On Saturday, 3 September 2011, Kristofer Pettijohn wrote:
> Hello,
>
> Is it possible to disable spam scanning for an account, or a list of accounts? I have a few backup accounts where I want it to skip spam scanning and simply just deliver everything.
>
> I was thinking that "SpamAssassin Rule Actions" would be an ideal place for this, but I don't quite understand the ruleset enough to know how to accomplish this.
>
> I am currently having MailScanner set a header in the email and deliver, and then my mail server filters it into a "Junk" folder. I would like it to not add this header for a certain list of accounts.
>
> Spam Actions = deliver header "X-Organization-Spam-Status: Yes"
>
> Thanks in advance

--
--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110903/c9015df8/attachment.html
From kristofer at cybernetik.net Sat Sep 3 21:23:28 2011
From: kristofer at cybernetik.net (Kristofer Pettijohn)
Date: Sat Sep 3 21:23:38 2011
Subject: Disable spam processing for account
In-Reply-To:
Message-ID:

Ahh, I missed that it can be a rule set. Thank you.

----- Original Message -----
From: "Martin Hepworth"
To: "MailScanner discussion"
Sent: Saturday, September 3, 2011 2:52:00 PM
Subject: Re: Disable spam processing for account

The mailscanner.conf setting you want to hang the ruleset off is "spam checks". Look in the rules dir and you'll see plenty of examples of how to set this up.

Also check the wiki for more examples

Martin

On Saturday, 3 September 2011, Kristofer Pettijohn < kristofer@cybernetik.net > wrote:
> Hello,
>
> Is it possible to disable spam scanning for an account, or a list of accounts? I have a few backup accounts where I want it to skip spam scanning and simply just deliver everything.
>
> I was thinking that "SpamAssassin Rule Actions" would be an ideal place for this, but I don't quite understand the ruleset enough to know how to accomplish this.
>
> I am currently having MailScanner set a header in the email and deliver, and then my mail server filters it into a "Junk" folder. I would like it to not add this header for a certain list of accounts.
>
> Spam Actions = deliver header "X-Organization-Spam-Status: Yes"
>
> Thanks in advance
>
--
--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110903/d0d33514/attachment.html
From MailScanner at ecs.soton.ac.uk Sun Sep 4 11:14:30 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Sep 4 11:14:46 2011
Subject: Disable spam processing for account
In-Reply-To:
References: <4E634F86.5080102@ecs.soton.ac.uk>
Message-ID:

Just found one feature I remembered writing but can't find in the docs.

If you make a ruleset file that looks like this 1 line:
    FromOrTo: /etc/my_addresses.txt no
Then you put 1 "pattern" (i.e. what would go in the 2nd field in a ruleset line) per line in /etc/my_addresses.txt.
Then it just duplicates the "FromOrTo: ..... no" rule for every line read from /etc/my_addresses.txt.

The result is this.
If you have a lot of entries with the same rule result (such as in a spam whitelist for example), you don't have to generate a ruleset file which looks like
    FromOrTo: customer@client.com yes
    FromOrTo: customer2@client.com yes
    FromOrTo: customer3@client2.com yes
    .........
All you actually need to do is create the ruleset file to look like this 1 line:
    FromOrTo: /etc/MailScanner/MyCustomers.txt yes
and then generate a file /etc/MailScanner/MyCustomers.txt which contains a list of all your customers' email addresses, like this
    customer@client.com
    customer2@client.com
    customer3@client2.com
    ..........

The advantage is that the code to generate the file is a lot simpler, and you don't have to worry so much about syntax. And maybe you can just copy the file from somewhere else in your system and not have to specifically generate it *at all*.

Just thought you might like to know that one. Why I never documented it, I really don't know. Sorry!

Cheers,
Jules.

P.S. In the above message, all the indents at the start of the lines are purely there so you can see what is sample file contents and what are my ramblings. You shouldn't actually put the indents at the start of the lines in the config files!

On 03/09/2011 21:23, Kristofer Pettijohn wrote:
> Ahh, I missed that it can be a rule set. Thank you.
>
> ------------------------------------------------------------------------
> *From: *"Martin Hepworth"
> *To: *"MailScanner discussion"
> *Sent: *Saturday, September 3, 2011 2:52:00 PM
> *Subject: *Re: Disable spam processing for account
>
> The mailscanner.conf setting you want to hang the ruleset off is "spam
> checks". Look in the rules dir and you'll see plenty of examples of
> how to set this up.
>
> Also check the wiki for more examples
>
> Martin
>
> On Saturday, 3 September 2011, Kristofer Pettijohn wrote:
> > Hello,
> >
> > Is it possible to disable spam scanning for an account, or a list of
> accounts? I have a few backup accounts where I want it to skip spam
> scanning and simply just deliver everything.
> >
> > I was thinking that "SpamAssassin Rule Actions" would be an ideal
> place for this, but I don't quite understand the ruleset enough to
> know how to accomplish this.
> >
> > I am currently having MailScanner set a header in the email and
> deliver, and then my mail server filters it into a "Junk" folder. I
> would like it to not add this header for a certain list of accounts.
> >
> > Spam Actions = deliver header "X-Organization-Spam-Status: Yes"
> >
> > Thanks in advance
> >
> --
> --
> Martin Hepworth
> Oxford, UK
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lhaig at haigmail.com Sun Sep 4 12:15:07 2011
From: lhaig at haigmail.com (Lance Haig)
Date: Sun Sep 4 12:15:24 2011
Subject: Building MAilscanner without breaking perl
Message-ID: <4E635DBB.5030809@haigmail.com>

Hi Guys,

I myself have suffered the perl breakage after trying to upgrade my MailScanner server OS for security patches.

I am now trying to build a new server but I know that it has been mentioned in the past that it is possible to use the built in Perl modules for MailScanner in place of the ones in the install package.

Has someone done this and prepared to share how they did it?

Thanks

Lance

--
This message was scanned by Better Hosted and is believed to be clean.
http://www.betterhosted.com

From MailScanner at ecs.soton.ac.uk Sun Sep 4 16:22:53 2011
From: MailScanner at ecs.soton.ac.uk (Jules Field)
Date: Sun Sep 4 16:23:07 2011
Subject: Building MAilscanner without breaking perl
In-Reply-To: <4E635DBB.5030809@haigmail.com>
References: <4E635DBB.5030809@haigmail.com> <4E6397CD.6050100@ecs.soton.ac.uk>
Message-ID:

In the end, you can just "rpm -Uvh" the MailScanner*rpm file without installing anything else.

On 04/09/2011 12:15, Lance Haig wrote:
> Hi Guys,
>
> I myself have suffered the perl breakage after trying to upgrade my
> MailScanner server OS for security patches.
>
> I am now trying to build a new server but I know that it has been
> mentioned in the past that it is possible to use the built in Perl
> modules for MailScanner in place of the ones in the install package.
>
> Has someone done this and prepared to share how they did it?
>
> Thanks
>
> Lance
>
> --
> This message was scanned by Better Hosted and is believed to be clean.
> http://www.betterhosted.com
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982

From ak6783 at gmail.com Mon Sep 5 10:53:58 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Mon Sep 5 10:54:27 2011
Subject: I want add to mailscanner archives
Message-ID:

Hello,
I want to add to mailscanner archives.
How to add it?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110905/60ca8bdd/attachment.html
From ak6783 at gmail.com Mon Sep 5 15:49:03 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Mon Sep 5 15:49:32 2011
Subject: I have Sign Clean Messages this problem
Message-ID:

Hello,
My OS is Fedora 13 and install MailScanner 4.84.3
I found Sign Clean Messages this function can't append message to mail.
I have set Sign Clean Messages = yes
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
I make sure all file is ok.
But I can't see any append message at mail when I send mail.
How to fix it?
Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110905/1664f172/attachment.html

From jeremy at fluxlabs.net Mon Sep 5 15:52:22 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Mon Sep 5 15:53:16 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

I believe signing takes place in the header. Look for the Signature part of
Mailscanner.conf.

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 5, 2011, at 9:51 AM, ??? wrote:

> Hello,
> My OS is Fedora 13 and install MailScanner 4.84.3
> I found Sign Clean Messages this function can't append message to mail.
> I have set Sign Clean Messages = yes
> Inline HTML Signature = %report-dir%/inline.sig.html
> Inline Text Signature = %report-dir%/inline.sig.txt
> I make sure all file is ok.
> But I can't see any append message at mail when I send mail.
> How to fix it?
> Thanks a lot.

From ak6783 at gmail.com Mon Sep 5 16:21:17 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Mon Sep 5 16:21:49 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

Thank for your respond.
I want append Inline HTML Signature to mail end.
In previous version.
I only set Sign Clean Messages and Inline HTML Signature is all ok.
But the same settings in MailScanner 4.84.3.
This function can't append Inline HTML Signature in mail end.

2011/9/5 Jeremy McSpadden

> I believe signing takes place in the header. Look for the Signature part of
> Mailscanner.conf.
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
>
> On Sep 5, 2011, at 9:51 AM, 吳汝剛 wrote:
>
> > Hello,
> > My OS is Fedora 13 and install MailScanner 4.84.3
> > I found Sign Clean Messages this function can't append message to mail.
> > I have set Sign Clean Messages = yes
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > I make sure all file is ok.
> > But I can't see any append message at mail when I send mail.
> > How to fix it?
> > Thanks a lot.

--
吳汝剛
Personal website http://pc.aspa.idv.tw
Personal Blog http://ak6783.blogspot.com/
Twitter http://twitter.com/akong77
Plurk http://www.plurk.com/akong77
Facebook http://www.facebook.com/akong77
Email (1) : akong@aspa.idv.tw
Email (2) : ak6783@gmail.com
Mobile : 0960599655
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110905/eb722b84/attachment.html

From ak6783 at gmail.com Tue Sep 6 01:52:02 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 01:52:33 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

Sign Clean Messages I found no effect.
I will not be set to yes at the end of each letter with a description of Inline HTML Signature
I'm sure the files inside the folder report exists
I MailScanner version 4.84.3
The operating system is Fedora 13 and has been updated to the latest package

2011/9/5 Jeremy McSpadden

> I believe signing takes place in the header. Look for the Signature part of
> Mailscanner.conf.
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
>
> On Sep 5, 2011, at 9:51 AM, 吳汝剛 wrote:
>
> > Hello,
> > My OS is Fedora 13 and install MailScanner 4.84.3
> > I found Sign Clean Messages this function can't append message to mail.
> > I have set Sign Clean Messages = yes
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > I make sure all file is ok.
> > But I can't see any append message at mail when I send mail.
> > How to fix it?
> > Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/422ba78e/attachment.html

From jeremy at fluxlabs.net Tue Sep 6 02:00:53 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 6 02:01:17 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

Check your language directory.

Mailscanner/reports//

Inline.sig.html
Inline.sig.txt

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of ???
Sent: Monday, September 05, 2011 7:52 PM
To: MailScanner discussion
Subject: Re: I have Sign Clean Messages this problem

Sign Clean Messages I found no effect.
I will not be set to yes at the end of each letter with a description of Inline HTML Signature
I'm sure the files inside the folder report exists
I MailScanner version 4.84.3
The operating system is Fedora 13 and has been updated to the latest package

2011/9/5 Jeremy McSpadden

I believe signing takes place in the header. Look for the Signature part of Mailscanner.conf.

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 5, 2011, at 9:51 AM, 吳汝剛 wrote:

> Hello,
> My OS is Fedora 13 and install MailScanner 4.84.3
> I found Sign Clean Messages this function can't append message to mail.
> I have set Sign Clean Messages = yes
> Inline HTML Signature = %report-dir%/inline.sig.html
> Inline Text Signature = %report-dir%/inline.sig.txt
> I make sure all file is ok.
> But I can't see any append message at mail when I send mail.
> How to fix it?
> Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110905/6304cde2/attachment.html

From ak6783 at gmail.com Tue Sep 6 02:18:59 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 02:19:28 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

This my settings.

# Set the directory containing all the reports in the required language
%report-dir% = /etc/MailScanner/reports/en

# Set where to find the HTML and text versions that will be added to the
# end of all clean messages, if "Sign Clean Messages" is set.
# These can also be the filenames of rulesets.
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt

# Add the "Inline HTML Signature" or "Inline Text Signature" to the end
# of uninfected messages?
# If you add your own signature in your email application, and include the
# magic token "_SIGNATURE_" in your email message, the signature will be
# inserted just there, rather than at the end of the message.
# This can also be the filename of a ruleset.
Sign Clean Messages = yes

pwd
/etc/MailScanner/reports/en

ls -la
total 136
drwxr-xr-x. 2 root root 4096 Sep 6 09:05 .
drwxr-xr-x. 18 root root 4096 Oct 25 2007 ..
-rw-r--r-- 1 root root 704 Aug 20 20:32 deleted.content.message.txt
-rw-r--r-- 1 root root 579 Aug 20 20:32 deleted.filename.message.txt
-rw-r--r-- 1 root root 578 Aug 20 20:32 deleted.size.message.txt
-rw-r--r-- 1 root root 672 Aug 20 20:32 deleted.virus.message.txt
-rw-r--r-- 1 root root 345 Aug 20 20:32 disinfected.report.txt
-rw-r--r-- 1 root root 187 Aug 20 20:32 inline.sig.html
-rw-r--r-- 1 root root 113 Aug 20 20:32 inline.sig.txt
-rw-r--r-- 1 root root 502 Aug 20 20:32 inline.spam.warning.txt
-rw-r--r-- 1 root root 202 Aug 20 20:32 inline.warning.html
-rw-r--r-- 1 root root 165 Aug 20 20:32 inline.warning.txt
-rw-r--r-- 1 root root 5287 Sep 5 15:24 languages.conf
-rw-r--r-- 1 root root 5287 Aug 20 20:32 languages.old
-rw-r--r-- 1 root root 720 Aug 20 20:32 recipient.mcp.report.txt
-rw-r--r-- 1 root root 956 Aug 20 20:32 recipient.spam.report.txt
-rw-r--r-- 1 root root 480 Aug 20 20:32 rejection.report.txt
-rw-r--r-- 1 root root 797 Aug 20 20:32 sender.content.report.txt
-rw-r--r-- 1 root root 810 Aug 20 20:32 sender.error.report.txt
-rw-r--r-- 1 root root 634 Aug 20 20:32 sender.filename.report.txt
-rw-r--r-- 1 root root 581 Aug 20 20:32 sender.mcp.report.txt
-rw-r--r-- 1 root root 795 Aug 20 20:32 sender.size.report.txt
-rw-r--r-- 1 root root 742 Aug 20 20:32 sender.spam.rbl.report.txt
-rw-r--r-- 1 root root 817 Aug 20 20:32 sender.spam.report.txt
-rw-r--r-- 1 root root 797 Aug 20 20:32 sender.spam.sa.report.txt
-rw-r--r-- 1 root root 616 Aug 20 20:32 sender.virus.report.txt
-rw-r--r-- 1 root root 869 Aug 20 20:32 stored.content.message.txt
-rw-r--r-- 1 root root 746 Aug 20 20:32 stored.filename.message.txt
-rw-r--r-- 1 root root 757 Aug 20 20:32 stored.size.message.txt
-rw-r--r-- 1 root root 730 Aug 20 20:32 stored.virus.message.txt

vi inline.sig.html
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

All settings should be all right?

Jeremy McSpadden wrote on 6 September 2011 at 9:00 AM:

> Check your language directory.
>
> Mailscanner/reports//
>
> Inline.sig.html
>
> Inline.sig.txt
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> *Office* : 850-588-4626
> *Cell* : 850-890-2543
> *Fax* : 850-254-2955
>
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of* ???
> *Sent:* Monday, September 05, 2011 7:52 PM
> *To:* MailScanner discussion
> *Subject:* Re: I have Sign Clean Messages this problem
>
> Sign Clean Messages I found no effect.
> I will not be set to yes at the end of each letter with a description of Inline
> HTML Signature
> I'm sure the files inside the folder report exists
> I MailScanner version 4.84.3
> The operating system is Fedora 13 and has been updated to the latest
> package
>
> 2011/9/5 Jeremy McSpadden
>
> I believe signing takes place in the header. Look for the Signature part of
> Mailscanner.conf.
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
> On Sep 5, 2011, at 9:51 AM, 吳汝剛 wrote:
>
> > Hello,
> > My OS is Fedora 13 and install MailScanner 4.84.3
> > I found Sign Clean Messages this function can't append message to mail.
> > I have set Sign Clean Messages = yes
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > I make sure all file is ok.
> > But I can't see any append message at mail when I send mail.
> > How to fix it?
> > Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/9e2a651f/attachment.html

From ak6783 at gmail.com Tue Sep 6 03:00:05 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 03:00:35 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

Hello,
You are using MailScanner version and I was the same?
You can send a letter and use the Clean Message this feature?
I am using MailScanner 4.84.3
Thank you

Jeremy McSpadden wrote on 6 September 2011 at 9:00 AM:

> Check your language directory.
>
> Mailscanner/reports//
>
> Inline.sig.html
>
> Inline.sig.txt
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> *Office* : 850-588-4626
> *Cell* : 850-890-2543
> *Fax* : 850-254-2955
>
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of* ???
> *Sent:* Monday, September 05, 2011 7:52 PM
> *To:* MailScanner discussion
> *Subject:* Re: I have Sign Clean Messages this problem
>
> Sign Clean Messages I found no effect.
> I will not be set to yes at the end of each letter with a description of Inline
> HTML Signature
> I'm sure the files inside the folder report exists
> I MailScanner version 4.84.3
> The operating system is Fedora 13 and has been updated to the latest
> package
>
> 2011/9/5 Jeremy McSpadden
>
> I believe signing takes place in the header. Look for the Signature part of
> Mailscanner.conf.
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
> On Sep 5, 2011, at 9:51 AM, 吳汝剛 wrote:
>
> > Hello,
> > My OS is Fedora 13 and install MailScanner 4.84.3
> > I found Sign Clean Messages this function can't append message to mail.
> > I have set Sign Clean Messages = yes
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > I make sure all file is ok.
> > But I can't see any append message at mail when I send mail.
> > How to fix it?
> > Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/885799f5/attachment.html

From ak6783 at gmail.com Tue Sep 6 05:06:48 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 05:07:17 2011
Subject: MailScanner 4.84.3 can't block set deny file.
Message-ID:

I found a very strange thing
Mailscanner default will block scr file extension
I also checked to confirm set to deny
But I check the maillog that MailScanner, and is not blocking the file
What is MailScanner 4.84.3 problem?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/4e2d6e37/attachment.html

From jeremy at fluxlabs.net Tue Sep 6 05:13:08 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 6 05:14:53 2011
Subject: MailScanner 4.84.3 can't block set deny file.
In-Reply-To:
References:
Message-ID: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net>

Are you sure you're editing the right files? Seems nothing you're doing is working. Reloaded MailScanner's process?

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 5, 2011, at 11:08 PM, ??? wrote:

> I found a very strange thing
> Mailscanner default will block scr file extension
> I also checked to confirm set to deny
> But I check the maillog that MailScanner, and is not blocking the file
> What is MailScanner 4.84.3 problem?

From ak6783 at gmail.com Tue Sep 6 05:49:06 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 05:49:36 2011
Subject: MailScanner 4.84.3 can't block set deny file.
In-Reply-To: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net>
References: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net>
Message-ID:

I set the following
deny \. scr $ Possible virus hidden in a screensaver
These are the MailScanner configuration after installation
I have to restart the MailScanner
But still can not file blocking

2011/9/6 Jeremy McSpadden

> Are you sure you're editing the right files? Seems nothing you're doing is
> working. Reloaded MailScanner's process?
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
>
> On Sep 5, 2011, at 11:08 PM, 吳汝剛 wrote:
>
> > I found a very strange thing
> > Mailscanner default will block scr file extension
> > I also checked to confirm set to deny
> > But I check the maillog that MailScanner, and is not blocking the file
> > What is MailScanner 4.84.3 problem?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/6d4f75ec/attachment.html

From ak6783 at gmail.com Tue Sep 6 05:50:05 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 05:50:36 2011
Subject: MailScanner 4.84.3 can't block set deny file.
In-Reply-To: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net>
References: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net>
Message-ID:

I set the following
deny \.scr$ Possible virus hidden in a screensaver
These are the MailScanner configuration after installation
I have to restart the MailScanner
But still can not file blocking

2011/9/6 Jeremy McSpadden

> Are you sure you're editing the right files? Seems nothing you're doing is
> working. Reloaded MailScanner's process?
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
>
> On Sep 5, 2011, at 11:08 PM, 吳汝剛 wrote:
>
> > I found a very strange thing
> > Mailscanner default will block scr file extension
> > I also checked to confirm set to deny
> > But I check the maillog that MailScanner, and is not blocking the file
> > What is MailScanner 4.84.3 problem?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/7511f96e/attachment.html

From talklists at elive.net Tue Sep 6 11:33:41 2011
From: talklists at elive.net (Elive)
Date: Tue Sep 6 11:33:54 2011
Subject: whitelist by subject
Message-ID: <4E65F705.7020105@elive.net>

Sorry if this has been asked before, but is there any easy way to do
Whitelist/Blacklist by Subject in MailScanner using ByDomain setup?

I don't want to do this using header checks in the MTA.

Thanks
Sean

From homyang4u at gmail.com Tue Sep 6 13:04:48 2011
From: homyang4u at gmail.com (homyang cha)
Date: Tue Sep 6 13:04:57 2011
Subject: Not Allowing Multiple HTML Signatures
Message-ID:

Hello Experts
I have been trying to avoid multiple html signatures from being attached to
replied and forwarded mails with no success. Can anyone who has done this
before or have any idea on this help me. My Configuration are as follows:

1. MailScanner.conf
Allow Multiple HTML Signatures = no

2. inline.sig.html

--
MailScanner Signature CompanyName
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3

Thank you in advance.

--
homyang (aka puran)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/85660ba3/attachment.html

From ak6783 at gmail.com Tue Sep 6 13:19:36 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 13:20:05 2011
Subject: Not Allowing Multiple HTML Signatures
In-Reply-To:
References:
Message-ID:

I think that is the signature feature can not be used in the 4.84.3 version
I originally set Sign Clean Message is not available

2011/9/6 homyang cha

> Hello Experts
> I have been trying to avoid multiple html signatures from being attached to
> replied and forwarded mails with no success. Can anyone who has done this
> before or have any idea on this help me. My Configuration are as follows:
>
> 1. MailScanner.conf
> Allow Multiple HTML Signatures = no
>
> 2. inline.sig.html
>
> --
> MailScanner Signature CompanyName
> This message has been scanned for viruses and
> dangerous content by
> MailScanner, and is
> believed to be clean.
>
> 3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3
>
> Thank you in advance.
>
> --
> homyang (aka puran)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/296ce6ee/attachment.html

From MailScanner at ecs.soton.ac.uk Tue Sep 6 13:49:44 2011
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Sep 6 13:49:58 2011
Subject: Not Allowing Multiple HTML Signatures
In-Reply-To:
References: <4E6616E8.1010302@ecs.soton.ac.uk>
Message-ID:

Please read the comments given to you in the MailScanner.conf file.
Immediately above the "Allow Multiple HTML Signatures" setting is this
text, which explains what you need to put in "inline.sig.html" for this
feature to work:

# If the "alt" tag appears, and contains the word "MailScanner" and the
# word "Signature" and the %org-name% you specified at the top of this file,
# then the message is considered to already be signed. If this option is
# also set to "no", then it will not be signed again.

On 06/09/2011 13:04, homyang cha wrote:
> Hello Experts
> I have been trying to avoid multiple html signatures from being
> attached to replied and forwarded mails with no success. Can anyone
> who has done this before or have any idea on this help me. My
> Configuration are as follows:
>
> 1. MailScanner.conf
> Allow Multiple HTML Signatures = no
>
> 2. inline.sig.html
>
> --
> MailScanner Signature CompanyName
> This message has been scanned for viruses and
> dangerous content by
> MailScanner, and is
> believed to be clean.
>
> 3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3
>
> Thank you in advance.
>
> --
> homyang (aka puran)
>
>
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
>
> Buy the MailScanner book at www.MailScanner.info/store
> Need help customising MailScanner? Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
>
> 'It's okay to live without all the answers' - Charlie Eppes, 2011
> 'All programs have a desire to be useful' - Tron, 1982

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From markus at markusoft.se Tue Sep 6 14:42:26 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Tue Sep 6 14:42:43 2011
Subject: Not Allowing Multiple HTML Signatures
In-Reply-To:
Message-ID: <4e0b5894-6041-4b86-9620-3e0784d9368b@cronlabworkstation0>

I actually believe there is a bug preventing this from working, I submitted a patch for this some time ago, which works fine for me!

http://permalink.gmane.org/gmane.mail.virus.mailscanner/76454

/Markus

----- Original message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: Tuesday, 6 Sep 2011 14:49:44
> Subject: Re: Not Allowing Multiple HTML Signatures
> Please read the comments given to you in the MailScanner.conf file.
> Immediately above the "Allow Multiple HTML Signatures" setting is
> this
> text, which explains what you need to put in "inline.sig.html" for
> this
> feature to work:
> # If the "alt" tag appears, and contains the word "MailScanner" and
> the
> # word "Signature" and the %org-name% you specified at the top of
> this file,
> # then the message is considered to already be signed. If this option
> is
> # also set to "no", then it will not be signed again.
> On 06/09/2011 13:04, homyang cha wrote: > > Hello Experts > > I have been trying to avoid multiple html signatures from being > > attached to replied and forwarded mails with no success. Can anyone > > who has done this before or have any idea on this help me. My > > Configuration are as follows: > > > > 1. MailScanner.conf > > Allow Multiple HTML Signatures = no > > > > 2. inline.sig.html > > > >
-- > >
MailScanner Signature CompanyName > >
This message has been scanned for viruses and > >
dangerous content by > > MailScanner, and > > is > >
believed to be clean. > > > > 3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3 > > > > Thank you in advance. > > > > -- > > homyang (aka puran) > > > > > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > > > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > Follow me at twitter.com/JulesFM > > > > 'It's okay to live without all the answers' - Charlie Eppes, 2011 > > 'All programs have a desire to be useful' - Tron, 1982 > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > Before posting, read http://wiki.mailscanner.info/posting > Support MailScanner development - buy the book off the website! > -- > CronLab scanned this message. We don't think it was spam. If it was, > please report by copying this link into your browser: > https://swe02.antispam.cronlab.com/mail/index.php?id=10C494D7805F.A42AD-&learn=spam&host=46.22.116.99 -- This message has been scanned for viruses and dangerous content by CronLab (www.cronlab.com), and is believed to be clean. From ak6783 at gmail.com Tue Sep 6 16:43:30 2011 From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=) Date: Tue Sep 6 16:44:00 2011 Subject: MailScanner 4.84.3 can't block set deny file. In-Reply-To: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net> References: <38C51BB4-AE30-4F6D-891B-E7A4DB7FDFA5@fluxlabs.net> Message-ID: No way to solve this problem do?? Still need time to solve it?? 2011/9/6 Jeremy McSpadden > Are you sure your editing the right files? Seems nothing your doing is > working. Reloaded mailscanners process? 
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
>
> On Sep 5, 2011, at 11:08 PM, 吳汝剛 wrote:
>
> > I found a very strange thing
> > Mailscanner default will block scr file extension
> > I also checked to confirm set to deny
> > But I check the maillog that MailScanner, and is not blocking the file
> > What is MailScanner 4.84.3 problem?
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
吳汝剛
Personal web page http://pc.aspa.idv.tw
Personal blog http://ak6783.blogspot.com/
Twitter http://twitter.com/akong77
Plurk http://www.plurk.com/akong77
Facebook http://www.facebook.com/akong77
Email (1) : akong@aspa.idv.tw
Email (2) : ak6783@gmail.com
Mobile : 0960599655
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/4a40ac9c/attachment.html

From ak6783 at gmail.com Tue Sep 6 16:43:54 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Tue Sep 6 16:44:28 2011
Subject: I have Sign Clean Messages this problem
In-Reply-To:
References:
Message-ID:

No way to solve this problem do?? Still need time to solve it??

Jeremy McSpadden wrote on 6 September 2011 at 9:00 AM:

> Check your language directory.
>
> Mailscanner/reports//
>
> Inline.sig.html
>
> Inline.sig.txt
>
> --
>
> Jeremy McSpadden
>
> Flux Labs, Inc
>
> http://www.fluxlabs.net
> Endless Solutions
>
> *Office* : 850-588-4626
>
> *Cell* : 850-890-2543
> *Fax* : 850-254-2955
>
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *???
> *Sent:* Monday, September 05, 2011 7:52 PM
> *To:* MailScanner discussion
> *Subject:* Re: I have Sign Clean Messages this problem
>
> Sign Clean Messages I found no effect.
> I will not be set to yes at the end of each letter with a description of Inline
> HTML Signature
> I'm sure the files inside the folder report exists
> I MailScanner version 4.84.3
> The operating system is Fedora 13 and has been updated to the latest
> package
>
> 2011/9/5 Jeremy McSpadden
>
> I believe signing takes place in the header. Look for the Signature part of
> Mailscanner.conf.
>
> --
> Jeremy McSpadden
> Flux Labs, Inc
> http://www.fluxlabs.net
> Endless Solutions
> Office : 850-588-4626
> Cell : 850-890-2543
> Fax : 850-254-2955
>
>
>
> On Sep 5, 2011, at 9:51 AM, 吳汝剛 wrote:
>
> > Hello,
> > My OS is Fedora 13 and install MailScanner 4.84.3
> > I found Sign Clean Messages this function can't append message to mail.
> > I have set Sign Clean Messages = yes
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > I make sure all file is ok.
> > But I can't see any append message at mail when I send mail.
> > How to fix it?
> > Thanks a lot.
>
> > --
> > MailScanner mailing list
> > mailscanner@lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
>
>
> --
> 吳汝剛
> Personal web page http://pc.aspa.idv.tw
> Personal blog http://ak6783.blogspot.com/
> Twitter http://twitter.com/akong77
> Plurk http://www.plurk.com/akong77
> Facebook http://www.facebook.com/akong77
> Email (1) : akong@aspa.idv.tw
> Email (2) : ak6783@gmail.com
> Mobile : 0960599655
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
吳汝剛
Personal web page http://pc.aspa.idv.tw
Personal blog http://ak6783.blogspot.com/
Twitter http://twitter.com/akong77
Plurk http://www.plurk.com/akong77
Facebook http://www.facebook.com/akong77
Email (1) : akong@aspa.idv.tw
Email (2) : ak6783@gmail.com
Mobile : 0960599655
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/dacb631f/attachment.html

From glenn.steen at gmail.com Tue Sep 6 22:36:30 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Sep 6 22:36:41 2011
Subject: whitelist by subject
In-Reply-To: <4E65F705.7020105@elive.net>
References: <4E65F705.7020105@elive.net>
Message-ID:

Depends on your definition of easy;-) .
Try constructing an SA rule, perhaps give it a hefty negative score, then
perhaps add a SA rule hit action . ... Might give the effect you want.
Whitelist by subject... Could be problematic from a security standpoint, but
I'm sure you've considered that already.
Cheers
--
-- Glenn

On 6 Sep 2011 12:42, "Elive" wrote:
> Sorry if this has been asked before, but is there any easy way to do
> Whitelist/Blacklist by Subject in MailScanner using ByDomain setup?
>
> I don't want to do this using header checks in the MTA.
>
> Thanks
> Sean
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110906/1591286d/attachment.html

From ms-list at alexb.ch Tue Sep 6 22:57:05 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Sep 6 22:57:20 2011
Subject: whitelist by subject
In-Reply-To:
References: <4E65F705.7020105@elive.net>
Message-ID: <4E669731.6010606@alexb.ch>

On 2011-09-06 23:36, Glenn Steen wrote:
> Depends on your definition of easy;-) .
> Try constructing an SA rule, perhaps give it a hefty negative score, then
> perhaps add a SA rule hit action . ... Might give the effect you want.
> Whitelist by subject... Could be problematic from a security standpoint, but
> I'm sure you've considered that already.
> Cheers

FTR:

An often forgotten SA feature:

 header SUBJECT_IN_WHITELIST eval:check_subject_in_whitelist()
 header SUBJECT_IN_BLACKLIST eval:check_subject_in_blacklist()

 score SUBJECT_IN_WHITELIST -100
 score SUBJECT_IN_BLACKLIST 100

 whitelist_subject [Bug *]
 blacklist_subject Make Money Fast

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_WhiteListSubject.txt

From ak6783 at gmail.com Wed Sep 7 03:59:57 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Wed Sep 7 04:00:27 2011
Subject: I have two problem...
Message-ID:

Hello:
I sort out my problems now
Environment is as follows:
Fedora 13 and the system is updated to the latest package
MailScanner version 4.84.3

1. When I set the Sign Clean Messages = yes, but also to determine the Inline HTML Signature file path to determine the existence, sent a letter to no additional content Inline HTML Signature
2. I set there in filename.rules.conf deny \.scr$ line set, but when I send a letter and attached from the outside .scr files, MailScanner is not blocked, this function fails completely

Can be tested in such an environment, not the first day I use MailScanner, in previous versions of these functions on my server is using, is to upgrade to 4.84.3 it can not be used
Please ~ ~
Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110907/590107ef/attachment.html

From homyang4u at gmail.com Wed Sep 7 06:19:39 2011
From: homyang4u at gmail.com (homyang cha)
Date: Wed Sep 7 06:19:48 2011
Subject: Not Allowing Multiple HTML Signatures
In-Reply-To: <4e0b5894-6041-4b86-9620-3e0784d9368b@cronlabworkstation0>
References: <4e0b5894-6041-4b86-9620-3e0784d9368b@cronlabworkstation0>
Message-ID:

Dear Jules
I already tried the way it was mentioned in the comment in MailScanner.conf file. I also tried again after your feedback again with no success. Could there be a bug as mentioned by Mr. Markus.
This is my inline.sig.html file content: ********************************************************** MailScanner Signature MyCompany
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean. *************************************************************** MyCompany above in html is the %org-name% value. Dear Markus. How can I apply that patch you mentioned above in my MailScanner configuration. Thanks again for your valuable help and supported. On Tue, Sep 6, 2011 at 7:42 PM, Markus Nilsson wrote: > I actually beleive there is a bug preventing this from working, > I submitted a patch for this some time ago, which works fine for me! > > http://permalink.gmane.org/gmane.mail.virus.mailscanner/76454 > > /Markus > > > ----- Ursprungligt meddelande ----- > > > Fr?n: "Julian Field" > > Till: "MailScanner discussion" > > Skickat: tisdag, 6 sep 2011 14:49:44 > > ?mne: Re: Not Allowing Multiple HTML Signatures > > > Please read the comments given to you in the MailScanner.conf file. > > Immediately above the "Allow Multiple HTML Signatures" setting is > > this > > text, which explains what you need to put in "inline.sig.html" for > > this > > feature to work: > > > # If the "alt" tag appears, and contains the word "MailScanner" and > > the > > # word "Signature" and the %org-name% you specified at the top of > > this file, > > # then the message is considered to already be signed. If this option > > is > > # also set to "no", then it will not be signed again. > > > On 06/09/2011 13:04, homyang cha wrote: > > > Hello Experts > > > I have been trying to avoid multiple html signatures from being > > > attached to replied and forwarded mails with no success. Can anyone > > > who has done this before or have any idea on this help me. My > > > Configuration are as follows: > > > > > > 1. MailScanner.conf > > > Allow Multiple HTML Signatures = no > > > > > > 2. inline.sig.html > > > > > >
-- > > >
MailScanner Signature CompanyName > > >
This message has been scanned for viruses and > > >
dangerous content by > > > MailScanner, and > > > is > > >
believed to be clean. > > > > > > 3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3 > > > > > > Thank you in advance. > > > > > > -- > > > homyang (aka puran) > > > > > > > > > > > > Jules > > > > > > -- > > > Julian Field MEng CITP CEng > > > www.MailScanner.info > > > > > > Buy the MailScanner book at www.MailScanner.info/store > > > Need help customising MailScanner? Contact me! > > > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > Follow me at twitter.com/JulesFM > > > > > > 'It's okay to live without all the answers' - Charlie Eppes, 2011 > > > 'All programs have a desire to be useful' - Tron, 1982 > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > Before posting, read http://wiki.mailscanner.info/posting > > > Support MailScanner development - buy the book off the website! > > > -- > > > CronLab scanned this message. We don't think it was spam. If it was, > > please report by copying this link into your browser: > > > https://swe02.antispam.cronlab.com/mail/index.php?id=10C494D7805F.A42AD-&learn=spam&host=46.22.116.99 > > > > -- > This message has been scanned for viruses and dangerous content by CronLab > (www.cronlab.com), and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- homyang (aka puran) -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110907/eec1aeea/attachment.html

From glenn.steen at gmail.com Wed Sep 7 07:57:44 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 7 07:57:54 2011
Subject: whitelist by subject
In-Reply-To: <4E669731.6010606@alexb.ch>
References: <4E65F705.7020105@elive.net> <4E669731.6010606@alexb.ch>
Message-ID:

On 6 September 2011 23:57, Alex Broens wrote:
> On 2011-09-06 23:36, Glenn Steen wrote:
>>
>> Depends on your definition of easy;-) .
>> Try constructing an SA rule, perhaps give it a hefty negative score, then
>> perhaps add a SA rule hit action . ... Might give the effect you want.
>> Whitelist by subject... Could be problematic from a security standpoint,
>> but
>> I'm sure you've considered that already.
>> Cheers
>
> FTR:
>
> An often forgotten SA feature:
>
>
>  header SUBJECT_IN_WHITELIST eval:check_subject_in_whitelist()
>  header SUBJECT_IN_BLACKLIST eval:check_subject_in_blacklist()
>
>  score SUBJECT_IN_WHITELIST -100
>  score SUBJECT_IN_BLACKLIST 100
>
>  whitelist_subject [Bug *]
>  blacklist_subject Make Money Fast
>
> http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_WhiteListSubject.txt
>
Thanks Alex.
And if you'd like to trigger specific MailScanner behaviour, then just
use those two rule names in the MS config (if you want to go from a
point-based thing, to an absolute course of action).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From markus at markusoft.se Wed Sep 7 08:15:00 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Wed Sep 7 08:15:17 2011
Subject: Not Allowing Multiple HTML Signatures
In-Reply-To:
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Message.pm.patch Type: text/x-patch Size: 1221 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110907/036978ec/Message.pm.bin From sbanderson at impromed.com Wed Sep 7 16:54:50 2011 From: sbanderson at impromed.com (Scott B. Anderson) Date: Wed Sep 7 16:55:35 2011 Subject: spamassassin issues after upgrading from 4.83.4 to 4.84.3 Message-ID: <7D95F4DE708E0948892128F41A25073816A32ECA@ES2.impromed.com> After I upgraded MS the other day spamassassin started scoring 0 on all emails that it was checking. so I Googled and ran a manual sa-update...no luck. I did some more digging and sure enough, spamassassin --lint --debug showed it was looking at /usr/local/share/spamassassin instead of /usr/share/spamassassin, so I figured a quick symlink would take care of it for now and future releases. ( ln -s /usr/share/spamassassin /usr/local/share/spamassassin ) but spam score still has remained at 0 even though spamassassin --lint now finds all the default config files. ? I am out of ideas, and it is probably something simple that I'm overlooking. To troubleshoot I also re-installed the Clam-SA easy install package, but it didn't make a difference. OS is Fedora 12 (yes, I plan on moving to centos or Ubuntu next time I set up a MS server) and pretty much up to date. I am using sendmail as MTA. Am I looking at Perl module hell, file permission issues or something else? If you need more information, just ask and I'll send it. MS Lint and MS -v follow: Trying to setlogsock(unix) Reading configuration file /etc/MailScanner/MailScanner.conf Reading configuration file /etc/MailScanner/conf.d/README Read 867 hostnames from the phishing whitelist Read 4525 hostnames from the phishing blacklists Config: calling custom init function SQLLogging Initialising SQL Logging temp files Checking version numbers... Version number in MailScanner.conf (4.84.3) is correct. 
ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf ERROR: is not correct, it should match X-ImproMed-MailScanner-From Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Connected to Processing Attempts Database Created Processing Attempts Database successfully There are 3 messages in the Processing Attempts Database Using locktype = posix MailScanner.conf says "Virus Scanners = esets clamav" Found these virus scanners installed: clamavmodule, esets =========================================================================== Virus and Content Scanning: Starting name="./1/eicar.com", threat="Eicar test file", action="", info="" Virus Scanning: esets found 1 infections LibClamAV Warning: *********************************************************** LibClamAV Warning: *** This version of the ClamAV engine is outdated. *** LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq *** LibClamAV Warning: *********************************************************** LibClamAV Warning: *********************************************************** LibClamAV Warning: *** This version of the ClamAV engine is outdated. *** LibClamAV Warning: *** DON'T PANIC! 
Read http://www.clamav.net/support/faq *** LibClamAV Warning: *********************************************************** ./1/eicar.com: Eicar-Test-Signature FOUND Virus Scanning: ClamAV found 2 infections Infected message 1 came from 10.1.1.1 Virus Scanning: Found 3 viruses Content Checks: Need to convert HTML to plain text in 1 messages =========================================================================== Virus Scanner test reports: esets said "Found virus Eicar test file in eicar.com" ClamAV said "eicar.com contains Eicar-Test-Signature" If any of your virus scanners (clamavmodule,esets) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Config: calling custom end function SQLLogging Ending SQL Logging temp output and flushing to database Database flush completed here's MailScanner -v This is Fedora release 12 (Constantine) This is Perl version 5.010000 (5.10.0) This is MailScanner version 4.84.3 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.08 Carp 2.037 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.131 Data::Dumper 2.30 Date::Parse 1.01 DirHandle 1.06 Fcntl 2.77 File::Basename 2.11 File::Copy 2.01 FileHandle 2.08 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.68 HTML::Entities 3.68 HTML::Parser 3.57 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 2.08 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.13 MIME::Base64 5.502 MIME::Decoder 5.502 MIME::Decoder::UU 5.502 MIME::Head 5.502 MIME::Parser 3.13 MIME::QuotedPrint 5.502 MIME::Tools 0.14 Net::CIDR 1.25 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.19 Pod::Simple 1.16 POSIX 1.23 Scalar::Util 1.81 Socket 2.30 Storable 1.4 Sys::Hostname::Long 0.29 Sys::Syslog 1.45 Test::Pod 0.98 Test::Simple 1.9724 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.76 Archive::Tar 0.23 bignum 2.05 Business::ISBN 20081208 Business::ISBN::Data 1.19 Data::Dump 1.824 
DB_File 1.33 DBD::SQLite 1.616 DBI 1.16 Digest 1.03 Digest::HMAC 2.51 Digest::MD5 2.13 Digest::SHA1 1.01 Encode::Detect 0.17016 Error 0.18 ExtUtils::CBuilder 3.04 ExtUtils::ParseXS 2.38 Getopt::Long 0.48 Inline 1.08 IO::String 1.10 IO::Zlib 2.27 IP::Country 0.29 Mail::ClamAV 3.003002 Mail::SpamAssassin v2.007 Mail::SPF 1.999001 Mail::SPF::Query 0.3603 Module::Build 0.21 Net::CIDR::Lite 0.66 Net::DNS v0.003 Net::DNS::Resolver::Programmable missing Net::LDAP 4.044 NetAddr::IP 1.965001 Parse::RecDescent missing SAVI 3.17 Test::Harness 1.23 Test::Manifest 2.02 Text::Balanced 1.59 URI 0.82 version 0.73 YAML Scott Anderson sbanderson at impromed.com -- ImproMed, LLC. -- From homyang4u at gmail.com Thu Sep 8 09:44:45 2011 From: homyang4u at gmail.com (homyang cha) Date: Thu Sep 8 09:44:54 2011 Subject: Not Allowing Multiple HTML Signatures In-Reply-To: References: Message-ID: Dear Markus, thanks very much for the help. It worked like a charm. Your patch and the command. I would like to bother you and other experts with some more questions if I may. 1. Will the effect be felt if I use plain text messaging? 2. What ever I put in the "alt" tag it gets appears in the signature part. Is there a way to avoid this? Thanks once again. /Homyang On Wed, Sep 7, 2011 at 1:15 PM, Markus Nilsson wrote: > To apply the patch, run the command > > patch -p1 -i Message.pm.patch MailScanner/Message.pm > > On the file Message.pm, this file can be located in different locations > depending on your distribution > > /usr/share/MailScanner/ > /var/lib/MailScanner > > /Markus > > ------------------------------ > *Fr?n: *"homyang cha" > > *Till: *"MailScanner discussion" > *Skickat: *onsdag, 7 sep 2011 7:19:39 > > *?mne: *Re: Not Allowing Multiple HTML Signatures > > Dear Jules > I already tried the way it was mentioned in the comment in MailScanner.conf > file. I also tried again after your feedback again with no success. Could > there be a bug as mentioned by Mr. Markus. 
This is my inline.sig.html file > content: > ********************************************************** > MailScanner Signature MyCompany >
-- >
This message has been scanned for viruses and >
dangerous content by > MailScanner, and is >
believed to be clean. > *************************************************************** > MyCompany above in html is the %org-name% value. > > Dear Markus. > How can I apply that patch you mentioned above in my MailScanner > configuration. > > Thanks again for your valuable help and supported. > > > On Tue, Sep 6, 2011 at 7:42 PM, Markus Nilsson wrote: > >> I actually beleive there is a bug preventing this from working, >> I submitted a patch for this some time ago, which works fine for me! >> >> http://permalink.gmane.org/gmane.mail.virus.mailscanner/76454 >> >> /Markus >> >> >> ----- Ursprungligt meddelande ----- >> >> > Fr?n: "Julian Field" >> > Till: "MailScanner discussion" >> > Skickat: tisdag, 6 sep 2011 14:49:44 >> > ?mne: Re: Not Allowing Multiple HTML Signatures >> >> > Please read the comments given to you in the MailScanner.conf file. >> > Immediately above the "Allow Multiple HTML Signatures" setting is >> > this >> > text, which explains what you need to put in "inline.sig.html" for >> > this >> > feature to work: >> >> > # If the "alt" tag appears, and contains the word "MailScanner" and >> > the >> > # word "Signature" and the %org-name% you specified at the top of >> > this file, >> > # then the message is considered to already be signed. If this option >> > is >> > # also set to "no", then it will not be signed again. >> >> > On 06/09/2011 13:04, homyang cha wrote: >> > > Hello Experts >> > > I have been trying to avoid multiple html signatures from being >> > > attached to replied and forwarded mails with no success. Can anyone >> > > who has done this before or have any idea on this help me. My >> > > Configuration are as follows: >> > > >> > > 1. MailScanner.conf >> > > Allow Multiple HTML Signatures = no >> > > >> > > 2. inline.sig.html >> > > >> > >
-- >> > >
MailScanner Signature CompanyName >> > >
This message has been scanned for viruses and >> > >
dangerous content by >> > > MailScanner, and >> > > is >> > >
believed to be clean. >> > > >> > > 3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3 >> > > >> > > Thank you in advance. >> > > >> > > -- >> > > homyang (aka puran) >> > > >> > > >> > > >> > > Jules >> > > >> > > -- >> > > Julian Field MEng CITP CEng >> > > www.MailScanner.info >> > > >> > > Buy the MailScanner book at www.MailScanner.info/store >> > > Need help customising MailScanner? Contact me! >> > > >> > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> > > Follow me at twitter.com/JulesFM >> > > >> > > 'It's okay to live without all the answers' - Charlie Eppes, 2011 >> > > 'All programs have a desire to be useful' - Tron, 1982 >> >> > -- >> > This message has been scanned for viruses and >> > dangerous content by MailScanner, and is >> > believed to be clean. >> >> > -- >> > MailScanner mailing list >> > mailscanner@lists.mailscanner.info >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> > Before posting, read http://wiki.mailscanner.info/posting >> >> > Support MailScanner development - buy the book off the website! >> >> > -- >> >> > CronLab scanned this message. We don't think it was spam. If it was, >> > please report by copying this link into your browser: >> > >> https://swe02.antispam.cronlab.com/mail/index.php?id=10C494D7805F.A42AD-&learn=spam&host=46.22.116.99 >> >> >> >> -- >> This message has been scanned for viruses and dangerous content by CronLab >> (www.cronlab.com), and is believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > > -- > homyang (aka puran) > > > [image: MailScanner CronLabAntiSpamAppliance Signature] CronLab > scanned this message. We don't think it was spam. Was it? Report here! 
> -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- homyang (aka puran) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110908/082b9a44/attachment.html From noel.butler at ausics.net Thu Sep 8 10:00:02 2011 From: noel.butler at ausics.net (Noel Butler) Date: Thu Sep 8 10:00:15 2011 Subject: Process did not exit cleanly. In-Reply-To: References: <4D1ADA82.9070002@tartan.co.za> <1293662621.5468.10.camel@tardis> <1314960067.26522.4.camel@tardis> Message-ID: <1315472403.22378.1.camel@tardis> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110908/213bf71b/attachment.bin

From markus at markusoft.se Thu Sep 8 11:38:58 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Thu Sep 8 11:39:17 2011
Subject: Not Allowing Multiple HTML Signatures
In-Reply-To:
Message-ID: <9977692e-a163-4d8f-bea7-27407f8d3c20@cronlabworkstation0>

1) Nope, you can not prevent multiple signatures in text mails
2) Yes, it's the normal alt-tag behaviour, the text will be visible if the image can't be shown
http://www.w3schools.com/tags/att_img_alt.asp

I mainly use the function to prevent attaching several images to the mail, so I don't see the ALT-text unless the image has been removed by someone!

/Markus

----- Original message -----
From: "homyang cha"
To: "MailScanner discussion"
Sent: Thursday, 8 Sep 2011 10:44:45
Subject: Re: Not Allowing Multiple HTML Signatures

Dear Markus,
thanks very much for the help. It worked like a charm. Your patch and the command. I would like to bother you and other experts with some more questions if I may.
1. Will the effect be felt if I use plain text messaging?
2. Whatever I put in the "alt" tag, it appears in the signature part. Is there a way to avoid this?

Thanks once again.
/Homyang

On Wed, Sep 7, 2011 at 1:15 PM, Markus Nilsson < markus@markusoft.se > wrote:

To apply the patch, run the command

patch -p1 -i Message.pm.patch MailScanner/Message.pm

On the file Message.pm, this file can be located in different locations depending on your distribution

/usr/share/MailScanner/
/var/lib/MailScanner

/Markus

From: "homyang cha" < homyang4u@gmail.com >
To: "MailScanner discussion" < mailscanner@lists.mailscanner.info >
Sent: Wednesday, 7 Sep 2011 7:19:39
Subject: Re: Not Allowing Multiple HTML Signatures

Dear Jules
I already tried the way it was mentioned in the comment in MailScanner.conf file.
I also tried again after your feedback again with no success. Could there be a bug as mentioned by Mr. Markus. This is my inline.sig.html file content: ********************************************************** MailScanner Signature MyCompany
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean. *************************************************************** MyCompany above in html is the %org-name% value. Dear Markus. How can I apply that patch you mentioned above in my MailScanner configuration. Thanks again for your valuable help and supported. On Tue, Sep 6, 2011 at 7:42 PM, Markus Nilsson < markus@markusoft.se > wrote:
I actually believe there is a bug preventing this from working, I submitted a patch for this some time ago, which works fine for me! http://permalink.gmane.org/gmane.mail.virus.mailscanner/76454 /Markus

----- Original message -----
> From: "Julian Field" < MailScanner@ecs.soton.ac.uk >
> To: "MailScanner discussion" < mailscanner@lists.mailscanner.info >
> Sent: Tuesday, 6 Sep 2011 14:49:44
> Subject: Re: Not Allowing Multiple HTML Signatures
> Please read the comments given to you in the MailScanner.conf file.
> Immediately above the "Allow Multiple HTML Signatures" setting is this
> text, which explains what you need to put in "inline.sig.html" for this
> feature to work:
> # If the "alt" tag appears, and contains the word "MailScanner" and the
> # word "Signature" and the %org-name% you specified at the top of this file,
> # then the message is considered to already be signed. If this option is
> # also set to "no", then it will not be signed again.
> On 06/09/2011 13:04, homyang cha wrote:
> > Hello Experts
> > I have been trying to avoid multiple html signatures from being
> > attached to replied and forwarded mails with no success. Can anyone
> > who has done this before or have any idea on this help me. My
> > Configuration are as follows:
> >
> > 1. MailScanner.conf
> > Allow Multiple HTML Signatures = no
> >
> > 2. inline.sig.html
> >
> >
-- > >
MailScanner Signature CompanyName > >
This message has been scanned for viruses and > >
dangerous content by > > MailScanner, and > > is > >
believed to be clean. > > > > 3. I am using CentOS 5.6 , MailScanner-4.84.3 with postfix-2.3 > > > > Thank you in advance. > > > > -- > > homyang (aka puran) > > > > > > > > Jules > > > > -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > > > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > Follow me at twitter.com/JulesFM > > > > 'It's okay to live without all the answers' - Charlie Eppes, 2011 > > 'All programs have a desire to be useful' - Tron, 1982 > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > Before posting, read http://wiki.mailscanner.info/posting > Support MailScanner development - buy the book off the website! > -- > CronLab scanned this message. We don't think it was spam. If it was, > please report by copying this link into your browser: > https://swe02.antispam.cronlab.com/mail/index.php?id=10C494D7805F.A42AD-&learn=spam&host=46.22.116.99 -- This message has been scanned for viruses and dangerous content by CronLab ( www.cronlab.com ), and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- homyang (aka puran) MailScanner CronLabAntiSpamAppliance Signature CronLab scanned this message. We don't think it was spam. Was it? Report here! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
-- homyang (aka puran) -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by CronLab (www.cronlab.com), and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110908/87ae05fd/attachment.html From paul at blacknight.com Sun Sep 11 21:59:02 2011 
From: paul at blacknight.com (Paul Kelly :: Blacknight)
Date: Sun Sep 11 21:59:11 2011
Subject: Spam Attacks
Message-ID: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>

Hi Guys,

Has anyone noticed a huge increase in smtp slamming recently?

We have a busy mail cluster that has about 80k users. In the last 10 days or so we've seen a huge increase in IPs slamming the mail servers. The really odd thing is that it happens a few times a day and it's really intensive. Mostly the traffic hops off of RBL lookups. As an experiment today I moved 8 domains MX records to a stand alone Postfix box with just zen.spamhaus.org configured on it.

The results are _insane_, a snippet from just today.

Per-Hour Traffic Summary
------------------------
    time        received  delivered   deferred    bounced   rejected
    --------------------------------------------------------------------

    1000-1100         12          0          0         19       1776
    1100-1200         26          1          0        112       2851
    1200-1300         25          5          0         54       3256
    1300-1400         66          1          0        200      13509
    1400-1500        241          0          0        501      61974
    1500-1600        229          3          0        520      55902
    1600-1700         38          1          0         74       3750
    1700-1800        197          2          0        441      47213
    1800-1900        302          3          0        638      77602
    1900-2000        134          6          0        248      38728
    2000-2100         23          1          0         63       4482
    2100-2200        169          4          0        216       2786

Is anyone else seeing this?

Cheers,

Paul

Paul Kelly
Technical Director
Microsoft Certified Partner
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353(0)599183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.com
web: http://www.blacknight.com

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

From rabellino at di.unito.it Sun Sep 11 22:40:54 2011
From: rabellino at di.unito.it (Sergio Rabellino)
Date: Sun Sep 11 22:41:24 2011
Subject: Spam Attacks
In-Reply-To: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>
Message-ID: <4E6D2AE6.2050302@di.unito.it>

I've no analytics to share with you, but I can confirm that I'm viewing an increase in spamming operations in the last 3 weeks. Most of these spams are translated into the language of the receiver, so (I think) more difficult to be tagged.

On 11/09/2011 22:59, Paul Kelly :: Blacknight wrote:
> Hi Guys,
>
> Has anyone noticed a huge increase in smtp slamming recently?
>
> We have a busy mail cluster that has about 80k users. In the last 10 days or so we've seen a huge increase in IPs slamming the mail servers. The really odd thing is that it happens a few times a day and it's really intensive. Mostly the traffic hops off of RBL lookups. As an experiment today I moved 8 domains MX records to a stand alone Postfix box with just zen.spamhaus.org configured on it.
>
> The results are _insane_, a snippet from just today.
>
> Per-Hour Traffic Summary
> ------------------------
>     time        received  delivered   deferred    bounced   rejected
>     --------------------------------------------------------------------
>
>     1000-1100         12          0          0         19       1776
>     1100-1200         26          1          0        112       2851
>     1200-1300         25          5          0         54       3256
>     1300-1400         66          1          0        200      13509
>     1400-1500        241          0          0        501      61974
>     1500-1600        229          3          0        520      55902
>     1600-1700         38          1          0         74       3750
>     1700-1800        197          2          0        441      47213
>     1800-1900        302          3          0        638      77602
>     1900-2000        134          6          0        248      38728
>     2000-2100         23          1          0         63       4482
>     2100-2200        169          4          0        216       2786
>
> Is anyone else seeing this?
> > Cheers, > > Paul > > Paul Kelly > Technical Director > Microsoft Certified Partner > Blacknight Internet Solutions ltd > Hosting, Colocation, Dedicated servers > IP Transit Services > Tel: +353(0)599183072 > Lo-call: 1850 929 929 > DDI: +353 (0) 59 9183091 > > e-mail: paul@blacknight.com > web: http://www.blacknight.com > > Blacknight Internet Solutions Ltd, > Unit 12A,Barrowside Business Park, > Sleaty Road, > Graiguecullen, > Carlow, > Ireland > > Company No.: 370845 > -- ing. Sergio Rabellino Universit? degli Studi di Torino Dipartimento di Informatica ICT Services Director Tel +39-0116706701 Fax +39-011751603 C.so Svizzera , 185 - 10149 - Torino -------------- next part -------------- Skipped content of type multipart/related From peter at farrows.org Sun Sep 11 22:50:59 2011 
From: peter at farrows.org (Peter Farrow) Date: Sun Sep 11 22:51:12 2011 Subject: Spam Attacks In-Reply-To: <4E6D2AE6.2050302@di.unito.it> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6D2AE6.2050302@di.unito.it> Message-ID: <4E6D2D43.2070803@farrows.org> My clutch of systems run about 20k messages per day so not very many, with regard to slamming each machine in the array (and there are four) sees about 300 emails rejected due to slamming per day, and its been more or less constant for at least the last month. Pete On 11/09/2011 22:40, Sergio Rabellino wrote: > I've no analitics to share with you, but the i can confirm that i'm > viewing an increase in spamming operations in the last 3 weeks. Mostly > of these spams are translated into the language of the receiver, so (i > think) more difficult to be tagged. > > Il 11/09/2011 22:59, Paul Kelly :: Blacknight ha scritto: >> Hi Guys, >> >> Has anyone noticed a huge increase in smtp slamming recently? >> >> We have a busy mail cluster that has about 80k users. In the last 10 days or so we've seen a huge increase in IPs slamming the mail servers. The really odd thing is that it happens a few times a day and it's really intensive. Mostly the traffic hops off of RBL lookups. As an experiment today I moved 8 domains MX records to a stand alone Postfix box with just zen.spamhaus.org configured on it. >> >> The results are _insane_, a snippet from just today. 
>> >> Per-Hour Traffic Summary >> ------------------------ >> time received delivered deferred bounced rejected >> -------------------------------------------------------------------- >> >> 1000-1100 12 0 0 19 1776 >> 1100-1200 26 1 0 112 2851 >> 1200-1300 25 5 0 54 3256 >> 1300-1400 66 1 0 200 13509 >> 1400-1500 241 0 0 501 61974 >> 1500-1600 229 3 0 520 55902 >> 1600-1700 38 1 0 74 3750 >> 1700-1800 197 2 0 441 47213 >> 1800-1900 302 3 0 638 77602 >> 1900-2000 134 6 0 248 38728 >> 2000-2100 23 1 0 63 4482 >> 2100-2200 169 4 0 216 2786 >> >> Is anyone else seeing this? >> >> Cheers, >> >> Paul >> >> Paul Kelly >> Technical Director >> Microsoft Certified Partner >> Blacknight Internet Solutions ltd >> Hosting, Colocation, Dedicated servers >> IP Transit Services >> Tel: +353(0)599183072 >> Lo-call: 1850 929 929 >> DDI: +353 (0) 59 9183091 >> >> e-mail:paul@blacknight.com >> web:http://www.blacknight.com >> >> Blacknight Internet Solutions Ltd, >> Unit 12A,Barrowside Business Park, >> Sleaty Road, >> Graiguecullen, >> Carlow, >> Ireland >> >> Company No.: 370845 >> > > -- > ing. Sergio Rabellino > > Universit? degli Studi di Torino > Dipartimento di Informatica > ICT Services Director > Tel +39-0116706701 Fax +39-011751603 > C.so Svizzera , 185 - 10149 - Torino > > > > > -- > This message has been scanned for viruses and > dangerous content by the *Togethia MailScanner* > , and is > believed to be clean. > Scanner:local > > -- horizontal ruler Peter Farrow avatar ______________________ Home: 01249 654183 Fax: 01249 461 548 Mobile: 07799605617 Skype: peter_farrow Web: www.peterfarrow.com -------------- next part -------------- Skipped content of type multipart/related From brent.addis at nsp.co.nz Sun Sep 11 23:20:51 2011 
From: brent.addis at nsp.co.nz (Brent Addis)
Date: Sun Sep 11 23:21:08 2011
Subject: ScamNailer
Message-ID: <71EE5816EB7C4D4C9DEA1003EB79470F29228798@nspexch01.nsp.local>

Hey

Is there a problem with the scamnailer.ndb generator? The file downloaded from the website is 0 bytes, which went and broke clam's daemon on several fairly important mail processors.

I have disabled the download and removed the file for the moment. Not too sure if this has broken anyone else, however since we are pretty well first into the new week because of our timezone, it may also be breaking others that use it in this way.

Brent Addis
Systems Integration Specialist
Network Service Providers Ltd.
Unit 1, 13 Farnham St, Parnell, Auckland 1052
PO Box 90208, Victoria West, Auckland
Email: brent.addis@nsp.co.nz | Customer Service: cs@nsp.co.nz | Web: http://www.nsp.co.nz
Tel: +64-9-306-0230 | Support: +64-9-306-0234 | Fax: +64-9-306-0239

This email message and any accompanying attachments may contain legally privileged and confidential information intended for the addressee only. If you are not the addressee your use of this information is strictly prohibited.

NSP - 2011 Managed Services Rookie of the Year Award - Australasia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110911/bdb32157/attachment.html
From twiztar at gmail.com Mon Sep 12 08:02:30 2011
From: twiztar at gmail.com (Erik Weber)
Date: Mon Sep 12 08:02:40 2011
Subject: Spam Attacks
In-Reply-To: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>
Message-ID:

On Sun, Sep 11, 2011 at 10:59 PM, Paul Kelly :: Blacknight wrote:
> Hi Guys,
>
> Has anyone noticed a huge increase in smtp slamming recently?
>
> We have a busy mail cluster that has about 80k users. In the last 10 days or so we've seen a huge increase in IPs slamming the mail servers. The really odd thing is that it happens a few times a day and it's really intensive. Mostly the traffic hops off of RBL lookups. As an experiment today I moved 8 domains MX records to a stand alone Postfix box with just zen.spamhaus.org configured on it.
>
> The results are _insane_, a snippet from just today.
>
> Per-Hour Traffic Summary
> ------------------------
>     time        received  delivered   deferred    bounced   rejected
>     --------------------------------------------------------------------
>
>     1000-1100         12          0          0         19       1776
>     1100-1200         26          1          0        112       2851
>     1200-1300         25          5          0         54       3256
>     1300-1400         66          1          0        200      13509
>     1400-1500        241          0          0        501      61974
>     1500-1600        229          3          0        520      55902
>     1600-1700         38          1          0         74       3750
>     1700-1800        197          2          0        441      47213
>     1800-1900        302          3          0        638      77602
>     1900-2000        134          6          0        248      38728
>     2000-2100         23          1          0         63       4482
>     2100-2200        169          4          0        216       2786
>
> Is anyone else seeing this?
>

We see the same, namely Wednesday, Thursday and Saturday last week we had some massive attacks quadrupling our incoming smtp traffic (up from ~1200msgs/min to roughly ~4000msgs/min).

Typically it only lasts for 30-90 minutes but it really messes up our queues during that period.

From what I can see they come from random IP addresses, have a from address that clearly looks fraudulent and the same host connects less than 5 times.

--
Erik

From J.Ede at birchenallhowden.co.uk Mon Sep 12 09:03:12 2011
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Mon Sep 12 09:12:59 2011
Subject: Spam Attacks
In-Reply-To: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com>
Message-ID:

We're seeing similar, although not at those levels, at around 1pm and 6pm each day.

Jason

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight > Sent: 11 September 2011 21:59 > To: MailScanner discussion > Subject: Spam Attacks > > Hi Guys, > > Has anyone noticed a huge increase in smtp slamming recently? > > We have a busy mail cluster that has about 80k users. In the last 10 days or so > we've seen a huge increase in IPs slamming the mail servers. The really odd > thing is that it happens a few times a day and it's really intensive. Mostly the > traffic hops off of RBL lookups. As an experiment today I moved 8 domains > MX records to a stand alone Postfix box with just zen.spamhaus.org > configured on it. > > The results are _insane_, a snippet from just today. > > Per-Hour Traffic Summary > ------------------------ > time received delivered deferred bounced rejected > -------------------------------------------------------------------- > > 1000-1100 12 0 0 19 1776 > 1100-1200 26 1 0 112 2851 > 1200-1300 25 5 0 54 3256 > 1300-1400 66 1 0 200 13509 > 1400-1500 241 0 0 501 61974 > 1500-1600 229 3 0 520 55902 > 1600-1700 38 1 0 74 3750 > 1700-1800 197 2 0 441 47213 > 1800-1900 302 3 0 638 77602 > 1900-2000 134 6 0 248 38728 > 2000-2100 23 1 0 63 4482 > 2100-2200 169 4 0 216 2786 > > Is anyone else seeing this? 
>
> Cheers,
>
> Paul
>
> Paul Kelly
> Technical Director
> Microsoft Certified Partner
> Blacknight Internet Solutions ltd
> Hosting, Colocation, Dedicated servers
> IP Transit Services
> Tel: +353(0)599183072
> Lo-call: 1850 929 929
> DDI: +353 (0) 59 9183091
>
> e-mail: paul@blacknight.com
> web: http://www.blacknight.com
>
> Blacknight Internet Solutions Ltd,
> Unit 12A,Barrowside Business Park,
> Sleaty Road,
> Graiguecullen,
> Carlow,
> Ireland
>
> Company No.: 370845
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From steveb_clamav at sanesecurity.com Mon Sep 12 09:17:57 2011
From: steveb_clamav at sanesecurity.com (Steve Basford)
Date: Mon Sep 12 09:18:11 2011
Subject: ScamNailer
In-Reply-To: <71EE5816EB7C4D4C9DEA1003EB79470F29228798@nspexch01.nsp.local>
References: <71EE5816EB7C4D4C9DEA1003EB79470F29228798@nspexch01.nsp.local>
Message-ID: <9a428ab76cef9cf28aaa13a189d8da34.squirrel@saturn.dataflame.net>

> Hey
>
> Is there a problem with the scamnailer.ndb generator? The file downloaded
> from the website is 0 bytes, which went and broke clam's daemon on
> several fairly important mail processors.
>
> I have disabled the download and removed the file for the moment. Not too
> sure if this has broken anyone else, however since we are pretty well first
> into the new week because of our timezone, it may also be breaking others
> that use it in this way.
>

Hi Brent,

Can confirm there is an issue...

Normal size:
11/09/2011 09:46 8,326,394 scamnailer.ndb

Current size:
12/09/2011 00:56 638,976 scamnailer.ndb

The version currently distributed via the Sanesecurity mirrors is ok, as it's checked before uploading.

Cheers,

Steve
Sanesecurity

From rabellino at di.unito.it Mon Sep 12 17:43:50 2011
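[Added example, not part of the original thread and not ScamNailer's or Sanesecurity's own tooling: a download gate for the failure reported in the ScamNailer messages above, where a 0-byte or much smaller scamnailer.ndb replaced a good copy. The function names, exit codes and the 50% shrink threshold are assumptions chosen for illustration.]

```shell
#!/bin/sh
# Added example: gate a downloaded ClamAV signature file (e.g. scamnailer.ndb)
# before it replaces the copy the scanner loads.
# Assumptions: function names, exit codes and the 50% threshold are illustrative.

# size_verdict NEW_BYTES LIVE_BYTES [MIN_PERCENT]
#   0 = acceptable
#   1 = candidate is empty (the 0-byte case from the thread)
#   2 = candidate shrank below MIN_PERCENT of the live copy (truncated download)
size_verdict() {
    sv_new=$1
    sv_live=$2
    sv_pct=${3:-50}
    [ "$sv_new" -gt 0 ] || return 1
    # First install: there is no live copy to compare against.
    [ "$sv_live" -gt 0 ] || return 0
    if [ $((sv_new * 100)) -lt $((sv_live * sv_pct)) ]; then
        return 2
    fi
    return 0
}

# file_size FILE -> size in bytes on stdout, 0 when the file does not exist
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# install_if_sane CANDIDATE LIVE [MIN_PERCENT]
# Moves CANDIDATE over LIVE only when size_verdict accepts it; otherwise the
# candidate is deleted and the live file is left untouched. Download CANDIDATE
# into the same directory as LIVE so that mv is an atomic rename.
install_if_sane() {
    is_new=$1
    is_live=$2
    is_rc=0
    size_verdict "$(file_size "$is_new")" "$(file_size "$is_live")" "${3:-50}" || is_rc=$?
    if [ "$is_rc" -ne 0 ]; then
        rm -f "$is_new"
        return "$is_rc"
    fi
    mv -f "$is_new" "$is_live"
}
```

[The size checks only catch empty and truncated downloads; a test load of the candidate by the scanner before the move is a natural further gate.]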
From: rabellino at di.unito.it (Sergio Rabellino) Date: Mon Sep 12 17:44:13 2011 Subject: Spam Attacks In-Reply-To: References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> Message-ID: <4E6E36C6.9010903@di.unito.it> I've got some numbers about my main mailserver : from 3.00 am to 18.00 pm TODAY (italian hours, GMT+2) we refused 30798 incoming messages from dnsbl listed hosts, 2410 greylist entry timed out (spammers trying to send mail once) and delivered 7658 (possibly) legal messages to our (150) recipients. Bye. Il 12/09/2011 10:03, Jason Ede ha scritto: > We're seeing similar, although not at those levels, at around 1pm and 6pm each day. > > Jason > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight >> Sent: 11 September 2011 21:59 >> To: MailScanner discussion >> Subject: Spam Attacks >> >> Hi Guys, >> >> Has anyone noticed a huge increase in smtp slamming recently? >> >> We have a busy mail cluster that has about 80k users. In the last 10 days or so >> we've seen a huge increase in IPs slamming the mail servers. The really odd >> thing is that it happens a few times a day and it's really intensive. Mostly the >> traffic hops off of RBL lookups. As an experiment today I moved 8 domains >> MX records to a stand alone Postfix box with just zen.spamhaus.org >> configured on it. >> >> The results are _insane_, a snippet from just today. >> >> Per-Hour Traffic Summary >> ------------------------ >> time received delivered deferred bounced rejected >> -------------------------------------------------------------------- >> >> 1000-1100 12 0 0 19 1776 >> 1100-1200 26 1 0 112 2851 >> 1200-1300 25 5 0 54 3256 >> 1300-1400 66 1 0 200 13509 >> 1400-1500 241 0 0 501 61974 >> 1500-1600 229 3 0 520 55902 >> 1600-1700 38 1 0 74 3750 >> 1700-1800 197 2 0 441 47213 >> 1800-1900 302 3 0 638 77602 >> 1900-2000 134 6 0 248 38728 >> 2000-2100 23 1 0 63 4482 >> 2100-2200 169 4 0 216 2786 >> >> Is anyone else seeing this? 
>> >> Cheers, >> >> Paul >> >> Paul Kelly >> Technical Director >> Microsoft Certified Partner >> Blacknight Internet Solutions ltd >> Hosting, Colocation, Dedicated servers >> IP Transit Services >> Tel: +353(0)599183072 >> Lo-call: 1850 929 929 >> DDI: +353 (0) 59 9183091 >> >> e-mail: paul@blacknight.com >> web: http://www.blacknight.com >> >> Blacknight Internet Solutions Ltd, >> Unit 12A,Barrowside Business Park, >> Sleaty Road, >> Graiguecullen, >> Carlow, >> Ireland >> >> Company No.: 370845 >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! -- Ing. Sergio Rabellino Universit? degli Studi di Torino Dipartimento di Informatica ICT Services Director Tel +39-0116706701 Fax +39-011751603 C.so Svizzera , 185 - 10149 - Torino -------------- next part -------------- Skipped content of type multipart/related From paul at blacknight.com Mon Sep 12 23:29:57 2011 
From: paul at blacknight.com (Paul Kelly :: Blacknight) Date: Mon Sep 12 23:30:07 2011 Subject: Spam Attacks In-Reply-To: <4E6E36C6.9010903@di.unito.it> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> Message-ID: <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> Hi All, Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. http://dominion.blacknight.ie/~paul/postfix.txt It's a bit crazy. Paul Paul Kelly Technical Director Microsoft Certified Partner Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Tel: +353(0)599183072 Lo-call: 1850 929 929 DDI: +353 (0) 59 9183091 e-mail: paul@blacknight.com web: http://www.blacknight.com Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845 On 12 Sep 2011, at 17:43, Sergio Rabellino wrote: > I've got some numbers about my main mailserver : > from 3.00 am to 18.00 pm TODAY (italian hours, GMT+2) we refused 30798 incoming messages from dnsbl listed hosts, 2410 greylist entry timed out (spammers trying to send mail once) and delivered 7658 (possibly) legal messages to our (150) recipients. > > Bye. > > Il 12/09/2011 10:03, Jason Ede ha scritto: >> We're seeing similar, although not at those levels, at around 1pm and 6pm each day. >> >> Jason >> >> >>> -----Original Message----- 
>>> From: >>> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner >>> - >>> >>> bounces@lists.mailscanner.info >>> ] On Behalf Of Paul Kelly :: Blacknight >>> Sent: 11 September 2011 21:59 >>> To: MailScanner discussion >>> Subject: Spam Attacks >>> >>> Hi Guys, >>> >>> Has anyone noticed a huge increase in smtp slamming recently? >>> >>> We have a busy mail cluster that has about 80k users. In the last 10 days or so >>> we've seen a huge increase in IPs slamming the mail servers. The really odd >>> thing is that it happens a few times a day and it's really intensive. Mostly the >>> traffic hops off of RBL lookups. As an experiment today I moved 8 domains >>> MX records to a stand alone Postfix box with just zen.spamhaus.org >>> configured on it. >>> >>> The results are _insane_, a snippet from just today. >>> >>> Per-Hour Traffic Summary >>> ------------------------ >>> time received delivered deferred bounced rejected >>> -------------------------------------------------------------------- >>> >>> 1000-1100 12 0 0 19 1776 >>> 1100-1200 26 1 0 112 2851 >>> 1200-1300 25 5 0 54 3256 >>> 1300-1400 66 1 0 200 13509 >>> 1400-1500 241 0 0 501 61974 >>> 1500-1600 229 3 0 520 55902 >>> 1600-1700 38 1 0 74 3750 >>> 1700-1800 197 2 0 441 47213 >>> 1800-1900 302 3 0 638 77602 >>> 1900-2000 134 6 0 248 38728 >>> 2000-2100 23 1 0 63 4482 >>> 2100-2200 169 4 0 216 2786 >>> >>> Is anyone else seeing this? 
>>> >>> Cheers, >>> >>> Paul >>> >>> Paul Kelly >>> Technical Director >>> Microsoft Certified Partner >>> Blacknight Internet Solutions ltd >>> Hosting, Colocation, Dedicated servers >>> IP Transit Services >>> Tel: +353(0)599183072 >>> Lo-call: 1850 929 929 >>> DDI: +353 (0) 59 9183091 >>> >>> e-mail: >>> paul@blacknight.com >>> >>> web: >>> http://www.blacknight.com >>> >>> >>> Blacknight Internet Solutions Ltd, >>> Unit 12A,Barrowside Business Park, >>> Sleaty Road, >>> Graiguecullen, >>> Carlow, >>> Ireland >>> >>> Company No.: 370845 >>> >>> -- >>> MailScanner mailing list >>> >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> >>> Before posting, read >>> http://wiki.mailscanner.info/posting >>> >>> >>> Support MailScanner development - buy the book off the website! >>> > > -- > Ing. Sergio Rabellino > > Universit? degli Studi di Torino > Dipartimento di Informatica > ICT Services Director > Tel +39-0116706701 Fax +39-011751603 > C.so Svizzera , 185 - 10149 - Torino > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From dave at KD0YU.COM Mon Sep 12 23:39:32 2011 From: dave at KD0YU.COM (Dave Helton) Date: Mon Sep 12 23:39:52 2011 Subject: Spam Attacks References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com><4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> Message-ID: <4398918D4E9DB84BB07FF9EFC4B64B1177C0@dc1.KD0YU.COM> Impressive... and sad... at the same time. Dave Helton 1810 E 32nd Street Davenport, IA 52807 (563) 940-6630 dave@davehelton.com -- two wrongs don't make a right, but 5 or 6 make a convincing RBL. > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight > Sent: Monday, September 12, 2011 5:30 PM > To: MailScanner discussion > Subject: Re: Spam Attacks > > Hi All, > > Thanks for your replies. As of today I've pointed 10 domains to a new > gateway and here are some stats. > > http://dominion.blacknight.ie/~paul/postfix.txt > > It's a bit crazy. > > Paul > > > Paul Kelly > Technical Director > Microsoft Certified Partner > Blacknight Internet Solutions ltd > Hosting, Colocation, Dedicated servers > IP Transit Services > Tel: +353(0)599183072 > Lo-call: 1850 929 929 > DDI: +353 (0) 59 9183091 > > e-mail: paul@blacknight.com > web: http://www.blacknight.com > > Blacknight Internet Solutions Ltd, > Unit 12A,Barrowside Business Park, > Sleaty Road, > Graiguecullen, > Carlow, > Ireland > > Company No.: 370845 > > On 12 Sep 2011, at 17:43, Sergio Rabellino wrote: > > > I've got some numbers about my main mailserver : > > from 3.00 am to 18.00 pm TODAY (italian hours, GMT+2) we refused 30798 > incoming messages from dnsbl listed hosts, 2410 greylist entry timed out > (spammers trying to send mail once) and delivered 7658 (possibly) legal > messages to our (150) recipients. > > > > Bye. > > > > Il 12/09/2011 10:03, Jason Ede ha scritto: > >> We're seeing similar, although not at those levels, at around 1pm and 6pm > each day. > >> > >> Jason > >> > >> > >>> -----Original Message----- 
> >>> From: > >>> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner > >>> - > >>> > >>> bounces@lists.mailscanner.info > >>> ] On Behalf Of Paul Kelly :: Blacknight > >>> Sent: 11 September 2011 21:59 > >>> To: MailScanner discussion > >>> Subject: Spam Attacks > >>> > >>> Hi Guys, > >>> > >>> Has anyone noticed a huge increase in smtp slamming recently? > >>> > >>> We have a busy mail cluster that has about 80k users. In the last 10 > >>> days or so we've seen a huge increase in IPs slamming the mail > >>> servers. The really odd thing is that it happens a few times a day > >>> and it's really intensive. Mostly the traffic hops off of RBL > >>> lookups. As an experiment today I moved 8 domains MX records to a > >>> stand alone Postfix box with just zen.spamhaus.org configured on it. > >>> > >>> The results are _insane_, a snippet from just today. > >>> > >>> Per-Hour Traffic Summary > >>> ------------------------ > >>> time received delivered deferred bounced rejected > >>> > >>> -------------------------------------------------------------------- > >>> > >>> 1000-1100 12 0 0 19 1776 > >>> 1100-1200 26 1 0 112 2851 > >>> 1200-1300 25 5 0 54 3256 > >>> 1300-1400 66 1 0 200 13509 > >>> 1400-1500 241 0 0 501 61974 > >>> 1500-1600 229 3 0 520 55902 > >>> 1600-1700 38 1 0 74 3750 > >>> 1700-1800 197 2 0 441 47213 > >>> 1800-1900 302 3 0 638 77602 > >>> 1900-2000 134 6 0 248 38728 > >>> 2000-2100 23 1 0 63 4482 > >>> 2100-2200 169 4 0 216 2786 > >>> > >>> Is anyone else seeing this? 
> >>> > >>> Cheers, > >>> > >>> Paul > >>> > >>> Paul Kelly > >>> Technical Director > >>> Microsoft Certified Partner > >>> Blacknight Internet Solutions ltd > >>> Hosting, Colocation, Dedicated servers IP Transit Services > >>> Tel: +353(0)599183072 > >>> Lo-call: 1850 929 929 > >>> DDI: +353 (0) 59 9183091 > >>> > >>> e-mail: > >>> paul@blacknight.com > >>> > >>> web: > >>> http://www.blacknight.com > >>> > >>> > >>> Blacknight Internet Solutions Ltd, > >>> Unit 12A,Barrowside Business Park, > >>> Sleaty Road, > >>> Graiguecullen, > >>> Carlow, > >>> Ireland > >>> > >>> Company No.: 370845 > >>> > >>> -- > >>> MailScanner mailing list > >>> > >>> mailscanner@lists.mailscanner.info > >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>> > >>> > >>> Before posting, read > >>> http://wiki.mailscanner.info/posting > >>> > >>> > >>> Support MailScanner development - buy the book off the website! > >>> > > > > -- > > Ing. Sergio Rabellino > > > > Universit? degli Studi di Torino > > Dipartimento di Informatica > > ICT Services Director > > Tel +39-0116706701 Fax +39-011751603 > > C.so Svizzera , 185 - 10149 - Torino > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and dangerous content by > MailScanner at KD0YU.COM, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean. 
From glenn.steen at gmail.com Tue Sep 13 08:45:44 2011 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 13 08:45:56 2011 Subject: Spam Attacks In-Reply-To: <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> Message-ID: A good thing those rejections are pretty cheap... Imagine having to actually receive all that cr*p and inspecting it with MS.... Cheers! -- -- Glenn On 13 Sep 2011 00:36, "Paul Kelly :: Blacknight" wrote: > Hi All, > > Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. > > http://dominion.blacknight.ie/~paul/postfix.txt > > It's a bit crazy. > > Paul > > > Paul Kelly > Technical Director > Microsoft Certified Partner > Blacknight Internet Solutions ltd > Hosting, Colocation, Dedicated servers > IP Transit Services > Tel: +353(0)599183072 > Lo-call: 1850 929 929 > DDI: +353 (0) 59 9183091 > > e-mail: paul@blacknight.com > web: http://www.blacknight.com > > Blacknight Internet Solutions Ltd, > Unit 12A,Barrowside Business Park, > Sleaty Road, > Graiguecullen, > Carlow, > Ireland > > Company No.: 370845 > > On 12 Sep 2011, at 17:43, Sergio Rabellino wrote: > >> I've got some numbers about my main mailserver : >> from 3.00 am to 18.00 pm TODAY (Italian hours, GMT+2) we refused 30798 incoming messages from dnsbl listed hosts, 2410 greylist entry timed out (spammers trying to send mail once) and delivered 7658 (possibly) legal messages to our (150) recipients. >> >> Bye. >> >> On 12/09/2011 10:03, Jason Ede wrote: >>> We're seeing similar, although not at those levels, at around 1pm and 6pm each day. >>> >>> Jason >>> >>> >>>> -----Original Message----- 
>>>> From: >>>> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner >>>> - >>>> >>>> bounces@lists.mailscanner.info >>>> ] On Behalf Of Paul Kelly :: Blacknight >>>> Sent: 11 September 2011 21:59 >>>> To: MailScanner discussion >>>> Subject: Spam Attacks >>>> >>>> Hi Guys, >>>> >>>> Has anyone noticed a huge increase in smtp slamming recently? >>>> >>>> We have a busy mail cluster that has about 80k users. In the last 10 days or so >>>> we've seen a huge increase in IPs slamming the mail servers. The really odd >>>> thing is that it happens a few times a day and it's really intensive. Mostly the >>>> traffic hops off of RBL lookups. As an experiment today I moved 8 domains >>>> MX records to a stand alone Postfix box with just zen.spamhaus.org >>>> configured on it. >>>> >>>> The results are _insane_, a snippet from just today. >>>> >>>> Per-Hour Traffic Summary >>>> ------------------------ >>>> time received delivered deferred bounced rejected >>>> -------------------------------------------------------------------- >>>> >>>> 1000-1100 12 0 0 19 1776 >>>> 1100-1200 26 1 0 112 2851 >>>> 1200-1300 25 5 0 54 3256 >>>> 1300-1400 66 1 0 200 13509 >>>> 1400-1500 241 0 0 501 61974 >>>> 1500-1600 229 3 0 520 55902 >>>> 1600-1700 38 1 0 74 3750 >>>> 1700-1800 197 2 0 441 47213 >>>> 1800-1900 302 3 0 638 77602 >>>> 1900-2000 134 6 0 248 38728 >>>> 2000-2100 23 1 0 63 4482 >>>> 2100-2200 169 4 0 216 2786 >>>> >>>> Is anyone else seeing this? 
>>>> >>>> Cheers, >>>> >>>> Paul >>>> >>>> Paul Kelly >>>> Technical Director >>>> Microsoft Certified Partner >>>> Blacknight Internet Solutions ltd >>>> Hosting, Colocation, Dedicated servers >>>> IP Transit Services >>>> Tel: +353(0)599183072 >>>> Lo-call: 1850 929 929 >>>> DDI: +353 (0) 59 9183091 >>>> >>>> e-mail: >>>> paul@blacknight.com >>>> >>>> web: >>>> http://www.blacknight.com >>>> >>>> >>>> Blacknight Internet Solutions Ltd, >>>> Unit 12A,Barrowside Business Park, >>>> Sleaty Road, >>>> Graiguecullen, >>>> Carlow, >>>> Ireland >>>> >>>> Company No.: 370845 >>>> >>>> -- >>>> MailScanner mailing list >>>> >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> >>>> Before posting, read >>>> http://wiki.mailscanner.info/posting >>>> >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >> >> -- >> Ing. Sergio Rabellino >> >> Università degli Studi di Torino >> Dipartimento di Informatica >> ICT Services Director >> Tel +39-0116706701 Fax +39-011751603 >> C.so Svizzera , 185 - 10149 - Torino >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110913/ff2be2db/attachment.html From paul at blacknight.com Tue Sep 13 10:11:47 2011 
From: paul at blacknight.com (Paul Kelly :: Blacknight) Date: Tue Sep 13 10:11:57 2011 Subject: Spam Attacks In-Reply-To: References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> Message-ID: <08EEEAD796731546A6662E346C71CA3824BF355E@bkexchmbx01.blacknight.local> Glenn, It's a good thing. Unfortunately for us with Clustered Qmail using NFS they are not cheap at all. Hence the move to a gateway device. Even putting Spamdyke in front of Qmail in the xinetd wasn't good enough because each SMTP connection spawns a qmail-smtpd process which reads the control folder / configs. Getting 2-3 million of these a day was using excessive Read IOPs on the NFS server. I have to wonder what our NFS graphs will look like in a couple of days once we've moved everything over :) Paul 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 13 September 2011 08:46 To: MailScanner discussion Subject: Re: Spam Attacks A good thing those rejections are pretty cheap... Imagine having to actually receive all that cr*p and inspecting it with MS.... Cheers! -- -- Glenn On 13 Sep 2011 00:36, "Paul Kelly :: Blacknight" wrote: > Hi All, > > Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. > > http://dominion.blacknight.ie/~paul/postfix.txt > > It's a bit crazy. > > Paul > > > Paul Kelly > Technical Director > Microsoft Certified Partner > Blacknight Internet Solutions ltd > Hosting, Colocation, Dedicated servers > IP Transit Services > Tel: +353(0)599183072 > Lo-call: 1850 929 929 > DDI: +353 (0) 59 9183091 > > e-mail: paul@blacknight.com > web: http://www.blacknight.com > > Blacknight Internet Solutions Ltd, > Unit 12A,Barrowside Business Park, > Sleaty Road, > Graiguecullen, > Carlow, > Ireland > > Company No.: 370845 > > On 12 Sep 2011, at 17:43, Sergio Rabellino wrote: > >> I've got some numbers about my main mailserver : >> from 3.00 am to 18.00 pm TODAY (Italian hours, GMT+2) we refused 30798 incoming messages from dnsbl listed hosts, 2410 greylist entry timed out (spammers trying to send mail once) and delivered 7658 (possibly) legal messages to our (150) recipients. >> >> Bye. >> >> On 12/09/2011 10:03, Jason Ede wrote: >>> We're seeing similar, although not at those levels, at around 1pm and 6pm each day. >>> >>> Jason >>> >>> >>>> -----Original Message----- 
>>>> From: >>>> mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner >>>> - >>>> >>>> bounces@lists.mailscanner.info >>>> ] On Behalf Of Paul Kelly :: Blacknight >>>> Sent: 11 September 2011 21:59 >>>> To: MailScanner discussion >>>> Subject: Spam Attacks >>>> >>>> Hi Guys, >>>> >>>> Has anyone noticed a huge increase in smtp slamming recently? >>>> >>>> We have a busy mail cluster that has about 80k users. In the last 10 days or so >>>> we've seen a huge increase in IPs slamming the mail servers. The really odd >>>> thing is that it happens a few times a day and it's really intensive. Mostly the >>>> traffic hops off of RBL lookups. As an experiment today I moved 8 domains >>>> MX records to a stand alone Postfix box with just zen.spamhaus.org >>>> configured on it. >>>> >>>> The results are _insane_, a snippet from just today. >>>> >>>> Per-Hour Traffic Summary >>>> ------------------------ >>>> time received delivered deferred bounced rejected >>>> -------------------------------------------------------------------- >>>> >>>> 1000-1100 12 0 0 19 1776 >>>> 1100-1200 26 1 0 112 2851 >>>> 1200-1300 25 5 0 54 3256 >>>> 1300-1400 66 1 0 200 13509 >>>> 1400-1500 241 0 0 501 61974 >>>> 1500-1600 229 3 0 520 55902 >>>> 1600-1700 38 1 0 74 3750 >>>> 1700-1800 197 2 0 441 47213 >>>> 1800-1900 302 3 0 638 77602 >>>> 1900-2000 134 6 0 248 38728 >>>> 2000-2100 23 1 0 63 4482 >>>> 2100-2200 169 4 0 216 2786 >>>> >>>> Is anyone else seeing this? 
>>>> >>>> Cheers, >>>> >>>> Paul >>>> >>>> Paul Kelly >>>> Technical Director >>>> Microsoft Certified Partner >>>> Blacknight Internet Solutions ltd >>>> Hosting, Colocation, Dedicated servers >>>> IP Transit Services >>>> Tel: +353(0)599183072 >>>> Lo-call: 1850 929 929 >>>> DDI: +353 (0) 59 9183091 >>>> >>>> e-mail: >>>> paul@blacknight.com >>>> >>>> web: >>>> http://www.blacknight.com >>>> >>>> >>>> Blacknight Internet Solutions Ltd, >>>> Unit 12A,Barrowside Business Park, >>>> Sleaty Road, >>>> Graiguecullen, >>>> Carlow, >>>> Ireland >>>> >>>> Company No.: 370845 >>>> >>>> -- >>>> MailScanner mailing list >>>> >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> >>>> Before posting, read >>>> http://wiki.mailscanner.info/posting >>>> >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >> >> -- >> Ing. Sergio Rabellino >> >> Università degli Studi di Torino >> Dipartimento di Informatica >> ICT Services Director >> Tel +39-0116706701 Fax +39-011751603 >> C.so Svizzera , 185 - 10149 - Torino >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110913/5c272c7e/attachment.html From Johan at double-l.nl Tue Sep 13 11:36:44 2011 
From: Johan at double-l.nl (Johan Hendriks) Date: Tue Sep 13 11:35:05 2011 Subject: Spam Attacks In-Reply-To: <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> Message-ID: <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> >Hi All, >Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. >http://dominion.blacknight.ie/~paul/postfix.txt >It's a bit crazy. [OT] How do you get these stats. [/OT] Thanks Regards Johan Hendriks From twiztar at gmail.com Tue Sep 13 12:06:32 2011 From: twiztar at gmail.com (Erik Weber) Date: Tue Sep 13 12:06:42 2011 Subject: Spam Attacks In-Reply-To: <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> Message-ID: On Tue, Sep 13, 2011 at 12:29 AM, Paul Kelly :: Blacknight wrote: > Hi All, > > Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. > > http://dominion.blacknight.ie/~paul/postfix.txt > > It's a bit crazy. We've managed to cope with most of it by making a custom clamav database containing signatures for these urls[1] for ruby fortune casino or something like that. Has anyone else managed to take a look into all the spam to see any similar addresses? -- Erik [1]: http://www.netrubylux.com http://www.netfortinatop.com http://www.ultrarubytop.com http://www.vivarubyluxury.com From glenn.steen at gmail.com Tue Sep 13 16:06:32 2011 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Sep 13 16:06:44 2011 Subject: Spam Attacks In-Reply-To: <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> Message-ID: Looks like pflogsumm excerpts to me. Cheers -- -- Glenn On 13 Sep 2011 12:41, "Johan Hendriks" wrote: > >>Hi All, >>Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. >>http://dominion.blacknight.ie/~paul/postfix.txt >>It's a bit crazy. > > [OT] > How do you get these stats. > [/OT] > > Thanks > Regards > Johan Hendriks > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110913/cfca6d85/attachment.html From paul at blacknight.com Tue Sep 13 17:48:57 2011 
From: paul at blacknight.com (Paul Kelly :: Blacknight) Date: Tue Sep 13 17:49:08 2011 Subject: Spam Attacks In-Reply-To: <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> Message-ID: On 13 Sep 2011, at 11:36, Johan Hendriks wrote: > >> Hi All, >> Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. >> http://dominion.blacknight.ie/~paul/postfix.txt >> It's a bit crazy. > > [OT] > How do you get these stats. > [/OT] > As Glenn has said it's pflogsumm and postfix logs. Exact command I use is: # pflogsumm.pl -d today /var/log/mail.log | less Today's stats are higher than yesterday's as we slowly migrate all 43k mail domains over. I think we've got around 12k or so done so far, it's automated but going slowly. Regards, Paul > Thanks > Regards > Johan Hendriks > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From J.Ede at birchenallhowden.co.uk Tue Sep 13 19:10:42 2011 
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Sep 13 19:16:03 2011
Subject: Spam Attacks
In-Reply-To:
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local>
Message-ID:

Just pulled up the stats for the incoming postfix instance on one of our servers for yesterday, although not quite at the levels you have it still seems to show the same pattern.

I've not looked too deeply at what makes up the rejections yet if it is xen or the other rbls or invalid addresses etc...

Per-Hour Traffic Summary
    time        received  delivered   deferred    bounced   rejected
    --------------------------------------------------------------------
    0000-0100         79         80          0          0        273
    0100-0200         74         75          0          0        261
    0200-0300        101        101          0          0        297
    0300-0400        115        115          0          0        510
    0400-0500         91         91          0          0        327
    0500-0600        125        125          0          0        325
    0600-0700        103        103          0          0        510
    0700-0800        151        154          0          0        597
    0800-0900        326        337          0          0        760
    0900-1000        443        455          0          0        970
    1000-1100        628        644          0          0       1272
    1100-1200        655        680          0          0        774
    1200-1300        711        724          0          0       2597
    1300-1400        630        665          0          0       7021
    1400-1500        630        665          0          0       3998
    1500-1600        657        674          0          0        946
    1600-1700        584        602          0          0       4129
    1700-1800        450        459          0          0       6995
    1800-1900        264        268          0          0       2401
    1900-2000        215        214          0          0        502
    2000-2100        200        205          0          0        425
    2100-2200        184        191          0          0        477
    2200-2300        149         51          4          0        271
    2300-2400        137        139        111          0        171

Jason

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Kelly :: Blacknight > Sent: 13 September 2011 17:49 > To: MailScanner discussion > Subject: Re: Spam Attacks > > > On 13 Sep 2011, at 11:36, Johan Hendriks wrote: > > > > >> Hi All, > >> Thanks for your replies. As of today I've pointed 10 domains to a new > gateway and here are some stats. > >> http://dominion.blacknight.ie/~paul/postfix.txt > >> It's a bit crazy. > > > > [OT] > > How do you get these stats. > > [/OT] > > > > As Glenn has said it's pflogsumm and postfix logs. > > Exact command I use is: > > # pflogsumm.pl -d today /var/log/mail.log | less > > Todays stats are higher than yesterdays as we slowly migrate all 43k mail > domains over. I think we've got around 12k or so done so far, it's automated > but going slowly. > > Regards, > > Paul > > > Thanks > > Regards > > Johan Hendriks > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Johan at double-l.nl Wed Sep 14 08:27:33 2011 
From: Johan at double-l.nl (Johan Hendriks) Date: Wed Sep 14 08:25:49 2011 Subject: Spam Attacks In-Reply-To: References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> Message-ID: <6C3F8332272B7D4DA26909F15F1C90E1E6409D@SRV01.double-l.local> Thanks, I will look into it. Looks like pflogsumm excerpts to me. Cheers -- -- Glenn On 13 Sep 2011 12:41, "Johan Hendriks" wrote: > >>Hi All, >>Thanks for your replies. As of today I've pointed 10 domains to a new gateway and here are some stats. >>http://dominion.blacknight.ie/~paul/postfix.txt >>It's a bit crazy. > > [OT] > How do you get these stats. > [/OT] > > Thanks > Regards > Johan Hendriks > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110914/969bad82/attachment.html From glenn.steen at gmail.com Wed Sep 14 10:14:16 2011 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 14 10:14:26 2011
Subject: Spam Attacks
In-Reply-To:
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local>
Message-ID:

On 13 September 2011 20:10, Jason Ede wrote:
> Just pulled up the stats for the incoming postfix instance on one of our servers for yesterday, although not quite at the levels you have it still seems to show the same pattern.
>
> I've not looked too deeply at what makes up the rejections yet if it is xen or the other rbls or invalid addresses etc...
>
> Per-Hour Traffic Summary
>     time        received  delivered   deferred    bounced   rejected
>     --------------------------------------------------------------------
>     0000-0100         79         80          0          0        273
>     0100-0200         74         75          0          0        261
>     0200-0300        101        101          0          0        297
>     0300-0400        115        115          0          0        510
>     0400-0500         91         91          0          0        327
>     0500-0600        125        125          0          0        325
>     0600-0700        103        103          0          0        510
>     0700-0800        151        154          0          0        597
>     0800-0900        326        337          0          0        760
>     0900-1000        443        455          0          0        970
>     1000-1100        628        644          0          0       1272
>     1100-1200        655        680          0          0        774
>     1200-1300        711        724          0          0       2597
>     1300-1400        630        665          0          0       7021
>     1400-1500        630        665          0          0       3998
>     1500-1600        657        674          0          0        946
>     1600-1700        584        602          0          0       4129
>     1700-1800        450        459          0          0       6995
>     1800-1900        264        268          0          0       2401
>     1900-2000        215        214          0          0        502
>     2000-2100        200        205          0          0        425
>     2100-2200        184        191          0          0        477
>     2200-2300        149         51          4          0        271
>     2300-2400        137        139        111          0        171
>
> Jason

I've got pflogsumm daily reports stored since August -08, and apart from natural differences (layoffs making the total volume drop, temporarily driving up the "no such address"-rejections back in -09) a cursory comparison of a semi-random selection show no real difference during the last months (well, there's always a lull during the summer/vacation period:-).

But that might only show quirks of my particular setup, volume and usage patterns of my userbase etc. I suspect an ISP-type organization would be more likely to ... attract ... badness:-).

(snip)

Cheers!
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From paul at blacknight.com Wed Sep 14 11:07:59 2011
From: paul at blacknight.com (Paul Kelly :: Blacknight) Date: Wed Sep 14 11:08:09 2011 Subject: Spam Attacks In-Reply-To: References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> Message-ID: <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> > I've got pflogsumm daily reports stored since August -08, and apart > from natural differences (layoffs making the total volume drop, > temporarily driving up the "no such address"-rejections back in -09) a > cursory comparison of a semi-random selection show no real difference > during the last months (well, there's always a lull during the > summer/vacation period:-). > [Paul Kelly] Care to share percentages maybe? :) > But that might only show quirks of my particular setup, volume and > usage patterns of my userbase etc. I suspect an ISP-type organization > would be more likely to ... attract ... badness:-). [Paul Kelly] Believe it or not, 10 domain names from the 43k or so hosted on our Qmail cluster get 94% of all e-mail. One of them is a medical research company. I suspect someone out there doesn't like them :-) Top 10 domains received 20,000,000 (yes 20 million) + spam rejections in the last 10 days. It's a wee bit crazy. Regards, Paul From J.Ede at birchenallhowden.co.uk Wed Sep 14 11:21:25 2011 
From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Sep 14 11:21:24 2011 Subject: Spam Attacks In-Reply-To: <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> Message-ID: > [Paul Kelly] Believe it or not, 10 domain names from the 43k or so hosted on > our Qmail cluster get 94% of all e-mail. One of them is a medical research > company. I suspect someone out there doesn't like them :-) > > Top 10 domains received 20,000,000 (yes 20 million) + spam rejections in the > last 10 days. > > It's a wee bit crazy. That definitely sounds like a sustained attack... No pattern in the IP's that are being rejected? From maxsec at gmail.com Wed Sep 14 12:13:13 2011 
From: maxsec at gmail.com (Martin Hepworth)
Date: Wed Sep 14 12:13:24 2011
Subject: Spam Attacks
In-Reply-To:
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local>
Message-ID:

On 14 September 2011 10:14, Glenn Steen wrote:
> On 13 September 2011 20:10, Jason Ede wrote:
> > Just pulled up the stats for the incoming postfix instance on one of our servers for yesterday, although not quite at the levels you have it still seems to show the same pattern.
> >
> > I've not looked too deeply at what makes up the rejections yet if it is xen or the other rbls or invalid addresses etc...
> >
> > Per-Hour Traffic Summary
> >     time        received  delivered   deferred    bounced   rejected
> >     --------------------------------------------------------------------
> >     0000-0100         79         80          0          0        273
> >     0100-0200         74         75          0          0        261
> >     0200-0300        101        101          0          0        297
> >     0300-0400        115        115          0          0        510
> >     0400-0500         91         91          0          0        327
> >     0500-0600        125        125          0          0        325
> >     0600-0700        103        103          0          0        510
> >     0700-0800        151        154          0          0        597
> >     0800-0900        326        337          0          0        760
> >     0900-1000        443        455          0          0        970
> >     1000-1100        628        644          0          0       1272
> >     1100-1200        655        680          0          0        774
> >     1200-1300        711        724          0          0       2597
> >     1300-1400        630        665          0          0       7021
> >     1400-1500        630        665          0          0       3998
> >     1500-1600        657        674          0          0        946
> >     1600-1700        584        602          0          0       4129
> >     1700-1800        450        459          0          0       6995
> >     1800-1900        264        268          0          0       2401
> >     1900-2000        215        214          0          0        502
> >     2000-2100        200        205          0          0        425
> >     2100-2200        184        191          0          0        477
> >     2200-2300        149         51          4          0        271
> >     2300-2400        137        139        111          0        171
> >
> > Jason
>
> I've got pflogsumm daily reports stored since August -08, and apart
> from natural differences (layoffs making the total volume drop,
> temporarily driving up the "no such address"-rejections back in -09) a
> cursory comparison of a semi-random selection show no real difference
> during the last months (well, there's always a lull during the
> summer/vacation period:-).
>
> But that might only show quirks of my particular setup, volume and
> usage patterns of my userbase etc. I suspect an ISP-type organization
> would be more likely to ... attract ... badness:-).
>
> (snip)
> Cheers!
> --
> -- Glenn
>

Seeing similar increases in spam (bursts) myself all to unknown recipients and we're not an ISP, but only to one of the 4 domains I handle.

--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110914/ac9ecad3/attachment.html

From ak6783 at gmail.com Wed Sep 14 14:10:54 2011
From: ak6783 at gmail.com (吳汝剛)
Date: Wed Sep 14 14:11:23 2011
Subject: I have two problem...
In-Reply-To:
References:
Message-ID:

Anyone who does not is the question?
MailScanner 4.84.3 really can not deny the file block has been set
Even within the message content has not Clean Message I have the setting set
If the problem is MailScanner tell me?
Please...

2011/9/7 吳汝剛

> Hello:
> I sort out my problems now
> Environment is as follows:
> Fedora 13 and the system is updated to the latest package
> MailScanner version 4.84.3
>
> 1 When I set the Sign Clean Messages = yes, but also to determine the Inline
> HTML Signature file path to determine the existence, sent a letter to no
> additional content Inline HTML Signature
>
> 2. I set there in filename.rules.conf deny \.scr$ line set, but when I send
> a letter and attached from the outside .scr files, MailScanner is not
> blocked, this function fails completely
>
> Can be tested in such an environment, not the first day I use MailScanner, in
> previous versions of these functions on my server is using, is to upgrade
> to 4.84.3 it can not be used
>
> Please ~ ~ Thank you

--
吳汝剛
Personal web page http://pc.aspa.idv.tw
Personal blog http://ak6783.blogspot.com/
Twitter http://twitter.com/akong77
Plurk http://www.plurk.com/akong77
Facebook http://www.facebook.com/akong77
Email (1) : akong@aspa.idv.tw
Email (2) : ak6783@gmail.com
Mobile : 0960599655
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110914/4d6fb4ca/attachment.html

From glenn.steen at gmail.com Wed Sep 14 16:32:55 2011
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Sep 14 16:33:04 2011 Subject: Spam Attacks In-Reply-To: <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> Message-ID: On 14 September 2011 12:07, Paul Kelly :: Blacknight wrote: > > >> I've got pflogsumm daily reports stored since August -08, and apart >> from natural differences (layoffs making the total volume drop, >> temporarily driving up the "no such address"-rejections back in -09) a >> cursory comparison of a semi-random selection show no real difference >> during the last months (well, there's always a lull during the >> summer/vacation period:-). >> > > [Paul Kelly] Care to share percentages maybe? :) :-) Well, over the entire period, all rejections seem to lie within the span 30-60% of all incoming delivery attempts, and for the last couple of months... closer to 30 than anything. I don't have the legal ability to use RBLs for rejections, only points in SA, due to specific Swedish legislation, so all rejections come from "RFC strictness", relaying attempts, fraud (pretending to be a local sender) and recipient verification. As Martin notes, the last bit seem to grab what you're seeing, so I should be seeing the same increase, but match on different rejection criteria. Since the layoffs (reduced the workforce by a third), our domain (ap1.se) is real low volume, and ... luckily has escaped attention so far:-). >> But that might only show quirks of my particular setup, volume and >> usage patterns of my userbase etc. I suspect an ISP-type organization >> would be more likely to ... attract ... badness:-). 
> > [Paul Kelly] Believe it or not, 10 domain names from the 43k or so hosted on our Qmail cluster get 94% of all e-mail. One of them is a medical research company. I suspect someone out there doesn't like them :-) :-) > > Top 10 domains received 20,000,000 (yes 20 million) + spam rejections in the last 10 days. > .... Oh ... > It's a wee bit crazy. > Yep, real crazy. How is the PF things holding up under the deluge? > Regards, > > Paul > Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From paul at blacknight.com Wed Sep 14 23:34:39 2011 
From: paul at blacknight.com (Paul Kelly :: Blacknight) Date: Wed Sep 14 23:34:48 2011 Subject: Spam Attacks In-Reply-To: References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> Message-ID: <3B914A0F-4235-4E6A-82D9-29F44A41C7B8@blacknight.com> A full days logs here I think. http://dominion.blacknight.ie/~paul/postfix-Sep14.txt It's not as bad as I thought it was going to be. But I can clearly see the first 10 domains we moved over were indeed getting most of the traffic. At least now we've got proper logging, unlike Qmail which is just a MAJOR pita to get any information from. I suppose if you use a 10 year old car in a race, you're going to loose. Paul Paul Kelly Technical Director Microsoft Certified Partner Blacknight Internet Solutions ltd Hosting, Colocation, Dedicated servers IP Transit Services Tel: +353(0)599183072 Lo-call: 1850 929 929 DDI: +353 (0) 59 9183091 e-mail: paul@blacknight.com web: http://www.blacknight.com Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845 On 14 Sep 2011, at 16:32, Glenn Steen wrote: > On 14 September 2011 12:07, Paul Kelly :: Blacknight > wrote: >> >> >>> I've got pflogsumm daily reports stored since August -08, and apart >>> from natural differences (layoffs making the total volume drop, >>> temporarily driving up the "no such address"-rejections back in -09) a >>> cursory comparision of a semi-random selection show no real difference >>> during the last months (well, there's always a lull during the >>> summer/vacation period:-). >>> >> >> [Paul Kelly] Care to share percentages maybe? 
:) > > :-) > Well, over the entire period, all rejections seem to lie within the > span 30-60% of all incoming delivery attempts, and for the last couple > of months... closer to 30 than anything. > I don't have the legal ability to use RBLs for rejections, only points > in SA, due to specific Swedish legislation, so all rejections come > from "RFC strictness", relaying attempts, fraud (pretending to be a > local sender) and recipient verification. As Martin notes, the last > bit seem to grab what you're seeing, so I should be seeing the same > increase, but match on different rejection criteria. > Since the layoffs (reduced the workforce by a third), our domain > (ap1.se) is real low volume, and ... luckily has escaped attention so > far:-). > >>> But that might only show quirks of my particular setup, volume and >>> usage patterns of my userbase etc. I suspect an ISP-type organization >>> would be more likely to ... attract ... badness:-). >> >> [Paul Kelly] Believe it or not, 10 domain names from the 43k or so hosted on our Qmail cluster get 94% of all e-mail. One of them is a medical research company. I suspect someone out there doesn't like them :-) > :-) >> >> Top 10 domains received 20,000,000 (yes 20 million) + spam rejections in the last 10 days. >> > .... Oh ... >> It's a wee bit crazy. >> > Yep, real crazy. How is the PF things holding up under the deluge? > >> Regards, >> >> Paul >> > > Cheers! > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From eli at orbsky.homelinux.org Thu Sep 15 06:28:36 2011 
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Thu Sep 15 06:29:26 2011
Subject: Spam Attacks
In-Reply-To: <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local>
Message-ID: <201109150828.36538.eli@orbsky.homelinux.org>

Hi

I'm using good old fashioned sendmail as my mta.... It has a feature called "greet_pause". Dunno if qmail or postfix has this feature, but what this does is delay sending banners out for a specified amount of time (usually configured for between 1-5 seconds). If a spammer / slammer starts sending before the acknowledgement from sendmail, the connection is summarily dropped.

Hope this helps all who have run into the slamming phenomenon.

Eli

On Tuesday 13 September 2011 13:36:44 Johan Hendriks wrote:
> >Hi All,
> >Thanks for your replies. As of today I've pointed 10 domains to a new
> >gateway and here are some stats.
> >http://dominion.blacknight.ie/~paul/postfix.txt
> >It's a bit crazy.
>
> [OT]
> How do you get these stats.
> [/OT]
>
> Thanks
> Regards
> Johan Hendriks

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ms-list at alexb.ch Thu Sep 15 07:04:58 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 15 07:05:43 2011
Subject: Spam Attacks
In-Reply-To: <201109150828.36538.eli@orbsky.homelinux.org>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <201109150828.36538.eli@orbsky.homelinux.org>
Message-ID: <4E71958A.2080707@alexb.ch>

On 2011-09-15 7:28, Eli Wapniarski wrote:
> Hi
>
> I'm using good old fashioned sendmail as my mta.... It has a feature called
> "greet_pause". Dunno if qmail or postfix has this feature, but what this does
> is delay sending banners out for a specified amount of time (usually
> configured for between 1-5 seconds). If a spammer / slammer starts sending
> before the acknowledgement from sendmail, the connection is summarily dropped.

In Postfix it's called postscreen. Pretty efficient indeed.

From glenn.steen at gmail.com Thu Sep 15 07:40:42 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 15 07:40:51 2011
Subject: Spam Attacks
In-Reply-To:
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <4E6E36C6.9010903@di.unito.it> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <08EEEAD796731546A6662E346C71CA3824C54581@bkexchmbx01.blacknight.local> <3B914A0F-4235-4E6A-82D9-29F44A41C7B8@blacknight.com>
Message-ID:

Hmm, 2.7 mega-rejections... What does the detailed breakdown tell... All BLs? Best would be if they were at helo-stage-rejections (rfc strictness type of thing), since that wouldn't even cost you a name lookup.
Anyway, a lot of traffic attempts, indeed:-)

Cheers!
--
-- Glenn
On 15 Sep 2011 00:41, "Paul Kelly :: Blacknight" wrote:

From glenn.steen at gmail.com Thu Sep 15 07:51:34 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 15 07:51:44 2011
Subject: Spam Attacks
Message-ID:

In general, I agree... Usually pretty effective. But... In a ddos-like situation, one has to have a bit of care with the actual sleep/pause length... So that it doesn't create a net resource problem;-)
I'm not calling Paul's situation ddos-like, just ... A bit hectic;-)

Cheers!
--
-- Glenn
On 15 Sep 2011 08:09, "Alex Broens" wrote:

From paul at blacknight.com Thu Sep 15 12:53:31 2011
From: paul at blacknight.com (Paul Kelly :: Blacknight)
Date: Thu Sep 15 12:53:40 2011
Subject: Spam Attacks
In-Reply-To:
References:
Message-ID: <08EEEAD796731546A6662E346C71CA3824C8F1BE@bkexchmbx02.blacknight.local>

Yes indeed.

We'd probably run out of sockets / tcp src ports at the 6000 / messages / minute mark so it's not safe to use greet pause type solutions.

I considered it and we use it on low traffic sendmail installs but for this I thought the kernel may explode.

Regards,

Paul

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 15 September 2011 07:52
To: MailScanner discussion
Subject: Re: Spam Attacks

In general, I agree... Usually pretty effective. But... In a ddos-like situation, one has to have a bit of care with the actual sleep/pause length... So that it doesn't create a net resource problem;-)
I'm not calling Pauls situation ddos-like, just ... A bit hectic;-)

Cheers!
--
-- Glenn
On 15 Sep 2011 08:09, "Alex Broens" wrote:

From Amelein at dantumadiel.eu Thu Sep 15 13:28:09 2011
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Thu Sep 15 13:28:42 2011
Subject: Betr.: RE: Spam Attacks
In-Reply-To: <08EEEAD796731546A6662E346C71CA3824C8F1BE@bkexchmbx02.blacknight.local>
References: <08EEEAD796731546A6662E346C71CA3824C8F1BE@bkexchmbx02.blacknight.local>
Message-ID: <4E720B790200008E0001B0D2@10.1.0.206>

What about grey listing? We only get about 14K connections a day (as opposed to 20M =p) and about 12K of those get rejected by a greylist which leaves about 50-100 spam e-mails for MS to grab on a daily basis and the rest is like >99% legit e-mail.

I'm not sure how grey listing would hold up with that kind of volume but I'd go for an sql based grey list with a dedicated (my)sql server.

We had a sudden increase about 2 years ago where we went from about 2k e-mails daily (including spam) to ~15K overnight that at points made our MS red hot and backlogged like 15 minutes.

To add what everyone else is experiencing, right now I'm seeing a spam spike between 9am and 10am GMT+1/CET, this peaks at around 70-80 per minute and after that it settles at around 5/min again that get rejected.

- Arjan

From mogens at fumlersoft.dk Thu Sep 15 15:45:10 2011
From: mogens at fumlersoft.dk (Mogens Melander) Date: Thu Sep 15 15:45:25 2011 Subject: Spam Attacks In-Reply-To: <201109150828.36538.eli@orbsky.homelinux.org> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <201109150828.36538.eli@orbsky.homelinux.org> Message-ID: <4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk> Hi Guys sendmail + smfgray + mailscaner has served flawless for years. On Thu, September 15, 2011 07:28, Eli Wapniarski wrote: > Hi > > I'm using good old fashioned sendmail as my mta.... It has a feature called > "greet_pause" "Dunnno if qmail or postfix has this feature, but what this does > is delay sending banners out for a specified amount of time (usually > configured for between 1 -5 seconds). If a spammer / slammer starts sending > before the acknowledgement from sendmail, the connection is summarily dropped. > > Hope this helps all who have run into the slamming phenomenon. > > Eli > > > On Tuesday 13 September 2011 13:36:44 Johan Hendriks wrote: >> >Hi All, >> >Thanks for your replies. As of today I've pointed 10 domains to a new >> >gateway and here are some stats. >> >http://dominion.blacknight.ie/~paul/postfix.txt >> >It's a bit crazy. >> >> [OT] >> How do you get these stats. >> [/OT] -- Later Mogens Melander -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rabellino at di.unito.it Thu Sep 15 16:42:36 2011 
From: rabellino at di.unito.it (Sergio Rabellino) Date: Thu Sep 15 16:43:17 2011 Subject: Spam Attacks In-Reply-To: <4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk> References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <201109150828.36538.eli@orbsky.homelinux.org> <4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk> Message-ID: <4E721CEC.8050705@di.unito.it> [maybe OT] This summer i've got a better solution for sendmail greylisting : milter-greylist (http://hcpnet.free.fr/milter-greylist/). The 'too' old smf-grey do not work with ipv6 adresses ! [end OT] Il 15/09/2011 16:45, Mogens Melander ha scritto: > Hi Guys > > sendmail + smfgray + mailscaner has served flawless for years. > > On Thu, September 15, 2011 07:28, Eli Wapniarski wrote: >> Hi >> >> I'm using good old fashioned sendmail as my mta.... It has a feature called >> "greet_pause" "Dunnno if qmail or postfix has this feature, but what this does >> is delay sending banners out for a specified amount of time (usually >> configured for between 1 -5 seconds). If a spammer / slammer starts sending >> before the acknowledgement from sendmail, the connection is summarily dropped. >> >> Hope this helps all who have run into the slamming phenomenon. >> >> Eli >> >> >> On Tuesday 13 September 2011 13:36:44 Johan Hendriks wrote: >>>> Hi All, >>>> Thanks for your replies. As of today I've pointed 10 domains to a new >>>> gateway and here are some stats. >>>> http://dominion.blacknight.ie/~paul/postfix.txt >>>> It's a bit crazy. >>> [OT] >>> How do you get these stats. >>> [/OT] > -- Ing. Sergio Rabellino Universit? 
degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701 Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino

From dave at KD0YU.COM Thu Sep 15 17:26:19 2011
From: dave at KD0YU.COM (Dave Helton)
Date: Thu Sep 15 17:26:44 2011
Subject: Spam Attacks
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <201109150828.36538.eli@orbsky.homelinux.org><4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk> <4E721CEC.8050705@di.unito.it>
Message-ID: <4398918D4E9DB84BB07FF9EFC4B64B1177C5@dc1.KD0YU.COM>

We're all fighting spam. Even if it is a bit off topic, it's relevant ;)

mailfromd: (http://puszcza.gnu.org/projects/mailfromd) which I use as my front end, makes sure all senders/headers/mail/etc is rfc compliant before it gets passed to MS. The scripting language is a real joy to use also.

--Dave

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Sergio Rabellino
Sent: Thursday, September 15, 2011 10:43 AM
To: MailScanner discussion
Subject: Re: Spam Attacks

[maybe OT]
This summer I've got a better solution for sendmail greylisting: milter-greylist (http://hcpnet.free.fr/milter-greylist/).
The 'too' old smf-grey does not work with ipv6 addresses!
[end OT]

--
This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean.

From jeremy at fluxlabs.net Thu Sep 15 17:35:31 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Thu Sep 15 17:55:02 2011
Subject: Spam Attacks
In-Reply-To: <4398918D4E9DB84BB07FF9EFC4B64B1177C5@dc1.KD0YU.COM>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <201109150828.36538.eli@orbsky.homelinux.org><4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk> <4E721CEC.8050705@di.unito.it> <4398918D4E9DB84BB07FF9EFC4B64B1177C5@dc1.KD0YU.COM>
Message-ID: <1E13A1E2-0A81-4C70-93B3-00235953169E@fluxlabs.net>

dead link

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 15, 2011, at 11:26 AM, Dave Helton wrote:

mailfromd: (http://puszcza.gnu.org/projects/mailfromd)

From dave at KD0YU.COM Thu Sep 15 18:15:23 2011
From: dave at KD0YU.COM (Dave Helton)
Date: Thu Sep 15 18:15:48 2011
Subject: Spam Attacks
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com><57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com><6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local><201109150828.36538.eli@orbsky.homelinux.org><4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk><4E721CEC.8050705@di.unito.it><4398918D4E9DB84BB07FF9EFC4B64B1177C5@dc1.KD0YU.COM> <1E13A1E2-0A81-4C70-93B3-00235953169E@fluxlabs.net>
Message-ID: <4398918D4E9DB84BB07FF9EFC4B64B1177C6@dc1.KD0YU.COM>

mailfromd: (http://puszcza.gnu.org.ua/projects/mailfromd) corrected.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeremy McSpadden
Sent: Thursday, September 15, 2011 11:36 AM
To: MailScanner discussion
Subject: Re: Spam Attacks

dead link

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 15, 2011, at 11:26 AM, Dave Helton wrote:

mailfromd: (http://puszcza.gnu.org/projects/mailfromd)

--
This message has been scanned for viruses and dangerous content by MailScanner running on mail server KD0YU.COM, and is believed to be clean.

From dudi at kolcore.com Thu Sep 15 18:12:18 2011
From: dudi at kolcore.com (Dudi Goldenberg)
Date: Thu Sep 15 18:16:35 2011
Subject: Spam Attacks
In-Reply-To: <1E13A1E2-0A81-4C70-93B3-00235953169E@fluxlabs.net>
References: <9669F83C-0C5E-463E-8EAA-F5BBC1F27E6C@blacknight.com> <57E04080-71D8-46CA-A04F-B55147A2CFC4@blacknight.com> <6C3F8332272B7D4DA26909F15F1C90E1E63C13@SRV01.double-l.local> <201109150828.36538.eli@orbsky.homelinux.org><4674f61b9c6ec2311a309cc54e6c302a.squirrel@mail.fumlersoft.dk> <4E721CEC.8050705@di.unito.it> <4398918D4E9DB84BB07FF9EFC4B64B1177C5@dc1.KD0YU.COM> <1E13A1E2-0A81-4C70-93B3-00235953169E@fluxlabs.net>
Message-ID: <9A4085B7A6E42849838BFCD1672A732A0FC4665768@IE2RD2XVS101.red002.local>

>dead link
>
>mailfromd: (http://puszcza.gnu.org/projects/mailfromd)

This one works:

http://puszcza.gnu.org.ua/projects/mailfromd

D.

From eli at orbsky.homelinux.org Thu Sep 15 21:38:00 2011
From: eli at orbsky.homelinux.org (Eli Wapniarski) Date: Thu Sep 15 21:38:45 2011 Subject: Spam Attacks Message-ID: <201109152338.00610.eli@orbsky.homelinux.org> Greylisting works great, but it still processes the mail. And eventually, the bot will break through the timeout. So greylisting only works so far with the slamming kind of attack and it will bring your server to a dead stop. I would seriously recommend great_pause for sendmail and postscreen for postfix. I hope that their is an equivalent for qmail.... etc. Seriously does a great job Eli On Thursday 15 September 2011 18:42:36 Sergio Rabellino wrote: > [maybe OT] > This summer i've got a better solution for sendmail greylisting : > milter-greylist (http://hcpnet.free.fr/milter-greylist/). > The 'too' old smf-grey do not work with ipv6 adresses ! > [end OT] > > Il 15/09/2011 16:45, Mogens Melander ha scritto: > > Hi Guys > > > > sendmail + smfgray + mailscaner has served flawless for years. > > > > On Thu, September 15, 2011 07:28, Eli Wapniarski wrote: > >> Hi > >> > >> I'm using good old fashioned sendmail as my mta.... It has a feature > >> called "greet_pause" "Dunnno if qmail or postfix has this feature, but > >> what this does is delay sending banners out for a specified amount of > >> time (usually configured for between 1 -5 seconds). If a spammer / > >> slammer starts sending before the acknowledgement from sendmail, the > >> connection is summarily dropped. > >> > >> Hope this helps all who have run into the slamming phenomenon. > >> > >> Eli > >> > >> On Tuesday 13 September 2011 13:36:44 Johan Hendriks wrote: > >>>> Hi All, > >>>> Thanks for your replies. As of today I've pointed 10 domains to a new > >>>> gateway and here are some stats. > >>>> http://dominion.blacknight.ie/~paul/postfix.txt > >>>> It's a bit crazy. > >>> > >>> [OT] > >>> How do you get these stats. > >>> [/OT] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From michael at huntley.net Thu Sep 15 21:58:45 2011 
From: michael at huntley.net (Michael Huntley) Date: Thu Sep 15 21:59:01 2011 Subject: Spam Attacks In-Reply-To: <201109152338.00610.eli@orbsky.homelinux.org> References: <201109152338.00610.eli@orbsky.homelinux.org> Message-ID: <4E726705.1070207@huntley.net> I use fail2ban and drop those suckers at the firewall after x number of rejections. I have never failed to stop an attack. michael huntley On 9/15/2011 1:38 PM, Eli Wapniarski wrote: > Greylisting works great, but it still processes the mail. And eventually, the > bot will break through the timeout. So greylisting only works so far with the > slamming kind of attack and it will bring your server to a dead stop. > > I would seriously recommend great_pause for sendmail and postscreen for > postfix. I hope that their is an equivalent for qmail.... etc. Seriously does > a great job > > Eli > > On Thursday 15 September 2011 18:42:36 Sergio Rabellino wrote: >> [maybe OT] >> This summer i've got a better solution for sendmail greylisting : >> milter-greylist (http://hcpnet.free.fr/milter-greylist/). >> The 'too' old smf-grey do not work with ipv6 adresses ! >> [end OT] >> >> Il 15/09/2011 16:45, Mogens Melander ha scritto: >>> Hi Guys >>> >>> sendmail + smfgray + mailscaner has served flawless for years. >>> >>> On Thu, September 15, 2011 07:28, Eli Wapniarski wrote: >>>> Hi >>>> >>>> I'm using good old fashioned sendmail as my mta.... It has a feature >>>> called "greet_pause" "Dunnno if qmail or postfix has this feature, but >>>> what this does is delay sending banners out for a specified amount of >>>> time (usually configured for between 1 -5 seconds). If a spammer / >>>> slammer starts sending before the acknowledgement from sendmail, the >>>> connection is summarily dropped. >>>> >>>> Hope this helps all who have run into the slamming phenomenon. >>>> >>>> Eli >>>> >>>> On Tuesday 13 September 2011 13:36:44 Johan Hendriks wrote: >>>>>> Hi All, >>>>>> Thanks for your replies. 
As of today I've pointed 10 domains to a new >>>>>> gateway and here are some stats. >>>>>> http://dominion.blacknight.ie/~paul/postfix.txt >>>>>> It's a bit crazy. >>>>> [OT] >>>>> How do you get these stats. >>>>> [/OT] From ms-list at alexb.ch Thu Sep 15 22:08:55 2011 From: ms-list at alexb.ch (Alex Broens) Date: Thu Sep 15 22:09:11 2011 Subject: Spam Attacks In-Reply-To: <08EEEAD796731546A6662E346C71CA3824C8F1BE@bkexchmbx02.blacknight.local> References: <08EEEAD796731546A6662E346C71CA3824C8F1BE@bkexchmbx02.blacknight.local> Message-ID: <4E726967.8020107@alexb.ch> On 2011-09-15 13:53, Paul Kelly :: Blacknight wrote: > Yes indeed. > > We'd probably run out of sockets / tcp src ports at the 6000 / > messages / minute mark so it's not safe to use greet pause type > solutions. > > I considered it and we use it on low traffic sendmail installs but > for this I thought the kernel may explode. > Dunno about Sendmail, but Postfix caches the "good guys" in a DB and you can use a CIDR file to "whitelist" IP ranges. It's also very good at closing the bad connections. My traffic is pretty much like yours at peak times and haven't run into any issues. Alex From J.Ede at birchenallhowden.co.uk Fri Sep 16 09:30:28 2011 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Sep 16 09:39:07 2011 Subject: Spam Attacks In-Reply-To: <4E726705.1070207@huntley.net> References: <201109152338.00610.eli@orbsky.homelinux.org> <4E726705.1070207@huntley.net> Message-ID: I second fail2ban... With a bit of tweaking of the config script can get it to log (rate limited to prevent flooding) all of the dropped connections so you've a log of what goes on... I only ban for 20 mins at the moment, but it seems amply long enough for them to get the hint and go away. The script for log-rotation needs tweaking though to prevent it hanging at that point. Jason > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Michael Huntley > Sent: 15 September 2011 21:59 > To: MailScanner discussion > Subject: Re: Spam Attacks > > I use fail2ban and drop those suckers at the firewall after x number of > rejections. I have never failed to stop an attack. > > michael huntley > > On 9/15/2011 1:38 PM, Eli Wapniarski wrote: > > Greylisting works great, but it still processes the mail. And > > eventually, the bot will break through the timeout. So greylisting > > only works so far with the slamming kind of attack and it will bring your > server to a dead stop. > > > > I would seriously recommend great_pause for sendmail and postscreen > > for postfix. I hope that their is an equivalent for qmail.... etc. > > Seriously does a great job > > > > Eli > > > > On Thursday 15 September 2011 18:42:36 Sergio Rabellino wrote: > >> [maybe OT] > >> This summer i've got a better solution for sendmail greylisting : > >> milter-greylist (http://hcpnet.free.fr/milter-greylist/). > >> The 'too' old smf-grey do not work with ipv6 adresses ! > >> [end OT] > >> > >> Il 15/09/2011 16:45, Mogens Melander ha scritto: > >>> Hi Guys > >>> > >>> sendmail + smfgray + mailscaner has served flawless for years. > >>> > >>> On Thu, September 15, 2011 07:28, Eli Wapniarski wrote: > >>>> Hi > >>>> > >>>> I'm using good old fashioned sendmail as my mta.... It has a > >>>> feature called "greet_pause" "Dunnno if qmail or postfix has this > >>>> feature, but what this does is delay sending banners out for a > >>>> specified amount of time (usually configured for between 1 -5 > >>>> seconds). If a spammer / slammer starts sending before the > >>>> acknowledgement from sendmail, the connection is summarily > dropped. > >>>> > >>>> Hope this helps all who have run into the slamming phenomenon. 
> >>>> > >>>> Eli > >>>> > >>>> On Tuesday 13 September 2011 13:36:44 Johan Hendriks wrote: > >>>>>> Hi All, > >>>>>> Thanks for your replies. As of today I've pointed 10 domains to a > >>>>>> new gateway and here are some stats. > >>>>>> http://dominion.blacknight.ie/~paul/postfix.txt > >>>>>> It's a bit crazy. > >>>>> [OT] > >>>>> How do you get these stats. > >>>>> [/OT] > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mailscanner at joolee.nl Fri Sep 16 16:00:30 2011 
From: mailscanner at joolee.nl (Joolee)
Date: Fri Sep 16 16:01:20 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

I've found out what the problem is. It wasn't because MailScanner doesn't run the message through SpamAssassin when there is an attachment error, because it actually does. (Maybe someone can still add an option to skip extra checks when a file name rule is hit, for Glenn Steen who thinks of it as "not a problem, it's a feature... And a much needed one at that!")

The problem is that MailScanner throws a timeout when SpamAssassin is run and sets the score to 0.0. Now the mail is recognized as having "Bad Content" but because the spam score is 0, the mail gets cleaned, a warning is added and the mail is forwarded to the recipient.

As for the SpamAssassin timeout, I think this is caused by the headers that identify one of the attachments in the mails. This is:

> ------=_NextPart_000_0006_01CC51AC.63F30F00
> Content-Type: ;
>     name="report_1609.pdf.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
>     filename="report_1609.pdf.zip"

I think that because of the empty "Content-Type" header, the attachment is decoded and used for Bayesian learning. This takes somewhere between 90 and 200 seconds, exceeding the timeout configured in MailScanner (I already changed that to 150 seconds but a batch of 25 mails can now effectively stop message processing for more than an hour and some messages get through).

I've come to this conclusion because when running a manual SpamAssassin scan on a message, the following lines are very time consuming:

> Sep 16 15:07:12.279 [8264] dbg: bayes: Using userid: 1 0.0004
>
> Sep 16 15:08:48.746 [8264] dbg: bayes: seen
> (bf76e190b8121487c91051758a402dd20b18eaa6@sa_generated) put
> 96.46636

While that only takes +-4 ms for other mails.

When I run sa-learn manually, the timeout is seen in the following lines:

> Sep 16 15:34:12.786 [18308] dbg: message: decoding base64
>
> Forgot tokens from 1 message(s) (1 message(s) examined)
>
> Sep 16 15:35:49.764 [18308] dbg: plugin:
> Mail::SpamAssassin::Plugin::Bayes=HASH(0x3891ba0) implements
> 'learner_close', priority 0

I'll file a bug report for SpamAssassin. In the meantime, I'll just set the timeout to 300 seconds and keep an eye on the MailScanner queue with collectd or disable autolearning altogether.

On 2 September 2011 14:58, Rick Cooper wrote:

> ------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:
> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Joolee
> *Sent:* Friday, September 02, 2011 6:20 AM
>
> *To:* MailScanner discussion
> *Subject:* Re: MS Doesn't completely block spam with faulty attachments
>
> A feature that I would like to be able to disable ;)
>
> "Why would you want to spend precious resources on a meaningless check,
> when you already decided to stop the offending attachment?!"
> To inform my paying user why the contract he's been waiting for was
> blocked.
>
> I think I already made quite clear why it's not an option for me to
> completely block them. I can't see why other users can't be bothered by it,
> maybe they just accept that they can't solve it? (Not my way of handling
> problems)
> [Rick Cooper]
>
>
> Seems like you need to modify your multiple extension rules to include
> dangerous extensions and ignore the rest. For instance a rule like
> /\.(exe|com|bat|vbs)\..+$/
>
> would allow "something.good.doc.pdf" but would catch
> "something.bad.doc.exe.pdf". Of course you would want (exe|vbs|com|bat) to
> include extensions that you feel should be blocked in the multiple extension
> rule. I had to change mine long ago because there are a *lot* of people who
> create file names like "something.good.09.01.2011.doc".
The default rules > are there for out of the box functionality but you can modify them as > required for your given situation and clearly you need to pass multiple > extensions that are not likely to be malware. With MailScanner you can > generally solve any issues without accepting the default rules, or asking > for something else to be added either. There has been discussion in the past > regarding being able to define the order in which the processing events take > place but this would require a HUGE change in the core of MailScanner and > Julian does have a job that puts food on the table. Unless MailScanner > evolves into a programming team or group that is not likely to ever happen. > > > On 1 September 2011 23:07, Glenn Steen wrote: > >> That's not a problem, it's a feature... And a much needed one at that! >> Why would you want to spend precious resources on a meaningless check, >> when you already decided to stop the offending attachment?! >> Don't deliver it at all, if it bothers you;-) >> >> Cheers >> -- >> -- Glenn >> Den 1 sep 2011 19:12 skrev "Joolee" : >> >> > The problem with the current spam is that they're blocked for containing >> exe >> > files, not double file extensions (Although they woul've hit that one if >> > exe's were not clocked.) >> > >> > Only quick temporary solution is to disable all file-name validation >> because >> > this can occur with more than just exe files and double extensions. This >> is >> > no final solution though. >> > >> > On 1 September 2011 18:40, Kevin Miller > >wrote: >> > >> >> ** >> >> Easiest thing to do in that case is to comment out the line in >> >> filename.rules.conf that disallows double extensions. The message will >> be >> >> accepted as normal and go through the additional tests (is it an >> executable, >> >> is it a virus, is it spam, etc.) >> >> >> >> >> >> ...Kevin >> >> -- >> >> Kevin Miller Registered Linux User No: 307357 >> >> CBJ MIS Dept. Network Systems Admin., Mail Admin. 
>> >> 155 South Seward Street ph: (907) 586-0242 >> >> Juneau, Alaska 99801 fax: (907 586-4500 >> >> >> >> >> >> ------------------------------ >> >> *From:* mailscanner-bounces@lists.mailscanner.info [mailto: >> >> mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Joolee >> >> *Sent:* Thursday, September 01, 2011 7:32 AM >> >> *To:* MailScanner discussion >> >> *Subject:* Re: MS Doesn't completely block spam with faulty attachments >> >> >> >> I agree that it isn't a good idea to notify the sender of a spam or >> virus >> >> message I'm not planning to do that, I know the troubles of >> backscatter. >> >> >> >> What I've configured is that if a user sends a completely normal >> >> (non-virus, non-spam) E-mail but with, for instance, a file named >> >> "CurriculumVitae.doc.pdf" (default output for a lot of PDF printers). >> The >> >> server sends out a warning to sender and the original message stripped >> of >> >> it's attachment to the recipient of the message. Notifying the sender >> is not >> >> strictly necessary but if this is only done for such non-virus, >> non-spam >> >> message, it isn't a problem either. >> >> >> >> The situation that bugs me is when some spam message with a file named >> >> "CurriculumVitae.doc.pdf" is received. The message hits the filename >> rule >> >> and* isn't processed any further to check if its a spam message*. >> Because >> >> it isn't processed any further, the warning messages are send out to >> both >> >> sender and original recipient. >> >> >> >> As I stated before, I can disable the sender notification. What I can't >> do >> >> is tell my customers (the recipients) that such wrongly named files, >> most >> >> containing important documents, are silently discarded. Sending spam to >> my >> >> customers that could have been recognized isn't an option either. 
>> >> >> >> The simplest solution, I think, would be to *continue processing* the >> >> message after a file name rule is hit, decide if the E-mail is HAM and >> in >> >> that case, send out the notifications. If the E-mail is spam, silently >> >> discard it. >> >> It would add a bit of load to the server but stopping spam is what it's >> all >> >> about, isn't it? :P >> >> >> >> On 1 September 2011 16:34, Julian Field > >wrote: >> >> >> >>> He's probably switched on some "Notify Senders" options. Bad idea :-( >> >>> >> >>> >> >>> On 01/09/2011 12:32, Martin Hepworth wrote: >> >>> >> >>>> what version of MS? >> >>>> >> >>>> I never inform the sender of junk as you end up with fake messages >> sent >> >>>> out. >> >>>> >> >>>> -- >> >>>> Martin Hepworth >> >>>> Oxford, UK >> >>>> >> >>>> >> >>>> On 1 September 2011 08:17, Joolee > >>>> mailscanner@joolee.nl>**> wrote: >> >>>> >> >>>> Hallo Everybody, >> >>>> >> >>>> I've experienced a small flood of virus E-mails. These E-mails >> >>>> (subj.: "ACH Payment *random number* Canceled") contain >> >>>> attachments named like: "report_082011-65.pdf.exe" >> >>>> They obviously get blocked by the "no executables" and "No double >> >>>> file extensions" rules. The problem is that after blocking them, >> >>>> an automated E-mail is send to the original recipient and the >> >>>> (faked) sender of the message, informing them of the blocked >> >>>> attachment. >> >>>> >> >>>> Had the E-mails been processed further, they would've probably hit >> >>>> the virusscanner (not tested) or spamassassin (gives a score of 27 >> >>>> when tested) and the E-mail would've silently been discarded as a >> >>>> virus / spam / phishing. >> >>>> >> >>>> Is it possible to let the MailScanner continue it's processing >> >>>> when hitting the file name rules and / or running the filename >> >>>> rule at a later time? 
From glenn.steen at gmail.com Fri Sep 16 17:18:54 2011
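An added example, not part of any list message and not MailScanner code: the attachment headers Joolee quotes and the multiple-extension rule Rick Cooper suggests, checked with Python's standard `email` parser. The message and addresses are constructed; case-insensitive matching and the `EXECUTABLE_FINAL` pattern (a stand-in for the separate executables rule) are assumptions.

```python
import re
from email import message_from_string

# Rick Cooper's rule from the thread; case-insensitive matching is an assumption.
DANGEROUS_MIDDLE = re.compile(r"\.(exe|com|bat|vbs)\..+$", re.IGNORECASE)
# Hypothetical stand-in for the separate "no executables" rule the thread mentions.
EXECUTABLE_FINAL = re.compile(r"\.(exe|com|bat|vbs)$", re.IGNORECASE)

# Constructed message; the second part copies the headers quoted in the thread.
SAMPLE = """\
From: sender@example.invalid
To: rcpt@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Type: ;
 name="report_1609.pdf.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="report_1609.pdf.zip"

UEsDBA==
--b1--
"""


def declared_type(part):
    """Return the type/subtype text the sender wrote ('' if empty, None if no header)."""
    raw = part.get("Content-Type")
    if raw is None:
        return None
    return str(raw).split(";", 1)[0].strip().lower()


def check_filename(name):
    """Apply both filename patterns and return the names of the ones that hit."""
    findings = []
    if DANGEROUS_MIDDLE.search(name):
        findings.append("dangerous-extension-not-last")
    if EXECUTABLE_FINAL.search(name):
        findings.append("executable-final-extension")
    return findings


def audit(raw_message):
    """List (filename, type the parser falls back to, findings) for suspicious parts."""
    report = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        findings = []
        ctype = declared_type(part)
        # A present header without exactly one "/" carries no usable media type.
        if ctype is not None and ctype.count("/") != 1:
            findings.append("malformed-content-type")
        name = part.get_filename()
        if name:
            findings.extend(check_filename(name))
        if findings:
            report.append((name, part.get_content_type(), findings))
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
    for name in ("something.good.doc.pdf", "something.bad.doc.exe.pdf",
                 "report_082011-65.pdf.exe", "something.good.09.01.2011.doc"):
        print(name, check_filename(name))
```

Python's parser reports the part with the empty Content-Type as `text/plain`, the RFC 2045 default, which is why the audit reads the raw header instead. The multiple-extension pattern alone does not match `report_082011-65.pdf.exe`; only the stand-in executables pattern does.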
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 16 17:19:05 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

Short prose, since from phone:
Old problem variant (gmane old ml archive for sa timeouts, bayes expiry etc). I set that t/o even higher... It's there in ms to detect hangs, and is by default way too low.
Cheers!

On 16 Sep 2011 17:07, "Joolee" wrote:
> I've found out what the problem is. It wasn't because MailScanner doesn't run the message through Spamassassin when there is an attachment error because it actually does. (Maybe someone can still add an option to skip extra checks when a file name rule is hit for Glenn Steen that thinks of it as "not a problem, it's a feature... And a much needed one at that!" )
>
> The problem is that MailScanner throws a timeout when Spamassassin is run and sets the score to 0.0. Now the mail is recognized as having "Bad Content" but because the spam score is 0, the mail gets cleaned, a warning is added and the mail is forwarded to the recipient.
>
> As for the Spamassassin timeout, I think this is caused by the headers that identify one of the attachments in the mails.
>
> This is:
>
>> ------=_NextPart_000_0006_01CC51AC.63F30F00
>> Content-Type: ;
>> name="report_1609.pdf.zip"
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment;
>> filename="report_1609.pdf.zip"
>
> I think that because of the empty "Content-Type" header, the attachment is decoded and used for Bayesian learning. This takes somewhere between 90 and 200 seconds, exceeding the timeout configured in MailScanner (I already changed that to 150 seconds but a batch of 25 mails can now effectively stop message processing for more than an hour and some messages get through)
>
> I've come to this conclusion because when running a manual Spamassassin scan on a message, the following lines are very time consuming:
>
>> Sep 16 15:07:12.279 [8264] dbg: bayes: Using userid: 1 0.0004
>> Sep 16 15:08:48.746 [8264] dbg: bayes: seen (bf76e190b8121487c91051758a402dd20b18eaa6@sa_generated) put 96.46636
>
> While that only takes +-4 ms for other mails.
>
> When I run sa-learn manually, the timeout is seen in the following lines:
>
>> Sep 16 15:34:12.786 [18308] dbg: message: decoding base64
>> Forgot tokens from 1 message(s) (1 message(s) examined)
>> Sep 16 15:35:49.764 [18308] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x3891ba0) implements 'learner_close', priority 0
>
> I'll file a bug report for Spamassassin. In the meantime, I'll just set the timeout to 300 seconds and keep an eye on the MailScanner queue with collectd or disable autolearning altogether.
>
> On 2 September 2011 14:58, Rick Cooper wrote:
>
>> ------------------------------
>> *From:* mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of* Joolee
>> *Sent:* Friday, September 02, 2011 6:20 AM
>> *To:* MailScanner discussion
>> *Subject:* Re: MS Doesn't completely block spam with faulty attachments
>>
>> A feature that I would like to be able to disable ;)
>>
>> "Why would you want to spend precious resources on a meaningless check, when you already decided to stop the offending attachment?!"
>> To inform my paying user why the contract he's been waiting for was blocked.
>>
>> I think I already made quite clear why it's not an option for me to completely block them.
From stu at spacehopper.org Fri Sep 16 20:10:04 2011
From: stu at spacehopper.org (Stuart Henderson)
Date: Fri Sep 16 20:10:26 2011
Subject: Spam Attacks
References: <201109152338.00610.eli@orbsky.homelinux.org>
Message-ID:

On 2011-09-15, Eli Wapniarski wrote:
> Greylisting works great, but it still processes the mail. And eventually, the bot will break through the timeout.

Part of the idea of greylisting is that by the time spam makes it through, either the spam source will have been added to RBLs, or a similar-enough message will have hit spamtraps and picked up by some other method (pyzor, dcc, clamav unofficial sigs, etc), so that by the time it is received, it will be scored highly enough to be marked as spam.

From eli at orbsky.homelinux.org Fri Sep 16 20:59:47 2011
From: eli at orbsky.homelinux.org (Eli Wapniarski)
Date: Fri Sep 16 21:00:38 2011
Subject: Spam Attacks
In-Reply-To:
References: <201109152338.00610.eli@orbsky.homelinux.org>
Message-ID: <201109162259.47659.eli@orbsky.homelinux.org>

Correct, but that's not the only thing that you have to worry about. The sheer volume of the slams will bring your mail server to a dead stop if it's forced to have to process the load. The slam attacks simply overwhelm your server. That's where greet_pause for sendmail and postscreen for postfix and the method mentioned for fail2ban will handle this kind of attack much much better.

On Friday 16 September 2011 22:10:04 Stuart Henderson wrote:
> On 2011-09-15, Eli Wapniarski wrote:
> > Greylisting works great, but it still processes the mail. And eventually, the bot will break through the timeout.
>
> Part of the idea of greylisting is that by the time spam makes it through, either the spam source will have been added to RBLs, or a similar-enough message will have hit spamtraps and picked up by some other method (pyzor, dcc, clamav unofficial sigs, etc), so that by the time it is received, it will be scored highly enough to be marked as spam.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Kevin_Miller at ci.juneau.ak.us Sat Sep 17 01:37:19 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Sat Sep 17 01:37:33 2011
Subject: F-secure 9.10
Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC99D7@city-exchange07>

Noticed today that f-secure went from 7.x to 9.10. Has anyone tried this yet with MailScanner? Any caveats? Always a good idea to upgrade of course. Except when it isn't...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mailscanner at joolee.nl Sat Sep 17 09:52:17 2011
From: mailscanner at joolee.nl (Joolee)
Date: Sat Sep 17 09:53:06 2011
Subject: MS Doesn't completely block spam with faulty attachments
In-Reply-To:
References: <4E5F97E8.80602@ecs.soton.ac.uk> <4A09477D575C2C4B86497161427DD94C1631BC9906@city-exchange07>
Message-ID:

If it's a known problem, isn't it possible to adjust mailscanner so it retries running a mail through spamassassin with autolearn turned off when it hits a spamassassin timeout? Probably a good idea to temporarily disable autolearn altogether when the retry works for x emails in x time.

I don't think that should be an impossible method to implement for people familiar with the MailScanner source.

On 16 September 2011 18:18, Glenn Steen wrote:
> gmane

From jonas at vrt.dk Sat Sep 17 15:51:48 2011
From: jonas at vrt.dk (Jonas)
Date: Sat Sep 17 15:52:06 2011
Subject: F-secure 9.10
In-Reply-To: <4A09477D575C2C4B86497161427DD94C1631BC99D7@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C1631BC99D7@city-exchange07>
Message-ID: <09F23668E315FD4597C13D73E5123ADF68E38F@SCTSBS.sct.dk>

Yep been running it for some weeks.

Have not noticed much difference, they removed Kaspersky and included a new engine instead.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: 17. september 2011 02:37
> To: 'MailScanner discussion'
> Subject: F-secure 9.10
>
> Noticed today that f-secure went from 7.x to 9.10. Has anyone tried this yet with MailScanner? Any caveats? Always a good idea to upgrade of course. Except when it isn't...
>
> ...Kevin
> --
> Kevin Miller                Registered Linux User No: 307357
> CBJ MIS Dept.               Network Systems Admin., Mail Admin.
> 155 South Seward Street     ph: (907) 586-0242
> Juneau, Alaska 99801        fax: (907 586-4500

From ja at conviator.com Tue Sep 20 13:46:04 2011
From: ja at conviator.com (Jan Agermose)
Date: Tue Sep 20 13:46:23 2011
Subject: MailScanner to crash several times
Message-ID:

hi
one of our mailscanners has started behaving very strange. it's processing no emails anymore with success only saying for each mail in the queue

Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310

what might be the problem - what to look for?

MailScanner --lint reports no problems

From jeremy at fluxlabs.net Tue Sep 20 13:50:49 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 20 13:55:28 2011
Subject: MailScanner to crash several times
In-Reply-To:
References:
Message-ID:

mailscanner --debug-sa ?

May also look at your antivirus.

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 20, 2011, at 7:49 AM, "Jan Agermose" wrote:

> hi
> one of our mailscanners has started behaving very strange. it's processing no emails anymore with success only saying for each mail in the queue
>
> Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
> Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
> Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310
>
> what might be the problem - what to look for?
>
> MailScanner --lint reports no problems
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From dave at KD0YU.COM Tue Sep 20 14:02:09 2011
From: dave at KD0YU.COM (Dave Helton)
Date: Tue Sep 20 14:02:30 2011
Subject: MailScanner to crash several times
References:
Message-ID: <4398918D4E9DB84BB07FF9EFC4B64B1177C8@dc1.KD0YU.COM>

Jan,
Not enough to diagnose... you might try the following:
Is your spool dir full? (or corrupt, or fs errors)
Did you try spamassassin --lint
Are you having this on all mails?
Did this start just after an SA update?

--dave

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Agermose
Sent: Tuesday, September 20, 2011 7:46 AM
To: mailscanner@lists.mailscanner.info
Subject: MailScanner to crash several times

hi
one of our mailscanners has started behaving very strange. it's processing no emails anymore with success only saying for each mail in the queue

Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310

what might be the problem - what to look for?

MailScanner --lint reports no problems

--
--
This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean.

From ja at conviator.com Tue Sep 20 14:07:56 2011
From: ja at conviator.com (Jan Agermose)
Date: Tue Sep 20 14:08:37 2011
Subject: MailScanner to crash several times
In-Reply-To: <4398918D4E9DB84BB07FF9EFC4B64B1177C8@dc1.KD0YU.COM>
References: <4398918D4E9DB84BB07FF9EFC4B64B1177C8@dc1.KD0YU.COM>
Message-ID:

hi
no, disks are not full
--lint gives no errors
yes, on all mails
no, nothing has been updated for long :)

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Helton
Sent: 20. september 2011 15:02
To: MailScanner discussion
Subject: RE: MailScanner to crash several times

Jan,
Not enough to diagnose... you might try the following:
Is your spool dir full? (or corrupt, or fs errors)
Did you try spamassassin --lint
Are you having this on all mails?
Did this start just after an SA update?

--dave

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Agermose
Sent: Tuesday, September 20, 2011 7:46 AM
To: mailscanner@lists.mailscanner.info
Subject: MailScanner to crash several times

hi
one of our mailscanners has started behaving very strange. it's processing no emails anymore with success only saying for each mail in the queue

Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310

what might be the problem - what to look for?

MailScanner --lint reports no problems

--
--
This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From Amelein at dantumadiel.eu Tue Sep 20 14:09:16 2011
From: Amelein at dantumadiel.eu (Arjan Melein)
Date: Tue Sep 20 14:09:40 2011
Subject: Betr.: MailScanner to crash several times
In-Reply-To:
References:
Message-ID: <4E78AC9C0200008E0001B1A0@10.1.0.206>

>>> On 20-9-2011 at 14:46, Jan Agermose wrote:
> hi
> one of our mailscanners has started behaving very strange. it's processing no emails anymore with success only saying for each mail in the queue
>
> Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
> Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
> Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310
>
> what might be the problem - what to look for?
>
> MailScanner --lint reports no problems

Are there no more messages than these 3?
I remember having something similar when there was a permission problem after an update.
Or when you have the max retries at the same or a lower setting than the number of children MS can spawn, then the old age timer can grab valid e-mails.

- Arjan

From ja at conviator.com Tue Sep 20 14:36:16 2011
From: ja at conviator.com (Jan Agermose)
Date: Tue Sep 20 14:36:35 2011
Subject: Betr.: MailScanner to crash several times
In-Reply-To: <4E78AC9C0200008E0001B1A0@10.1.0.206>
References: <4E78AC9C0200008E0001B1A0@10.1.0.206>
Message-ID: <7af43c4c-0bb2-4f18-94f9-659d87015bf0@conviator.com>

hi
there are a lot of the same messages for each email that it tries to handle and gives up on. Nothing has been updated and it has been running for a long time since last reboot (now I don't know exactly but I'm guessing months since last reboot).

I tried lowering the child count to 4, having retry count = 6 and I even set virusscanner = none

still getting the error

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Arjan Melein Sent: 20. september 2011 15:09 To: mailscanner@lists.mailscanner.info Subject: Betr.: MailScanner to crash several times >>> Op 20-9-2011 om 14:46 is door Jan Agermose geschreven: > hi > one of our mailscanners has started behaving very strange. its > processing no emails anymore with succes only saying for each mail in > the queue > > Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message > p8JHBZlF011310 as it has been attempted too many times Sep 20 14:38:15 > mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused > MailScanner to crash several times Sep 20 14:38:15 mx3 > MailScanner[2282]: Saved entire message to > /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310 > > what might be the problem - what to look for? > > MailScanner --lint reports no problems Are there no more messages then these 3 ? I remember having something simular when there was a permission problem after an update. Or when you have the max retries at the same or a lower setting then the number of childs MS can spam, then the old age timer can grab valid e-mails. - Arjan -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ken_brady at byu.edu Tue Sep 20 15:18:53 2011 
From: ken_brady at byu.edu (Ken Brady)
Date: Tue Sep 20 15:19:15 2011
Subject: Betr.: MailScanner to crash several times
In-Reply-To: <7af43c4c-0bb2-4f18-94f9-659d87015bf0@conviator.com>
References: <4E78AC9C0200008E0001B1A0@10.1.0.206> <7af43c4c-0bb2-4f18-94f9-659d87015bf0@conviator.com>
Message-ID: <0D109B15B10D9D409F0F677885B7B81C0142D582@Carrot.byu.local>

I had the same problem and had to disable the Sane Security Definitions in Clamav.

Maillog:
Quarantined message p7GF1Wuu024997 as it caused MailScanner to crash several times

MailScanner --debug
In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Have a batch of 30 messages.
Can't call method "CombineReports" on unblessed reference at /usr/lib/MailScanner/MailScanner/MessageBatch.pm line 736.

Messages log:
MailScanner: waiting for children to die: Process did not exit cleanly, returned 255 with signal 0

Clamav log:
/opt/mail/incoming/9458/p7BKf75l013289.header: Sanesecurity.Jurlbl.3982.UNOFFICIAL FOUND

The above errors would repeat for every message in the queue and quarantine them until I stopped MailScanner and Clamd services and waited 5 minutes. After that I could move all of the messages back into the queue and they would scan and process ok. After disabling Sane Security in Clamav the problem hasn't returned.

Before disabling Sane Security I tried updating MailScanner and Clamav, lowering child processes, searching for spaces in virus names in clamav.
From ja at conviator.com Tue Sep 20 15:51:08 2011
From: ja at conviator.com (Jan Agermose)
Date: Tue Sep 20 15:51:30 2011
Subject: Betr.: MailScanner to crash several times
In-Reply-To: <0D109B15B10D9D409F0F677885B7B81C0142D582@Carrot.byu.local>
References: <4E78AC9C0200008E0001B1A0@10.1.0.206> <7af43c4c-0bb2-4f18-94f9-659d87015bf0@conviator.com> <0D109B15B10D9D409F0F677885B7B81C0142D582@Carrot.byu.local>
Message-ID:

hi

now I changed the clamd config to only accept official signatures - but before I also simply set mailscanners = none - should disable it altogether. Nothing helps.
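A triage sketch for the log lines quoted in this thread, added here as an example and not MailScanner's own code: it counts how many distinct message IDs were quarantined for "crash several times" within a time window, which separates one bad message from a fault that hits every message, and it lists the saved copies. The 10-minute window, the threshold of 3 and the two `p8JEXAMPLE...` message IDs are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) MailScanner\[(\d+)\]: (.*)$")
CRASH = re.compile(r"Quarantined message (\S+) as it caused MailScanner to crash several times")
SAVED = re.compile(r"Saved entire message to (\S+)")

# The first three lines are the ones quoted in the thread; the lines with
# p8JEXAMPLE... IDs are constructed for this example.
SYSTEMIC_LOG = """\
Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310
Sep 20 14:38:16 mx3 MailScanner[2282]: Quarantined message p8JEXAMPLE0001 as it caused MailScanner to crash several times
Sep 20 14:38:16 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JEXAMPLE0001
Sep 20 14:38:17 mx3 MailScanner[2290]: Quarantined message p8JEXAMPLE0002 as it caused MailScanner to crash several times
Sep 20 14:38:17 mx3 MailScanner[2290]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JEXAMPLE0002
"""
ISOLATED_LOG = "\n".join(SYSTEMIC_LOG.splitlines()[:3]) + "\n"


def parse(log_text, year=2011):
    """Return (sorted crash events, quarantine paths keyed by message ID).

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events, paths = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, host, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        crash = CRASH.search(msg)
        if crash:
            events.append((ts, host, int(pid), crash.group(1)))
        saved = SAVED.search(msg)
        if saved:
            # The saved path ends in the queue ID of the message.
            paths[saved.group(1).rsplit("/", 1)[-1]] = saved.group(1)
    return sorted(events), paths


def triage(log_text, window=timedelta(minutes=10), threshold=3):
    """Classify crash quarantines as 'none', 'isolated' or 'systemic'.

    'systemic' means at least `threshold` different messages hit the crash
    limit inside one window, which points at the scanner side (signatures,
    permissions, a Perl error) rather than at a single message.
    """
    events, paths = parse(log_text)
    worst = 0
    for i, (start, *_rest) in enumerate(events):
        ids_in_window = {e[3] for e in events[i:] if e[0] - start <= window}
        worst = max(worst, len(ids_in_window))
    if not events:
        verdict = "none"
    elif worst >= threshold:
        verdict = "systemic"
    else:
        verdict = "isolated"
    ids = sorted({e[3] for e in events})
    return {
        "verdict": verdict,
        "message_ids": ids,
        # Saved copies to review once the underlying fault is fixed.
        "requeue_candidates": [paths[i] for i in ids if i in paths],
    }


if __name__ == "__main__":
    print(triage(SYSTEMIC_LOG))
    print(triage(ISOLATED_LOG))
```

A "systemic" verdict is the cue to run `MailScanner --debug` on one queued message, as the replies in this thread ask, before touching the quarantined copies.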
From maxsec at gmail.com Tue Sep 20 19:47:24 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue Sep 20 19:47:33 2011
Subject: Betr.: MailScanner to crash several times
In-Reply-To:
References: <4E78AC9C0200008E0001B1A0@10.1.0.206> <7af43c4c-0bb2-4f18-94f9-659d87015bf0@conviator.com> <0D109B15B10D9D409F0F677885B7B81C0142D582@Carrot.byu.local>
Message-ID:

Run mailscanner in debug to get some clues as to what's going on please

Martin

--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110920/b2dd0279/attachment.html
From ak6783 at gmail.com Wed Sep 21 03:59:35 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Wed Sep 21 04:00:05 2011
Subject: Could support Quoted Printable(QP) subject?
Message-ID:

Hello,
My friend has received mail.
But it's show mail source code and not html format.
I found some message.
Content-Transfer-Encoding: quoted-printable
I think it must use Quoted Printable subject.
How to do setup let mailscanner to support it?
My mailscanner is 4.84.3
Thanks a lot.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110921/800d5b60/attachment.html
From glenn.steen at gmail.com Wed Sep 21 07:44:04 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 21 07:44:15 2011
Subject: MailScanner to crash several times
In-Reply-To:
References: <4398918D4E9DB84BB07FF9EFC4B64B1177C8@dc1.KD0YU.COM>
Message-ID:

So what does a classic debug run give you?
Do
service MailScanner stop
service MailScanner startin
Submit/check that at least one message is in the incoming queue, then do
MailScanner --debug
... And pay close attention to any errors.

Cheers
--
-- Glenn
On 20 Sep 2011 at 15:15, "Jan Agermose" wrote:
> hi
>
> no, disks are not full
>
> --lint gives no errors
>
> yes, on all mails
>
> no, nothing has been updated for long :)
>
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Dave Helton
> Sent: 20. september 2011 15:02
> To: MailScanner discussion
> Subject: RE: MailScanner to crash several times
>
> Jan,
> Not enough to diagnose... you might try the following:
>
> Is your spool dir full? (or corrupt, or fs errors)
>
> Did you try spamassassin --lint
>
> Are you having this on all mails?
>
> Did this start just after an SA update?
>
> --dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110921/9660eff2/attachment.html
From glenn.steen at gmail.com Wed Sep 21 07:51:01 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 21 07:51:09 2011
Subject: Could support Quoted Printable(QP) subject?
In-Reply-To:
References:
Message-ID:

If you see headers in the message body, you have a misconfiguration. Most likely, you've set your org name to include non-ascii or whitespace characters. Fix that and restart MS and things should be good.

Cheers!
--
-- Glenn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110921/687e5395/attachment.html
From ak6783 at gmail.com Wed Sep 21 08:43:15 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Wed Sep 21 08:43:45 2011
Subject: Could support Quoted Printable(QP) subject?
In-Reply-To:
References:
Message-ID:

Thank you.
I find my MS setup.
%org-name% = Linguitronics
%org-long-name% = LINGUITRONICS Co., Ltd.
You mean my org-long-name have whitespace, but it's only one mail happen.
it's not always.
Most mail is ok.

--
吳汝剛
Personal web page http://pc.aspa.idv.tw
Personal blog http://ak6783.blogspot.com/
Twitter http://twitter.com/akong77
Plurk http://www.plurk.com/akong77
Facebook http://www.facebook.com/akong77
Email (1) : akong@aspa.idv.tw
Email (2) : ak6783@gmail.com
Mobile : 0960599655
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110921/3ef5ba38/attachment.html
From richard at fastnet.co.uk Wed Sep 21 11:08:08 2011
From: richard at fastnet.co.uk (Richard Mealing)
Date: Wed Sep 21 11:08:21 2011
Subject: Betr.: MailScanner to crash several times
In-Reply-To:
References: <4E78AC9C0200008E0001B1A0@10.1.0.206> <7af43c4c-0bb2-4f18-94f9-659d87015bf0@conviator.com> <0D109B15B10D9D409F0F677885B7B81C0142D582@Carrot.byu.local>
Message-ID: <1251B5423222C446A299CABAA7B46FF423AD45@fn-exchange.fastnet.local>

Hi Jan,

Try deleting your signatures for clam (/var/db/clam maybe) and then run freshclam afterwards. That usually fixes it for me.

It's happened to me a lot of times in the last 2 months, but I can never figure out what signature it is.

Rich
From glenn.steen at gmail.com Wed Sep 21 21:55:31 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Sep 21 21:55:41 2011
Subject: Could support Quoted Printable(QP) subject?
In-Reply-To:
References:
Message-ID:

Ok, that org name (the short one) seems ok.

What MTA do you use? Any milters?
Even if only one mail is mangled, that just shouldn't happen...;-) so something is doing something bad... Do you have the message? Could you share it on pastebin?

Cheers!
--
-- Glenn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110921/38de22a0/attachment.html
From ak6783 at gmail.com Thu Sep 22 02:03:44 2011
From: ak6783 at gmail.com (=?UTF-8?B?5ZCz5rGd5Ymb?=)
Date: Thu Sep 22 02:04:15 2011
Subject: Could support Quoted Printable(QP) subject?
In-Reply-To:
References:
Message-ID:

I use postfix, and version is postfix-2.7.4-1.fc13
I cut some message for you. If you need full message, you can tell me and I will forward for you.
From: =?utf-8?B?5ZGo5reR55yf?=
Reply-To: =?utf-8?B?5ZGo5reR55yf?=
Subject: =?utf-8?B?6L2J5a+E77mVIOi9ieWvhO+5lSBUYWl3YW4gLSBiZWF1dGlmdWwgaG9tZSB0?=
 =?utf-8?B?b3duLS0tLS3kv6E=?=
To: undisclosed recipients: ;
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="-16218764-394951850-1316508095=:29076"
X-Linguitronics-MailScanner-Information: Please contact the ISP for more information
X-Linguitronics-MailScanner-ID: 7E43E99870E.AB707
X-Linguitronics-MailScanner: Found to be clean
X-Linguitronics-MailScanner-From: sujen1016@yahoo.com.tw
X-Spam-Status: No
---16218764-394951850-1316508095=:29076
Content-Type: multipart/alternative; boundary="-16218764-1046237105-1316508095=:29076"
---16218764-1046237105-1316508095=:29076
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

--
吳汝剛
Personal web page http://pc.aspa.idv.tw
Personal blog http://ak6783.blogspot.com/
Twitter http://twitter.com/akong77
Plurk http://www.plurk.com/akong77
Facebook http://www.facebook.com/akong77
Email (1) : akong@aspa.idv.tw
Email (2) : ak6783@gmail.com
Mobile : 0960599655
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110922/f7f512fe/attachment.html
From bjron.mork at gmail.com Thu Sep 22 07:06:05 2011
From: bjron.mork at gmail.com (Bjron Mork)
Date: Thu Sep 22 07:07:40 2011
Subject: MailScanner to crash several times
In-Reply-To:
References:
Message-ID: <00b101cc78ed$bb542d20$31fc8760$@gmail.com>

Hi,

I had same problem for RHEL/Fedora/Centos: I have attached all my emails for
your reference.

Kindly check the permission issue,

chown -R postfix:postfix /var/spool/MailScanner/incoming
chown -R postfix:apache /var/spool/MailScanner/quarantine

or whatever user you're running postfix/apache under.

Regards,
B~Mork

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jan Agermose
Sent: Tuesday, September 20, 2011 5:46 PM
To: mailscanner@lists.mailscanner.info
Subject: MailScanner to crash several times

hi

one of our mailscanners has started behaving very strange. it's processing no
emails anymore with success only saying for each mail in the queue

Sep 20 14:38:15 mx3 MailScanner[2282]: Warning: skipping message p8JHBZlF011310 as it has been attempted too many times
Sep 20 14:38:15 mx3 MailScanner[2282]: Quarantined message p8JHBZlF011310 as it caused MailScanner to crash several times
Sep 20 14:38:15 mx3 MailScanner[2282]: Saved entire message to /var/spool/MailScanner/quarantine/20110920/p8JHBZlF011310

what might be the problem - what to look for?

MailScanner --lint reports no problems

-------------- next part --------------
An embedded message was scrubbed...
From: "bjron.mork@gmail.com"
Subject: RE: MailScanner Crash
Date: Wed, 3 Aug 2011 22:29:30 +0500
Size: 5741
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110922/19849ec1/attachment.mht
-------------- next part --------------
An embedded message was scrubbed...
From: "Bjron Mork"
Subject: MailScanner Crash
Date: Wed, 3 Aug 2011 15:21:41 +0500
Size: 23270
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110922/19849ec1/attachment-0001.mht
-------------- next part --------------
An embedded message was scrubbed...
From: "Alex Broens"
Subject: Re: MailScanner Crash
Date: Thu, 4 Aug 2011 01:30:22 +0500
Size: 3254
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110922/19849ec1/attachment-0002.mht

From johnn at zylun.com Thu Sep 22 07:16:32 2011
From: johnn at zylun.com (John Mark Niar)
Date: Thu Sep 22 07:16:47 2011
Subject: mailscanner and opendkim
Message-ID: <022001cc78ef$2e36c540$8aa44fc0$@com>

Hello All,

I've just implemented MailScanner. Great software by the way! When I run
MailScanner I run into OpenDKIM problem. My OpenDKIM was working already
before I run the MailScanner.

Now even if OpenDKIM adds a signature, it will result in dkim: permerror (bad
sig). I know MailScanner inserts some information inside the header and
probably overwrites the OpenDKIM header information?

If so, can anyone help me solve this?

Looking forward to hearing from anyone.

thanks,
John

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From J.Ede at birchenallhowden.co.uk Thu Sep 22 08:47:52 2011
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Thu Sep 22 08:55:18 2011
Subject: mailscanner and opendkim
In-Reply-To: <022001cc78ef$2e36c540$8aa44fc0$@com>
References: <022001cc78ef$2e36c540$8aa44fc0$@com>
Message-ID:

We use DKIM on our outbound here with MS and postfix. We just have 2
instances of postfix running. The first one scans the email with MS and the
second signs the email before it leaves our servers.

Jason

From andrew at topdog.za.net Thu Sep 22 09:06:35 2011
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Thu Sep 22 09:06:56 2011
Subject: mailscanner and opendkim
In-Reply-To: <022001cc78ef$2e36c540$8aa44fc0$@com>
References: <022001cc78ef$2e36c540$8aa44fc0$@com>
Message-ID: <3E846E48-2196-4E28-846D-EB70DF30F97D@topdog.za.net>

On 22 Sep 2011, at 8:16 AM, John Mark Niar wrote:

> I've just implemented MailScanner. Great software by the way! When I run MailScanner I run into OpenDKIM problem. My OpenDKIM was working already before I run the MailScanner.
> Now even if OpenDKIM adds a signature, it will result in dkim: permerror (bad sig). I know MailScanner inserts some information inside the header and probably overwrites the OpenDKIM header information?
> If so, can anyone help me solve this?

Are these options correct ?

http://mailscanner.info/MailScanner.conf.index.html#Multiple%20Headers
http://mailscanner.info/MailScanner.conf.index.html#Place%20New%20Headers%20At%20Top%20Of%20Message

--
Baruwa - www.baruwa.org

From rcooper at dwford.com Thu Sep 22 13:00:05 2011
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Sep 22 13:00:22 2011
Subject: mailscanner and opendkim
In-Reply-To: <022001cc78ef$2e36c540$8aa44fc0$@com>
References: <022001cc78ef$2e36c540$8aa44fc0$@com>
Message-ID:

Should not matter what MailScanner does because the DKIM signature should
not be added until the last thing before sending, existing signatures should
be checked before anything is altered or added

From jonas at vrt.dk Thu Sep 22 15:40:26 2011
From: jonas at vrt.dk (Jonas)
Date: Thu Sep 22 15:40:43 2011
Subject: New? behavior og rbl's
Message-ID: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk>

Hmm ok maybe I was asleep the past year or so but when did the below become normal policy???

Basically the conclusion is if you have a pc infected with a virus that's not email related and or at least is unable to send out spam because of firewall blocks or similar, you are still blocked in a spamfilter for having the same WAN ip?

Not only have I not seen this before but it seems like a huge jump in what a normal SMTP RBL list is supposed to do...

Anybody else have any thought on the matter?

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:    7020 0978
Web: www.techbiz.dk

IP Address X.X.X.X is not listed in the CBL.

It was previously listed, but was removed at 2011-09-22 13:24 GMT (21 minutes ago)
At the time of removal, this was the explanation for this listing:

This IP is infected with, or is NATting for a machine infected with Gbot.

There are many different versions of Gbot, and it's known under several different names, see: Win32/Cycbot (Microsoft) or perhaps more specifically: Troj/Gbot-C (Sophos). The rest of the Anti-virus industry refers to it as Cycbot or Gbot.

This was detected by observing this IP attempting to make contact to a Gbot Command and Control server, with contents unique to Gbot C&C command protocols.

Amongst other things, Gbot/Cycbot sets up a web proxy on the infected machine, such that the user's normal browser is subverted to go through this proxy. The proxy then can sniff all traffic from the user (including bank account information and so on), and forward it off elsewhere. It also downloads a "fake-AV" (scareware) component.

Many of these infections drop the following three malicious files:

C:\Program Files\Internet Explorer\stor.cfg
C:\Program Files\Windows NT\dwm.exe
C:\Program Files\Windows NT\shell.exe

Other versions drop files that can be found by searching for files with a ".exe" suffix in the user's Application Data directory. For example, "C:\\Documents and Settings\\[username]\\Application Data\\dwm.exe".

To find these infections, search for TCP/IP connections going to IP address 87.255.51.229, usually destination port 80 or 443, but you should look for all ports. This detection corresponds to a connection at 2011-09-21 06:50:27 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" its a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall it, your IPs will remain infected, and they will still be able to download from real command & control servers run by the bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: having your anti-virus software doesn't find anything doesn't prove that you're not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

From mailscanner-list at okla.com Thu Sep 22 16:52:27 2011
From: mailscanner-list at okla.com (Tracy Greggs)
Date: Thu Sep 22 16:53:01 2011
Subject: New? behavior og rbl's
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk>
Message-ID: <00db01cc793f$a73ac950$f5b05bf0$@okla.com>

I have the same issue. Seems like total BS to me when I am doing port blocking for SMTP port 25 at the router.

I blocked all outbound traffic to the trap address and logged it, removed the client from the CBL blacklist (which is a trigger for Spamhaus XBL), logged it and quickly found the infected machine.

But again, total BS to blacklist the SMTP traffic over Gbot.

Tracy Greggs
Oklahoma Network Consulting

From ssilva at sgvwater.com Thu Sep 22 17:02:16 2011
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Sep 22 17:02:37 2011
Subject: New? behavior og rbl's
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk>
Message-ID:

on 9/22/2011 7:40 AM Jonas spake the following:
> Hmm ok maybe I was asleep the past year or so but when did the below become normal policy???
>
> Basically the conclusion is if you have a pc infected with a virus that's not email related and or at least is unable to send out spam because of firewall blocks or similar, you are still blocked in a spamfilter for having the same WAN ip?
>
> Not only have I not seen this before but it seems like a huge jump in what a normal SMTP RBL list is supposed to do...
>
> Anybody else have any thought on the matter?
>
> Med venlig hilsen / Best regards
>
All the RBL's have is the public facing address that the crap goes out on...
One bad apple does spoil the whole bunch...

From ms-list at alexb.ch Thu Sep 22 17:16:19 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Sep 22 17:16:31 2011
Subject: New? behavior og rbl's
In-Reply-To:
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk>
Message-ID: <4E7B5F53.5010504@alexb.ch>

On 2011-09-22 18:02, Scott Silva wrote:
> on 9/22/2011 7:40 AM Jonas spake the following:
>> Hmm ok maybe I was asleep the past year or so but when did the below
>> become normal policy???
>>
>> Basically the conclusion is if you have a pc infected with a virus
>> that's not email related and or at least is unable to send out spam
>> because of firewall blocks or similar, you are still blocked in a
>> spamfilter for having the same WAN ip?
>>
>> Not only have I not seen this before but it seems like a huge jump in
>> what a normal SMTP RBL list is supposed to do...
>>
>> Anybody else have any thought on the matter?
>>
>> Med venlig hilsen / Best regards
>>
> All the RBL's have is the public facing address that the crap goes out
> on... One bad apple does spoil the whole bunch...
>

Which translated means:

- put your MTAs on dedicated IP/s and do not share with gateway.
- setup log watching/alerts
- If you're corporate/Exchange don't allow OWA without being VPN'd or at
  least use a non standard port.
- block port 25 outbound for all behind the gateway which is not an MTA
  (your MTA is on dedicated IP)
- use outbound rating to minimize possible blasts.

Alex

From glenn.steen at gmail.com Thu Sep 22 18:04:17 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Sep 22 18:04:27 2011
Subject: mailscanner and opendkim
In-Reply-To:
References: <022001cc78ef$2e36c540$8aa44fc0$@com>
Message-ID:

True, but if implemented via a milter on Postfix... You'd best do as Jason
Ede mentioned and do the signing in a separate pf instance after MS... Else
the order will be reversed and the sig ... Unusable.

Cheers
--
-- Glenn
On 22 Sep 2011 14:06, "Rick Cooper" wrote:
> Should not matter what MailScanner does because the DKIM signature should
> not be added until the last thing before sending, existing signatures should
> be checked before anything is altered or added

From Kevin_Miller at ci.juneau.ak.us Thu Sep 22 20:02:11 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Sep 22 20:02:40 2011
Subject: F-secure 9.10
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E38F@SCTSBS.sct.dk>
References: <4A09477D575C2C4B86497161427DD94C1631BC99D7@city-exchange07> <09F23668E315FD4597C13D73E5123ADF68E38F@SCTSBS.sct.dk>
Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9A0F@city-exchange07>

Thanks. I just installed it on one of my MailScanner boxes and noticed that it now uses fsaua (automatic update agent) rather than a cron job. Previously I'd disabled the cron job and let MailScanner handle updating. Should I stop the fsaua daemon? Is MailScanner still handling updating?

Thanks...

Jonas wrote:
> Yep been running it for some weeks.
>
> Have not noticed much difference, they removed Kaspersky and included
> a new engine instead.
>
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 3336 9974
> Mobile: 5120 1096
> Fax:    7020 0978
> Web: www.techbiz.dk
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
>> Sent: 17. september 2011 02:37
>> To: 'MailScanner discussion'
>> Subject: F-secure 9.10
>>
>> Noticed today that f-secure went from 7.x to 9.10. Has anyone tried
>> this yet with MailScanner? Any caveats? Always a good idea to
>> upgrade of course. Except when it isn't...
>>
>> ...Kevin
>> --
>> Kevin Miller Registered Linux User No: 307357
>> CBJ MIS Dept. Network Systems Admin., Mail Admin.
>> 155 South Seward Street ph: (907) 586-0242
>> Juneau, Alaska 99801 fax: (907 586-4500

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From johnn at zylun.com Thu Sep 22 22:49:24 2011
From: johnn at zylun.com (John Mark Niar)
Date: Thu Sep 22 22:49:35 2011
Subject: mailscanner and opendkim
In-Reply-To:
References: <022001cc78ef$2e36c540$8aa44fc0$@com>
Message-ID: <001e01cc7971$7ffbb750$7ff325f0$@com>

Jason,

Do you have any links for any tutorial on how to do this? I'm not yet familiar on this that much.

Thanks,
John

From johnn at zylun.com Thu Sep 22 22:51:15 2011
From: johnn at zylun.com (John Mark Niar)
Date: Thu Sep 22 22:51:23 2011
Subject: mailscanner and opendkim
In-Reply-To: <3E846E48-2196-4E28-846D-EB70DF30F97D@topdog.za.net>
References: <022001cc78ef$2e36c540$8aa44fc0$@com> <3E846E48-2196-4E28-846D-EB70DF30F97D@topdog.za.net>
Message-ID: <002c01cc7971$c20080e0$460182a0$@com>

I will try this Andrew.

From johnn at zylun.com Thu Sep 22 23:11:52 2011
From: johnn at zylun.com (John Mark Niar)
Date: Thu Sep 22 23:12:01 2011
Subject: mailscanner and opendkim
In-Reply-To: <002c01cc7971$c20080e0$460182a0$@com>
References: <022001cc78ef$2e36c540$8aa44fc0$@com> <3E846E48-2196-4E28-846D-EB70DF30F97D@topdog.za.net> <002c01cc7971$c20080e0$460182a0$@com>
Message-ID: <004301cc7974$a355d3e0$ea017ba0$@com>

Wow this one worked. Thanks a lot Andrew!

From johnn at zylun.com Thu Sep 22 23:19:30 2011
From: johnn at zylun.com (John Mark Niar) Date: Thu Sep 22 23:19:45 2011 Subject: mailscanner and opendkim In-Reply-To: <004301cc7974$a355d3e0$ea017ba0$@com> References: <022001cc78ef$2e36c540$8aa44fc0$@com> <3E846E48-2196-4E28-846D-EB70DF30F97D@topdog.za.net> <002c01cc7971$c20080e0$460182a0$@com> <004301cc7974$a355d3e0$ea017ba0$@com> Message-ID: <006201cc7975$b5255900$1f700b00$@com> Oops sorry about that. I forgot to edit my postfix main.cf. SO when I edited that, actually with even this config settings, I still get bad sig. So I guess I need to have two pf instances running. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Mark Niar Sent: Friday, September 23, 2011 6:12 AM To: 'MailScanner discussion' Subject: RE: mailscanner and opendkim Wow this one worked. Thanks a lot Andrew! -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Mark Niar Sent: Friday, September 23, 2011 5:51 AM To: 'MailScanner discussion' Subject: RE: mailscanner and opendkim I will try this Andrew. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Andrew Colin Kissa
Sent: Thursday, September 22, 2011 4:07 PM
To: MailScanner discussion
Subject: Re: mailscanner and opendkim

On 22 Sep 2011, at 8:16 AM, John Mark Niar wrote:

> I've just implemented MailScanner. Great software by the way! When I run MailScanner I run into OpenDKIM problem. My OpenDKIM was working already before I run the MailScanner.
> Now even if OpenDKIM adds a signature, it will result o dkim: permerror (bad sig). I know MailScanner inserts some information inside the header and probably overwrites the OpenDKIM header information?
> If so, does anyone can help me solve this?

Are these options correct ?

http://mailscanner.info/MailScanner.conf.index.html#Multiple%20Headers
http://mailscanner.info/MailScanner.conf.index.html#Place%20New%20Headers%20At%20Top%20Of%20Message

--
Baruwa - www.baruwa.org

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From stephencoxmail at gmail.com Fri Sep 23 06:32:59 2011
From: stephencoxmail at gmail.com (Stephen Cox)
Date: Fri Sep 23 06:33:09 2011
Subject: MailScanner to crash several times
In-Reply-To: <00b101cc78ed$bb542d20$31fc8760$@gmail.com>
References: <00b101cc78ed$bb542d20$31fc8760$@gmail.com>
Message-ID:

On Thu, Sep 22, 2011 at 8:06 AM, Bjron Mork wrote:
> Hi,
>
> I had same problem for RHEL/Fedora/Centos: I have attached all my emails for
> your reference.
>
> Kindly check the permission issue,
>
> chown -R postfix:postfix /var/spool/MailScanner/incoming
> chown -R postfix:apache /var/spool/MailScanner/quarantine
>
> or whatever user you're running postfix/apache under.
>
>
> Regards,
> B~Mork

Stop mailscanner and try MailScanner --debug with a test message. It's likely that there are some taint errors.

What is your MailScanner --version

--
Stephen Cox

From markus at markusoft.se Fri Sep 23 07:11:46 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Fri Sep 23 07:12:08 2011
Subject: mailscanner and opendkim
In-Reply-To: <001e01cc7971$7ffbb750$7ff325f0$@com>
Message-ID: <2887e9e1-240d-4c3f-9546-3ebd2b25e717@cronlabworkstation0>

We configure this in postfix's master.cf

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=dksign:[127.0.0.1]:10028

On the submission instance, we add a content_filter (dksign) which signs all mail coming in on the submission port

/Markus

----- Original message -----
From: "John Mark Niar"
To: "MailScanner discussion"
Sent: Thursday, 22 Sep 2011 23:49:24
Subject: RE: mailscanner and opendkim

Jason,

Do you have any links for any tutorial on how to do this? I'm not yet familiar on this that much.

Thanks,
John

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede
Sent: Thursday, September 22, 2011 3:48 PM
To: MailScanner discussion
Subject: RE: mailscanner and opendkim

We use DKIM on our outbound here with MS and postfix. We just have 2 instances of postfix running. The first one scans the email with MS and the second signs the email before it leaves our servers.

Jason

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Mark Niar
Sent: 22 September 2011 07:17
To: mailscanner@lists.mailscanner.info
Subject: mailscanner and opendkim

Hello All,

I've just implemented MailScanner. Great software by the way! When I run MailScanner I run into OpenDKIM problem. My OpenDKIM was working already before I run the MailScanner.
Now even if OpenDKIM adds a signature, it will result o dkim: permerror (bad sig). I know MailScanner inserts some information inside the header and probably overwrites the OpenDKIM header information?
If so, does anyone can help me solve this?

Looking forward to hearing anyone.

thanks,
John

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From drew.marshall at trunknetworks.com Fri Sep 23 07:29:16 2011
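Added example (not part of any list message, and not MailScanner or OpenDKIM code): the DKIM thread above settles on scanning first and signing last. The Python below applies RFC 6376 relaxed canonicalization to a message as signed and to the copy that left a content filter, and reports whether the bh= body hash still matches and whether any signed header changed. The addresses, selector, b= value and the X-Example-MailScanner header name are constructed placeholders, and c=relaxed/relaxed is assumed.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"


def split_message(raw):
    """Split raw CRLF-delimited message bytes into ([[name, value], ...], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += CRLF + line          # folded continuation line
        else:
            name, _, value = line.partition(b":")
            headers.append([name.strip().lower(), value])
    return headers, body


def relaxed_body(body):
    """RFC 6376 section 3.4.4: collapse whitespace runs, strip line-end
    whitespace, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + CRLF for l in lines)


def body_hash(body):
    """The bh= value a signer computes for a=rsa-sha256 with a relaxed body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: unfold, collapse whitespace, trim the value."""
    unfolded = value.replace(CRLF, b"")
    return name + b":" + re.sub(rb"[ \t]+", b" ", unfolded).strip(b" ")


def dkim_tags(value):
    """Parse the 'k=v; k=v' tag list of a DKIM-Signature header value."""
    tags = {}
    for part in re.sub(rb"\s+", b"", value).split(b";"):
        key, sep, val = part.partition(b"=")
        if sep:
            tags[key.decode()] = val.decode()
    return tags


def canonical_fields(headers, name):
    return [relaxed_header(n, v) for n, v in headers if n == name]


def diagnose(signed_raw, filtered_raw):
    """Compare the message as signed with the copy that left the filter."""
    s_headers, _ = split_message(signed_raw)
    f_headers, f_body = split_message(filtered_raw)
    sig = next((v for n, v in s_headers if n == b"dkim-signature"), None)
    if sig is None:
        raise ValueError("signed message carries no DKIM-Signature header")
    tags = dkim_tags(sig)
    signed_names = [h.lower().encode() for h in tags["h"].split(":")]
    changed = [n.decode() for n in signed_names
               if canonical_fields(s_headers, n) != canonical_fields(f_headers, n)]
    added = {n for n, _ in f_headers} - {n for n, _ in s_headers}
    return {
        "body_hash_ok": body_hash(f_body) == tags["bh"],
        "changed_signed_headers": changed,
        "added_headers": sorted(n.decode() for n in added),
    }


# Constructed sample message; b= is a placeholder because only bh= is checked.
BODY = b"Hello,\r\n\r\nPlease find the report attached.\r\n"
SIGNED = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
    b"\th=from:to:subject:date; bh=" + body_hash(BODY).encode() + b";\r\n"
    b"\tb=PLACEHOLDER\r\n"
    b"From: sender@example.org\r\n"
    b"To: rcpt@example.net\r\n"
    b"Subject: Weekly report\r\n"
    b"Date: Thu, 22 Sep 2011 08:16:00 +0200\r\n"
    b"\r\n" + BODY
)
# Filter adds only a new header (header name is a constructed placeholder).
HEADER_ONLY = b"X-Example-MailScanner: Found to be clean\r\n" + SIGNED
# Filter also appends the clean-message notice seen on this list to the body.
NOTICE = (b"\r\n-- \r\nThis message has been scanned for viruses and\r\n"
          b"dangerous content by MailScanner, and is\r\nbelieved to be clean.\r\n")
HEADER_AND_BODY = HEADER_ONLY + NOTICE

if __name__ == "__main__":
    print("new header only :", diagnose(SIGNED, HEADER_ONLY))
    print("header and body :", diagnose(SIGNED, HEADER_AND_BODY))
```

A header the signer did not list in h= can be added without invalidating the signature, while any text appended to the body after signing changes bh=, which is why the signing step has to come after the scanner.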
From: drew.marshall at trunknetworks.com (Drew Marshall)
Date: Fri Sep 23 07:29:26 2011
Subject: Quarantined Message Ownership
Message-ID: <5997DFF6-FFB3-421B-B55E-143422B0FA84@trunknetworks.com>

Hi All

An interesting one. I have just upgraded one of my FreeBSD 8 gateways to perl 5.12.4, which of course broke the latest stable MS just nicely :-(

So I installed the latest beta and am running MS with the -u switch (Via the rc.conf knob for those who know FreeBSD) and we are back processing mail :-)

However, out came last night's quarantine report and the message details are not available for MailWatch to read, permission denied errors on the files. Strange as nothing has changed in the config and it's worked fine for eons. So I had a look at the MailScanner.conf settings:

Quarantine User = postfix
Quarantine Group = www
Quarantine Permissions = 0660

All good as these produce directories like this:

drwxr-xr-x  33 postfix  www      1024 Sep 23 02:40 .
drwxr-xr-x   6 postfix  postfix   512 May 10 19:37 ..
drwxrwx---   6 postfix  www       512 Sep 10 15:59 20110910
drwxrwx---  28 postfix  www      1024 Sep 11 19:31 20110911
drwxrwx---  10 postfix  www       512 Sep 12 16:12 20110912
drwxrwx---   5 postfix  www       512 Sep 13 16:22 20110913
drwxrwx---   6 postfix  www       512 Sep 14 17:37 20110914
drwxrwx---   5 postfix  www       512 Sep 15 18:57 20110915
drwxrwx---   6 postfix  www       512 Sep 16 17:03 20110916
drwxrwx---   5 postfix  www       512 Sep 17 20:19 20110917
drwxrwx---   4 postfix  www       512 Sep 18 15:57 20110918
drwxrwx---   4 postfix  www       512 Sep 19 12:52 20110919
drwxrwx---   9 postfix  www       512 Sep 20 17:36 20110920
drwxrwx---   3 postfix  www       512 Sep 21 00:16 20110921
drwxrwx---   6 postfix  www       512 Sep 22 17:15 20110922
drwxrwx---   3 postfix  www       512 Sep 23 00:00 20110923

and when you go to yesterday's directory

drwxrwx---   6 postfix  www       512 Sep 22 17:15 .
drwxr-xr-x  33 postfix  www      1024 Sep 23 02:40 ..
drwxrwx---   2 postfix  www       512 Sep 22 14:17 5F0A22A6A46.A7647
drwxrwx---   2 postfix  www       512 Sep 22 09:35 9CCD22A6867.A4D03
drwxrwx---   2 postfix  www       512 Sep 22 17:15 E62192A6A05.A6977
drwxrwx---   2 postfix  www      8192 Sep 22 23:56 spam

all good still but when you go to the spam directory

root@in1.rdc /var/spool/MailScanner/quarantine/20110922/spam # ls -al
total 12854
drwxrwx---  2 postfix  www        8192 Sep 22 23:56 .
drwxrwx---  6 postfix  www         512 Sep 22 17:15 ..
-rw-rw----  1 postfix  postfix    4335 Sep 22 07:18 002552A6A39.A1A34
-rw-rw----  1 postfix  postfix    4242 Sep 22 16:02 00E722A68BC.A085C
-rw-rw----  1 postfix  postfix  630189 Sep 22 11:03 02E512A6A44.AC5AA
-rw-rw----  1 postfix  postfix   14310 Sep 22 12:37 049852A6841.A9C3F
-rw-rw----  1 postfix  postfix    5111 Sep 22 23:03 04E0F2A68A5.A5AAE
-rw-rw----  1 postfix  postfix    4142 Sep 22 09:12 05A032A6A48.AF835
-rw-rw----  1 postfix  postfix    1897 Sep 22 11:18 05B122A689B.A9065
-rw-rw----  1 postfix  postfix   30585 Sep 22 17:18 05C702A6A49.ACE43
-rw-rw----  1 postfix  postfix    4246 Sep 22 16:53 065CF2A6A46.A84F0
-rw-rw----  1 postfix  postfix   14132 Sep 22 07:30 09F282A6915.A6E6F
...

Has anyone else seen this? Is it another taint issue or a by product of me running it in '-u mode'? Perhaps more importantly, any ideas to fix it would be appreciated!

Many thanks

Drew

From J.Ede at birchenallhowden.co.uk Fri Sep 23 09:23:15 2011
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Fri Sep 23 09:31:12 2011
Subject: mailscanner and opendkim
In-Reply-To: <001e01cc7971$7ffbb750$7ff325f0$@com>
References: <022001cc78ef$2e36c540$8aa44fc0$@com> <001e01cc7971$7ffbb750$7ff325f0$@com>
Message-ID:

I followed this with a bit of tweaking... http://www.postfix.org/MULTI_INSTANCE_README.html

I'm working on a document internally that might try and post on the MS wiki when done, but won't be that soon. From the above link the main thing is to make the inbound instance the MS one and then just pass straight through to the outbound instance (not via a milter as the above instructions use) and then sign on the outbound instance.

I've also found it helps with debugging if give each postfix instance a different hostname in the config so you can distinguish in logfile what is going on.

Jason

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Mark Niar
Sent: 22 September 2011 22:49
To: 'MailScanner discussion'
Subject: RE: mailscanner and opendkim

Jason,

Do you have any links for any tutorial on how to do this? I'm not yet familiar on this that much.

Thanks,
John

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede
Sent: Thursday, September 22, 2011 3:48 PM
To: MailScanner discussion
Subject: RE: mailscanner and opendkim

We use DKIM on our outbound here with MS and postfix. We just have 2 instances of postfix running. The first one scans the email with MS and the second signs the email before it leaves our servers.

Jason

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Mark Niar
Sent: 22 September 2011 07:17
To: mailscanner@lists.mailscanner.info
Subject: mailscanner and opendkim

Hello All,

I've just implemented MailScanner. Great software by the way! When I run MailScanner I run into OpenDKIM problem. My OpenDKIM was working already before I run the MailScanner.
Now even if OpenDKIM adds a signature, it will result o dkim: permerror (bad sig). I know MailScanner inserts some information inside the header and probably overwrites the OpenDKIM header information?
If so, does anyone can help me solve this?

Looking forward to hearing anyone.

thanks,
John

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From jonas at vrt.dk Fri Sep 23 11:45:07 2011
From: jonas at vrt.dk (Jonas)
Date: Fri Sep 23 11:45:23 2011
Subject: F-secure 9.10
In-Reply-To: <4A09477D575C2C4B86497161427DD94C1631BC9A0F@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C1631BC99D7@city-exchange07><09F23668E315FD4597C13D73E5123ADF68E38F@SCTSBS.sct.dk> <4A09477D575C2C4B86497161427DD94C1631BC9A0F@city-exchange07>
Message-ID: <09F23668E315FD4597C13D73E5123ADF68E5D1@SCTSBS.sct.dk>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: 22 September 2011 21:02
> To: 'MailScanner discussion'
> Subject: RE: F-secure 9.10
>
> Thanks.
> I just installed it on one of my MailScanner boxes and noticed that it now uses
> fsaua (automatic update agent) rather than a cron job. Previously I'd disabled
> the cron job and let MailScanner handle updating. Should I stop the fsaua
> daemon? Is MailScanner still handling updating?
>

I do not have a crontab either, and my fsupdate as well as fsaua is running so I assume those are handling updating.

I'm not sure if mailscanner tries to update as well to be honest.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From jonas at vrt.dk Fri Sep 23 11:50:10 2011
From: jonas at vrt.dk (Jonas)
Date: Fri Sep 23 11:50:26 2011
Subject: New? behavior og rbl's
In-Reply-To: <4E7B5F53.5010504@alexb.ch>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch>
Message-ID: <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>

> Which translated means:
> - put your MTAs on dedicated IP/s and do not share with gateway.
> - setup log watching/alerts
> - If you're corporate/Exchange don't allow OWA without being VPN'd or at least
> use a non standard port.
> - block port 25 outbound for all behind the gateway which is not an MTA (your
> MTA is on dedicated IP)
> - use outbound rating to minimize possible blasts.

All sound advice for enterprises, however the part about putting your MTA on a dedicated IP is just nonsense. Here in Denmark 90% of companies have less than 10 employees, so most just run on business adsl lines or similar smaller connections, where there is only 1 WAN ip.

Who suddenly decided you need multiple WAN ip's to host a mail gateway?

In my humble opinion its taking it way too far when you combine things that has nothing to do with mail with a mail blocking filter...

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From ms-list at alexb.ch Fri Sep 23 12:23:12 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Sep 23 12:23:26 2011
Subject: New? behavior og rbl's
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
Message-ID: <4E7C6C20.5030501@alexb.ch>

On 2011-09-23 12:50, Jonas wrote:
>> Which translated means: - put your MTAs on dedicated IP/s and do
>> not share with gateway. - setup log watching/alerts - If you're
>> corporate/Exchange don't allow OWA without being VPN'd or at least
>> use a non standard port. - block port 25 outbound for all behind
>> the gateway which is not an MTA (your MTA is on dedicated IP) - use
>> outbound rating to minimize possible blasts.
>
> All sound advice for enterprises, however the part about putting your
> MTA on a dedicated IP is just nonsense. Here in Denmark 90% of
> companies have less than 10 employees, so most just run on business
> adsl lines or similar smaller connections, where there is only 1 WAN
> ip.

you get what you pay for... as simple as that.
(if a company can't afford a second IP or a clean smarthost then it has other problems)

> Who suddenly decided you need multiple WAN ip's to host a mail
> gateway?

nobody decided - it's just a piece of advice based on facts to spare you headaches (been there, got the tickets/listings/worries)

> In my humble opinion its taking it way too far when you combine
> things that has nothing to do with mail with a mail blocking
> filter...

get the picture:
pretend your IP spews bot spam by the thousands, maybe millions. You honestly think anybody gives a damn if behind that IP there's also little mail server for a dozen of users, a coffee machine and possibly a dozen own3d PCs?... not really - block you and move on.
There's a +-130Mb XBL rbldnsd file full of IPs doing the same you were doing before you got listed.

We should be very thankful that there's still BLs around like CBL/XBL which are extremely accurate, easy to deal with and so widely used that a listing should ring all our bells and trigger your "damn, gotta do my homework".

I agree it's a pita, but it's up to us admins to keep a clean neighbourhood and not let thugs abuse our little ecosystems.

.. and ranting won't get problems fixed any faster...

Alex

From peter at farrows.org Fri Sep 23 12:33:57 2011
From: peter at farrows.org (Peter Farrow)
Date: Fri Sep 23 12:34:07 2011
Subject: New? behavior og rbl's
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
Message-ID: <4E7C6EA5.4040906@farrows.org>

On 23/09/2011 11:50, Jonas wrote:
>> Which translated means:
>> - put your MTAs on dedicated IP/s and do not share with gateway.
>> - setup log watching/alerts
>> - If you're corporate/Exchange don't allow OWA without being VPN'd or at least
>> use a non standard port.
>> - block port 25 outbound for all behind the gateway which is not an MTA (your
>> MTA is on dedicated IP)
>> - use outbound rating to minimize possible blasts.
> All sound advice for enterprises, however the part about putting your MTA on a dedicated IP is just nonsense. Here in Denmark 90% of companies have less than 10 employees, so most just run on business adsl lines or similar smaller connections, where there is only 1 WAN ip.
>
> Who suddenly decided you need multiple WAN ip's to host a mail gateway?
>
> In my humble opinion its taking it way too far when you combine things that has nothing to do with mail with a mail blocking filter...
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 3336 9974
> Mobile: 5120 1096
> Fax: 7020 0978
> Web: www.techbiz.dk

I agree, if you have a machine on your network that sends spam for whatever reason, your WAN IP address of your gateway will get targeted for blacklisting. This is the way of the world.

The lesson from all this: Make sure you keep your network clean and tidy and secure and don't send spam.

Sending out on different IPs is nonsense. One gateway and properly managed network is all you need for most small companies, if you can't keep your network secure and free of spamming worms and viruses, find someone who can.

Just my 10p worth, and yes I am having a bad day... (but not with spam or blacklists)

:-D

P.

From ms-list at alexb.ch Fri Sep 23 12:54:35 2011
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Sep 23 12:54:48 2011
Subject: New? behavior og rbl's
In-Reply-To: <4E7C6EA5.4040906@farrows.org>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk> <4E7C6EA5.4040906@farrows.org>
Message-ID: <4E7C737B.9020109@alexb.ch>

On 2011-09-23 13:33, Peter Farrow wrote:
> Sending out on different IPs is nonsense.

it's as nonsense as being insured - chances you really need it, is under normal circumstances, rather small.
The fact that a network probably was infected clearly shows having his mail server on a separate IP *could* have spared him lots of headaches.

> and yes I am having a bad day... (but not with spam or blacklists)

lets all wish you a better day :)

From peter at farrows.org Fri Sep 23 13:11:58 2011
From: peter at farrows.org (Peter Farrow)
Date: Fri Sep 23 13:12:06 2011
Subject: New? behavior og rbl's
In-Reply-To: <4E7C737B.9020109@alexb.ch>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk> <4E7C6EA5.4040906@farrows.org> <4E7C737B.9020109@alexb.ch>
Message-ID: <4E7C778E.2090107@farrows.org>

On 23/09/2011 12:54, Alex Broens wrote:
> On 2011-09-23 13:33, Peter Farrow wrote:
>> Sending out on different IPs is nonsense.
>
> it's as nonsense as being insured - chances you really need it, is
> under normal circumstances, rather small.
> The fact that a network probably was infected clearly shows having his
> mail server on a separate IP *could* have spared him lots of headaches.
>
>> and yes I am having a bad day... (but not with spam or blacklists)
>
> lets all wish you a better day :)

>>it's as nonsense as being insured

Funnily enough that's what my bad day is all about - insurance companies!!! Arrrrrrgggggghhh

But the best solution is probably to shift the IP of the gateway by one, if this happens rather than always have a second gateway.

When I provision circuits for small companies I always go for a /29 network so there are some free to play with!

P.

--
Peter Farrow
______________________
Home: 01249 654183
Fax: 01249 461 548
Mobile: 07799605617
Skype: peter_farrow
Web: www.peterfarrow.com

From glenn.steen at gmail.com Fri Sep 23 14:52:44 2011
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Sep 23 14:53:46 2011
Subject: Quarantined Message Ownership
In-Reply-To: <5997DFF6-FFB3-421B-B55E-143422B0FA84@trunknetworks.com>
References: <5997DFF6-FFB3-421B-B55E-143422B0FA84@trunknetworks.com>
Message-ID:

Consider use of sticky (group) bit perhaps, on the quarantine dir...?
Cheers!
--
-- Glenn

On 23 Sep 2011 08:33, "Drew Marshall" wrote:
> Hi All
>
> An interesting one. I have just upgraded one of my FreeBSD 8 gateways to perl 5.12.4, which of course broke the latest stable MS just nicely :-(
>
> So I installed the latest beta and am running MS with the -u switch (Via the rc.conf knob for those who know FreeBSD) and we are back processing mail :-)
>
> However, out came last night's quarantine report and the message details are not available for MailWatch to read, permission denied errors on the files. Strange as nothing has changed in the config and it's worked fine for eons. So I had a look at the MailScanner.conf settings:
>
> Quarantine User = postfix
> Quarantine Group = www
> Quarantine Permissions = 0660
>
> All good as these produce directories like this:
>
> drwxr-xr-x  33 postfix  www      1024 Sep 23 02:40 .
> drwxr-xr-x   6 postfix  postfix   512 May 10 19:37 ..
> drwxrwx---   6 postfix  www       512 Sep 10 15:59 20110910
> drwxrwx---  28 postfix  www      1024 Sep 11 19:31 20110911
> drwxrwx---  10 postfix  www       512 Sep 12 16:12 20110912
> drwxrwx---   5 postfix  www       512 Sep 13 16:22 20110913
> drwxrwx---   6 postfix  www       512 Sep 14 17:37 20110914
> drwxrwx---   5 postfix  www       512 Sep 15 18:57 20110915
> drwxrwx---   6 postfix  www       512 Sep 16 17:03 20110916
> drwxrwx---   5 postfix  www       512 Sep 17 20:19 20110917
> drwxrwx---   4 postfix  www       512 Sep 18 15:57 20110918
> drwxrwx---   4 postfix  www       512 Sep 19 12:52 20110919
> drwxrwx---   9 postfix  www       512 Sep 20 17:36 20110920
> drwxrwx---   3 postfix  www       512 Sep 21 00:16 20110921
> drwxrwx---   6 postfix  www       512 Sep 22 17:15 20110922
> drwxrwx---   3 postfix  www       512 Sep 23 00:00 20110923
>
> and when you go to yesterday's directory
>
> drwxrwx---   6 postfix  www       512 Sep 22 17:15 .
> drwxr-xr-x  33 postfix  www      1024 Sep 23 02:40 ..
> drwxrwx---   2 postfix  www       512 Sep 22 14:17 5F0A22A6A46.A7647
> drwxrwx---   2 postfix  www       512 Sep 22 09:35 9CCD22A6867.A4D03
> drwxrwx---   2 postfix  www       512 Sep 22 17:15 E62192A6A05.A6977
> drwxrwx---   2 postfix  www      8192 Sep 22 23:56 spam
>
> all good still but when you go to the spam directory
>
> root@in1.rdc /var/spool/MailScanner/quarantine/20110922/spam # ls -al
> total 12854
> drwxrwx---  2 postfix  www        8192 Sep 22 23:56 .
> drwxrwx---  6 postfix  www         512 Sep 22 17:15 ..
> -rw-rw----  1 postfix  postfix    4335 Sep 22 07:18 002552A6A39.A1A34
> -rw-rw----  1 postfix  postfix    4242 Sep 22 16:02 00E722A68BC.A085C
> -rw-rw----  1 postfix  postfix  630189 Sep 22 11:03 02E512A6A44.AC5AA
> -rw-rw----  1 postfix  postfix   14310 Sep 22 12:37 049852A6841.A9C3F
> -rw-rw----  1 postfix  postfix    5111 Sep 22 23:03 04E0F2A68A5.A5AAE
> -rw-rw----  1 postfix  postfix    4142 Sep 22 09:12 05A032A6A48.AF835
> -rw-rw----  1 postfix  postfix    1897 Sep 22 11:18 05B122A689B.A9065
> -rw-rw----  1 postfix  postfix   30585 Sep 22 17:18 05C702A6A49.ACE43
> -rw-rw----  1 postfix  postfix    4246 Sep 22 16:53 065CF2A6A46.A84F0
> -rw-rw----  1 postfix  postfix   14132 Sep 22 07:30 09F282A6915.A6E6F
> ...
>
> Has anyone else seen this? Is it another taint issue or a by product of me running it in '-u mode'? Perhaps more importantly, any ideas to fix it would be appreciated!
>
> Many thanks
>
> Drew

From maxsec at gmail.com Fri Sep 23 16:52:19 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Sep 23 16:52:28 2011
Subject: New? behavior og rbl's
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
Message-ID:

so why have these got their own mailserver? easier to run hosted surely?

--
Martin Hepworth
Oxford, UK

On 23 September 2011 11:50, Jonas wrote:
> > Which translated means:
> > - put your MTAs on dedicated IP/s and do not share with gateway.
> > - setup log watching/alerts
> > - If you're corporate/Exchange don't allow OWA without being VPN'd or at least
> > use a non standard port.
> > - block port 25 outbound for all behind the gateway which is not an MTA (your
> > MTA is on dedicated IP)
> > - use outbound rating to minimize possible blasts.
>
> All sound advice for enterprises, however the part about putting your MTA
> on a dedicated IP is just nonsense. Here in Denmark 90% of companies have
> less than 10 employees, so most just run on business adsl lines or similar
> smaller connections, where there is only 1 WAN ip.
>
> Who suddenly decided you need multiple WAN ip's to host a mail gateway?
>
> In my humble opinion its taking it way too far when you combine things that
> has nothing to do with mail with a mail blocking filter...
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 3336 9974
> Mobile: 5120 1096
> Fax: 7020 0978
> Web: www.techbiz.dk

From Kevin_Miller at ci.juneau.ak.us Fri Sep 23 18:11:21 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 23 18:11:49 2011
Subject: Missing signature file
Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07>

I tried to download the latest MailScanner signature file and got this 404:

"The requested URL /files/4/suse/MailScanner-4.84.3-1.suse.tar.gz.sig was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

Best...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From jeremy at fluxlabs.net Fri Sep 23 18:18:13 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Fri Sep 23 18:20:58 2011
Subject: Missing signature file
In-Reply-To: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07>
Message-ID:

Version 4.84.3-1 for SuSE

That link works for me - from mailscanner.info

If not, i can drop it on a mirror for you.

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net

Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 23, 2011, at 12:11 PM, Kevin Miller wrote:

I tried to download the latest MailScanner signature file and got this 404:

"The requested URL /files/4/suse/MailScanner-4.84.3-1.suse.tar.gz.sig was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

Best...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Fri Sep 23 18:28:50 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Sep 23 18:29:16 2011
Subject: Missing signature file
In-Reply-To:
References: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07>
Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9A17@city-exchange07>

That would be great - I've tried it on several browsers, with and w/o a proxy in front. Odd. I believe it's just a one line checksum - you could just post the contents here rather than a mirror if that's easier...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeremy McSpadden
Sent: Friday, September 23, 2011 9:18 AM
To: MailScanner discussion
Subject: Re: Missing signature file

Version 4.84.3-1 for SuSE

That link works for me - from mailscanner.info

If not, i can drop it on a mirror for you.

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net

Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 23, 2011, at 12:11 PM, Kevin Miller wrote:

I tried to download the latest MailScanner signature file and got this 404:

"The requested URL /files/4/suse/MailScanner-4.84.3-1.suse.tar.gz.sig was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

Best...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From jeremy at fluxlabs.net Fri Sep 23 18:30:59 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Fri Sep 23 18:31:49 2011
Subject: Missing signature file
In-Reply-To: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07>
References: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07>
Message-ID:

Sorry, I didn't read the message. You said Signature file. Yes, it looks 404

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net

Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 23, 2011, at 12:11 PM, Kevin Miller wrote:

I tried to download the latest MailScanner signature file and got this 404:

"The requested URL /files/4/suse/MailScanner-4.84.3-1.suse.tar.gz.sig was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."

Best...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Fri Sep 23 19:05:45 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 23 19:06:10 2011 Subject: Missing signature file In-Reply-To: References: <4A09477D575C2C4B86497161427DD94C1631BC9A16@city-exchange07> Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9A1A@city-exchange07> Whew. Thought we had one of those really odd-ball network issues that take days to sort out! Thanks for the offer & the update on the status. Guess it's in Julian's court now... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ 
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110923/dcd87373/attachment.html From Kevin_Miller at ci.juneau.ak.us Fri Sep 23 23:38:53 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 23 23:39:10 2011 Subject: F-secure 9.10 In-Reply-To: <09F23668E315FD4597C13D73E5123ADF68E5D1@SCTSBS.sct.dk> References: <4A09477D575C2C4B86497161427DD94C1631BC99D7@city-exchange07><09F23668E315FD4597C13D73E5123ADF68E38F@SCTSBS.sct.dk> <4A09477D575C2C4B86497161427DD94C1631BC9A0F@city-exchange07> <09F23668E315FD4597C13D73E5123ADF68E5D1@SCTSBS.sct.dk> Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9A22@city-exchange07> Jonas wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Kevin Miller >> Sent: 22. september 2011 21:02 >> To: 'MailScanner discussion' >> Subject: RE: F-secure 9.10 >> >> Thanks. >> I just installed it on one of my MailScanner boxes and noticed that >> it >> now uses fsaua (automatic update agent) rather than a cron job. >> Previously I'd disabled the cron job and let MailScanner handle >> updating. Should I stop the fsaua daemon? Is MailScanner still >> handling updating? >> > I do not have a crontab either, and my fsupdate as well as fsaua is > running so I assume those are handling updating. I'm not sure if > mailscanner tries to update as well to be honest. I turned off the daemons, and the MailScanner update routine failed, so it looks like the daemons need to be running in order for MS to check. I've turned them back on now... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at ci.juneau.ak.us Fri Sep 23 23:41:47 2011
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Fri Sep 23 23:42:00 2011 Subject: F-Secure reports in MailWatch for MailScanner Message-ID: <4A09477D575C2C4B86497161427DD94C1631BC9A23@city-exchange07> Slightly off topic, but for those using MailWatch for MailScanner, I tweaked the MailWatch status reports for F-Secure (which have been broken for quite a while). I posted the modified awp and php scripts in the MailWatch mail list. If you'd like a copy but aren't on that list let me know... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From vincent at zijnemail.nl Mon Sep 26 16:13:12 2011 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Mon Sep 26 16:11:30 2011 Subject: Need help on crashing MS Message-ID: <4E809688.20803@zijnemail.nl> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4884 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/95300078/smime.bin From jeremy at fluxlabs.net Mon Sep 26 16:24:59 2011 
From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Mon Sep 26 16:25:13 2011 Subject: Need help on crashing MS In-Reply-To: <4E809688.20803@zijnemail.nl> References: <4E809688.20803@zijnemail.nl> Message-ID: What distro ? I gave up on Ubuntu Natty. Switched to CENT6. I literally built 10 VMs and all had the same "16:48:22 Insecure dependency " that you are having, and caused the same thing. Yet no one else was able to duplicate my issue -- Jeremy McSpadden Flux Labs, Inc http://www.fluxlabs.net Endless Solutions Office : 850-588-4626 Cell : 850-890-2543 Fax : 850-254-2955 On Sep 26, 2011, at 10:13 AM, Vincent Verhagen wrote: Hi all, I think I'm running into a permissions problem, but aren't sure and am a bit stumped... When SA finds that an email is spam and MS (4.84.3) is told to "store", MS crashes. ("deliver" goes fine) When running in debug mode, I can see that SA, ClamAV, are doing fine and these are the last few lines: ------------- 16:48:22 Sep 26 16:48:22.048 [19001] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=0.2229, head-points=0.2229, learned-points=0 16:48:22 Sep 26 16:48:22.048 [19001] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam 16:48:22 Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. ------------- Line 185 in File.pm is the "open" function. System is SL 6.1 x86_64, perl is v5.10.1 I run MS as "postfix" and the perms for /var/spool/MailScanner/... are: ----------- [root@mail rules]# ls -l /var/spool/MailScanner/ total 8 drwxr-xr-x. 5 postfix clamav 4096 Sep 26 16:48 incoming drwxr-xr-x. 4 postfix apache 4096 Sep 26 14:13 quarantine [root@mail rules]# ls -l /var/spool/MailScanner/quarantine/ total 8 drwxrwx---. 3 postfix apache 4096 Sep 26 14:13 20110926 drwxr-xr-x. 3 root root 4096 Sep 26 16:03 phishingupdate [root@mail rules]# ls -l /var/spool/MailScanner/quarantine/20110926/ total 4 drwxrwx---. 
2 postfix apache 4096 Sep 26 14:13 spam ----------- The perms on todays quarantine directory look ok? Could this be a failing perl module? Does anyone have any pointers for me where to look next? Thanks! Vincent MailScanner --version output: ---------------- Running on Linux mail.vive-id.local 2.6.32-131.12.1.el6.x86_64 #1 SMP Tue Aug 23 11:13:45 CDT 2011 x86_64 x86_64 x86_64 GNU/Linux This is Scientific Linux release 6.1 (Carbon) This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.84.3 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.02 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.27 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.08 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.08 MIME::QuotedPrint 5.427 MIME::Tools 0.14 Net::CIDR 1.25 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.13 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.20 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.40 Test::Pod 0.92 Test::Simple 1.9721 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.29 Archive::Tar 0.23 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.82 DB_File 1.27 DBD::SQLite 1.609 DBI 1.16 Digest 1.01 Digest::HMAC 2.39 Digest::MD5 2.10 Digest::SHA1 1.01 Encode::Detect 0.17008 Error 0.18 ExtUtils::CBuilder 2.2203 ExtUtils::ParseXS 2.38 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country 0.29 Mail::ClamAV 3.003001 Mail::SpamAssassin v2.007 Mail::SPF missing Mail::SPF::Query 0.35 Module::Build 0.20 Net::CIDR::Lite 0.62 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable missing Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 
3.17 Test::Harness 0.95 Test::Manifest 2.0.0 Text::Balanced 1.35 URI 0.77 version 0.62 YAML -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/0711f019/attachment.html From vincent at zijnemail.nl Mon Sep 26 16:42:49 2011 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Mon Sep 26 16:39:27 2011 Subject: Need help on crashing MS In-Reply-To: References: <4E809688.20803@zijnemail.nl> Message-ID: <4E809D79.8090004@zijnemail.nl> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4884 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/b1463a31/smime.bin From jbull at esd113.org Mon Sep 26 16:48:46 2011 From: jbull at esd113.org (John Bull) Date: Mon Sep 26 16:49:06 2011 Subject: Need help on crashing MS In-Reply-To: <4E809D79.8090004@zijnemail.nl> References: <4E809688.20803@zijnemail.nl> <4E809D79.8090004@zijnemail.nl> Message-ID: <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> Vincent, Try running MailScanner with the -U switch, as follows: nano /usr/sbin/MailScanner #!/usr/bin/perl -I/usr/lib/MailScanner -U 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vincent Verhagen Sent: Monday, September 26, 2011 8:43 AM To: MailScanner discussion Subject: Re: Need help on crashing MS Distro is Scientific Linux 6.1 (another RHEL spinoff like CentOS)
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/9af986cd/attachment.html From vincent at zijnemail.nl Mon Sep 26 17:14:52 2011 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Mon Sep 26 17:12:23 2011 Subject: Need help on crashing MS In-Reply-To: <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> References: <4E809688.20803@zijnemail.nl> <4E809D79.8090004@zijnemail.nl> <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> Message-ID: <4E80A4FC.5020901@zijnemail.nl> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4884 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/5134549a/smime-0001.bin From jbull at esd113.org Mon Sep 26 17:22:09 2011
From: jbull at esd113.org (John Bull) Date: Mon Sep 26 17:22:24 2011 Subject: Need help on crashing MS In-Reply-To: <4E80A4FC.5020901@zijnemail.nl> References: <4E809688.20803@zijnemail.nl> <4E809D79.8090004@zijnemail.nl> <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> <4E80A4FC.5020901@zijnemail.nl> Message-ID: <2046762850AF9D4DA8E1EB3B6F2BA19C1226130C@VA3DIAXVS1A1.RED001.local> I was asked to try the same thing several weeks ago but was not informed of what it was accomplishing. Possibly someone could let us all know.... From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vincent Verhagen Sent: Monday, September 26, 2011 9:15 AM To: MailScanner discussion Subject: Re: Need help on crashing MS That seems to fare better. I still get the errors (more of them) when debugging (see output below), but the results are as expected. Spam is stored correctly and no crash. Could you tell me what I've just done by adding the -U switch? ---------------------- [root@mail conf.d]# MailScanner In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... Have a batch of 1 message. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Stopping now as you are debugging me. On 26-9-2011 17:48, John Bull wrote: Vincent, Try running MailScanner with the -U switch, as follows: nano /usr/sbin/MailScanner #!/usr/bin/perl -I/usr/lib/MailScanner -U 
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/31a09d6e/attachment.html From vincent at zijnemail.nl Mon Sep 26 17:41:26 2011 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Mon Sep 26 17:37:51 2011 Subject: Need help on crashing MS In-Reply-To: <2046762850AF9D4DA8E1EB3B6F2BA19C1226130C@VA3DIAXVS1A1.RED001.local> References: <4E809688.20803@zijnemail.nl> <4E809D79.8090004@zijnemail.nl> <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> <4E80A4FC.5020901@zijnemail.nl> <2046762850AF9D4DA8E1EB3B6F2BA19C1226130C@VA3DIAXVS1A1.RED001.local> Message-ID: <4E80AB36.5050303@zijnemail.nl> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4884 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/1e199ef3/smime.bin From dave at KD0YU.COM Mon Sep 26 17:55:23 2011
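Added note for readers of this archive (not part of any list message, and not MailScanner code): the question in the thread about what -U does comes down to Perl taint mode. The Perl sketch below uses a constructed directory and constructed message ids to reproduce the "Insecure dependency" refusal and then clears it by validating the value; per perlrun, -U skips that step and only turns fatal taint checks into warnings.

```perl
#!/usr/bin/perl -T
# Added illustration, not MailScanner code. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed stand-in for a quarantine root. $$ (the PID) is not tainted.
my $root = "/tmp/taint-demo-$$";
mkdir $root, 0700 or die "mkdir $root: $!\n";

# Anything read from a file handle is tainted under -T, as a message id
# taken from a queue file or a readdir() result would be.
chomp(my @ids = <DATA>);

for my $id (@ids) {
    printf "id %-20s tainted=%s\n", "'$id'", tainted($id) ? 'yes' : 'no';

    # 1. Tainted value used directly in a path: perl aborts the call with
    #    "Insecure dependency in mkdir while running with -T switch".
    my $made = eval { mkdir "$root/$id", 0700 or die "mkdir failed: $!\n"; 1 };
    print "  unchecked : ", ($made ? "created\n" : "refused: $@");
    rmdir "$root/$id" if $made;    # only reachable when run with -U

    # 2. Validate against a strict pattern. A regex capture is untainted,
    #    so the same call is allowed for ids that pass the check.
    if ($id =~ /\A([A-Za-z0-9]{6,20}(?:\.[A-Za-z0-9]{1,8})?)\z/) {
        my $clean = $1;
        mkdir "$root/$clean", 0700 or die "mkdir $root/$clean: $!\n";
        print "  validated : created $root/$clean\n";
        rmdir "$root/$clean";
    } else {
        print "  validated : rejected, not a well-formed id\n";
    }
}
rmdir $root;

# perl -U does not perform step 2. Per perlrun it permits unsafe operations
# and downgrades fatal taint checks to warnings, so unvalidated data still
# reaches mkdir/open. That is consistent with the thread: the "Insecure
# dependency" lines are still printed, but the process no longer dies.

__DATA__
3F2A41C0B7.A1B2C
../outside
```

The two ids after __DATA__ are constructed samples: the first passes validation, the second is refused by the taint check and then rejected by the pattern.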
From: dave at KD0YU.COM (Dave Helton) Date: Mon Sep 26 17:55:51 2011 Subject: Need help on crashing MS In-Reply-To: <4E80A4FC.5020901@zijnemail.nl> References: <4E809688.20803@zijnemail.nl> <4E809D79.8090004@zijnemail.nl> <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> <4E80A4FC.5020901@zijnemail.nl> Message-ID: <77F23E6E4DE9084BA33755BA403E53FC2406CCE2@S8.KD0YU.COM> Hi all, My setup is different here... (CentOS 5, 32bit) so I cannot verify what I'm seeing is an anomaly or what. But, shouldn't your perl path include a version? Such as /usr/lib64/perl5/5.10.0/IO/File.pm. Just an observation FWIW. --Dave
-- This message has been scanned for viruses and dangerous content by MailScanner at KD0YU.COM, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/263a128b/attachment.html From jeremy at fluxlabs.net Mon Sep 26 18:04:46 2011 From: jeremy at fluxlabs.net (Jeremy McSpadden) Date: Mon Sep 26 18:05:02 2011 Subject: Need help on crashing MS In-Reply-To: <77F23E6E4DE9084BA33755BA403E53FC2406CCE2@S8.KD0YU.COM> References: <4E809688.20803@zijnemail.nl> <4E809D79.8090004@zijnemail.nl> <2046762850AF9D4DA8E1EB3B6F2BA19C122612F2@VA3DIAXVS1A1.RED001.local> <4E80A4FC.5020901@zijnemail.nl> <77F23E6E4DE9084BA33755BA403E53FC2406CCE2@S8.KD0YU.COM> Message-ID: <6B678290-AC32-404A-A98E-C0D7C91FFF1A@fluxlabs.net> Not on my 64 bit systems .. -- Jeremy McSpadden Flux Labs, Inc http://www.fluxlabs.net Endless Solutions Office : 850-588-4626 Cell : 850-890-2543 Fax : 850-254-2955 On Sep 26, 2011, at 11:55 AM, Dave Helton wrote: Hi all, My setup is different here... (CentOS 5, 32bit) so I cannot verify what I'm seeing is an anomaly or what. But, shouldn't your perl path include a version? Such as /usr/lib64/perl5/5.10.0/IO/File.pm. Just an observation FWIW. --Dave
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vincent Verhagen Sent: Monday, September 26, 2011 11:15 AM To: MailScanner discussion Subject: Re: Need help on crashing MS That seems to fare better. I still get the errors (more of them) when debugging (see output below), but the results are as expected. Spam is stored correctly and no crash. Could you tell me what I've just done by adding the -U switch? ---------------------- [root@mail conf.d]# MailScanner In Debugging mode, not forking... Trying to setlogsock(unix) Building a message batch to scan... Have a batch of 1 message. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. Stopping now as you are debugging me. On 26-9-2011 17:48, John Bull wrote: Vincent, Try running MailScanner with the -U switch, as follows: nano /usr/sbin/MailScanner #!/usr/bin/perl -I/usr/lib/MailScanner -U
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vincent Verhagen Sent: Monday, September 26, 2011 8:43 AM To: MailScanner discussion Subject: Re: Need help on crashing MS Distro is Scientific Linux 6.1 (another RHEL spinoff like CentOS) On 26-9-2011 17:24, Jeremy McSpadden wrote: What distro ? I gave up on Ubuntu Natty. Switched to CENT6. I literally built 10 VMs and all had the same "16:48:22 Insecure dependency " that you are having, and caused the same thing. Yet no one else was able to duplicate my issue -- Jeremy McSpadden Flux Labs, Inc http://www.fluxlabs.net Endless Solutions Office : 850-588-4626 Cell : 850-890-2543 Fax : 850-254-2955 On Sep 26, 2011, at 10:13 AM, Vincent Verhagen wrote: Hi all, I think I'm running into a permissions problem, but aren't sure and am a bit stumped... When SA finds that an email is spam and MS (4.84.3) is told to "store", MS crashes. ("deliver" goes fine) When running in debug mode, I can see that SA, ClamAV, are doing fine and these are the last few lines: ------------- 16:48:22 Sep 26 16:48:22.048 [19001] dbg: learn: auto-learn? ham=0.1, spam=12, body-points=0.2229, head-points=0.2229, learned-points=0 16:48:22 Sep 26 16:48:22.048 [19001] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam 16:48:22 Insecure dependency in open while running with -T switch at /usr/lib64/perl5/IO/File.pm line 185. ------------- Line 185 in File.pm is the "open" function. System is SL 6.1 x86_64, perl is v5.10.1 I run MS as "postfix" and the perms for /var/spool/MailScanner/... are: ----------- [root@mail rules]# ls -l /var/spool/MailScanner/ total 8 drwxr-xr-x. 5 postfix clamav 4096 Sep 26 16:48 incoming drwxr-xr-x. 4 postfix apache 4096 Sep 26 14:13 quarantine [root@mail rules]# ls -l /var/spool/MailScanner/quarantine/ total 8 drwxrwx---. 3 postfix apache 4096 Sep 26 14:13 20110926 drwxr-xr-x. 
3 root root 4096 Sep 26 16:03 phishingupdate [root@mail rules]# ls -l /var/spool/MailScanner/quarantine/20110926/ total 4 drwxrwx---. 2 postfix apache 4096 Sep 26 14:13 spam ----------- The perms on todays quarantine directory look ok? Could this be a failing perl module? Does anyone have any pointers for me where to look next? Thanks! Vincent MailScanner --version output: ---------------- Running on Linux mail.vive-id.local 2.6.32-131.12.1.el6.x86_64 #1 SMP Tue Aug 23 11:13:45 CDT 2011 x86_64 x86_64 x86_64 GNU/Linux This is Scientific Linux release 6.1 (Carbon) This is Perl version 5.010001 (5.10.1) This is MailScanner version 4.84.3 Module versions are: 1.00 AnyDBM_File 1.30 Archive::Zip 0.23 bignum 1.11 Carp 2.02 Compress::Zlib 1.119 Convert::BinHex 0.17 Convert::TNEF 2.124 Data::Dumper 2.27 Date::Parse 1.03 DirHandle 1.06 Fcntl 2.77 File::Basename 2.14 File::Copy 2.02 FileHandle 2.08 File::Path 0.22 File::Temp 0.92 Filesys::Df 3.64 HTML::Entities 3.64 HTML::Parser 3.57 HTML::TokeParser 1.25 IO 1.14 IO::File 1.13 IO::Pipe 2.04 Mail::Header 1.89 Math::BigInt 0.22 Math::BigRat 3.08 MIME::Base64 5.427 MIME::Decoder 5.427 MIME::Decoder::UU 5.427 MIME::Head 5.427 MIME::Parser 3.08 MIME::QuotedPrint 5.427 MIME::Tools 0.14 Net::CIDR 1.25 Net::IP 0.19 OLE::Storage_Lite 1.04 Pod::Escapes 3.13 Pod::Simple 1.17 POSIX 1.21 Scalar::Util 1.82 Socket 2.20 Storable 1.4 Sys::Hostname::Long 0.27 Sys::Syslog 1.40 Test::Pod 0.92 Test::Simple 1.9721 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.29 Archive::Tar 0.23 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 1.08 Data::Dump 1.82 DB_File 1.27 DBD::SQLite 1.609 DBI 1.16 Digest 1.01 Digest::HMAC 2.39 Digest::MD5 2.10 Digest::SHA1 1.01 Encode::Detect 0.17008 Error 0.18 ExtUtils::CBuilder 2.2203 ExtUtils::ParseXS 2.38 Getopt::Long 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country 0.29 Mail::ClamAV 3.003001 Mail::SpamAssassin v2.007 Mail::SPF missing Mail::SPF::Query 0.35 Module::Build 0.20 
Net::CIDR::Lite 0.62 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable missing Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 3.17 Test::Harness 0.95 Test::Manifest 2.0.0 Text::Balanced 1.35 URI 0.77 version 0.62 YAML -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner running on mail server KD0YU.COM, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110926/fadce93e/attachment-0001.html From prandal at herefordshire.gov.uk Tue Sep 27 17:57:03 2011 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Sep 27 17:57:32 2011 Subject: External TNEF decoding bug in MailScanner 4.84.3 Message-ID: <7CA580B59C1ABD45B4614ED90D4C7B853B965764@HC-EXMBX02.herefordshire.gov.uk> Hi folks, The following change to TNEF.pm (from 4.83.5 to 4.84.3) breaks external TNEF decoding: 
@@ -228,7 +228,9 @@ my($dir, $tnefname, $message, $perms, $owner, $group, $change) = @_; # Create the subdir to unpack it into - my $unpackdir = "tnef.$$"; + #my $unpackdir = "tnef.$$"; + my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK => 0); + $dir =~ s,^.*/,,; $unpackdir = $message->MakeNameSafe($unpackdir, $dir); unless (mkdir "$dir/$unpackdir", 0777) { MailScanner::Log::WarnLog("Trying to unpack %s in message %s, could not create subdirectory %s, failed to unpack TNEF message", $tnefname, $message->{id}, Error logged is: Sep 27 15:36:20 mx0 MailScanner[17000]: Expanding TNEF archive at /var/spool/MailScanner/incoming/17000/p8REaJo0023344/winmail.dat Sep 27 15:36:20 mx0 MailScanner[17000]: Trying to unpack nwinmail.dat in message p8REaJo0023344, could not create subdirectory p8REaJo0023344//tnefiOXxho, failed to unpack TNEF message Sep 27 15:36:20 mx0 MailScanner[17000]: Corrupt TNEF winmail.dat that cannot be analysed in message p8REaJo0023344 Changing to internal decoder fixes this. All worked fine with external decoder in 4.83.5. Cheers, Phil -- Phil Randal | Infrastructure Engineer NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 "Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council, Herefordshire Primary Care Trust or 2gether NHS Foundation Trust. You should be aware that Herefordshire Council, Herefordshire Primary Care Trust & 2gether NHS Foundation Trust monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. 
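Review bot: the added `$dir =~ s,^.*/,,;` rewrites `$dir` in place down to its last path component, so the `mkdir "$dir/$unpackdir", 0777` in the unchanged context below it is now handed a relative path, which matches the relative `p8REaJo0023344//tnefiOXxho` in the logged failure. Strip the prefix into a separate variable for `MakeNameSafe` and leave `$dir` intact for the `mkdir`. The `tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK => 0)` line needs a second look as well: in File::Temp, `TMPDIR` is a true/false flag and the target directory is passed as `DIR`, and `tempfile` creates and opens a regular file (`$tmpfh` is not closed in the visible lines) where the code then goes on to `mkdir` a directory. `tempdir("tnefXXXXXX", DIR => $dir)` would create the unpack directory itself under a non-guessable name, which replaces the commented-out `tnef.$$` and makes the separate 0777 `mkdir` unnecessary.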
If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. Please consider the environment before printing this e-mail."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110927/3149693c/attachment.html

From jonas at vrt.dk Tue Sep 27 18:29:02 2011
From: jonas at vrt.dk (Jonas)
Date: Tue Sep 27 18:29:13 2011
Subject: New? behavior og rbl's
In-Reply-To:
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk>
Message-ID: <09F23668E315FD4597C13D73E5123ADF6C92AE@SCTSBS.sct.dk>

> so why have these got their own mailserver? easier to run hosted surely?
>--
>Martin Hepworth
>Oxford, UK

Mmm I think that might be a tad too off topic for this thread anyway, but shortly put: If you need a server for shared files (which you do because putting 5mb+, which even the smallest company has, on some hosted setup would be way too slow on a small adsl line) then you need a server/nas. And if you have that anyway paying some1 to host your email when you already have the software/hardware to run your mailserver does not necessarily make a lot of sense.

Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978
Web: www.techbiz.dk

From jeremy at fluxlabs.net Tue Sep 27 18:37:48 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 27 18:38:12 2011
Subject: New? behavior og rbl's
In-Reply-To: <09F23668E315FD4597C13D73E5123ADF6C92AE@SCTSBS.sct.dk>
References: <09F23668E315FD4597C13D73E5123ADF68E586@SCTSBS.sct.dk> <4E7B5F53.5010504@alexb.ch> <09F23668E315FD4597C13D73E5123ADF68E5D4@SCTSBS.sct.dk> <09F23668E315FD4597C13D73E5123ADF6C92AE@SCTSBS.sct.dk>
Message-ID:

Get a 25$/vps and relay through it. Call it a day.

--
Jeremy McSpadden

On Sep 27, 2011, at 12:35 PM, "Jonas" wrote:

>> so why have these got their own mailserver? easier to run hosted surely?
>> --
>> Martin Hepworth
>> Oxford, UK
>
> Mmm I think that might be a tad too off topic for this thread anyway, but shortly put: If you need a server for shared files (which you do because putting 5mb+, which even the smallest company has, on some hosted setup would be way too slow on a small adsl line) then you need a server/nas. And if you have that anyway paying some1 to host your email when you already have the software/hardware to run your mailserver does not necessarily make a lot of sense.
>
> Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 3336 9974
> Mobile: 5120 1096
> Fax: 7020 0978
> Web: www.techbiz.dk
>

From maxsec at gmail.com Tue Sep 27 19:02:18 2011
From: maxsec at gmail.com (Martin Hepworth) Date: Tue Sep 27 19:02:26 2011 Subject: External TNEF decoding bug in MailScanner 4.84.3 In-Reply-To: <7CA580B59C1ABD45B4614ED90D4C7B853B965764@HC-EXMBX02.herefordshire.gov.uk> References: <7CA580B59C1ABD45B4614ED90D4C7B853B965764@HC-EXMBX02.herefordshire.gov.uk> Message-ID: Side question is who the heck is still using this encoding on emails ... Its 2011 not 1991 ???? Martin On Tuesday, 27 September 2011, Randal, Phil wrote: > Hi folks, > > > > The following change to TNEF.pm (from 4.83.5 to 4.84.3) breaks external TNEF decoding: 
> > > > > > @@ -228,7 +228,9 @@ > > my($dir, $tnefname, $message, $perms, $owner, $group, $change) = @_; > > > > # Create the subdir to unpack it into > > - my $unpackdir = "tnef.$$"; > > + #my $unpackdir = "tnef.$$"; > > + my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK => 0); > > + $dir =~ s,^.*/,,; > > $unpackdir = $message->MakeNameSafe($unpackdir, $dir); > > unless (mkdir "$dir/$unpackdir", 0777) { > > MailScanner::Log::WarnLog("Trying to unpack %s in message %s, could not create subdirectory %s, failed to unpack TNEF message", $tnefname, $message->{id}, > > > > Error logged is: > > > > Sep 27 15:36:20 mx0 MailScanner[17000]: Expanding TNEF archive at /var/spool/MailScanner/incoming/17000/p8REaJo0023344/winmail.dat > > Sep 27 15:36:20 mx0 MailScanner[17000]: Trying to unpack nwinmail.dat in message p8REaJo0023344, could not create subdirectory p8REaJo0023344//tnefiOXxho, failed to unpack TNEF message > > Sep 27 15:36:20 mx0 MailScanner[17000]: Corrupt TNEF winmail.dat that cannot be analysed in message p8REaJo0023344 > > > > Changing to internal decoder fixes this. > > > > All worked fine with external decoder in 4.83.5. > > > > Cheers, > > > > Phil > > -- > Phil Randal | Infrastructure Engineer > NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > > > > ?Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council, Herefordshire Primary Care Trust or 2gether NHS Foundation Trust. You should be aware that Herefordshire Council, Herefordshire Primary Care Trust & 2gether NHS Foundation Trust monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. 
If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. Please consider the environment before printing this e-mail."

--
--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110927/aed4fabd/attachment.html

From bonivart at opencsw.org Tue Sep 27 19:10:08 2011
From: bonivart at opencsw.org (Peter Bonivart)
Date: Tue Sep 27 19:10:37 2011
Subject: External TNEF decoding bug in MailScanner 4.84.3
In-Reply-To:
References: <7CA580B59C1ABD45B4614ED90D4C7B853B965764@HC-EXMBX02.herefordshire.gov.uk>
Message-ID:

On Tue, Sep 27, 2011 at 8:02 PM, Martin Hepworth wrote:
> Side question is who the heck is still using this encoding on emails ... Its
> 2011 not 1991 ????

The senders are clueless about this, it should be removed from Outlook so the disease finally ends.

/peter

From jeremy at fluxlabs.net Tue Sep 27 19:09:55 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 27 19:10:43 2011
Subject: External TNEF decoding bug in MailScanner 4.84.3
In-Reply-To:
References: <7CA580B59C1ABD45B4614ED90D4C7B853B965764@HC-EXMBX02.herefordshire.gov.uk>
Message-ID: <4681F624-411C-4901-9F41-C4039E97C488@fluxlabs.net>

Microshaft

--
Jeremy McSpadden

On Sep 27, 2011, at 1:05 PM, "Martin Hepworth" wrote:

Side question is who the heck is still using this encoding on emails ... Its 2011 not 1991 ????

Martin

On Tuesday, 27 September 2011, Randal, Phil wrote:
> Hi folks,
>
> The following change to TNEF.pm (from 4.83.5 to 4.84.3) breaks external TNEF decoding:
> > > > > > @@ -228,7 +228,9 @@ > > my($dir, $tnefname, $message, $perms, $owner, $group, $change) = @_; > > > > # Create the subdir to unpack it into > > - my $unpackdir = "tnef.$$"; > > + #my $unpackdir = "tnef.$$"; > > + my ($tmpfh, $unpackdir) = tempfile("tnefXXXXXX", TMPDIR => $dir, UNLINK => 0); > > + $dir =~ s,^.*/,,; > > $unpackdir = $message->MakeNameSafe($unpackdir, $dir); > > unless (mkdir "$dir/$unpackdir", 0777) { > > MailScanner::Log::WarnLog("Trying to unpack %s in message %s, could not create subdirectory %s, failed to unpack TNEF message", $tnefname, $message->{id}, > > > > Error logged is: > > > > Sep 27 15:36:20 mx0 MailScanner[17000]: Expanding TNEF archive at /var/spool/MailScanner/incoming/17000/p8REaJo0023344/winmail.dat > > Sep 27 15:36:20 mx0 MailScanner[17000]: Trying to unpack nwinmail.dat in message p8REaJo0023344, could not create subdirectory p8REaJo0023344//tnefiOXxho, failed to unpack TNEF message > > Sep 27 15:36:20 mx0 MailScanner[17000]: Corrupt TNEF winmail.dat that cannot be analysed in message p8REaJo0023344 > > > > Changing to internal decoder fixes this. > > > > All worked fine with external decoder in 4.83.5. > > > > Cheers, > > > > Phil > > -- > Phil Randal | Infrastructure Engineer > NHS Herefordshire & Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division > Thorn Office Centre, Rotherwas, Hereford, HR2 6JT > Tel: 01432 260160 > > > > ?Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council, Herefordshire Primary Care Trust or 2gether NHS Foundation Trust. You should be aware that Herefordshire Council, Herefordshire Primary Care Trust & 2gether NHS Foundation Trust monitors its email service. This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. 
If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. Please consider the environment before printing this e-mail."

--
--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110927/7c961684/attachment.html

From mikea at mikea.ath.cx Tue Sep 27 19:20:31 2011
From: mikea at mikea.ath.cx (mikea)
Date: Tue Sep 27 19:20:42 2011
Subject: External TNEF decoding bug in MailScanner 4.84.3
In-Reply-To:
References: <7CA580B59C1ABD45B4614ED90D4C7B853B965764@HC-EXMBX02.herefordshire.gov.uk>
Message-ID: <20110927182031.GA66720@mikea.ath.cx>

On Tue, Sep 27, 2011 at 07:02:18PM +0100, Martin Hepworth wrote:
> Side question is who the heck is still using this encoding on emails ... Its
> 2011 not 1991 ????

I have to contend with this two or three times a month, when external users have misconfigured settings for a mailbox in our domains. It is, and I expect it to continue to be, a perennial Pain In The Sitting Parts.

--
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin

From sonidhaval at gmail.com Tue Sep 27 21:28:42 2011
From: sonidhaval at gmail.com (sonidhaval@gmail.com)
Date: Tue Sep 27 21:29:30 2011
Subject: Regarding MailScanner signature.
Message-ID:

Dear All,

By default, MailScanner is adding "Inline HTML Signature" or "Inline Text Signature" to the end of uninfected messages if Sign Clean Messages = yes.

But can we configure MailScanner that it can not add signature for particular one domain even emails are getting cleaned by MailScanner ?

System:

CentOS5.6 (64bit)
MailScanner 4.79)
SpamAssassin

Thank you,

--
Kind regards,
Dhaval Soni ( RHCA )

Active Contributor of *LinuxArticles.org*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110928/94b02613/attachment.html

From jeremy at fluxlabs.net Tue Sep 27 21:32:02 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 27 21:32:31 2011
Subject: Regarding MailScanner signature.
In-Reply-To:
References:
Message-ID: <4948F6A7-800B-42CA-ACCE-4E0CA9259638@fluxlabs.net>

Setup a rule. Just like the rest of them.

--
Jeremy McSpadden

On Sep 27, 2011, at 3:30 PM, "sonidhaval@gmail.com" wrote:

Dear All,

By default, MailScanner is adding "Inline HTML Signature" or "Inline Text Signature" to the end of uninfected messages if Sign Clean Messages = yes.

But can we configure MailScanner that it can not add signature for particular one domain even emails are getting cleaned by MailScanner ?

System:

CentOS5.6 (64bit)
MailScanner 4.79)
SpamAssassin

Thank you,

--
Kind regards,
Dhaval Soni ( RHCA )

Active Contributor of LinuxArticles.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110927/14b5f532/attachment.html

From sonidhaval at gmail.com Tue Sep 27 21:49:12 2011
From: sonidhaval at gmail.com (sonidhaval@gmail.com)
Date: Tue Sep 27 21:50:31 2011
Subject: Regarding MailScanner signature.
In-Reply-To: <4948F6A7-800B-42CA-ACCE-4E0CA9259638@fluxlabs.net>
References: <4948F6A7-800B-42CA-ACCE-4E0CA9259638@fluxlabs.net>
Message-ID:

Hi,

I have just added Sign Clean Messages = %rules-dir%/signing.rules in MailScanner.conf and below to signing.rules.

FromOrTo: default yes
To: *@domain.com no

Is that okay?

Thank you,

On Wed, Sep 28, 2011 at 2:02 AM, Jeremy McSpadden wrote:

> Setup a rule. Just like the rest of them.
>
> --
> Jeremy McSpadden
>
> On Sep 27, 2011, at 3:30 PM, "sonidhaval@gmail.com" wrote:
>
> Dear All,
>
> By default, MailScanner is adding "Inline HTML Signature" or "Inline Text
> Signature" to the end of uninfected messages if Sign Clean Messages = yes.
>
> But can we configure MailScanner that it can not add signature for
> particular one domain even emails are getting cleaned by MailScanner ?
> System:
>
> CentOS5.6 (64bit)
> MailScanner 4.79)
> SpamAssassin
>
> Thank you,
>
> --
> Kind regards,
> Dhaval Soni ( RHCA )
>
> Active Contributor of *LinuxArticles.org*
>

--
Kind regards,
Dhaval Soni ( RHCA )

Active Contributor of *LinuxArticles.org*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110928/a291b93a/attachment.html

From jeremy at fluxlabs.net Tue Sep 27 21:53:44 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Tue Sep 27 21:57:00 2011
Subject: Regarding MailScanner signature.
In-Reply-To:
References: <4948F6A7-800B-42CA-ACCE-4E0CA9259638@fluxlabs.net>
Message-ID: <630D6A63-A41C-418E-8EA2-517447CB4A77@fluxlabs.net>

Should work .. I'm not at my computers; but looks good.

--
Jeremy McSpadden

On Sep 27, 2011, at 3:51 PM, "sonidhaval@gmail.com" wrote:

Hi,

I have just added Sign Clean Messages = %rules-dir%/signing.rules in MailScanner.conf and below to signing.rules.

FromOrTo: default yes
To: *@domain.com no

Is that okay?

Thank you,

On Wed, Sep 28, 2011 at 2:02 AM, Jeremy McSpadden wrote:

Setup a rule. Just like the rest of them.

--
Jeremy McSpadden

On Sep 27, 2011, at 3:30 PM, "sonidhaval@gmail.com" wrote:

Dear All,

By default, MailScanner is adding "Inline HTML Signature" or "Inline Text Signature" to the end of uninfected messages if Sign Clean Messages = yes.

But can we configure MailScanner that it can not add signature for particular one domain even emails are getting cleaned by MailScanner ?

System:

CentOS5.6 (64bit)
MailScanner 4.79)
SpamAssassin

Thank you,

--
Kind regards,
Dhaval Soni ( RHCA )

Active Contributor of LinuxArticles.org

--
Kind regards,
Dhaval Soni ( RHCA )

Active Contributor of LinuxArticles.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110927/be834d68/attachment.html

From markus at markusoft.se Wed Sep 28 07:17:38 2011
From: markus at markusoft.se (Markus Nilsson)
Date: Wed Sep 28 07:17:55 2011
Subject: Regarding MailScanner signature.
In-Reply-To:
Message-ID:

Hi!

You need to have them the other way around, also remove the "*"

To: @domain.com no
FromOrTo: default yes

/Markus

----- Original message -----
From: sonidhaval@gmail.com
To: "MailScanner discussion"
Sent: Tuesday, 27 Sep 2011 22:49:12
Subject: Re: Regarding MailScanner signature.

Hi,

I have just added Sign Clean Messages = %rules-dir%/signing.rules in MailScanner.conf and below to signing.rules.

FromOrTo: default yes
To: *@domain.com no

Is that okay?

Thank you,

On Wed, Sep 28, 2011 at 2:02 AM, Jeremy McSpadden < jeremy@fluxlabs.net > wrote:

Setup a rule. Just like the rest of them.

--
Jeremy McSpadden

On Sep 27, 2011, at 3:30 PM, " sonidhaval@gmail.com " < sonidhaval@gmail.com > wrote:

Dear All, By default, MailScanner is adding "Inline HTML Signature" or "Inline Text Signature" to the end of uninfected messages if Sign Clean Messages = yes. But can we configure MailScanner that it can not add signature for particular one domain even emails are getting cleaned by MailScanner ? System: CentOS5.6 (64bit) MailScanner 4.79) SpamAssassin Thank you, -- Kind regards, Dhaval Soni ( RHCA ) Active Contributor of LinuxArticles.org
--
Kind regards,
Dhaval Soni ( RHCA )

Active Contributor of LinuxArticles.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110928/f32ac3ff/attachment.html

From sonidhaval at gmail.com Wed Sep 28 12:27:42 2011
From: sonidhaval at gmail.com (sonidhaval@gmail.com)
Date: Wed Sep 28 12:28:31 2011
Subject: Regarding MailScanner signature.
In-Reply-To:
References:
Message-ID:

Thanks,

I have changed my rule as mentioned below.

On Wed, Sep 28, 2011 at 11:47 AM, Markus Nilsson wrote:

> Hi!
>
> You need to have them the other way around, also remove the "*"
>
> To: @domain.com no
> FromOrTo: default yes
>
> /Markus
>
> ------------------------------
> *From: *sonidhaval@gmail.com
> *To: *"MailScanner discussion"
> *Sent: *Tuesday, 27 Sep 2011 22:49:12
> *Subject: *Re: Regarding MailScanner signature.
>
>
> Hi,
>
> I have just added Sign Clean Messages = %rules-dir%/signing.rules in
> MailScanner.conf and below to signing.rules.
>
> FromOrTo: default yes
> To: *@domain.com no
>
> Is that okay?
>
> Thank you,
>
>
> On Wed, Sep 28, 2011 at 2:02 AM, Jeremy McSpadden wrote:
>
>> Setup a rule. Just like the rest of them.
>>
>>
>> --
>> Jeremy McSpadden
>>
>> On Sep 27, 2011, at 3:30 PM, "sonidhaval@gmail.com" wrote:
>>
>> Dear All,
>>
>> By default, MailScanner is adding "Inline HTML Signature" or "Inline Text
>> Signature" to the end of uninfected messages if Sign Clean Messages = yes.
>>
>> But can we configure MailScanner that it can not add signature for
>> particular one domain even emails are getting cleaned by MailScanner ?
>> System: >> >> CentOS5.6 (64bit) >> MailScanner 4.79) >> SpamAssassin >> >> Thank you, >> >> >> -- >> Kind regards, >> Dhaval Soni ( RHCA ) >> >> Active Contributor of *LinuxArticles.org* >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> > > > -- > Kind regards, > Dhaval Soni ( RHCA ) > > Active Contributor of *LinuxArticles.org* > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Kind regards, Dhaval Soni ( RHCA ) Active Contributor of *LinuxArticles.org* -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110928/6dcba69a/attachment.html

From routerlinux at yahoo.es Thu Sep 29 22:17:10 2011
From: routerlinux at yahoo.es (Diego)
Date: Thu Sep 29 22:17:20 2011
Subject: Error MailScanner
Message-ID: <1317331030.54962.YahooMailNeo@web27003.mail.ukl.yahoo.com>

config: failed to parse line, skipping, in "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110929/5e75b5d9/attachment.html

From jeremy at fluxlabs.net Thu Sep 29 22:19:23 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Thu Sep 29 22:19:54 2011
Subject: Error MailScanner
In-Reply-To: <1317331030.54962.YahooMailNeo@web27003.mail.ukl.yahoo.com>
References: <1317331030.54962.YahooMailNeo@web27003.mail.ukl.yahoo.com>
Message-ID:

put a # in front of it and restart ms

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 29, 2011, at 4:17 PM, Diego wrote:

config: failed to parse line, skipping, in "/etc/MailScanner/spam.assassin.prefs.conf": use_auto_whitelist 0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110929/6e3e6819/attachment.html

From routerlinux at yahoo.es Fri Sep 30 05:22:05 2011
From: routerlinux at yahoo.es (Diego)
Date: Fri Sep 30 05:22:14 2011
Subject: Error MailScanner
Message-ID: <1317356525.43266.YahooMailNeo@web27004.mail.ukl.yahoo.com>

root@fx:/etc/MailScanner# MailScanner -debug

In Debugging mode, not forking...
Trying to setlogsock(unix)
Building a message batch to scan...
Insecure dependency in open while running with -T switch at /usr/share/MailScanner//MailScanner/Lock.pm line 358.

Use mailscanner 4.79.11-2.2, and Debian 6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110930/3aa1681c/attachment.html

From mike at leawood.com Fri Sep 30 06:22:45 2011
From: mike at leawood.com (Mike)
Date: Fri Sep 30 06:22:55 2011
Subject: Error MailScanner
In-Reply-To: <1317356525.43266.YahooMailNeo@web27004.mail.ukl.yahoo.com>
References: <1317356525.43266.YahooMailNeo@web27004.mail.ukl.yahoo.com>
Message-ID:

On Fri, 30 Sep 2011, Diego wrote:

>
> root@fx:/etc/MailScanner# MailScanner -debug
>
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
> Building a message batch to scan...
> Insecure dependency in open while running with -T switch at /usr/share/MailScanner//MailScanner/Lock.pm line 358.

Perhaps the extra / might have something of pointing to the correct
file? Also, did you look at line 358 in the file to see what it is?

Regards,

Mike

From maxsec at gmail.com Fri Sep 30 06:33:58 2011
From: maxsec at gmail.com (Martin Hepworth)
Date: Fri Sep 30 06:34:08 2011
Subject: Error MailScanner
In-Reply-To:
References: <1317356525.43266.YahooMailNeo@web27004.mail.ukl.yahoo.com>
Message-ID:

Latest beta and running with the -u switch at the top should sort this,
looks like you've upgraded perl and not upgraded MS

martin

On Friday, 30 September 2011, Mike wrote:
> On Fri, 30 Sep 2011, Diego wrote:
>
>>
>> root@fx:/etc/MailScanner# MailScanner -debug
>>
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>> Building a message batch to scan...
>> Insecure dependency in open while running with -T switch at /usr/share/MailScanner//MailScanner/Lock.pm line 358.
>
>
> Perhaps the extra / might have something of pointing to the correct
> file?
> Also, did you look at line 358 in the file to see what it is?
>
> Regards,
>
>
> Mike
>

--
--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110930/60841cff/attachment.html

From anderson at quicksoft.com.br Fri Sep 30 12:04:42 2011
From: anderson at quicksoft.com.br (Anderson Arthur Nuss)
Date: Fri Sep 30 12:05:11 2011
Subject: RES: Error MailScanner
In-Reply-To:
References: <1317356525.43266.YahooMailNeo@web27004.mail.ukl.yahoo.com>
Message-ID: <53109E15F41BA948814ABF39E43A44A63B4B9089@exchsrv01.quickbnu.quicksoft.local>

Hi,

Really a thing the problem was on perl.

I'm running now MailScanner with -U option by perl and now Works Fine.

cat /usr/sbin/MailScanner |more
#!/usr/bin/perl -I/usr/lib/MailScanner -U

Thanks for all.

Anderson.

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Martin Hepworth
Sent: Friday, 30 September 2011 02:34
To: MailScanner discussion
Subject: Re: Error MailScanner

Latest beta and running with the -u switch at the top should sort this,
looks like you've upgraded perl and not upgraded MS

martin

On Friday, 30 September 2011, Mike wrote:
> On Fri, 30 Sep 2011, Diego wrote:
>
>>
>> root@fx:/etc/MailScanner# MailScanner -debug
>>
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>> Building a message batch to scan...
>> Insecure dependency in open while running with -T switch at /usr/share/MailScanner//MailScanner/Lock.pm line 358.
>
>
> Perhaps the extra / might have something of pointing to the correct
> file? Also, did you look at line 358 in the file to see what it is?
>
> Regards,
>
>
> Mike
>

--
--
Martin Hepworth
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110930/3c36e5e7/attachment.html

From routerlinux at yahoo.es Fri Sep 30 15:26:19 2011
From: routerlinux at yahoo.es (Diego)
Date: Fri Sep 30 15:26:28 2011
Subject: Error in MailScanner **
Message-ID: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com>

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-unconfigured-debian-site-MailScanner-From
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110930/084740ea/attachment.html

From jeremy at fluxlabs.net Fri Sep 30 15:41:43 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Fri Sep 30 15:42:19 2011
Subject: Error in MailScanner **
In-Reply-To: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com>
References: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com>
Message-ID: <66FB6ACF-6A64-4CD0-A64D-0B35DCE556C1@fluxlabs.net>

Do what it says. Change your envelope header.

--
Jeremy McSpadden

On Sep 30, 2011, at 9:34 AM, "Diego" wrote:

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match X-unconfigured-debian-site-MailScanner-From

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110930/5b95bbe3/attachment.html

From mikael at syska.dk Fri Sep 30 15:49:50 2011
From: mikael at syska.dk (Mikael Syska)
Date: Fri Sep 30 15:50:03 2011
Subject: Error in MailScanner **
In-Reply-To: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com>
References: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com>
Message-ID:

Hi,

On Fri, Sep 30, 2011 at 4:26 PM, Diego wrote:
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-unconfigured-debian-site-MailScanner-From

What seems to be the problem? What have you configured?

What are the values in MailScanner.conf and spam.assassin.prefs.conf?

I guess they don't match from the error description.

Best regards,
Mikael Syska

From sbanderson at impromed.com Fri Sep 30 16:56:12 2011
From: sbanderson at impromed.com (Scott B. Anderson)
Date: Fri Sep 30 16:56:50 2011
Subject: Error in MailScanner **
In-Reply-To:
References: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com>
Message-ID: <7D95F4DE708E0948892128F41A25073816A78EBF@ES2.impromed.com>

I have the same message when I -lint, and they are set exactly identical. I'm chalking it up to a tab, special char or unseen whitespace error...either way watermarking is working as it is supposed to for me, so I've not worried about it.

FC13 32-bit.
Scott

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mikael Syska
Sent: Friday, September 30, 2011 9:50 AM
To: MailScanner discussion
Subject: Re: Error in MailScanner **

Hi,

On Fri, Sep 30, 2011 at 4:26 PM, Diego wrote:
>
> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
> ERROR: is not correct, it should match
> X-unconfigured-debian-site-MailScanner-From

What seems to be the problem? What have you configured?

What are the values in MailScanner.conf and spam.assassin.prefs.conf?

I guess they don't match from the error description.

Best regards,
Mikael Syska

--
ImproMed, LLC.
--

From jeremy at fluxlabs.net Fri Sep 30 17:02:40 2011
From: jeremy at fluxlabs.net (Jeremy McSpadden)
Date: Fri Sep 30 17:03:38 2011
Subject: Error in MailScanner **
In-Reply-To: <7D95F4DE708E0948892128F41A25073816A78EBF@ES2.impromed.com>
References: <1317392779.28613.YahooMailNeo@web27007.mail.ukl.yahoo.com> <7D95F4DE708E0948892128F41A25073816A78EBF@ES2.impromed.com>
Message-ID: <78823011-3429-4426-9CD3-6FD231441FCA@fluxlabs.net>

You need to edit the spam.assassin.prefs.conf file and change your envelope_sender_header to match your MailScanner-From line. Match it to your Org from Mailscanner.conf.

It looks as though you have not completely edited your Mailscanner.conf file.

unconfigured-debian-site

--
Jeremy McSpadden

On Sep 30, 2011, at 10:58 AM, "Scott B.
Anderson" wrote:

I have the same message when I -lint, and they are set exactly identical. I'm chalking it up to a tab, special char or unseen whitespace error...either way watermarking is working as it is supposed to for me, so I've not worried about it.

FC13 32-bit.

Scott

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mikael Syska
Sent: Friday, September 30, 2011 9:50 AM
To: MailScanner discussion
Subject: Re: Error in MailScanner **

Hi,

On Fri, Sep 30, 2011 at 4:26 PM, Diego wrote:

ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf
ERROR: is not correct, it should match
X-unconfigured-debian-site-MailScanner-From

What seems to be the problem? What have you configured?

What are the values in MailScanner.conf and spam.assassin.prefs.conf?

I guess they don't match from the error description.

Best regards,
Mikael Syska

--
ImproMed, LLC.
--

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20110930/160343d6/attachment.html
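
The envelope_sender_header mismatch discussed in this thread, including the case where two values look identical but differ by a tab or other unseen byte, can be checked mechanically. The script below is an added example, not part of any list message and not MailScanner's own code; the key names `%org-name%` and `Envelope From Header`, the default template, and the sample file contents are assumptions made for illustration.

```shell
# Added example, not MailScanner code. Key names (%org-name%, "Envelope From
# Header", envelope_sender_header) are assumed from the stock config files.
expected_header() {   # $1 = MailScanner.conf; prints the header name SA should use
  awk '
    /^[ \t]*#/ { next }
    {
      sub(/\r$/, "")
      eq = index($0, "="); if (!eq) next
      k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == "%org-name%") org = v
      if (k == "envelopefromheader") tmpl = v
    }
    END {
      if (tmpl == "") tmpl = "X-%org-name%-MailScanner-From:"   # assumed default
      while ((i = index(tmpl, "%org-name%")) > 0)
        tmpl = substr(tmpl, 1, i - 1) org substr(tmpl, i + 10)
      sub(/:$/, "", tmpl)
      print tmpl
    }' "$1"
}

sa_header() {   # $1 = spam.assassin.prefs.conf; trailing bytes are kept on purpose
  sed -n 's/^[[:space:]]*envelope_sender_header[[:space:]]\{1,\}//p' "$1" | tail -n 1
}

check_envelope_header() {   # $1 = MailScanner.conf, $2 = spam.assassin.prefs.conf
  want=$(expected_header "$1")
  got=$(sa_header "$2")
  visible=$(printf '%s' "$got" | LC_ALL=C tr -cd '\41-\176')   # printable ASCII only
  if [ "$got" = "$want" ]; then
    echo "OK"
  elif [ "$visible" = "$want" ]; then
    echo "HIDDEN-CHARS"                  # same text plus tab/CR/space bytes
    printf '%s' "$got" | od -c >&2       # show the offending bytes
  else
    echo "MISMATCH: want $want"
  fi
}

# Constructed sample files (not from the thread) so the script runs offline.
make_samples() {   # $1 = directory
  printf '%%org-name%% = example-org\nEnvelope From Header = X-%%org-name%%-MailScanner-From:\n' > "$1/MailScanner.conf"
  printf 'envelope_sender_header X-example-org-MailScanner-From\n' > "$1/good.conf"
  printf 'envelope_sender_header X-example-org-MailScanner-From\t\r\n' > "$1/hidden.conf"
  printf 'envelope_sender_header X-unconfigured-debian-site-MailScanner-From\n' > "$1/stale.conf"
}
if [ "$#" -eq 2 ]; then check_envelope_header "$1" "$2"; fi
```

Run it with the two configuration file paths as arguments; a `HIDDEN-CHARS` result comes with an `od -c` dump of the stored value on stderr.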