From paul at welshfamily.com  Mon Oct  1 15:43:58 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Mon, 1 Oct 2012 15:43:58 +0100
Subject: Email with virus getting through
Message-ID: <CAA510g48OPZzPSMFnYARUoA_yyhQ14NjJJQXE9nnaEaX-HWfgQ@mail.gmail.com>

Hi all I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS
6.3 with Exim 4.76 and an infected message is being delivered.  Here's
the maillog extract.  I've changed the recipient domain to
mydomain.com:

Oct  1 10:34:00 mail MailScanner[15454]: Infected message
1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
came from
Oct  1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from
83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam,
SpamAssassin (score=2.798, required 6, autolearn=disabled,
DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL
0.97, UNPARSEABLE_RELAY 0.00)
Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message
1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to
postmaster at mydomain.com with subject  Your friend added a new photo
with you to the album

As you can see, it's identified as Infected but still delivered.

If I manually scan the message, I get this from f-prot:
# /opt/f-prot/fpscan Y*.eml
<snip>
[Found possible security risk] <W32/Heuristic-200!Eldorado (not
disinfectable)> 	Your friend added a new photo with you to the
album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
[Contains infected objects]	Your friend added a new photo with you to
the album.eml


I get this from clam:
# clamscan Y*.eml
Your friend added a new photo with you to the album.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 1314671
Engine version: 0.97.6
Scanned directories: 0
Scanned files: 1
Infected files: 0

In MailScanner.conf I have these set but neither affect virus
checking, apparently:
Maximum Archive Depth = 0
Find Archives By Content = no

I also have:
Virus Scanning = yes
Virus Scanners = clamav f-prot-6
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Block Encrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Dangerous Content Scanning = yes
Allow Partial Messages = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = no

Any ideas?

For now, I have tried this.  Previously it was not set:
Archives: Deny Filenames = \.exe$

From maxsec at gmail.com  Mon Oct  1 17:31:01 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 1 Oct 2012 17:31:01 +0100
Subject: Email with virus getting through
In-Reply-To: <CAA510g48OPZzPSMFnYARUoA_yyhQ14NjJJQXE9nnaEaX-HWfgQ@mail.gmail.com>
References: <CAA510g48OPZzPSMFnYARUoA_yyhQ14NjJJQXE9nnaEaX-HWfgQ@mail.gmail.com>
Message-ID: <CAGDKor+-NNLxQpGDLW+zzRi5Q3hBTKOM=ejpBeRppWXeVnB7Yg@mail.gmail.com>

the double attachment check should have blocked this - never mind the
anti-virus products

you sure you've not turned that off somehow in the filetypes rule?
http://www.mailscanner.info/files/filename.rules.conf

-- 
Martin Hepworth, CISSP
Oxford, UK


On 1 October 2012 15:43, Paul Welsh <paul at welshfamily.com> wrote:

> Hi all I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS
> 6.3 with Exim 4.76 and an infected message is being delivered.  Here's
> the maillog extract.  I've changed the recipient domain to
> mydomain.com:
>
> Oct  1 10:34:00 mail MailScanner[15454]: Infected message
>
> 1TIcNu-0004Ww-Ny.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> came from
> Oct  1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from
> 83.149.158.186 (truismsjb95 at paypal.com) to mydomain.com is not spam,
> SpamAssassin (score=2.798, required 6, autolearn=disabled,
> DKIM_ADSP_ALL 1.10, HTML_MESSAGE 0.00, RCVD_IN_XBL 0.72, SPF_SOFTFAIL
> 0.97, UNPARSEABLE_RELAY 0.00)
> Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message
> 1TIcNu-0004Ww-Ny from truismsjb95 at paypal.com to
> postmaster at mydomain.com with subject  Your friend added a new photo
> with you to the album
>
> As you can see, it's identified as Infected but still delivered.
>
> If I manually scan the message, I get this from f-prot:
> # /opt/f-prot/fpscan Y*.eml
> <snip>
> [Found possible security risk] <W32/Heuristic-200!Eldorado (not
> disinfectable)>         Your friend added a new photo with you to the
> album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> [Contains infected objects]     Your friend added a new photo with you to
> the album.eml
>
>
> I get this from clam:
> # clamscan Y*.eml
> Your friend added a new photo with you to the album.eml: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1314671
> Engine version: 0.97.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
>
> In MailScanner.conf I have these set but neither affect virus
> checking, apparently:
> Maximum Archive Depth = 0
> Find Archives By Content = no
>
> I also have:
> Virus Scanning = yes
> Virus Scanners = clamav f-prot-6
> Deliver Disinfected Files = no
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
> Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
> Block Encrypted Messages = no
> Allow Password-Protected Archives = no
> Check Filenames In Password-Protected Archives = yes
> Dangerous Content Scanning = yes
> Allow Partial Messages = no
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = no
>
> Any ideas?
>
> For now, I have tried this.  Previously it was not set:
> Archives: Deny Filenames = \.exe$
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121001/7c1e7211/attachment.html 

From paul at welshfamily.com  Mon Oct  1 22:00:28 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Mon, 1 Oct 2012 22:00:28 +0100
Subject: Email with virus getting through
In-Reply-To: <CAGDKor+-NNLxQpGDLW+zzRi5Q3hBTKOM=ejpBeRppWXeVnB7Yg@mail.gmail.com>
References: <CAA510g48OPZzPSMFnYARUoA_yyhQ14NjJJQXE9nnaEaX-HWfgQ@mail.gmail.com>
	<CAGDKor+-NNLxQpGDLW+zzRi5Q3hBTKOM=ejpBeRppWXeVnB7Yg@mail.gmail.com>
Message-ID: <CAA510g5++CJ_MkWk1wMi31dZBE=Brvdx1pKA-sGZCWuecZJuWA@mail.gmail.com>

On 1 October 2012 17:31, Martin Hepworth <maxsec at gmail.com> wrote:
> the double attachment check should have blocked this - never mind the
> anti-virus products
>
> you sure you've not turned that off somehow in the filetypes rule?
> http://www.mailscanner.info/files/filename.rules.conf
>

Hi Martin

As I said previously, I changed this in MailScanner.conf in an attempt
to stop this:
Archives: Deny Filenames = \.exe$

This evening I then sent myself the infected message and got this:
Oct  1 20:29:56 mail MailScanner[6096]: New Batch: Scanning 2
messages, 70239 bytes
Oct  1 20:29:56 mail MailScanner[6096]: Virus and Content Scanning: Starting
Oct  1 20:30:00 mail MailScanner[6096]: [Found trojan]
<W32/Trojan3.EBT (exact, not disinfectable)>
./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: F-Prot6 found
2 infections
Oct  1 20:30:00 mail MailScanner[6096]: Infected message
1TIlgf-0002Ar-ST came from <snip>
Oct  1 20:30:00 mail MailScanner[6096]: Infected message
1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
came from
Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: Found 2 viruses
Oct  1 20:30:00 mail MailScanner[6096]: Viruses marked as silent:
F-Prot6: [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)>
./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe

Note that now f-prot classifies it as W32/Trojan3.EBT whereas
previously it was W32/Heuristic-200!Eldorado.

Likewise when I scan it manually:
# /opt/f-prot/fpscan Y*.eml
...
[Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)> 	Your
friend added a new photo with you to the
album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
[Contains infected objects]	Your friend added a new photo with you to
the album.eml

So it has gone from being a "possible security risk" to a "trojan".
Clearly this is because f-prot was updated:
Oct  1 16:09:18 mail F-Prot-6 autoupdate[32668]: F-Prot-6 updated
Oct  1 19:09:17 mail F-Prot-6 autoupdate[6790]: F-Prot-6 updated

Clam still says it is fine, even though I have confirmed Clam is up to
date (and in fact has found several viruses recently):
# clamscan -V
ClamAV 0.97.6/15420/Mon Oct  1 12:57:26 2012

So, clearly f-prot's "possible security risk" isn't a sufficiently
severe enough classification to get MailScanner to delete it.

Just goes to show the importance of having > 1 virus scanner and some
extra filename/filetype rules.

I haven't changed filename.rules.conf for over a year:
# Allow repeated file extension, e.g. blah.zip.zip
allow   (\.[a-z0-9]{3})\1$      -       -

# Deny all other double file extensions. This catches any hidden filenames.
deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename hiding

Regards

Paul

From ricardo at wenn.com  Tue Oct  2 10:57:02 2012
From: ricardo at wenn.com (Ricardo Branco)
Date: Tue, 02 Oct 2012 10:57:02 +0100
Subject: SpamAssasin Rule Actions ignores Whitelist entries
Message-ID: <506ABA6E.6040100@wenn.com>

An old issue has come up again.

http://lists.mailscanner.info/pipermail/mailscanner/2010-March/095358.html

We seem to have this and ive had to disable the rule action which means more spam will now get through.

Oct  2 10:38:51 posti MailScanner[4163]: Message q929cgk9004175 from 10.0.0.xxx (newsdesk at wenn.com) is whitelisted
Oct  2 10:38:51 posti MailScanner[4163]: SpamAssassin cache hit for message q929cgk9004175
Oct  2 10:38:51 posti MailScanner[4163]: SpamAssassin Rule Actions: rule spamscore>=20 caused action delete in message 
q929cgk9004175
Oct  2 10:38:51 posti MailScanner[4163]: Non-delivery of nonspam: message q929cgk9004175 from newsdesk at wenn.com to 
xxxxxx at xxxxxxxxx with subject WENN - ELITE
Oct  2 10:38:52 posti MailScanner[4163]: Logging message q929cgk9004175 to SQL



-- 
The information contained in or attached to this email is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorised to and must not disclose, copy, distribute, or retain any message or any part of it. If you have received an email in error, please contact the sender and delete the material from any computer.  The contents of this email are not for publication unless specifically stated.  Furthermore, the information contained in this message, and any attachment(s) thereto, is for information purposes only and may contain the personal views and opinions of the author, which are not necessarily the views and opinions of WENN or its subsidiaries and associated companies.  We make every effort to keep our network free from viruses. However, you do need to check this e-mail and any attachments to it for viruses as we can take no responsibility for any computer virus which may be transferred by way!
  of this e-mail.

WENN Ltd: Registered Office: 35 Tileyard Studios, Tileyard Road, London, N7 9AH, England.  Registered No: 4375163.  Place of Registration: United Kingdom.
USA Entertainment News Inc (d/b/a WENN):  Registered Office: 60 Madison Avenue, Suite 1027, New York, NY 10010, USA

The WENN name, design and related marks are trademarks of the WENN group of companies.  (c) 2012 All Rights Reserved.


From dave at KD0YU.COM  Tue Oct  2 12:05:16 2012
From: dave at KD0YU.COM (Dave Helton)
Date: Tue, 2 Oct 2012 06:05:16 -0500
Subject: SpamAssasin Rule Actions ignores Whitelist entries
In-Reply-To: <506ABA6E.6040100@wenn.com>
References: <506ABA6E.6040100@wenn.com>
Message-ID: <77F23E6E4DE9084BA33755BA403E53FCFA678EC7B0@S8.KD0YU.COM>

Richardo,

  I have seen a lot of updates to spamassassin recently.
Are you getting updates as well?  And, are they over-writing
your 'local.cf' rule set?

  After I discovered the local.cf file was getting over-written, I moved
all the rules I had placed in there to another .cf file so it wouldn't
happen again.

  You might look at the "shortcircuit" function in the local.cf file, I think
it might be what you're looking for.  Oh.. and put it in a different file,
like 'site.cf' or something ;)

--Dave, KD0YU

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Ricardo Branco
> Sent: Tuesday, October 02, 2012 4:57 AM
> To: MailScanner discussion
> Subject: SpamAssasin Rule Actions ignores Whitelist entries
>
> An old issue has come up again.
>
> http://lists.mailscanner.info/pipermail/mailscanner/2010-March/095358.html
>
> We seem to have this and ive had to disable the rule action which means
> more spam will now get through.
>
> Oct  2 10:38:51 posti MailScanner[4163]: Message q929cgk9004175 from
> 10.0.0.xxx (newsdesk at wenn.com) is whitelisted Oct  2 10:38:51 posti
> MailScanner[4163]: SpamAssassin cache hit for message q929cgk9004175 Oct
> 2 10:38:51 posti MailScanner[4163]: SpamAssassin Rule Actions: rule
> spamscore>=20 caused action delete in message

-- 
This message has been scanned for viruses and dangerous content
by MailScanner at KD0YU.COM, and is believed to be clean.


From glenn.steen at gmail.com  Fri Oct  5 16:23:16 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 5 Oct 2012 17:23:16 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To: <VA.00003f39.094045f4@news.conactive.com>
References: <VA.00003f39.094045f4@news.conactive.com>
Message-ID: <CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>

Den 27 sep 2012 12:03 skrev "Kai Schaetzl" <maillists at conactive.com>:
>
> I seem to be hitting some problem with the content of this file lately or
> may have just not recognized it earlier and may have been using a wrong
> format for some time.
> Locally released messages are caught although they are exempted by
> scan.messages.rules. It seems I have to exempt them in allow.filename.conf
> as well.
>
> Is something like this going to work?
>
> FromOrTo:   127.0.0.1   yes
> \.txt$  yes
> \.pdf$  yes
> \.bmp$  yes
> \.rel$  yes
> \.rels  yes
>

Hi Kai,

No, that looks wrong. Take a look at the overloading examples in the wiki,
to see what you'd need... Basically a ruleset that overload a "pure allow"
file for localhost...;-). Remember to do both name and type!
The ruleset(s) need a normal defaulr entry for the respective
filename/filetype rulesets.

> Do I need a default rule at the end?
>
> Thanks,?
>
> Kai
>

Cheers
-- 
-- Glenn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121005/eacc723b/attachment.html 

From glenn.steen at gmail.com  Fri Oct  5 16:33:29 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri, 5 Oct 2012 17:33:29 +0200
Subject: Email with virus getting through
In-Reply-To: <CAA510g5++CJ_MkWk1wMi31dZBE=Brvdx1pKA-sGZCWuecZJuWA@mail.gmail.com>
References: <CAA510g48OPZzPSMFnYARUoA_yyhQ14NjJJQXE9nnaEaX-HWfgQ@mail.gmail.com>
	<CAGDKor+-NNLxQpGDLW+zzRi5Q3hBTKOM=ejpBeRppWXeVnB7Yg@mail.gmail.com>
	<CAA510g5++CJ_MkWk1wMi31dZBE=Brvdx1pKA-sGZCWuecZJuWA@mail.gmail.com>
Message-ID: <CAAug_B-a5T-yt_7u9hFpn2A=7SOWPVtLck3LBSUyxw3jaAS1EQ@mail.gmail.com>

Guess the fp6 wrapper and/or sweepviruses need some tender-love-and-care to
actually do the right thing on a heuristic match... Someone who has fp6
should look at it (iow, not me;-).

Cheers
-- 
-- Glenn
Den 1 okt 2012 23:24 skrev "Paul Welsh" <paul at welshfamily.com>:

> On 1 October 2012 17:31, Martin Hepworth <maxsec at gmail.com> wrote:
> > the double attachment check should have blocked this - never mind the
> > anti-virus products
> >
> > you sure you've not turned that off somehow in the filetypes rule?
> > http://www.mailscanner.info/files/filename.rules.conf
> >
>
> Hi Martin
>
> As I said previously, I changed this in MailScanner.conf in an attempt
> to stop this:
> Archives: Deny Filenames = \.exe$
>
> This evening I then sent myself the infected message and got this:
> Oct  1 20:29:56 mail MailScanner[6096]: New Batch: Scanning 2
> messages, 70239 bytes
> Oct  1 20:29:56 mail MailScanner[6096]: Virus and Content Scanning:
> Starting
> Oct  1 20:30:00 mail MailScanner[6096]: [Found trojan]
> <W32/Trojan3.EBT (exact, not disinfectable)>
>
> ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: F-Prot6 found
> 2 infections
> Oct  1 20:30:00 mail MailScanner[6096]: Infected message
> 1TIlgf-0002Ar-ST came from <snip>
> Oct  1 20:30:00 mail MailScanner[6096]: Infected message
>
> 1TIlgf-0002Ar-ST.message->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> came from
> Oct  1 20:30:00 mail MailScanner[6096]: Virus Scanning: Found 2 viruses
> Oct  1 20:30:00 mail MailScanner[6096]: Viruses marked as silent:
> F-Prot6: [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)>
>
> ./1TIlgf-0002Ar-ST/FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
>
> Note that now f-prot classifies it as W32/Trojan3.EBT whereas
> previously it was W32/Heuristic-200!Eldorado.
>
> Likewise when I scan it manually:
> # /opt/f-prot/fpscan Y*.eml
> ...
> [Found trojan] <W32/Trojan3.EBT (exact, not disinfectable)>     Your
> friend added a new photo with you to the
> album.eml->FacebookPhoto_ID9506-2485.zip->PayPal_Payment_Received.pdf.exe
> [Contains infected objects]     Your friend added a new photo with you to
> the album.eml
>
> So it has gone from being a "possible security risk" to a "trojan".
> Clearly this is because f-prot was updated:
> Oct  1 16:09:18 mail F-Prot-6 autoupdate[32668]: F-Prot-6 updated
> Oct  1 19:09:17 mail F-Prot-6 autoupdate[6790]: F-Prot-6 updated
>
> Clam still says it is fine, even though I have confirmed Clam is up to
> date (and in fact has found several viruses recently):
> # clamscan -V
> ClamAV 0.97.6/15420/Mon Oct  1 12:57:26 2012
>
> So, clearly f-prot's "possible security risk" isn't a sufficiently
> severe enough classification to get MailScanner to delete it.
>
> Just goes to show the importance of having > 1 virus scanner and some
> extra filename/filetype rules.
>
> I haven't changed filename.rules.conf for over a year:
> # Allow repeated file extension, e.g. blah.zip.zip
> allow   (\.[a-z0-9]{3})\1$      -       -
>
> # Deny all other double file extensions. This catches any hidden filenames.
> deny    \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$   Found possible filename
> hiding
>
> Regards
>
> Paul
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121005/0b2e042b/attachment.html 

From pinemail11 at gmail.com  Sat Oct  6 12:56:21 2012
From: pinemail11 at gmail.com (Mail Admin)
Date: Sat, 6 Oct 2012 17:26:21 +0530
Subject: Attachment restriction for specific user
Message-ID: <CACGqapKKz6X7mc5Tw7RCHd-5HdQKRJYa0HbnnTJvoOvyTm2CvQ@mail.gmail.com>

Hi Experts,

I have blocked send and receive attachment for one user out of five normal
users in mailscanner. When i tried to send attachments to multiple users
including restricted user and all users getting attachment restricted.


I have made the entry in
/etc/Mailscanner/rules/maximum.attachment.size.rules

From:     user1 at mydomain.com   1b
To:       user1 at mydoamin.com   1b

The above configuration is working fine for me but when this user is part
of group of recipients then same configuration affects on all users.


Kindly advise.

Thanks in advance,
Pinemail
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121006/af7e6d35/attachment.html 

From maillists at conactive.com  Sun Oct  7 13:31:15 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun, 07 Oct 2012 14:31:15 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To: <CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>
References: <VA.00003f39.094045f4@news.conactive.com>
	<CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>
Message-ID: <VA.00003f41.3d5afbbb@news.conactive.com>

Glenn Steen wrote on Fri, 5 Oct 2012 17:23:16 +0200:

> No, that looks wrong. Take a look at the overloading examples in the wiki,
> to see what you'd need... Basically a ruleset that overload a "pure allow"
> file for localhost...;-). Remember to do both name and type!

So, something like this?

From:  127.0.0.1  \.txt
FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels

where txt files from localhost would be allowed. What about allowing all 
files from local? Does this look ok, then?

From:  127.0.0.1  .*
FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels


Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




From bonivart at opencsw.org  Sun Oct  7 14:02:27 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Sun, 7 Oct 2012 15:02:27 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To: <VA.00003f41.3d5afbbb@news.conactive.com>
References: <VA.00003f39.094045f4@news.conactive.com>
	<CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>
	<VA.00003f41.3d5afbbb@news.conactive.com>
Message-ID: <CABY0g1Xc4eMfJgeG29a9JkoysZzpw22m+y_+BLiuibL496u+GA@mail.gmail.com>

On Sun, Oct 7, 2012 at 2:31 PM, Kai Schaetzl <maillists at conactive.com> wrote:
> Glenn Steen wrote on Fri, 5 Oct 2012 17:23:16 +0200:
>
>> No, that looks wrong. Take a look at the overloading examples in the wiki,
>> to see what you'd need... Basically a ruleset that overload a "pure allow"
>> file for localhost...;-). Remember to do both name and type!
>
> So, something like this?
>
> From:  127.0.0.1  \.txt
> FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels
>
> where txt files from localhost would be allowed. What about allowing all
> files from local? Does this look ok, then?
>
> From:  127.0.0.1  .*
> FromOrTo: default \.txt$ \.pdf$ \.bmp$ \.rel$ \.rels

Remember that rulesets decide on an option from MailScanner.conf. What
option is it you're trying to create a ruleset for? Let's start there.

/peter

From maxsec at gmail.com  Sun Oct  7 16:59:52 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Sun, 7 Oct 2012 16:59:52 +0100
Subject: Attachment restriction for specific user
In-Reply-To: <CACGqapKKz6X7mc5Tw7RCHd-5HdQKRJYa0HbnnTJvoOvyTm2CvQ@mail.gmail.com>
References: <CACGqapKKz6X7mc5Tw7RCHd-5HdQKRJYa0HbnnTJvoOvyTm2CvQ@mail.gmail.com>
Message-ID: <CAGDKorKey0sWJCFW5ZiYyMyOXqOYBp5DvKpheOUZ=_ijMo3pdQ@mail.gmail.com>

You need to split the emails into individual ones for each recipient, only
way it can be done.

Here's a how-to for sendmail
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient

and postfix
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient


-- 
Martin Hepworth, CISSP
Oxford, UK


On 6 October 2012 12:56, Mail Admin <pinemail11 at gmail.com> wrote:

> Hi Experts,
>
> I have blocked send and receive attachment for one user out of five normal
> users in mailscanner. When i tried to send attachments to multiple users
> including restricted user and all users getting attachment restricted.
>
>
> I have made the entry in
> /etc/Mailscanner/rules/maximum.attachment.size.rules
>
> From:     user1 at mydomain.com   1b
> To:       user1 at mydoamin.com   1b
>
> The above configuration is working fine for me but when this user is part
> of group of recipients then same configuration affects on all users.
>
>
> Kindly advise.
>
> Thanks in advance,
> Pinemail
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121007/1338577b/attachment.html 

From bfebrian.milis at gmail.com  Mon Oct  8 11:30:49 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Mon, 8 Oct 2012 17:30:49 +0700
Subject: Receives email with blank body
Message-ID: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>

Dear all,

My customer have problems with their mailscanner installation, sometimes
users emails with blank body. I already search the web for possible
reasons, but can't find any.

This is the configurations:

MailScanner 4.84.5
Centos 6.2 64 bit
Sendmail 8.13
MailWatch-1.1.5.1
ClamAV 0.96.5

Best regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121008/ac45c7b2/attachment.html 

From maillists at conactive.com  Mon Oct  8 12:31:13 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon, 08 Oct 2012 13:31:13 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To: <CABY0g1Xc4eMfJgeG29a9JkoysZzpw22m+y_+BLiuibL496u+GA@mail.gmail.com>
References: <VA.00003f39.094045f4@news.conactive.com>
	<CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>
	<VA.00003f41.3d5afbbb@news.conactive.com>
	<CABY0g1Xc4eMfJgeG29a9JkoysZzpw22m+y_+BLiuibL496u+GA@mail.gmail.com>
Message-ID: <VA.00003f42.424a5323@news.conactive.com>

Peter Bonivart wrote on Sun, 7 Oct 2012 15:02:27 +0200:

> What
> option is it you're trying to create a ruleset for? Let's start there.

Isn't that clear from the first posting and the Subject?

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




From maxsec at gmail.com  Mon Oct  8 12:53:04 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 12:53:04 +0100
Subject: Receives email with blank body
In-Reply-To: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
Message-ID: <CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>

Check the mailScanner logs for  that message to see if it's doing anything
'unusual' with the message.

-- 
Martin Hepworth, CISSP
Oxford, UK


On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com> wrote:

> Dear all,
>
> My customer have problems with their mailscanner installation, sometimes
> users emails with blank body. I already search the web for possible
> reasons, but can't find any.
>
> This is the configurations:
>
> MailScanner 4.84.5
> Centos 6.2 64 bit
> Sendmail 8.13
> MailWatch-1.1.5.1
> ClamAV 0.96.5
>
> Best regards
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121008/0ce706d8/attachment.html 

From bfebrian.milis at gmail.com  Mon Oct  8 16:27:23 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Mon, 8 Oct 2012 22:27:23 +0700
Subject: Receives email with blank body
In-Reply-To: <CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
Message-ID: <CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>

Dear Martin,

Thank you for the reply, but I don't see something strange in the maillog

[root at spam log]# cat maillog.1 | grep q917UfQF014676
Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>, proto=ESMTP,
daemon=MTA, relay=ln-static-202-77-100-39.link.net.id [202.77.100.39] (may
be forged)
Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<amiws at xyz.co.id>,
delay=00:00:11, mailer=smtp, pri=370562, stat=queued
Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam
checks (341198 > 200000 bytes)
Oct  1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676 to
SQL
Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
MailWatch SQL
Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<amiws at xyz.co.id>,
delay=00:00:13, xdelay=00:00:01, mailer=smtp, pri=460562,
relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent (Message
accepted for delivery)

Best Regards

On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com> wrote:

> Check the mailScanner logs for  that message to see if it's doing anything
> 'unusual' with the message.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>
>> Dear all,
>>
>> My customer have problems with their mailscanner installation, sometimes
>> users emails with blank body. I already search the web for possible
>> reasons, but can't find any.
>>
>> This is the configurations:
>>
>> MailScanner 4.84.5
>> Centos 6.2 64 bit
>> Sendmail 8.13
>> MailWatch-1.1.5.1
>> ClamAV 0.96.5
>>
>> Best regards
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121008/41035464/attachment.html 

From maxsec at gmail.com  Mon Oct  8 17:13:37 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 17:13:37 +0100
Subject: Receives email with blank body
In-Reply-To: <CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
Message-ID: <CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>

Is this consistent with large emails above the spam checks size limit?

If it is, you could run a test in debug mode of a large email to see what's
going flakey.

I presume the next host down the line (192.168.10.17) is handling this OK?


-- 
Martin Hepworth, CISSP
Oxford, UK


On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com> wrote:

> Dear Martin,
>
> Thank you for the reply, but I don't see something strange in the maillog
>
> [root at spam log]# cat maillog.1 | grep q917UfQF014676
> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>, proto=ESMTP,
> daemon=MTA, relay=ln-static-202-77-100-39.link.net.id [202.77.100.39]
> (may be forged)
> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<amiws at xyz.co.id>,
> delay=00:00:11, mailer=smtp, pri=370562, stat=queued
> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam
> checks (341198 > 200000 bytes)
> Oct  1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676 to
> SQL
> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
> MailWatch SQL
> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<amiws at xyz.co.id>,
> delay=00:00:13, xdelay=00:00:01, mailer=smtp, pri=460562,
> relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent (Message
> accepted for delivery)
>
> Best Regards
>
> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com> wrote:
>
>> Check the mailScanner logs for  that message to see if it's doing
>> anything 'unusual' with the message.
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>>
>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>>
>>> Dear all,
>>>
>>> My customer have problems with their mailscanner installation, sometimes
>>> users emails with blank body. I already search the web for possible
>>> reasons, but can't find any.
>>>
>>> This is the configurations:
>>>
>>> MailScanner 4.84.5
>>> Centos 6.2 64 bit
>>> Sendmail 8.13
>>> MailWatch-1.1.5.1
>>> ClamAV 0.96.5
>>>
>>> Best regards
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121008/784a0304/attachment.html 

From bfebrian.milis at gmail.com  Mon Oct  8 18:05:10 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Tue, 9 Oct 2012 00:05:10 +0700
Subject: Receives email with blank body
In-Reply-To: <CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
Message-ID: <CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>

Dear Martin,

This happen not always with big emails, many big emails still delivered
without any problems.

This problem appears to be random, but often.

The next host is the mail server, which is Lotus Domino 8.5.

Is it possible that the anti virus or mailwatch somehow altered the mail
format?

Best regards
On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:

> Is this consistent with large emails above the spam checks size limit?
>
> If it is, you could run a test in debug mode of a large email to see
> what's going flakey.
>
> I presume the next host down the line (192.168.10.17) is handling this OK?
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>
>> Dear Martin,
>>
>> Thank you for the reply, but I don't see something strange in the maillog
>>
>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>> [202.77.100.39] (may be forged)
>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<amiws at xyz.co.id>,
>> delay=00:00:11, mailer=smtp, pri=370562, stat=queued
>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam
>> checks (341198 > 200000 bytes)
>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676
>> to SQL
>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>> MailWatch SQL
>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<amiws at xyz.co.id>,
>> delay=00:00:13, xdelay=00:00:01, mailer=smtp, pri=460562,
>> relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent (Message
>> accepted for delivery)
>>
>> Best Regards
>>
>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com> wrote:
>>
>>> Check the mailScanner logs for  that message to see if it's doing
>>> anything 'unusual' with the message.
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>
>>>> Dear all,
>>>>
>>>> My customer have problems with their mailscanner installation,
>>>> sometimes users emails with blank body. I already search the web for
>>>> possible reasons, but can't find any.
>>>>
>>>> This is the configurations:
>>>>
>>>> MailScanner 4.84.5
>>>> Centos 6.2 64 bit
>>>> Sendmail 8.13
>>>> MailWatch-1.1.5.1
>>>> ClamAV 0.96.5
>>>>
>>>> Best regards
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121009/eb3056c9/attachment.html 

From maxsec at gmail.com  Mon Oct  8 19:31:19 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 19:31:19 +0100
Subject: Receives email with blank body
In-Reply-To: <CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
	<CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
Message-ID: <CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>

Doubt it, unless the antivirus on the Domino server did something to it,
all Mailwatch does is log the information.

Can you replay messages at all - ie do you use  the archive facility so you
can inject the message again while running in debug mode?


-- 
Martin Hepworth, CISSP
Oxford, UK


On 8 October 2012 18:05, Budi Febrianto <bfebrian.milis at gmail.com> wrote:

> Dear Martin,
>
> This happen not always with big emails, many big emails still delivered
> without any problems.
>
> This problem appears to be random, but often.
>
> The next host is the mail server, which is Lotus Domino 8.5.
>
> Is it possible that the anti virus or mailwatch somehow altered the mail
> format?
>
> Best regards
> On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:
>
>> Is this consistent with large emails above the spam checks size limit?
>>
>> If it is, you could run a test in debug mode of a large email to see
>> what's going flakey.
>>
>> I presume the next host down the line (192.168.10.17) is handling this
>> OK?
>>
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>>
>> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>>
>>> Dear Martin,
>>>
>>> Thank you for the reply, but I don't see something strange in the maillog
>>>
>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>>> [202.77.100.39] (may be forged)
>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<
>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562, stat=queued
>>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam
>>> checks (341198 > 200000 bytes)
>>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676
>>> to SQL
>>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>>> MailWatch SQL
>>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<
>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp,
>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent
>>> (Message accepted for delivery)
>>>
>>> Best Regards
>>>
>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>
>>>> Check the mailScanner logs for  that message to see if it's doing
>>>> anything 'unusual' with the message.
>>>>
>>>> --
>>>> Martin Hepworth, CISSP
>>>> Oxford, UK
>>>>
>>>>
>>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> My customer have problems with their mailscanner installation,
>>>>> sometimes users emails with blank body. I already search the web for
>>>>> possible reasons, but can't find any.
>>>>>
>>>>> This is the configurations:
>>>>>
>>>>> MailScanner 4.84.5
>>>>> Centos 6.2 64 bit
>>>>> Sendmail 8.13
>>>>> MailWatch-1.1.5.1
>>>>> ClamAV 0.96.5
>>>>>
>>>>> Best regards
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121008/bfb3069e/attachment.html 

From maxsec at gmail.com  Mon Oct  8 19:35:49 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 8 Oct 2012 19:35:49 +0100
Subject: Correct format for allow.filename.conf
In-Reply-To: <VA.00003f42.424a5323@news.conactive.com>
References: <VA.00003f39.094045f4@news.conactive.com>
	<CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>
	<VA.00003f41.3d5afbbb@news.conactive.com>
	<CABY0g1Xc4eMfJgeG29a9JkoysZzpw22m+y_+BLiuibL496u+GA@mail.gmail.com>
	<VA.00003f42.424a5323@news.conactive.com>
Message-ID: <CAGDKorKawBp6FrCDD3Py+edBB=fyk+H_EhYWT4w7gfii+nZ5FA@mail.gmail.com>

Kai
search for overloading in the mailscanner wiki.

I's also check  the Scan.messages.rules to make sure it's excepting from
localhost first then carrying on, as it will trigger on the first rule that
matches like a firewall rule.

http://www.mailscanner.info/MailScanner.conf.index.html#Scan%20Messages


-- 
Martin Hepworth, CISSP
Oxford, UK


On 8 October 2012 12:31, Kai Schaetzl <maillists at conactive.com> wrote:

> Peter Bonivart wrote on Sun, 7 Oct 2012 15:02:27 +0200:
>
> > What
> > option is it you're trying to create a ruleset for? Let's start there.
>
> Isn't that clear from the first posting and the Subject?
>
> Kai
>
> --
> Get your web at Conactive Internet Services: http://www.conactive.com
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121008/73be86fb/attachment.html 

From bfebrian.milis at gmail.com  Tue Oct  9 00:20:43 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Tue, 9 Oct 2012 06:20:43 +0700
Subject: Receives email with blank body
In-Reply-To: <CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
	<CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
	<CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
Message-ID: <CANcyygH_LTS9JAoBVD2oNrC045ZX82m_y=ka=46_n4sE2LfqVA@mail.gmail.com>

Noted, will activate the archive for all emails.
Sorry dumb question, but how to inject and run in debug mode?

Best regards
On Oct 9, 2012 1:58 AM, "Martin Hepworth" <maxsec at gmail.com> wrote:

> Doubt it, unless the antivirus on the Domino server did something to it,
> all Mailwatch does is log the information.
>
> Can you replay messages at all - ie do you use  the archive facility so
> you can inject the message again while running in debug mode?
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 8 October 2012 18:05, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>
>> Dear Martin,
>>
>> This happen not always with big emails, many big emails still delivered
>> without any problems.
>>
>> This problem appears to be random, but often.
>>
>> The next host is the mail server, which is Lotus Domino 8.5.
>>
>> Is it possible that the anti virus or mailwatch somehow altered the mail
>> format?
>>
>> Best regards
>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:
>>
>>> Is this consistent with large emails above the spam checks size limit?
>>>
>>> If it is, you could run a test in debug mode of a large email to see
>>> what's going flakey.
>>>
>>> I presume the next host down the line (192.168.10.17) is handling this
>>> OK?
>>>
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>
>>>> Dear Martin,
>>>>
>>>> Thank you for the reply, but I don't see something strange in the
>>>> maillog
>>>>
>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>>>> [202.77.100.39] (may be forged)
>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<
>>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562, stat=queued
>>>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam
>>>> checks (341198 > 200000 bytes)
>>>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676
>>>> to SQL
>>>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>>>> MailWatch SQL
>>>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<
>>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp,
>>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent
>>>> (Message accepted for delivery)
>>>>
>>>> Best Regards
>>>>
>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>>
>>>>> Check the mailScanner logs for  that message to see if it's doing
>>>>> anything 'unusual' with the message.
>>>>>
>>>>> --
>>>>> Martin Hepworth, CISSP
>>>>> Oxford, UK
>>>>>
>>>>>
>>>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> My customer have problems with their mailscanner installation,
>>>>>> sometimes users emails with blank body. I already search the web for
>>>>>> possible reasons, but can't find any.
>>>>>>
>>>>>> This is the configurations:
>>>>>>
>>>>>> MailScanner 4.84.5
>>>>>> Centos 6.2 64 bit
>>>>>> Sendmail 8.13
>>>>>> MailWatch-1.1.5.1
>>>>>> ClamAV 0.96.5
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121009/04a8a671/attachment.html 

From ryan.virgo at gmail.com  Tue Oct  9 04:39:35 2012
From: ryan.virgo at gmail.com (Ryan Braganza)
Date: Tue, 9 Oct 2012 09:09:35 +0530
Subject: Object Codebase/Data tag in HTM
Message-ID: <CAEaVHLWz4Tnj=o3eDHv2qVQgVHbMDp+t2N5tkGUSLKx1pKGTfw@mail.gmail.com>

Dear Friends,

Iam not able to figure out how to disable the below message

Oct  8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected
HTML-specific exploits in 407B555C6.AFE9D
Oct  8 19:13:04 ispam10 MailScanner[17552]: Saved infected
"msg-17552-152.html" to
/var/spool/MailScanner/quarantine/20121008/407B555C6.AFE9D
Oct  8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected and
have disarmed script tags in HTML message in 407B555C6.AFE9D from
xyz at xyz<george.fernandez-ca at aircel.co.in>

Found dangerous Object Codebase/Data tag in HTML message


This is started ever since I had impleneted blocking of exe within a zip.
:-(



-- 
*
_________________________________________________________________________________
*
* Someone wrote:
"I understand that if you play a Microsoft Windows CD backwards you hear
strange Satanic messages"

To which someone replied:* *
"It's even worse than that; play it forwards and it installs Windows Vista
!"
_________________________________________________________________________________
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121009/315a9f59/attachment.html 

From mailscanner at joolee.nl  Tue Oct  9 07:50:05 2012
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 9 Oct 2012 08:50:05 +0200
Subject: Object Codebase/Data tag in HTM
In-Reply-To: <CAEaVHLWz4Tnj=o3eDHv2qVQgVHbMDp+t2N5tkGUSLKx1pKGTfw@mail.gmail.com>
References: <CAEaVHLWz4Tnj=o3eDHv2qVQgVHbMDp+t2N5tkGUSLKx1pKGTfw@mail.gmail.com>
Message-ID: <CA+Q-w8VzoOhkWtZsFKPd_0avAK9niCkB104kHR2JeS=GEQc5OQ@mail.gmail.com>

You might take a look at:
https://github.com/MailScanner/MailScanner/blob/master/mailscanner/etc/mailscanner.conf#L1026

On 9 October 2012 05:39, Ryan Braganza <ryan.virgo at gmail.com> wrote:

> Dear Friends,
>
> Iam not able to figure out how to disable the below message
>
> Oct  8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected
> HTML-specific exploits in 407B555C6.AFE9D
> Oct  8 19:13:04 ispam10 MailScanner[17552]: Saved infected
> "msg-17552-152.html" to
> /var/spool/MailScanner/quarantine/20121008/407B555C6.AFE9D
> Oct  8 19:13:04 ispam10 MailScanner[17552]: Content Checks: Detected and
> have disarmed script tags in HTML message in 407B555C6.AFE9D from xyz at xyz<george.fernandez-ca at aircel.co.in>
>
> Found dangerous Object Codebase/Data tag in HTML message
>
>
> This is started ever since I had impleneted blocking of exe within a zip.
> :-(
>
>
>
> --
>  *
> _________________________________________________________________________________
> *
> * Someone wrote:
> "I understand that if you play a Microsoft Windows CD backwards you hear
> strange Satanic messages"
>
> To which someone replied:* *
> "It's even worse than that; play it forwards and it installs Windows Vista
> !"
>
> _________________________________________________________________________________
> *
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121009/fa075c43/attachment.html 

From msz at astrouw.edu.pl  Tue Oct  9 11:14:07 2012
From: msz at astrouw.edu.pl (Michal Szymanski)
Date: Tue, 9 Oct 2012 12:14:07 +0200
Subject: MS ignores "Spam Actions = attachment"
In-Reply-To: <mailman.0.1349780401.29904.mailscanner@lists.mailscanner.info>
References: <mailman.0.1349780401.29904.mailscanner@lists.mailscanner.info>
Message-ID: <20121009101406.GA14560@astrouw.edu.pl>

After upgrading, both OS from CentOS 5.3 to 6.2 and MailScanner to the
latest (at the time of upgrade) version 4.84.5, I noticed that Spam
messages are no longer delivered as attachments.

I have following configuration options, copied from the old conf:

Spam Actions = attachment deliver header "X-Spam-Status: Yes"
High Scoring Spam Actions = attachment deliver header "X-Spam-Status: Yes High"

In the previous environment, it was resulting in spam messages looking
like:

==================================================================
[...]
X-WarsawObs-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
       				   score=8.305, required 5, BAYES_80
				   3.00, RCVD_IN_PBL 0.91,
       				   RCVD_IN_XBL 4.30, RDNS_NONE 0.10)
X-Spam-Level: ********
X-WarsawObs-MailScanner-From: caroliniannp at buhrmann.com
X-Spam-Status: Yes
Status: O
Content-Length: 3363
Lines: 90

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: quoted-printable, Size: 1.1K --]
Content-Type: text/plain; charset="ISO-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Our MailScanner believes that the attachment to this message sent to you

    From: caroliniannp at buhrmann.com
 Subject: Job ad - see details! Sent through  Search engine

is Unsolicited Commercial Email (spam). Unless you are sure that this message
is incorrectly thought to be spam, please delete this message without opening
it. Opening spam messages might allow the spammer to verify your email
address.

If you believe that this message has been incorrectly marked as spam, please
forward this email to postmaster.

Date: 20120829
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [109.96.248.34 listed in zen.spamhaus.org]
 4.3 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 3.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9161]
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS

[-- Attachment #2 --]
[-- Type: message/rfc822, Encoding: binary, Size: 1.9K --]
Content-Type: message/rfc822
Content-Disposition: attachment
Content-Transfer-Encoding: binary
[...]
Subject: Job ad - see details! Sent through  Search engine
[...]
==================================================================

so I could, for some false-positive cases, use the attachment as a
"clean" message.

Now, after I upgrade, I am getting the spam "in-line", no attachments
generated:

==================================================================
[...]
X-WarsawObs-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
  score=21.542, required 5, autolearn=spam, BAYES_99 5.00,
  RCVD_IN_BRBL_LASTEXT 1.45, RCVD_IN_PBL 3.33, RCVD_IN_RP_RNBL 1.31,
  RDNS_NONE 0.79, URIBL_BLACK 2.60, URIBL_DBL_SPAM 1.70,
  URIBL_PH_SURBL 0.61, URIBL_RHS_DOB 1.51, URIBL_SBL 1.62,
  URIBL_WS_SURBL 1.61)
X-Spam-Level: *********************
X-WarsawObs-MailScanner-From: adjudicatorskmf at clickz.com
X-Spam-Status: Yes High
Status: RO
Content-Length: 1838
Lines: 33

Hello,

A US e-builder IT company, located in Michigan,
is looking  for European personnell  to act as intermediate chain for IT
[...]
==================================================================

Any idea why it is ignoring the "attachment" directive in "Spam
Actions" options? The "X-Spam-Status:" line gets inserted into the
header, as instructed by the same directive, so it apparently 
"goes through it".

regards, Michal.

-- 
  Michal Szymanski (msz at astrouw dot edu dot pl)
  Warsaw University Observatory, Warszawa, POLAND

From maillists at conactive.com  Tue Oct  9 12:44:32 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue, 09 Oct 2012 13:44:32 +0200
Subject: Correct format for allow.filename.conf
In-Reply-To: <CAGDKorKawBp6FrCDD3Py+edBB=fyk+H_EhYWT4w7gfii+nZ5FA@mail.gmail.com>
References: <VA.00003f39.094045f4@news.conactive.com>
	<CAAug_B901UxrW9OnAYosEM+RxE6hATh6O7RbPyZ5dqiowU1SZA@mail.gmail.com>
	<VA.00003f41.3d5afbbb@news.conactive.com>
	<CABY0g1Xc4eMfJgeG29a9JkoysZzpw22m+y_+BLiuibL496u+GA@mail.gmail.com>
	<VA.00003f42.424a5323@news.conactive.com>
	<CAGDKorKawBp6FrCDD3Py+edBB=fyk+H_EhYWT4w7gfii+nZ5FA@mail.gmail.com>
Message-ID: <VA.00003f44.477cd994@news.conactive.com>

Martin Hepworth wrote on Mon, 8 Oct 2012 19:35:49 +0100:

> search for overloading in the mailscanner wiki.

We may be talking at crosspurpose. Glenn also pointed to overloading. I 
don't see why I should need this. See below for more detail.

> 
> I's also check  the Scan.messages.rules

Unfortunately, these actions (check for file name/type) seem to be exempt 
from "scanning". I have localhost in this file since day 1, but noticed 
only recently that it apparently doesn't stop the file name/type check 
from happening. So, exempting from scanning doesn't help.

Now back to the question.
I do not want to overload (unless I have to), I want to use 
filename.allow.conf (Allow Filenames =). What I'm asking for is the 
correct format for this ruleset. It's not mentioned anywhere and deriving 
from the general description of a ruleset it should be something like

From:  127.0.0.1  \.txt

because the format of the config option is

# Allow Filenames = \.txt$ \.pdf$

So, according to 

http://wiki.mailscanner.info/doku.php?
id=documentation:configuration:rulesets:tutorial

I have the criteria on the left and the action on the right. Analogous to 
a ruleset from for instance scan.messages.rules
From:   127.0.0.1       no
the action is a "replacement" for the MailScanner.conf action on the right 
side of the equal sign.

So, if I have a basic format of
Allow Filenames = \.txt$ \.pdf$
then the equivalent entry in allow.filename.conf
(Allow Filenames = %etc-dir%/allow.filename.conf)
should be
FromOrTo: default \.txt$ \.pdf$

If not, I don't understand how rulesets should be built.

So, is this correct or not? If not, what's the correct syntax for 
allow.filename.conf?




Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




From mailscanner at pdscc.com  Wed Oct 10 00:21:12 2012
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Tue, 09 Oct 2012 16:21:12 -0700
Subject: maillscanner/postfix saturates bandwidth :-(
In-Reply-To: <alpine.DEB.2.00.1209241508520.22615@sisler.hq.richweb.com>
References: <20120924171534.693B55A1C82@sinclaire.sibble.net>,
	<alpine.DEB.2.00.1209241508520.22615@sisler.hq.richweb.com>
Message-ID: <20121009232117.3ED5B5A1C81@sinclaire.sibble.net>



On 24 Sep 2012 at 15:09, C. Jon Larsen wrote:

> > Basically the dsl connection they share with another office was saturated
> > when the office admin did a mailout on friday to about 2000 of their
> > subscribers, each email was about 3.5mb total with conversion overhead. 
> > When I say saturated, I mean in both the upstream and downstream directions.
> > According the admin who runs the multitenant network in this office, he was
> > seeing a sustained 1.6mb/s INBOUND connection to my client's firewall while
> > this was happening.

> > I'm trying to figure out the best way to deal witih this moving forward, is
> > there additional throttling I need to do at the postifx level or the
> > mailscanner level or something else.  I was also surprised as my understand
> > of postfix is that it does connection throttling by default.
> 
> You can play with variations of these settings in main.conf to control how
> much email is sent out - these go into main.conf
> 
> local_destination_concurrency_limit = 2
> default_destination_concurrency_limit = 2
> initial_destination_concurrency = 2
> 
> smtpd_client_connection_count_limit = 10
> default_destination_recipient_limit = 20

I'll do some testing with these as still getting same behaviour.

Setup caching dns server on the Mailscanner box, to replicate circumstances 
similar as before, had user send from outlook via exchange an email with no 
attachments, just body text to approx 550 recipients and basically same issue 
cropped up again, I had to eventually do

postqueue -p

postsuper -d 

on the messages in the queue to get things back to normal.

Which do you figure will give best bang for the buck assuming I add one at a 
time?  Are there general rules of thumb for the various values?
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
Blog: http://www.pdscc.com/blog
(604) 739-3709 (voice)


From bfebrian.milis at gmail.com  Thu Oct 11 04:25:07 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Thu, 11 Oct 2012 10:25:07 +0700
Subject: Receives email with blank body
In-Reply-To: <CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
	<CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
	<CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
Message-ID: <CANcyygFHHHWR+QsMoHX4oUMLvSwndamrjAiMYfVFH-_ufB3V4w@mail.gmail.com>

Dear Martin,

Already activated the archive facility.
How to proper way to inject and debug mailscanner/sendmail?

This is what I did, and maybe I did it wrong.
shutdown the mailscanner
copy the archive from /var/spool/MailScanner/archive/(date) to
/var/spool/mqeue
run mailscanner with --debug

Mailscanner run, and than stop, with some error related with mailwatch
about commit, but nothing else

Best Regards


On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth <maxsec at gmail.com> wrote:

> Doubt it, unless the antivirus on the Domino server did something to it,
> all Mailwatch does is log the information.
>
> Can you replay messages at all - ie do you use  the archive facility so
> you can inject the message again while running in debug mode?
>
>
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 8 October 2012 18:05, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>
>> Dear Martin,
>>
>> This happen not always with big emails, many big emails still delivered
>> without any problems.
>>
>> This problem appears to be random, but often.
>>
>> The next host is the mail server, which is Lotus Domino 8.5.
>>
>> Is it possible that the anti virus or mailwatch somehow altered the mail
>> format?
>>
>> Best regards
>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:
>>
>>> Is this consistent with large emails above the spam checks size limit?
>>>
>>> If it is, you could run a test in debug mode of a large email to see
>>> what's going flakey.
>>>
>>> I presume the next host down the line (192.168.10.17) is handling this
>>> OK?
>>>
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>
>>>> Dear Martin,
>>>>
>>>> Thank you for the reply, but I don't see something strange in the
>>>> maillog
>>>>
>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>>>> [202.77.100.39] (may be forged)
>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<
>>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562, stat=queued
>>>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for spam
>>>> checks (341198 > 200000 bytes)
>>>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message q917UfQF014676
>>>> to SQL
>>>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>>>> MailWatch SQL
>>>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<
>>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp,
>>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent
>>>> (Message accepted for delivery)
>>>>
>>>> Best Regards
>>>>
>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>>
>>>>> Check the mailScanner logs for  that message to see if it's doing
>>>>> anything 'unusual' with the message.
>>>>>
>>>>> --
>>>>> Martin Hepworth, CISSP
>>>>> Oxford, UK
>>>>>
>>>>>
>>>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> My customer have problems with their mailscanner installation,
>>>>>> sometimes users emails with blank body. I already search the web for
>>>>>> possible reasons, but can't find any.
>>>>>>
>>>>>> This is the configurations:
>>>>>>
>>>>>> MailScanner 4.84.5
>>>>>> Centos 6.2 64 bit
>>>>>> Sendmail 8.13
>>>>>> MailWatch-1.1.5.1
>>>>>> ClamAV 0.96.5
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121011/452f45ce/attachment.html 

From timb at vwg.com  Thu Oct 11 15:06:57 2012
From: timb at vwg.com (Timothy J. Barhorst)
Date: Thu, 11 Oct 2012 10:06:57 -0400 (EDT)
Subject: Malware Tried to Kill MailScanner
Message-ID: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>

Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night with a
message that tried to kill MailScanner.

The message contained a .zip file with HTML.Phishing.Pay-6 infection.



Should this have happened? Is this a bug in MailScanner? Why would
MailScanner crash?





Here is the notification from MailScanner: ( I have removed our TLD)



-----------------------------------------------------------

The following e-mails were found to have: Other Bad Content Detected



    Sender: client at update.com

IP Address: 200.6.116.70

Recipient: pwood at OURDOMAIN.com

   Subject: Dear PayPaL Member.

MessageID: q9B6UwqI024249

Quarantine: /var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249

    Report: MailScanner: Message attempted to kill MailScanner

Full headers are:



Return-Path: <?g>

Received: from update.com (host-200-6-116-70.iia.cl [200.6.116.70] (may be
forged))

     by hermes.OURDOMAIN.com (8.14.3/8.14.3) with ESMTP id q9B6UwqI024249

     for <pwood at OURDOMAIN.com>; Thu, 11 Oct 2012 02:31:09 -0400

From: PayPaL.Com

To: pwood at vwg.com

Subject: Dear PayPaL Member.

Date: 11 Oct 2012 03:30:48 -0300

Message-ID: <20121011033047.3AC39DDD97B4EA49 at update.com>

MIME-Version: 1.0

Content-Type: multipart/mixed;

     boundary="----=_NextPart_000_0012_AEF19946.1F5984CA"





--

MailScanner

Email Virus Scanner

www.mailscanner.info



----------------------------------------------------------------



We Received the following in our logs . It tried 6 times before it
quarantined the message.



Oct 11 02:50:56 hermes MailScanner[24936]: Clamd::INFECTED::
HTML.Phishing.Pay-6 :: ./q9B6UwqI024249/Secure_Form.html

Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus
HTML.Phishing.Pay-6 in q9B6UwqI024249

Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED:: contains
infected objects: HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.zip

Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED::
HTML/PayPal.CZ :: ./q9B6UwqI024249/Secure_Form.html

Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML/PayPal.CZ
in q9B6UwqI024249

Oct 11 02:50:56 hermes MailScanner[24936]: FProtd6::INFECTED::
HTML/PayPal.CZ ::
./q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html

Oct 11 02:50:56 hermes MailScanner[24936]: Found spam-virus HTML/PayPal.CZ
in q9B6UwqI024249.message->Secure_Form.zip->Secure_Form.html

Oct 11 02:50:56 hermes MailScanner[24936]: Infected message q9B6UwqI024249
came from 200.6.116.70

Oct 11 02:50:59 hermes MailScanner[23819]: Warning: skipping message
q9B6UwqI024249 as it has been attempted too many times

Oct 11 02:50:59 hermes MailScanner[23819]: Quarantined message
q9B6UwqI024249 as it caused MailScanner to crash several times

Oct 11 02:50:59 hermes MailScanner[23819]: Saved entire message to
/var/spool/MailScanner/quarantine/20121011/q9B6UwqI024249

Oct 11 02:50:59 hermes MailScanner[23819]: Logging message q9B6UwqI024249
to SQL

Oct 11 02:50:59 hermes MailScanner[24038]: q9B6UwqI024249: Logged to
MailWatch SQL





This is the message:

--------------------------------------------------------------------------
--------------------------

Return-Path: <?g>

Received: from update.com (host-200-6-116-70.iia.cl [200.6.116.70] (may be
forged))

               by hermes.OURDOMAIN.com (8.14.3/8.14.3) with ESMTP id
q9B6UwqI024249

               for <pwood at vwg.com>; Thu, 11 Oct 2012 02:31:09 -0400

From: PayPaL.Com

To: pwood at OURDOMAIN.com

Subject: Dear PayPaL Member.

Date: 11 Oct 2012 03:30:48 -0300

Message-ID: <20121011033047.3AC39DDD97B4EA49 at update.com>

MIME-Version: 1.0

Content-Type: multipart/mixed;

               boundary="----=_NextPart_000_0012_AEF19946.1F5984CA"



This is a multi-part message in MIME format.



------=_NextPart_000_0012_AEF19946.1F5984CA

Content-Type: text/plain

Content-Transfer-Encoding: quoted-printable



Dear PayPal Member,



This email informs you that your credit card associated with your=20

account has expired.

Please click the attachments to update your account and keep=20

shopping with PayPal.





Thank you for using PayPal!

The PayPal Team



Please do not reply to this e-mail. Mail sent to this address=20

cannot be answered.

For assistance, log in to your PayPal account and choose the=20

"Help" link in the footer of any page.



PayPal Email ID PP12



------=_NextPart_000_0012_AEF19946.1F5984CA

Content-Type: application/zip; name="Secure_Form.zip"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="Secure_Form.zip"



UEsDBBQAAAAIAKhIS0FqeHq/IRYAAHltAAAQAAAAU2VjdXJlX0Zvcm0uaHRtbOQ9a3PaONef

tzP9D1p23udpZ5oAufSSJp4h5EYTCG8gydN+6QhbgBrb8soyhLzz/Pf3SL5gOwKUpE0zs+wu

a3Q5Ojp3ydLJ7p9ra2PhudbrV69f7Y4JduBp1yMCo7EQwRr5O6KTvUqT+YL4Yu0M+6MIj0gF

<SNIP>





Tim Barhorst



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121011/1d923c82/attachment.html 

From ssilva at sgvwater.com  Thu Oct 11 16:40:23 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 11 Oct 2012 08:40:23 -0700
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
Message-ID: <k56p99$vgs$1@ger.gmane.org>

on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night with a
> message that tried to kill MailScanner.
> 
> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
> 
>  
> 
> Should this have happened? Is this a bug in MailScanner? Why would MailScanner
> crash?
> 
>  
> 
>  
<snip>
This happens when the processing takes too long to complete. Sometimes a
deeply nested zip file, or other system processing. Usually the message gets
quarantined after the processing attempts have reached the limit...



From timb at vwg.com  Thu Oct 11 18:12:00 2012
From: timb at vwg.com (Timothy J. Barhorst)
Date: Thu, 11 Oct 2012 13:12:00 -0400 (EDT)
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <k56p99$vgs$1@ger.gmane.org>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
	<k56p99$vgs$1@ger.gmane.org>
Message-ID: <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
Silva
Sent: Thursday, October 11, 2012 11:40 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: Malware Tried to Kill MailScanner

on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night 
> with a message that tried to kill MailScanner.
> 
> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
> 
>  
> 
> Should this have happened? Is this a bug in MailScanner? Why would 
> MailScanner crash?
> 
>  
> 
>  
<snip>
>> This happens when the processing takes too long to complete. Sometimes
a deeply nested zip file, or other system >>processing. Usually the
message gets quarantined after the processing attempts have reached the
limit...

O.K. That makes sense.. Thanks.
How do I stop the hourly MailScanner message that is telling me this
happened?
<below>

Archive:

Number of messages: 1
Tries	Message	Last Tried
=====	=======	==========
6	q9B6UwqI024249	Thu Oct 11 02:53:14 2012

-- 
MailScanner


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

From ssilva at sgvwater.com  Thu Oct 11 18:43:16 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 11 Oct 2012 10:43:16 -0700
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
	<k56p99$vgs$1@ger.gmane.org>
	<3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
Message-ID: <k570fn$735$1@ger.gmane.org>

on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
> 
> 
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
> Silva
> Sent: Thursday, October 11, 2012 11:40 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Malware Tried to Kill MailScanner
> 
> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night 
>> with a message that tried to kill MailScanner.
>>
>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>
>>  
>>
>> Should this have happened? Is this a bug in MailScanner? Why would 
>> MailScanner crash?
>>
>>  
>>
>>  
> <snip>
>>> This happens when the processing takes too long to complete. Sometimes
> a deeply nested zip file, or other system >>processing. Usually the
> message gets quarantined after the processing attempts have reached the
> limit...
> 
> O.K. That makes sense.. Thanks.
> How do I stop the hourly MailScanner message that is telling me this
> happened?
> <below>
> 
> Archive:
> 
> Number of messages: 1
> Tries	Message	Last Tried
> =====	=======	==========
> 6	q9B6UwqI024249	Thu Oct 11 02:53:14 2012
> 
I usually have to delete the Processing.db in /var/spool/MailScanner/incoming
Stop MailScanner, delete, and restart... A new one will be created... I'm sure
there is some commandline magic to do this from inside MailScanner, and one of
the smarter people on here will hopefully chime in with it...





From timb at vwg.com  Thu Oct 11 20:18:51 2012
From: timb at vwg.com (Timothy J. Barhorst)
Date: Thu, 11 Oct 2012 15:18:51 -0400 (EDT)
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <k570fn$735$1@ger.gmane.org>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>	<k56p99$vgs$1@ger.gmane.org>	<3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
	<k570fn$735$1@ger.gmane.org>
Message-ID: <08f51445.00000b50.00000025@SHIVA.hq.vwg.com>



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
Silva
Sent: Thursday, October 11, 2012 1:43 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Malware Tried to Kill MailScanner

on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
> 
> 
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott 
> Silva
> Sent: Thursday, October 11, 2012 11:40 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Malware Tried to Kill MailScanner
> 
> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night 
>> with a message that tried to kill MailScanner.
>>
>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>
>>  
>>
>> Should this have happened? Is this a bug in MailScanner? Why would 
>> MailScanner crash?
>>
>>  
>>
>>  
> <snip>
>>> This happens when the processing takes too long to complete. 
>>> Sometimes
> a deeply nested zip file, or other system >>processing. Usually the 
> message gets quarantined after the processing attempts have reached 
> the limit...
> 
> O.K. That makes sense.. Thanks.
> How do I stop the hourly MailScanner message that is telling me this 
> happened?
> <below>
> 
> Archive:
> 
> Number of messages: 1
> Tries	Message	Last Tried
> =====	=======	==========
> 6	q9B6UwqI024249	Thu Oct 11 02:53:14 2012
> 
>>I usually have to delete the Processing.db in
/var/spool/MailScanner/incoming Stop MailScanner, delete, and restart...
>>A new one will be created... I'm sure there is some commandline magic to
do this from inside MailScanner, and one of >>the smarter people on here
will hopefully chime in with it...

Thanks!  that worked.. but if anyone has a command.. it would be nice to
know.




--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

From paul at welshfamily.com  Thu Oct 11 23:26:09 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Thu, 11 Oct 2012 23:26:09 +0100
Subject: Maximum Archive Depth causing MailScanner to crash
Message-ID: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>

Hi all

Currently I have MailScanner 4.84.5 .conf set to:
Maximum Archive Depth = 0

However, this means that filename and filetype checks aren't being
done on *.exe files in *.zip files so I changed it to:
Maximum Archive Depth = 3
which I believe is the default.

Unfortunately, this caused MailScanner to crash and restart each time
it came across a *.exe file in a *.zip file.  Instance after instance
of MailScanner started and went defunct in a constant loop.

I tried using:
Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf

I also tried this on its own:
Archives: Deny Filenames = \.exe$

I changed it back to:
Maximum Archive Depth = 0
and all went back to normal.

Any ideas what could be going wrong?

Regards

Paul

From ssilva at sgvwater.com  Fri Oct 12 00:36:00 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu, 11 Oct 2012 16:36:00 -0700
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
References: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
Message-ID: <k57l52$pld$1@ger.gmane.org>

on 10/11/2012 3:26 PM Paul Welsh spake the following:
> Hi all
> 
> Currently I have MailScanner 4.84.5 .conf set to:
> Maximum Archive Depth = 0
> 
> However, this means that filename and filetype checks aren't being
> done on *.exe files in *.zip files so I changed it to:
> Maximum Archive Depth = 3
> which I believe is the default.
> 
> Unfortunately, this caused MailScanner to crash and restart each time
> it came across a *.exe file in a *.zip file.  Instance after instance
> of MailScanner started and went defunct in a constant loop.
> 
> I tried using:
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
> 
> I also tried this on its own:
> Archives: Deny Filenames = \.exe$
> 
> I changed it back to:
> Maximum Archive Depth = 0
> and all went back to normal.
> 
> Any ideas what could be going wrong?
> 
> Regards
> 
> Paul
> 
Do a MailScanner --v and see if you have missing modules or old versions




From paul at welshfamily.com  Fri Oct 12 10:45:56 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Fri, 12 Oct 2012 10:45:56 +0100
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To: <k57l52$pld$1@ger.gmane.org>
References: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
	<k57l52$pld$1@ger.gmane.org>
Message-ID: <CAA510g5skVNuS9x7jLjoTkiiQuKgnqZwCWmCkMKv4sMwPtDPBQ@mail.gmail.com>

On 12 October 2012 00:36, Scott Silva <ssilva at sgvwater.com> wrote:
> Do a MailScanner --v and see if you have missing modules or old versions

I get this.  Not sure what I should be looking for.  Obviously this
doesn't look great but it is in the optional section:
0.17008 Error

This is CentOS release 6.3 (Final)
This is Perl version 5.010001 (5.10.1)

This is MailScanner version 4.84.5
Module versions are:
1.00    AnyDBM_File
1.30    Archive::Zip
0.23    bignum
1.11    Carp
2.02    Compress::Zlib
1.119   Convert::BinHex
0.17    Convert::TNEF
2.124   Data::Dumper
2.27    Date::Parse
1.03    DirHandle
1.06    Fcntl
2.77    File::Basename
2.14    File::Copy
2.02    FileHandle
2.08    File::Path
0.22    File::Temp
0.90    Filesys::Df
3.64    HTML::Entities
3.64    HTML::Parser
3.57    HTML::TokeParser
1.25    IO
1.14    IO::File
1.13    IO::Pipe
2.04    Mail::Header
1.89    Math::BigInt
0.22    Math::BigRat
3.13    MIME::Base64
5.427   MIME::Decoder
5.427   MIME::Decoder::UU
5.427   MIME::Head
5.427   MIME::Parser
3.13    MIME::QuotedPrint
5.427   MIME::Tools
0.13    Net::CIDR
1.25    Net::IP
0.16    OLE::Storage_Lite
1.04    Pod::Escapes
3.13    Pod::Simple
1.17    POSIX
1.21    Scalar::Util
1.82    Socket
2.20    Storable
1.4     Sys::Hostname::Long
0.27    Sys::Syslog
1.40    Test::Pod
0.98    Test::Simple
1.9721  Time::HiRes
1.02    Time::localtime

Optional module versions are:
1.29    Archive::Tar
0.23    bignum
1.82    Business::ISBN
1.10    Business::ISBN::Data
1.08    Data::Dump
1.82    DB_File
1.27    DBD::SQLite
1.609   DBI
1.16    Digest
1.01    Digest::HMAC
2.52    Digest::MD5
2.12    Digest::SHA1
1.00    Encode::Detect
0.17008 Error
0.280205        ExtUtils::CBuilder
2.2203  ExtUtils::ParseXS
2.38    Getopt::Long
0.44    Inline
1.08    IO::String
1.04    IO::Zlib
2.21    IP::Country
0.29    Mail::ClamAV
3.003001        Mail::SpamAssassin
v2.004  Mail::SPF
missing Mail::SPF::Query
0.4002  Module::Build
0.20    Net::CIDR::Lite
0.65    Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
missing Net::LDAP
 4.004  NetAddr::IP
1.94    Parse::RecDescent
missing SAVI
3.17    Test::Harness
0.95    Test::Manifest
2.0.0   Text::Balanced
1.60    URI
0.99    version
0.62    YAML

From m.a.young at durham.ac.uk  Fri Oct 12 11:27:30 2012
From: m.a.young at durham.ac.uk (M A Young)
Date: Fri, 12 Oct 2012 11:27:30 +0100 (BST)
Subject: Malware Tried to Kill MailScanner
In-Reply-To: <k570fn$735$1@ger.gmane.org>
References: <1583c909.00000b50.00000007@SHIVA.hq.vwg.com>
	<k56p99$vgs$1@ger.gmane.org>
	<3f4e3737.00000b50.0000001e@SHIVA.hq.vwg.com>
	<k570fn$735$1@ger.gmane.org>
Message-ID: <alpine.GSO.2.00.1210121116310.20637@algedi.dur.ac.uk>

On Thu, 11 Oct 2012, Scott Silva wrote:

> on 10/11/2012 10:12 AM Timothy J. Barhorst spake the following:
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott
>> Silva
>> Sent: Thursday, October 11, 2012 11:40 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: Malware Tried to Kill MailScanner
>>
>> on 10/11/2012 7:06 AM Timothy J. Barhorst spake the following:
>>> Our Centos 5 - MailScanner 4.84.5-2 server was attacked last night
>>> with a message that tried to kill MailScanner.
>>>
>>> The message contained a .zip file with HTML.Phishing.Pay-6 infection.
>>>
>>>
>>>
>>> Should this have happened? Is this a bug in MailScanner? Why would
>>> MailScanner crash?
>>>
>>>
>>>
>>>
>> <snip>
>>>> This happens when the processing takes too long to complete. Sometimes
>> a deeply nested zip file, or other system >>processing. Usually the
>> message gets quarantined after the processing attempts have reached the
>> limit...
>>
>> O.K. That makes sense.. Thanks.
>> How do I stop the hourly MailScanner message that is telling me this
>> happened?
>> <below>
>>
>> Archive:
>>
>> Number of messages: 1
>> Tries	Message	Last Tried
>> =====	=======	==========
>> 6	q9B6UwqI024249	Thu Oct 11 02:53:14 2012
>>
> I usually have to delete the Processing.db in /var/spool/MailScanner/incoming
> Stop MailScanner, delete, and restart... A new one will be created... I'm sure
> there is some commandline magic to do this from inside MailScanner, and one of
> the smarter people on here will hopefully chime in with it...

You can avoid a restart by editing the database directly, eg.
sqlite3 /var/spool/MailScanner/incoming/Processing.db
.header on
select * from archive;
delete from archive where id='xxxxxxxxxxxxxx';
.quit

There is also a processing table, but for that table you should be careful 
you don't delete anything relating to messages currently being processed.

 	Michael Young

From maillists at conactive.com  Fri Oct 12 18:31:20 2012
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri, 12 Oct 2012 19:31:20 +0200
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To: <CAA510g5skVNuS9x7jLjoTkiiQuKgnqZwCWmCkMKv4sMwPtDPBQ@mail.gmail.com>
References: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
	<k57l52$pld$1@ger.gmane.org>
	<CAA510g5skVNuS9x7jLjoTkiiQuKgnqZwCWmCkMKv4sMwPtDPBQ@mail.gmail.com>
Message-ID: <VA.00003f47.013a28be@news.conactive.com>

Paul Welsh wrote on Fri, 12 Oct 2012 10:45:56 +0100:

> 0.17008 Error

This is not an error ;-)

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




From ssilva at sgvwater.com  Fri Oct 12 19:37:33 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri, 12 Oct 2012 11:37:33 -0700
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
References: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
Message-ID: <k59o1e$22t$1@ger.gmane.org>

on 10/11/2012 3:26 PM Paul Welsh spake the following:
> Hi all
> 
> Currently I have MailScanner 4.84.5 .conf set to:
> Maximum Archive Depth = 0
> 
> However, this means that filename and filetype checks aren't being
> done on *.exe files in *.zip files so I changed it to:
> Maximum Archive Depth = 3
> which I believe is the default.
> 
> Unfortunately, this caused MailScanner to crash and restart each time
> it came across a *.exe file in a *.zip file.  Instance after instance
> of MailScanner started and went defunct in a constant loop.
> 
> I tried using:
> Archives: Filename Rules = %etc-dir%/archives.filename.rules.conf
> 
> I also tried this on its own:
> Archives: Deny Filenames = \.exe$
> 
> I changed it back to:
> Maximum Archive Depth = 0
> and all went back to normal.
> 
> Any ideas what could be going wrong?
> 
> Regards
> 
> Paul
> 
Are you running MailScanner with the taint fix? Adding -U in the
/usr/sbin/MailScanner file...
Edit the first line to add -U to the end like;
#!/usr/bin/perl -I/usr/lib/MailScanner -U




From paul at welshfamily.com  Sat Oct 13 11:33:52 2012
From: paul at welshfamily.com (Paul Welsh)
Date: Sat, 13 Oct 2012 11:33:52 +0100
Subject: Maximum Archive Depth causing MailScanner to crash
In-Reply-To: <k59o1e$22t$1@ger.gmane.org>
References: <CAA510g5xC_NCmYocb379aD1hvQxb+O0AsFOK=K4uRvpepr2kig@mail.gmail.com>
	<k59o1e$22t$1@ger.gmane.org>
Message-ID: <CAA510g4OnEAm01NnZ9rBO6_j161nVfsta679j_HW6DyBwh3+Gw@mail.gmail.com>

On 12 October 2012 19:37, Scott Silva <ssilva at sgvwater.com> wrote:

> Are you running MailScanner with the taint fix? Adding -U in the
> /usr/sbin/MailScanner file...
> Edit the first line to add -U to the end like;
> #!/usr/bin/perl -I/usr/lib/MailScanner -U


Thanks Scott, did that and all is now well.  Both filename and filetype
checking is working on executables within zip files.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121013/cb47cfcf/attachment.html 

From mailscanner at romehosting.com  Thu Oct 18 00:06:47 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Wed, 17 Oct 2012 19:06:47 -0400
Subject: MailScanner delivers SPAM but will not quarantine properly
Message-ID: <979834d668ee19cf6a3a816cef679b05.squirrel@mail.romehosting.com>

It's been a while, but this one has me stumped:

This is a new install with Postfix, MailScanner, MailWatch, Spamassassin,
etc.  If MailScanner is set to deliver SPAM messages, everything works
perfectly.  When set to hold, they get stuck in the "hold" directory until
MailScanner gives up.  When they eventually move to quarantine, MailWatch
reports them as

"Other Bad Content Detected" in the admin email that is sent

and

"MailScanner: Message attempted to kill MailScanner".

I have intentionally lowered my SPAM scores to replicate this over and
over until I can get this resolved.  At this point, I am certain that it's
some sort of permission issue but have tried everything I can think of.

What's even odder is that I have another server running the exact same
versions with the exact same permissions and it runs just fine.  I'm open
to any suggestions as I'm ready to move on to another project.  Thanks for
your help.

I don't know what we'd do without MailScanner.
:-)

-- 
Dave Gattis






From andrew at topdog.za.net  Thu Oct 18 06:00:19 2012
From: andrew at topdog.za.net (Andrew Colin Kissa)
Date: Thu, 18 Oct 2012 07:00:19 +0200
Subject: MailScanner delivers SPAM but will not quarantine properly
In-Reply-To: <979834d668ee19cf6a3a816cef679b05.squirrel@mail.romehosting.com>
References: <979834d668ee19cf6a3a816cef679b05.squirrel@mail.romehosting.com>
Message-ID: <E4F39561-E1A1-48EB-9FAB-FE87B0AFA575@topdog.za.net>


On 18 Oct 2012, at 1:06 AM, Dave Gattis wrote:

> It's been a while, but this one has me stumped:
> 
> This is a new install with Postfix, MailScanner, MailWatch, Spamassassin,
> etc.  If MailScanner is set to deliver SPAM messages, everything works
> perfectly.  When set to hold, they get stuck in the "hold" directory until
> MailScanner gives up.  When they eventually move to quarantine, MailWatch
> reports them as
> 
> "Other Bad Content Detected" in the admin email that is sent
> 
> and
> 
> "MailScanner: Message attempted to kill MailScanner".
> 
> I have intentionally lowered my SPAM scores to replicate this over and
> over until I can get this resolved.  At this point, I am certain that it's
> some sort of permission issue but have tried everything I can think of.
> 
> What's even odder is that I have another server running the exact same
> versions with the exact same permissions and it runs just fine.  I'm open
> to any suggestions as I'm ready to move on to another project.  Thanks for
> your help.
> 
> I don't know what we'd do without MailScanner.
> :-)

Are you running MailScanner with the taint fix? Adding -U in the
/usr/sbin/MailScanner file...
Edit the first line to add -U to the end like;
#!/usr/bin/perl -I/usr/lib/MailScanner -U

--
www.baruwa.org




From mikew at crucis.net  Fri Oct 19 20:49:22 2012
From: mikew at crucis.net (Mike Watson)
Date: Fri, 19 Oct 2012 14:49:22 -0500
Subject: MailScanner and Spamassassin
Message-ID: <5081AEC2.9030902@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/f5647cf7/attachment.html 

From Kevin_Miller at ci.juneau.ak.us  Fri Oct 19 21:17:19 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 12:17:19 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <5081AEC2.9030902@crucis.net>
References: <5081AEC2.9030902@crucis.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>

My understanding is that you use sa-learn to train the database.  If you get a false positive you feed it to spamassassin as non-spam.  If spam slips through, you feed it back to spamassassin as spam.  I expect sa-learn is also called during the scanning process in the background.   I don't think you need to do anything special w/your users unless a message is mis-tagged.  The previous bayes database should be still working and being updated...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 11:49 AM
To: MailScanner discussion
Subject: MailScanner and Spamassassin

I suppose this is more a Spamassassin question than MailScanner but I'll ask anyway.

I've just finished setting up a mailserver using CentOS 6.3, Dovecot, sendmail, and MailScanner-Spamassassin. This is an upgrade from an older linux server that also ran an older version of MailScanner-Spamassassin.

I know SA runs sa-update via cron. That's working. But...is it necessary to run sa-learn for each user as well to detect SPAM that gets through MailScanner?  There has to be a reason for sa-learn or it wouldn't be included in the SA package. I do have Baynes activated for SA.

Is there any reason to run sa-learn on the spam files?

mw


--

--



"Lose not thy airspeed, lest the ground rises up and smites thee."

  -- William Kershner

http://crucis-court.com

http://www.crucis.net/1632search
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/1d53f940/attachment.html 

From mikew at crucis.net  Fri Oct 19 23:03:10 2012
From: mikew at crucis.net (Mike Watson)
Date: Fri, 19 Oct 2012 17:03:10 -0500
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
Message-ID: <5081CE1E.30008@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/e2f03e41/attachment.html 

From Kevin_Miller at ci.juneau.ak.us  Fri Oct 19 23:39:17 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 14:39:17 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <5081CE1E.30008@crucis.net>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
	<5081CE1E.30008@crucis.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>

Yeah, you definitely should.  Lots of training bound up in the old database.  Also, IIRC, bayes doesn't kick in until it sees 200 hams and 200 spams, so there's a period where it's learning but not contributing.  Or something along those lines...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 2:03 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

New box I didn't copy the database but it's an idea.

Thanks,  mw


--



"Lose not thy airspeed, lest the ground rises up and smites thee."

  -- William Kershner

http://crucis-court.com

http://www.crucis.net/1632search

On 10/19/2012 03:17 PM, Kevin Miller wrote:
My understanding is that you use sa-learn to train the database.  If you get a false positive you feed it to spamassassin as non-spam.  If spam slips through, you feed it back to spamassassin as spam.  I expect sa-learn is also called during the scanning process in the background.   I don't think you need to do anything special w/your users unless a message is mis-tagged.  The previous bayes database should be still working and being updated...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 11:49 AM
To: MailScanner discussion
Subject: MailScanner and Spamassassin

I suppose this is more a Spamassassin question than MailScanner but I'll ask anyway.

I've just finished setting up a mailserver using CentOS 6.3, Dovecot, sendmail, and MailScanner-Spamassassin. This is an upgrade from an older linux server that also ran an older version of MailScanner-Spamassassin.

I know SA runs sa-update via cron. That's working. But...is it necessary to run sa-learn for each user as well to detect SPAM that gets through MailScanner?  There has to be a reason for sa-learn or it wouldn't be included in the SA package. I do have Baynes activated for SA.

Is there any reason to run sa-learn on the spam files?

mw



--

--



"Lose not thy airspeed, lest the ground rises up and smites thee."

  -- William Kershner

http://crucis-court.com

http://www.crucis.net/1632search


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/3e76e4e4/attachment.html 

From mikew at crucis.net  Fri Oct 19 23:46:43 2012
From: mikew at crucis.net (Mike Watson)
Date: Fri, 19 Oct 2012 17:46:43 -0500
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
	<5081CE1E.30008@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
Message-ID: <5081D853.4090101@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/43bce839/attachment.html 

From Kevin_Miller at ci.juneau.ak.us  Fri Oct 19 23:59:35 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 14:59:35 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <5081D853.4090101@crucis.net>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
	<5081CE1E.30008@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
	<5081D853.4090101@crucis.net>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DE00@city-exchange07>

I think it's normally a hidden directory under /root.  Been so long since I installed from scratch though that I could be wrong.  I put it under /etc/MailScanner/bayes - be sure to review the instructions in MailScanner.conf on permissions and such.  There's a "use bayes" setting in spamassassin.prefs.conf - make sure it's not set to zero.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 2:47 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

I just noticed no bayes directory was created during the MS install. Is that normal?

mw


--



"Lose not thy airspeed, lest the ground rises up and smites thee."

  -- William Kershner

http://crucis-court.com

http://www.crucis.net/1632search

On 10/19/2012 05:39 PM, Kevin Miller wrote:
Yeah, you definitely should.  Lots of training bound up in the old database.  Also, IIRC, bayes doesn't kick in until it sees 200 hams and 200 spams, so there's a period where it's learning but not contributing.  Or something along those lines...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 2:03 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

New box I didn't copy the database but it's an idea.

Thanks,  mw



--



"Lose not thy airspeed, lest the ground rises up and smites thee."

  -- William Kershner

http://crucis-court.com

http://www.crucis.net/1632search

On 10/19/2012 03:17 PM, Kevin Miller wrote:
My understanding is that you use sa-learn to train the database.  If you get a false positive you feed it to spamassassin as non-spam.  If spam slips through, you feed it back to spamassassin as spam.  I expect sa-learn is also called during the scanning process in the background.   I don't think you need to do anything special w/your users unless a message is mis-tagged.  The previous bayes database should be still working and being updated...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info<mailto:mailscanner-bounces at lists.mailscanner.info> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mike Watson
Sent: Friday, October 19, 2012 11:49 AM
To: MailScanner discussion
Subject: MailScanner and Spamassassin

I suppose this is more a Spamassassin question than MailScanner but I'll ask anyway.

I've just finished setting up a mailserver using CentOS 6.3, Dovecot, sendmail, and MailScanner-Spamassassin. This is an upgrade from an older linux server that also ran an older version of MailScanner-Spamassassin.

I know SA runs sa-update via cron. That's working. But...is it necessary to run sa-learn for each user as well to detect SPAM that gets through MailScanner?  There has to be a reason for sa-learn or it wouldn't be included in the SA package. I do have Baynes activated for SA.

Is there any reason to run sa-learn on the spam files?

mw




--

--



"Lose not thy airspeed, lest the ground rises up and smites thee."

  -- William Kershner

http://crucis-court.com

http://www.crucis.net/1632search





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121019/91bfdf5e/attachment.html 

From bonivart at opencsw.org  Sat Oct 20 00:09:21 2012
From: bonivart at opencsw.org (Peter Bonivart)
Date: Sat, 20 Oct 2012 01:09:21 +0200
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
	<5081CE1E.30008@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
Message-ID: <CABY0g1V3xve2Cn_YQqBC943hpyJAUd+=4wAq6pTQ872Mc2_zbw@mail.gmail.com>

On Sat, Oct 20, 2012 at 12:39 AM, Kevin Miller
<Kevin_Miller at ci.juneau.ak.us> wrote:
> Lots of training bound up in the old database.

How do you figure? Have you looked at the retension time of individual
records in the db? The refresh rate of the entire database is fairly
high. I doubt you get much better results after the first few days
even.

I've always been skeptical about this myth surrounding Bayes. It's
just one test out of a thousand and it's easily fooled as well. I
trust the auto-learner to do it's job and I haven't seen others get
significantly better results regardless of effort put into Bayes.

/peter

From Kevin_Miller at ci.juneau.ak.us  Sat Oct 20 00:54:20 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri, 19 Oct 2012 15:54:20 -0800
Subject: MailScanner and Spamassassin
In-Reply-To: <CABY0g1V3xve2Cn_YQqBC943hpyJAUd+=4wAq6pTQ872Mc2_zbw@mail.gmail.com>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
	<5081CE1E.30008@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
	<CABY0g1V3xve2Cn_YQqBC943hpyJAUd+=4wAq6pTQ872Mc2_zbw@mail.gmail.com>
Message-ID: <4A09477D575C2C4B86497161427DD94C279E12DE01@city-exchange07>

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Bonivart
Sent: Friday, October 19, 2012 3:09 PM
To: MailScanner discussion
Subject: Re: MailScanner and Spamassassin

On Sat, Oct 20, 2012 at 12:39 AM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us> wrote:
> Lots of training bound up in the old database.

> How do you figure? Have you looked at the retension time of individual 
> records in the db? The refresh rate of the entire database is fairly high. 
> I doubt you get much better results after the first few days even.

I suppose it all depends on how much mail you get.  We only get between 5000-10000 messages a day and have 400-500 users.  Not a lot compared to an ISP that might be getting hundreds of thousands of messages a day.  My primary mail server reports this:  
  Number of Tokens:	221,102
I expect It would take some time to get that many tokens if I was starting from scratch.  And even if it did build w/in a couple days, that's a couple days that the filtering could be a bit more optimal.  Every little bit helps.  No idea how big Mike's mail store volume is.

> I've always been skeptical about this myth surrounding Bayes. It's just one
> test out of a thousand and it's easily fooled as well. I trust the auto-learner 
> to do it's job and I haven't seen others get significantly better results 
> regardless of effort put into Bayes.

It's jack-simple to copy over the old bayes database.  Hardly any effort at all really.  If it's from a current corpus it's going to help.  Maybe not an earth shaking amount, but spamassassin is all about lots of little incremental scores.  Might be the difference between a 4.95 score and a 5.0.  Nothing I told him should take longer than maybe five minutes.

If you have any insights and tricks for getting a new build up and running efficiently as quickly as possible I'm sure we'd all love to hear them.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357


From mikew at crucis.net  Sat Oct 20 20:10:08 2012
From: mikew at crucis.net (Mike Watson)
Date: Sat, 20 Oct 2012 14:10:08 -0500
Subject: MailScanner and Spamassassin
In-Reply-To: <4A09477D575C2C4B86497161427DD94C279E12DE00@city-exchange07>
References: <5081AEC2.9030902@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDF7@city-exchange07>
	<5081CE1E.30008@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DDFF@city-exchange07>
	<5081D853.4090101@crucis.net>
	<4A09477D575C2C4B86497161427DD94C279E12DE00@city-exchange07>
Message-ID: <5082F710.8090303@crucis.net>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121020/d0e63496/attachment.html 

From mailscanner at romehosting.com  Mon Oct 22 14:26:56 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Mon, 22 Oct 2012 09:26:56 -0400
Subject: Remove headers before MailScanner
Message-ID: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>

Hello All,

I am working with a company that receives mail from it's headquarters. 
Headquarters does a terrible job of filtering email, so we decided to
setup a local server and redirect everything here for filtering.  So far
so good.

Each message is stamped with "Resent-From" and "Return-Path" of the
redirecting address.  I can strip those headers out, after MailScanner,
but really need them removed before.

Any ideas?
-- 
Dave Gattis





From mailscanner at joolee.nl  Mon Oct 22 15:30:25 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 22 Oct 2012 16:30:25 +0200
Subject: Remove headers before MailScanner
In-Reply-To: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
Message-ID: <CA+Q-w8V+FrUSNGmFckQErHRC0qg_ArChmn=xR7ncKEVPsXeXRQ@mail.gmail.com>

2 options:
 - Don't use a relay address to run the E-mails through mailscanner. (how
you do this depends on how headquarters delivers your e-mail)
 - Place an extra MTA instance between your incomming e-mails and your
spamfiltering MTA to strip the headers.

On 22 October 2012 15:26, Dave Gattis <mailscanner at romehosting.com> wrote:

> Hello All,
>
> I am working with a company that receives mail from it's headquarters.
> Headquarters does a terrible job of filtering email, so we decided to
> setup a local server and redirect everything here for filtering.  So far
> so good.
>
> Each message is stamped with "Resent-From" and "Return-Path" of the
> redirecting address.  I can strip those headers out, after MailScanner,
> but really need them removed before.
>
> Any ideas?
> --
> Dave Gattis
>
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121022/3d5dbc54/attachment.html 

From mailscanner at pdscc.com  Mon Oct 22 17:43:50 2012
From: mailscanner at pdscc.com (Harondel J. Sibble)
Date: Mon, 22 Oct 2012 09:43:50 -0700
Subject: maillscanner/postfix saturates bandwidth :-(
In-Reply-To: <20121009232117.3ED5B5A1C81@sinclaire.sibble.net>
References: <20120924171534.693B55A1C82@sinclaire.sibble.net>,
	<alpine.DEB.2.00.1209241508520.22615@sisler.hq.richweb.com>,
	<20121009232117.3ED5B5A1C81@sinclaire.sibble.net>
Message-ID: <20121022164353.3729B5A1C81@sinclaire.sibble.net>

Interestingly enough, throttling INBOUND smtp at the firewall level resolved 
this issue.  Now they have no issues with sending out large mailouts.  
<shrug>

On 9 Oct 2012 at 16:21, Harondel J. Sibble wrote:

> 
> 
> On 24 Sep 2012 at 15:09, C. Jon Larsen wrote:
> 
> > > Basically the dsl connection they share with another office was saturated
> > > when the office admin did a mailout on friday to about 2000 of their
> > > subscribers, each email was about 3.5mb total with conversion overhead.
> > > When I say saturated, I mean in both the upstream and downstream
> > > directions. According the admin who runs the multitenant network in this
> > > office, he was seeing a sustained 1.6mb/s INBOUND connection to my
> > > client's firewall while this was happening.
> 
> > > I'm trying to figure out the best way to deal witih this moving forward,
> > > is there additional throttling I need to do at the postifx level or the
> > > mailscanner level or something else.  I was also surprised as my
> > > understand of postfix is that it does connection throttling by default.
> > 
> > You can play with variations of these settings in main.conf to control how
> > much email is sent out - these go into main.conf
> > 
> > local_destination_concurrency_limit = 2
> > default_destination_concurrency_limit = 2
> > initial_destination_concurrency = 2
> > 
> > smtpd_client_connection_count_limit = 10
> > default_destination_recipient_limit = 20
> 
> I'll do some testing with these as still getting same behaviour.
> 
> Setup caching dns server on the Mailscanner box, to replicate circumstances
> similar as before, had user send from outlook via exchange an email with no
> attachments, just body text to approx 550 recipients and basically same issue
> cropped up again, I had to eventually do
> 
> postqueue -p
> 
> postsuper -d 
> 
> on the messages in the queue to get things back to normal.
> 
> Which do you figure will give best bang for the buck assuming I add one at a
> time?  Are there general rules of thumb for the various values?
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
Blog: http://www.pdscc.com/blog
(604) 739-3709 (voice)


From ssilva at sgvwater.com  Mon Oct 22 17:49:32 2012
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon, 22 Oct 2012 09:49:32 -0700
Subject: Remove headers before MailScanner
In-Reply-To: <CA+Q-w8V+FrUSNGmFckQErHRC0qg_ArChmn=xR7ncKEVPsXeXRQ@mail.gmail.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<CA+Q-w8V+FrUSNGmFckQErHRC0qg_ArChmn=xR7ncKEVPsXeXRQ@mail.gmail.com>
Message-ID: <k63teq$v1m$1@ger.gmane.org>

Or run something like mimedefang... It can strip, add, remove or otherwise
manipulate the mail stream in many ways...


on 10/22/2012 7:30 AM Joolee spake the following:
> 2 options:
> ? - Don't use a relay address to run the E-mails through mailscanner. (how you
> do this depends on how headquarters delivers your e-mail)
> ? - Place an extra MTA instance between your incomming e-mails and your
> spamfiltering MTA to strip the headers.
> 
> On 22 October 2012 15:26, Dave Gattis <mailscanner at romehosting.com
> <mailto:mailscanner at romehosting.com>> wrote:
> 
>     Hello All,
> 
>     I am working with a company that receives mail from it's headquarters.
>     Headquarters does a terrible job of filtering email, so we decided to
>     setup a local server and redirect everything here for filtering. ? So far
>     so good.
> 
>     Each message is stamped with "Resent-From" and "Return-Path" of the
>     redirecting address. ? I can strip those headers out, after MailScanner,
>     but really need them removed before.
> 
>     Any ideas?
>     --
>     Dave Gattis
> 
> 
> 
> 
>     --
>     MailScanner mailing list
>     mailscanner at lists.mailscanner.info <mailto:mailscanner at lists.mailscanner.info>
>     http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
>     Before posting, read http://wiki.mailscanner.info/posting
> 
>     Support MailScanner development - buy the book off the website!
> 
> 
> 
> 



From john at tradoc.fr  Tue Oct 23 08:10:41 2012
From: john at tradoc.fr (John Wilcock)
Date: Tue, 23 Oct 2012 09:10:41 +0200
Subject: Remove headers before MailScanner
In-Reply-To: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
Message-ID: <508642F1.2010800@tradoc.fr>

Le 22/10/2012 15:26, Dave Gattis a ?crit :
> Each message is stamped with "Resent-From" and "Return-Path" of the
> redirecting address.  I can strip those headers out, after MailScanner,
> but really need them removed before.

Why do you really need them removed? If it's just for spamassassin, you 
can use bayes_ignore_header in your local.cf file.

John.

-- 
-- Over 5000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

From bfebrian.milis at gmail.com  Tue Oct 23 10:21:15 2012
From: bfebrian.milis at gmail.com (Budi Febrianto)
Date: Tue, 23 Oct 2012 16:21:15 +0700
Subject: Receives email with blank body
In-Reply-To: <CANcyygFHHHWR+QsMoHX4oUMLvSwndamrjAiMYfVFH-_ufB3V4w@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
	<CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
	<CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
	<CANcyygFHHHWR+QsMoHX4oUMLvSwndamrjAiMYfVFH-_ufB3V4w@mail.gmail.com>
Message-ID: <CANcyygH8poWibobNNy7TkSDPxLWe9uaonNckNAQrmsymYFBKkQ@mail.gmail.com>

Dear all,

I have the archive file that user received it as blank email.
Is there anything that I can do with it? test it? debug?

Best Regards


On Thu, Oct 11, 2012 at 10:25 AM, Budi Febrianto
<bfebrian.milis at gmail.com>wrote:

> Dear Martin,
>
> Already activated the archive facility.
> How to proper way to inject and debug mailscanner/sendmail?
>
> This is what I did, and maybe I did it wrong.
> shutdown the mailscanner
> copy the archive from /var/spool/MailScanner/archive/(date) to
> /var/spool/mqeue
> run mailscanner with --debug
>
> Mailscanner run, and than stop, with some error related with mailwatch
> about commit, but nothing else
>
> Best Regards
>
>
> On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth <maxsec at gmail.com> wrote:
>
>> Doubt it, unless the antivirus on the Domino server did something to it,
>> all Mailwatch does is log the information.
>>
>> Can you replay messages at all - ie do you use  the archive facility so
>> you can inject the message again while running in debug mode?
>>
>>
>>
>> --
>> Martin Hepworth, CISSP
>> Oxford, UK
>>
>>
>> On 8 October 2012 18:05, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>>
>>> Dear Martin,
>>>
>>> This happen not always with big emails, many big emails still delivered
>>> without any problems.
>>>
>>> This problem appears to be random, but often.
>>>
>>> The next host is the mail server, which is Lotus Domino 8.5.
>>>
>>> Is it possible that the anti virus or mailwatch somehow altered the mail
>>> format?
>>>
>>> Best regards
>>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:
>>>
>>>> Is this consistent with large emails above the spam checks size limit?
>>>>
>>>> If it is, you could run a test in debug mode of a large email to see
>>>> what's going flakey.
>>>>
>>>> I presume the next host down the line (192.168.10.17) is handling this
>>>> OK?
>>>>
>>>>
>>>> --
>>>> Martin Hepworth, CISSP
>>>> Oxford, UK
>>>>
>>>>
>>>> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>
>>>>> Dear Martin,
>>>>>
>>>>> Thank you for the reply, but I don't see something strange in the
>>>>> maillog
>>>>>
>>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>>>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>>>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>>>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>>>>> [202.77.100.39] (may be forged)
>>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<
>>>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562, stat=queued
>>>>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>>>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for
>>>>> spam checks (341198 > 200000 bytes)
>>>>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message
>>>>> q917UfQF014676 to SQL
>>>>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>>>>> MailWatch SQL
>>>>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<
>>>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp,
>>>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent
>>>>> (Message accepted for delivery)
>>>>>
>>>>> Best Regards
>>>>>
>>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>>>
>>>>>> Check the mailScanner logs for  that message to see if it's doing
>>>>>> anything 'unusual' with the message.
>>>>>>
>>>>>> --
>>>>>> Martin Hepworth, CISSP
>>>>>> Oxford, UK
>>>>>>
>>>>>>
>>>>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>>
>>>>>>> Dear all,
>>>>>>>
>>>>>>> My customer have problems with their mailscanner installation,
>>>>>>> sometimes users emails with blank body. I already search the web for
>>>>>>> possible reasons, but can't find any.
>>>>>>>
>>>>>>> This is the configurations:
>>>>>>>
>>>>>>> MailScanner 4.84.5
>>>>>>> Centos 6.2 64 bit
>>>>>>> Sendmail 8.13
>>>>>>> MailWatch-1.1.5.1
>>>>>>> ClamAV 0.96.5
>>>>>>>
>>>>>>> Best regards
>>>>>>>
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>
>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>
>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/b29e5209/attachment.html 

From mailscanner at joolee.nl  Tue Oct 23 11:22:02 2012
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 23 Oct 2012 12:22:02 +0200
Subject: Receives email with blank body
In-Reply-To: <CANcyygH8poWibobNNy7TkSDPxLWe9uaonNckNAQrmsymYFBKkQ@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
	<CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
	<CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
	<CANcyygFHHHWR+QsMoHX4oUMLvSwndamrjAiMYfVFH-_ufB3V4w@mail.gmail.com>
	<CANcyygH8poWibobNNy7TkSDPxLWe9uaonNckNAQrmsymYFBKkQ@mail.gmail.com>
Message-ID: <CA+Q-w8XKH=EZzg5S8WyrMb6R21s11BdpEoTsPAB37k5RJHvpLg@mail.gmail.com>

Compare the e-mail the customer received (the source code, not the view)
and the original archive file.
You might post both versions to the mailing list after stripping personal
information.

On 23 October 2012 11:21, Budi Febrianto <bfebrian.milis at gmail.com> wrote:

> Dear all,
>
> I have the archive file that user received it as blank email.
> Is there anything that I can do with it? test it? debug?
>
> Best Regards
>
>
> On Thu, Oct 11, 2012 at 10:25 AM, Budi Febrianto <bfebrian.milis at gmail.com
> > wrote:
>
>> Dear Martin,
>>
>> Already activated the archive facility.
>> How to proper way to inject and debug mailscanner/sendmail?
>>
>> This is what I did, and maybe I did it wrong.
>> shutdown the mailscanner
>> copy the archive from /var/spool/MailScanner/archive/(date) to
>> /var/spool/mqeue
>> run mailscanner with --debug
>>
>> Mailscanner run, and than stop, with some error related with mailwatch
>> about commit, but nothing else
>>
>> Best Regards
>>
>>
>> On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth <maxsec at gmail.com> wrote:
>>
>>> Doubt it, unless the antivirus on the Domino server did something to it,
>>> all Mailwatch does is log the information.
>>>
>>> Can you replay messages at all - ie do you use  the archive facility so
>>> you can inject the message again while running in debug mode?
>>>
>>>
>>>
>>> --
>>> Martin Hepworth, CISSP
>>> Oxford, UK
>>>
>>>
>>> On 8 October 2012 18:05, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>
>>>> Dear Martin,
>>>>
>>>> This happen not always with big emails, many big emails still delivered
>>>> without any problems.
>>>>
>>>> This problem appears to be random, but often.
>>>>
>>>> The next host is the mail server, which is Lotus Domino 8.5.
>>>>
>>>> Is it possible that the anti virus or mailwatch somehow altered the
>>>> mail format?
>>>>
>>>> Best regards
>>>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:
>>>>
>>>>> Is this consistent with large emails above the spam checks size limit?
>>>>>
>>>>> If it is, you could run a test in debug mode of a large email to see
>>>>> what's going flakey.
>>>>>
>>>>> I presume the next host down the line (192.168.10.17) is handling this
>>>>> OK?
>>>>>
>>>>>
>>>>> --
>>>>> Martin Hepworth, CISSP
>>>>> Oxford, UK
>>>>>
>>>>>
>>>>> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>
>>>>>> Dear Martin,
>>>>>>
>>>>>> Thank you for the reply, but I don't see something strange in the
>>>>>> maillog
>>>>>>
>>>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>>>>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>>>>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>>>>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>>>>>> [202.77.100.39] (may be forged)
>>>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<
>>>>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562,
>>>>>> stat=queued
>>>>>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>>>>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for
>>>>>> spam checks (341198 > 200000 bytes)
>>>>>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message
>>>>>> q917UfQF014676 to SQL
>>>>>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>>>>>> MailWatch SQL
>>>>>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<
>>>>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp,
>>>>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent
>>>>>> (Message accepted for delivery)
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>>>>
>>>>>>> Check the mailScanner logs for  that message to see if it's doing
>>>>>>> anything 'unusual' with the message.
>>>>>>>
>>>>>>> --
>>>>>>> Martin Hepworth, CISSP
>>>>>>> Oxford, UK
>>>>>>>
>>>>>>>
>>>>>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>>>
>>>>>>>> Dear all,
>>>>>>>>
>>>>>>>> My customer have problems with their mailscanner installation,
>>>>>>>> sometimes users emails with blank body. I already search the web for
>>>>>>>> possible reasons, but can't find any.
>>>>>>>>
>>>>>>>> This is the configurations:
>>>>>>>>
>>>>>>>> MailScanner 4.84.5
>>>>>>>> Centos 6.2 64 bit
>>>>>>>> Sendmail 8.13
>>>>>>>> MailWatch-1.1.5.1
>>>>>>>> ClamAV 0.96.5
>>>>>>>>
>>>>>>>> Best regards
>>>>>>>>
>>>>>>>> --
>>>>>>>> MailScanner mailing list
>>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>
>>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>>
>>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>
>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>
>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner at lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/3527f208/attachment.html 

From mailscanner at romehosting.com  Tue Oct 23 11:58:07 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Tue, 23 Oct 2012 06:58:07 -0400
Subject: Remove headers before MailScanner
In-Reply-To: <508642F1.2010800@tradoc.fr>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<508642F1.2010800@tradoc.fr>
Message-ID: <dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>

Let me see if I can explain this properly:

a at hotmail.com sends to b at mydomain1.com.

a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore

a at hotmail.com arrives safely c at mydomain2.com.

When opening the email, it looks like this:

From: a at hotmail.com
To: b at mydomain1.com

This is exactly what I want and works perfectly in any mail client.

Unfortunately, when you look at the list of messages MailScanner has
processed (using the MailWatch frontend), every message, no matter who
from looks like this:

From: b at mydomain1.com
To: c at mydomain2.com

This renders white/blacklisting useless, and subject lines are the only
clues available for releasing SPAM.  When looking at the raw headers, the
redirect is adding a "Resent-From" header which I believe is overriding
the "From" header.

No matter what is received, MailScanner is basing some of it's decisions
on the "Resent-From" address which lowers the score for all messages.

This is what happens when corporations make poor decisions. 
Unfortunately, I am forced to find a workaround for it.

Thanks,
-- 
Dave Gattis


> Le 22/10/2012 15:26, Dave Gattis a ?crit :
>> Each message is stamped with "Resent-From" and "Return-Path" of the
>> redirecting address.  I can strip those headers out, after MailScanner,
>> but really need them removed before.
>
> Why do you really need them removed? If it's just for spamassassin, you
> can use bayes_ignore_header in your local.cf file.
>
> John.
>
> --
> -- Over 5000 webcams from ski resorts around the world - www.snoweye.com
> -- Translate your technical documents and web pages    - www.tradoc.fr
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



From mailscanner at joolee.nl  Tue Oct 23 12:39:05 2012
From: mailscanner at joolee.nl (Joolee)
Date: Tue, 23 Oct 2012 13:39:05 +0200
Subject: Remove headers before MailScanner
In-Reply-To: <dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<508642F1.2010800@tradoc.fr>
	<dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>
Message-ID: <CA+Q-w8WasaBxGRFivNbdTRk_TyjS75tXJ1V7QwvfcPJfiJ7Kww@mail.gmail.com>

Mailwatch uses the "envelope-from" to display in the list.

On 23 October 2012 12:58, Dave Gattis <mailscanner at romehosting.com> wrote:

> Let me see if I can explain this properly:
>
> a at hotmail.com sends to b at mydomain1.com.
>
> a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore
>
> a at hotmail.com arrives safely c at mydomain2.com.
>
> When opening the email, it looks like this:
>
> From: a at hotmail.com
> To: b at mydomain1.com
>
> This is exactly what I want and works perfectly in any mail client.
>
> Unfortunately, when you look at the list of messages MailScanner has
> processed (using the MailWatch frontend), every message, no matter who
> from looks like this:
>
> From: b at mydomain1.com
> To: c at mydomain2.com
>
> This renders white/blacklisting useless, and subject lines are the only
> clues available for releasing SPAM.  When looking at the raw headers, the
> redirect is adding a "Resent-From" header which I believe is overriding
> the "From" header.
>
> No matter what is received, MailScanner is basing some of it's decisions
> on the "Resent-From" address which lowers the score for all messages.
>
> This is what happens when corporations make poor decisions.
> Unfortunately, I am forced to find a workaround for it.
>
> Thanks,
> --
> Dave Gattis
>
>
> > Le 22/10/2012 15:26, Dave Gattis a ?crit :
> >> Each message is stamped with "Resent-From" and "Return-Path" of the
> >> redirecting address.  I can strip those headers out, after MailScanner,
> >> but really need them removed before.
> >
> > Why do you really need them removed? If it's just for spamassassin, you
> > can use bayes_ignore_header in your local.cf file.
> >
> > John.
> >
> > --
> > -- Over 5000 webcams from ski resorts around the world - www.snoweye.com
> > -- Translate your technical documents and web pages    - www.tradoc.fr
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/eb4d43fe/attachment.html 

From mailscanner at romehosting.com  Tue Oct 23 14:08:36 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Tue, 23 Oct 2012 09:08:36 -0400
Subject: Remove headers before MailScanner
In-Reply-To: <CA+Q-w8WasaBxGRFivNbdTRk_TyjS75tXJ1V7QwvfcPJfiJ7Kww@mail.gmail.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<508642F1.2010800@tradoc.fr>
	<dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>
	<CA+Q-w8WasaBxGRFivNbdTRk_TyjS75tXJ1V7QwvfcPJfiJ7Kww@mail.gmail.com>
Message-ID: <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>

According to mailwatch, here's all the listed headers:

Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
      by domain1.com (Postfix) with ESMTP id D30D01C100FB
      for <dave.gattis at domain2.com>; Tue, 23 Oct 2012 08:48:31 -0400 (EDT)
Received: from  mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP Server id
14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
From: Dave Gattis <dave.gattis at hotmail.com>  <-- MailScanner/MailWatch
ignores this line
To: Dave Gattis <dave.gattis at domain1.com>
Subject: test for mailscanner group
Date: Tue, 23 Oct 2012 12:48:40 +0000
Message-ID: <b4339c5b9c53472eae950d4ff046d840 at mail2.domain1.com>
Resent-From: <dave.gattis at domain1.com>  <-- MailScanner/MailWatch
considers this line to be the sender
Content-Type: multipart/alternative;
      boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
MIME-Version: 1.0

MailWatch's recent messages tab displays the message like this, only in
column format:


Date/Time:
23/10/12
08:48:33

From:
dave.gattis at domain1.com  (needs to be dave.gattis at hotmail.com)

To:
dave.gattis at sdomain2.com

Subject:
test for mailscanner group

Size
2.2Kb

SA Score
-1.02

Status
Clean


-- 
Dave Gattis


> Mailwatch uses the "envelope-from" to display in the list.
>
> On 23 October 2012 12:58, Dave Gattis <mailscanner at romehosting.com> wrote:
>
>> Let me see if I can explain this properly:
>>
>> a at hotmail.com sends to b at mydomain1.com.
>>
>> a rule exists at mydomain1.com to redirect to c at mydomain2.com, therefore
>>
>> a at hotmail.com arrives safely c at mydomain2.com.
>>
>> When opening the email, it looks like this:
>>
>> From: a at hotmail.com
>> To: b at mydomain1.com
>>
>> This is exactly what I want and works perfectly in any mail client.
>>
>> Unfortunately, when you look at the list of messages MailScanner has
>> processed (using the MailWatch frontend), every message, no matter who
>> from looks like this:
>>
>> From: b at mydomain1.com
>> To: c at mydomain2.com
>>
>> This renders white/blacklisting useless, and subject lines are the only
>> clues available for releasing SPAM.  When looking at the raw headers,
>> the
>> redirect is adding a "Resent-From" header which I believe is overriding
>> the "From" header.
>>
>> No matter what is received, MailScanner is basing some of it's decisions
>> on the "Resent-From" address which lowers the score for all messages.
>>
>> This is what happens when corporations make poor decisions.
>> Unfortunately, I am forced to find a workaround for it.
>>
>> Thanks,
>> --
>> Dave Gattis
>>
>>
>> > Le 22/10/2012 15:26, Dave Gattis a ??crit :
>> >> Each message is stamped with "Resent-From" and "Return-Path" of the
>> >> redirecting address.  I can strip those headers out, after
>> MailScanner,
>> >> but really need them removed before.
>> >
>> > Why do you really need them removed? If it's just for spamassassin,
>> you
>> > can use bayes_ignore_header in your local.cf file.
>> >
>> > John.
>> >
>> > --
>> > -- Over 5000 webcams from ski resorts around the world -
>> www.snoweye.com
>> > -- Translate your technical documents and web pages    - www.tradoc.fr
>> > --
>> > MailScanner mailing list
>> > mailscanner at lists.mailscanner.info
>> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> > Before posting, read http://wiki.mailscanner.info/posting
>> >
>> > Support MailScanner development - buy the book off the website!
>> >
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



From maxsec at gmail.com  Tue Oct 23 16:21:59 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 23 Oct 2012 16:21:59 +0100
Subject: Remove headers before MailScanner
In-Reply-To: <25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<508642F1.2010800@tradoc.fr>
	<dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>
	<CA+Q-w8WasaBxGRFivNbdTRk_TyjS75tXJ1V7QwvfcPJfiJ7Kww@mail.gmail.com>
	<25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
Message-ID: <CAGDKor+duOi6-kpGp+Q31bngALmXGH1ngaGmJhnvxveaPP5D2w@mail.gmail.com>

hmm looks like exch doing a crap job of forwarding the emails, either that
or it's poorly setup. My exch just forwards the emails to my local exch
server without all this extra cruft in the logs.

Are these two sites part of the same AD domain or do they run some sort of
split design?

-- 
Martin Hepworth, CISSP
Oxford, UK


On 23 October 2012 14:08, Dave Gattis <mailscanner at romehosting.com> wrote:

> According to mailwatch, here's all the listed headers:
>
> Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
>       by domain1.com (Postfix) with ESMTP id D30D01C100FB
>       for <dave.gattis at domain2.com>; Tue, 23 Oct 2012 08:48:31 -0400 (EDT)
> Received: from  mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
> mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP
> Server id
> 14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
> From: Dave Gattis <dave.gattis at hotmail.com>  <-- MailScanner/MailWatch
> ignores this line
> To: Dave Gattis <dave.gattis at domain1.com>
> Subject: test for mailscanner group
> Date: Tue, 23 Oct 2012 12:48:40 +0000
> Message-ID: <b4339c5b9c53472eae950d4ff046d840 at mail2.domain1.com>
> Resent-From: <dave.gattis at domain1.com>  <-- MailScanner/MailWatch
> considers this line to be the sender
> Content-Type: multipart/alternative;
>       boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
> MIME-Version: 1.0
>
> MailWatch's recent messages tab displays the message like this, only in
> column format:
>
>
> Date/Time:
> 23/10/12
> 08:48:33
>
> From:
> dave.gattis at domain1.com  (needs to be dave.gattis at hotmail.com)
>
> To:
> dave.gattis at sdomain2.com
>
> Subject:
> test for mailscanner group
>
> Size
> 2.2Kb
>
> SA Score
> -1.02
>
> Status
> Clean
>
>
> --
> Dave Gattis
>
>
> > Mailwatch uses the "envelope-from" to display in the list.
> >
> > On 23 October 2012 12:58, Dave Gattis <mailscanner at romehosting.com>
> wrote:
> >
> >> Let me see if I can explain this properly:
> >>
> >> a at hotmail.com sends to b at mydomain1.com.
> >>
> >> a rule exists at mydomain1.com to redirect to c at mydomain2.com,
> therefore
> >>
> >> a at hotmail.com arrives safely c at mydomain2.com.
> >>
> >> When opening the email, it looks like this:
> >>
> >> From: a at hotmail.com
> >> To: b at mydomain1.com
> >>
> >> This is exactly what I want and works perfectly in any mail client.
> >>
> >> Unfortunately, when you look at the list of messages MailScanner has
> >> processed (using the MailWatch frontend), every message, no matter who
> >> from looks like this:
> >>
> >> From: b at mydomain1.com
> >> To: c at mydomain2.com
> >>
> >> This renders white/blacklisting useless, and subject lines are the only
> >> clues available for releasing SPAM.  When looking at the raw headers,
> >> the
> >> redirect is adding a "Resent-From" header which I believe is overriding
> >> the "From" header.
> >>
> >> No matter what is received, MailScanner is basing some of it's decisions
> >> on the "Resent-From" address which lowers the score for all messages.
> >>
> >> This is what happens when corporations make poor decisions.
> >> Unfortunately, I am forced to find a workaround for it.
> >>
> >> Thanks,
> >> --
> >> Dave Gattis
> >>
> >>
> >> > Le 22/10/2012 15:26, Dave Gattis a ??crit :
> >> >> Each message is stamped with "Resent-From" and "Return-Path" of the
> >> >> redirecting address.  I can strip those headers out, after
> >> MailScanner,
> >> >> but really need them removed before.
> >> >
> >> > Why do you really need them removed? If it's just for spamassassin,
> >> you
> >> > can use bayes_ignore_header in your local.cf file.
> >> >
> >> > John.
> >> >
> >> > --
> >> > -- Over 5000 webcams from ski resorts around the world -
> >> www.snoweye.com
> >> > -- Translate your technical documents and web pages    -
> www.tradoc.fr
> >> > --
> >> > MailScanner mailing list
> >> > mailscanner at lists.mailscanner.info
> >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >> >
> >> > Before posting, read http://wiki.mailscanner.info/posting
> >> >
> >> > Support MailScanner development - buy the book off the website!
> >> >
> >>
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >>
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/93270a91/attachment.html 

From maxsec at gmail.com  Tue Oct 23 16:24:44 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 23 Oct 2012 16:24:44 +0100
Subject: Receives email with blank body
In-Reply-To: <CA+Q-w8XKH=EZzg5S8WyrMb6R21s11BdpEoTsPAB37k5RJHvpLg@mail.gmail.com>
References: <CANcyygHtQL+wxMmDb2E_Rm9VyCP489Yoc-zXJQatTxn3E3wppQ@mail.gmail.com>
	<CAGDKorJTEBth2jUBfFVyH6ngvfQXzErEKRyb1d2B6MYgCkXfuA@mail.gmail.com>
	<CANcyygFFsCf7Bm2ancOWMrr_EBdmaYt-+CaMMJXarnByk2_LeQ@mail.gmail.com>
	<CAGDKorLaeuOJcOEy-o8dfJ70Mz87ovKP8oHEWu0dQ78K_n7pmg@mail.gmail.com>
	<CANcyygHMXzQvmFtUDeTC_XuBWvQbj4o1Cw-tkdzkBthQ7AhaRA@mail.gmail.com>
	<CAGDKorKSohS2mZjPQK8LdXHP2CLf8U-pOBXVNSCkNbDm_4FSkQ@mail.gmail.com>
	<CANcyygFHHHWR+QsMoHX4oUMLvSwndamrjAiMYfVFH-_ufB3V4w@mail.gmail.com>
	<CANcyygH8poWibobNNy7TkSDPxLWe9uaonNckNAQrmsymYFBKkQ@mail.gmail.com>
	<CA+Q-w8XKH=EZzg5S8WyrMb6R21s11BdpEoTsPAB37k5RJHvpLg@mail.gmail.com>
Message-ID: <CAGDKorKB14692MJsXpaBCLEr9omDFL8DqKk=Yi-G9GDi3JDQZw@mail.gmail.com>

and also look at  the archive for the original message and the logs for the
message to see what MS thought of the email and what it did with it.

-- 
Martin Hepworth, CISSP
Oxford, UK


On 23 October 2012 11:22, Joolee <mailscanner at joolee.nl> wrote:

> Compare the e-mail the customer received (the source code, not the view)
> and the original archive file.
> You might post both versions to the mailing list after stripping personal
> information.
>
>
> On 23 October 2012 11:21, Budi Febrianto <bfebrian.milis at gmail.com> wrote:
>
>> Dear all,
>>
>> I have the archive file that user received it as blank email.
>> Is there anything that I can do with it? test it? debug?
>>
>> Best Regards
>>
>>
>> On Thu, Oct 11, 2012 at 10:25 AM, Budi Febrianto <
>> bfebrian.milis at gmail.com> wrote:
>>
>>> Dear Martin,
>>>
>>> Already activated the archive facility.
>>> How to proper way to inject and debug mailscanner/sendmail?
>>>
>>> This is what I did, and maybe I did it wrong.
>>> shutdown the mailscanner
>>> copy the archive from /var/spool/MailScanner/archive/(date) to
>>> /var/spool/mqeue
>>> run mailscanner with --debug
>>>
>>> Mailscanner run, and than stop, with some error related with mailwatch
>>> about commit, but nothing else
>>>
>>> Best Regards
>>>
>>>
>>> On Tue, Oct 9, 2012 at 1:31 AM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>
>>>> Doubt it, unless the antivirus on the Domino server did something to
>>>> it, all Mailwatch does is log the information.
>>>>
>>>> Can you replay messages at all - ie do you use  the archive facility so
>>>> you can inject the message again while running in debug mode?
>>>>
>>>>
>>>>
>>>> --
>>>> Martin Hepworth, CISSP
>>>> Oxford, UK
>>>>
>>>>
>>>> On 8 October 2012 18:05, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>
>>>>> Dear Martin,
>>>>>
>>>>> This happen not always with big emails, many big emails still
>>>>> delivered without any problems.
>>>>>
>>>>> This problem appears to be random, but often.
>>>>>
>>>>> The next host is the mail server, which is Lotus Domino 8.5.
>>>>>
>>>>> Is it possible that the anti virus or mailwatch somehow altered the
>>>>> mail format?
>>>>>
>>>>> Best regards
>>>>> On Oct 8, 2012 11:39 PM, "Martin Hepworth" <maxsec at gmail.com> wrote:
>>>>>
>>>>>> Is this consistent with large emails above the spam checks size limit?
>>>>>>
>>>>>> If it is, you could run a test in debug mode of a large email to see
>>>>>> what's going flakey.
>>>>>>
>>>>>> I presume the next host down the line (192.168.10.17) is handling
>>>>>> this OK?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Martin Hepworth, CISSP
>>>>>> Oxford, UK
>>>>>>
>>>>>>
>>>>>> On 8 October 2012 16:27, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>>
>>>>>>> Dear Martin,
>>>>>>>
>>>>>>> Thank you for the reply, but I don't see something strange in the
>>>>>>> maillog
>>>>>>>
>>>>>>> [root at spam log]# cat maillog.1 | grep q917UfQF014676
>>>>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: from=<
>>>>>>> cory.margaret at abc.com>, size=340562, class=0, nrcpts=1, msgid=<
>>>>>>> E430C752C711024D996D49014F27FD10A78D9B at MT-XC-02-CB.abc.com>,
>>>>>>> proto=ESMTP, daemon=MTA, relay=ln-static-202-77-100-39.link.net.id
>>>>>>> [202.77.100.39] (may be forged)
>>>>>>> Oct  1 14:30:58 spam sendmail[14676]: q917UfQF014676: to=<
>>>>>>> amiws at xyz.co.id>, delay=00:00:11, mailer=smtp, pri=370562,
>>>>>>> stat=queued
>>>>>>> Oct  1 14:30:59 spam MailScanner[13678]: Message q917UfQF014676 from
>>>>>>> 202.77.100.39 (cory.margaret at abc.com) to xyz.co.id is too big for
>>>>>>> spam checks (341198 > 200000 bytes)
>>>>>>> Oct  1 14:30:59 spam MailScanner[13678]: Logging message
>>>>>>> q917UfQF014676 to SQL
>>>>>>> Oct  1 14:30:59 spam MailScanner[13945]: q917UfQF014676: Logged to
>>>>>>> MailWatch SQL
>>>>>>> Oct  1 14:31:00 spam sendmail[14693]: q917UfQF014676: to=<
>>>>>>> amiws at xyz.co.id>, delay=00:00:13, xdelay=00:00:01, mailer=smtp,
>>>>>>> pri=460562, relay=[192.168.10.17] [192.168.10.17], dsn=2.0.0, stat=Sent
>>>>>>> (Message accepted for delivery)
>>>>>>>
>>>>>>> Best Regards
>>>>>>>
>>>>>>> On Mon, Oct 8, 2012 at 6:53 PM, Martin Hepworth <maxsec at gmail.com>wrote:
>>>>>>>
>>>>>>>> Check the mailScanner logs for  that message to see if it's doing
>>>>>>>> anything 'unusual' with the message.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Martin Hepworth, CISSP
>>>>>>>> Oxford, UK
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8 October 2012 11:30, Budi Febrianto <bfebrian.milis at gmail.com>wrote:
>>>>>>>>
>>>>>>>>> Dear all,
>>>>>>>>>
>>>>>>>>> My customer have problems with their mailscanner installation,
>>>>>>>>> sometimes users emails with blank body. I already search the web for
>>>>>>>>> possible reasons, but can't find any.
>>>>>>>>>
>>>>>>>>> This is the configurations:
>>>>>>>>>
>>>>>>>>> MailScanner 4.84.5
>>>>>>>>> Centos 6.2 64 bit
>>>>>>>>> Sendmail 8.13
>>>>>>>>> MailWatch-1.1.5.1
>>>>>>>>> ClamAV 0.96.5
>>>>>>>>>
>>>>>>>>> Best regards
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> MailScanner mailing list
>>>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>>
>>>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>>>
>>>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> MailScanner mailing list
>>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>>
>>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>>
>>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner at lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>
>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>
>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner at lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>>
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121023/b6e1833b/attachment.html 

From mailscanner at romehosting.com  Tue Oct 23 18:11:21 2012
From: mailscanner at romehosting.com (Dave Gattis)
Date: Tue, 23 Oct 2012 13:11:21 -0400
Subject: Remove headers before MailScanner
In-Reply-To: <CAGDKor+duOi6-kpGp+Q31bngALmXGH1ngaGmJhnvxveaPP5D2w@mail.gmail.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<508642F1.2010800@tradoc.fr>
	<dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>
	<CA+Q-w8WasaBxGRFivNbdTRk_TyjS75tXJ1V7QwvfcPJfiJ7Kww@mail.gmail.com>
	<25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
	<CAGDKor+duOi6-kpGp+Q31bngALmXGH1ngaGmJhnvxveaPP5D2w@mail.gmail.com>
Message-ID: <f7f309457f6ed9db02aebfc4058391bd.squirrel@mail.romehosting.com>

Forwarder (exchange) is in Switzerland.  Destination (postfix) is in USA. 
Non-related domains.
-- 
Dave Gattis


> hmm looks like exch doing a crap job of forwarding the emails, either that
> or it's poorly setup. My exch just forwards the emails to my local exch
> server without all this extra cruft in the logs.
>
> Are these two sites part of the same AD domain or do they run some sort of
> split design?
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 23 October 2012 14:08, Dave Gattis <mailscanner at romehosting.com> wrote:
>
>> According to mailwatch, here's all the listed headers:
>>
>> Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
>>       by domain1.com (Postfix) with ESMTP id D30D01C100FB
>>       for <dave.gattis at domain2.com>; Tue, 23 Oct 2012 08:48:31 -0400
>> (EDT)
>> Received: from  mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
>> mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP
>> Server id
>> 14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
>> From: Dave Gattis <dave.gattis at hotmail.com>  <-- MailScanner/MailWatch
>> ignores this line
>> To: Dave Gattis <dave.gattis at domain1.com>
>> Subject: test for mailscanner group
>> Date: Tue, 23 Oct 2012 12:48:40 +0000
>> Message-ID: <b4339c5b9c53472eae950d4ff046d840 at mail2.domain1.com>
>> Resent-From: <dave.gattis at domain1.com>  <-- MailScanner/MailWatch
>> considers this line to be the sender
>> Content-Type: multipart/alternative;
>>       boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
>> MIME-Version: 1.0
>>
>> MailWatch's recent messages tab displays the message like this, only in
>> column format:
>>
>>
>> Date/Time:
>> 23/10/12
>> 08:48:33
>>
>> From:
>> dave.gattis at domain1.com  (needs to be dave.gattis at hotmail.com)
>>
>> To:
>> dave.gattis at sdomain2.com
>>
>> Subject:
>> test for mailscanner group
>>
>> Size
>> 2.2Kb
>>
>> SA Score
>> -1.02
>>
>> Status
>> Clean
>>
>>
>> --
>> Dave Gattis
>>
>>
>> > Mailwatch uses the "envelope-from" to display in the list.
>> >
>> > On 23 October 2012 12:58, Dave Gattis <mailscanner at romehosting.com>
>> wrote:
>> >
>> >> Let me see if I can explain this properly:
>> >>
>> >> a at hotmail.com sends to b at mydomain1.com.
>> >>
>> >> a rule exists at mydomain1.com to redirect to c at mydomain2.com,
>> therefore
>> >>
>> >> a at hotmail.com arrives safely c at mydomain2.com.
>> >>
>> >> When opening the email, it looks like this:
>> >>
>> >> From: a at hotmail.com
>> >> To: b at mydomain1.com
>> >>
>> >> This is exactly what I want and works perfectly in any mail client.
>> >>
>> >> Unfortunately, when you look at the list of messages MailScanner has
>> >> processed (using the MailWatch frontend), every message, no matter
>> who
>> >> from looks like this:
>> >>
>> >> From: b at mydomain1.com
>> >> To: c at mydomain2.com
>> >>
>> >> This renders white/blacklisting useless, and subject lines are the
>> only
>> >> clues available for releasing SPAM.  When looking at the raw headers,
>> >> the
>> >> redirect is adding a "Resent-From" header which I believe is
>> overriding
>> >> the "From" header.
>> >>
>> >> No matter what is received, MailScanner is basing some of it's
>> decisions
>> >> on the "Resent-From" address which lowers the score for all messages.
>> >>
>> >> This is what happens when corporations make poor decisions.
>> >> Unfortunately, I am forced to find a workaround for it.
>> >>
>> >> Thanks,
>> >> --
>> >> Dave Gattis
>> >>
>> >>
>> >> > Le 22/10/2012 15:26, Dave Gattis a ??crit :
>> >> >> Each message is stamped with "Resent-From" and "Return-Path" of
>> the
>> >> >> redirecting address.  I can strip those headers out, after
>> >> MailScanner,
>> >> >> but really need them removed before.
>> >> >
>> >> > Why do you really need them removed? If it's just for spamassassin,
>> >> you
>> >> > can use bayes_ignore_header in your local.cf file.
>> >> >
>> >> > John.
>> >> >
>> >> > --
>> >> > -- Over 5000 webcams from ski resorts around the world -
>> >> www.snoweye.com
>> >> > -- Translate your technical documents and web pages    -
>> www.tradoc.fr
>> >> > --
>> >> > MailScanner mailing list
>> >> > mailscanner at lists.mailscanner.info
>> >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >> >
>> >> > Before posting, read http://wiki.mailscanner.info/posting
>> >> >
>> >> > Support MailScanner development - buy the book off the website!
>> >> >
>> >>
>> >>
>> >> --
>> >> MailScanner mailing list
>> >> mailscanner at lists.mailscanner.info
>> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >>
>> >> Before posting, read http://wiki.mailscanner.info/posting
>> >>
>> >> Support MailScanner development - buy the book off the website!
>> >>
>> > --
>> > MailScanner mailing list
>> > mailscanner at lists.mailscanner.info
>> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
>> >
>> > Before posting, read http://wiki.mailscanner.info/posting
>> >
>> > Support MailScanner development - buy the book off the website!
>> >
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>



From glenn.steen at gmail.com  Thu Oct 25 14:55:32 2012
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu, 25 Oct 2012 15:55:32 +0200
Subject: Remove headers before MailScanner
In-Reply-To: <f7f309457f6ed9db02aebfc4058391bd.squirrel@mail.romehosting.com>
References: <855d1cd013fe492f97a4e85bca498014.squirrel@mail.romehosting.com>
	<508642F1.2010800@tradoc.fr>
	<dc6873c3bad4d14ffb83a9da2c5fb8cb.squirrel@mail.romehosting.com>
	<CA+Q-w8WasaBxGRFivNbdTRk_TyjS75tXJ1V7QwvfcPJfiJ7Kww@mail.gmail.com>
	<25332294760158a41e0ea190272a4559.squirrel@mail.romehosting.com>
	<CAGDKor+duOi6-kpGp+Q31bngALmXGH1ngaGmJhnvxveaPP5D2w@mail.gmail.com>
	<f7f309457f6ed9db02aebfc4058391bd.squirrel@mail.romehosting.com>
Message-ID: <CAAug_B9vG0outytSfZM7BNRbD76coVVCyrp7QUS-Kt6R__A_bw@mail.gmail.com>

So why dont they just relay your domain? Or am I reading this slightly
wrong, so that you actually mean "yes, the recipients being forwarded are
in the same domain (Swiss owned) as other non-forwarded recipients, and are
aliased to our local domain, rather than being a straightforward relay"?
If that is the case, you'd need do some hacking in MailWatch.pm to "solve"
this, as well as look at the Received: futzing in both SA and MS. Or make
the forward->relay...:-)

Cheers
-- 
-- Glenn
Den 23 okt 2012 19:36 skrev "Dave Gattis" <mailscanner at romehosting.com>:

> Forwarder (exchange) is in Switzerland.  Destination (postfix) is in USA.
> Non-related domains.
> --
> Dave Gattis
>
>
> > hmm looks like exch doing a crap job of forwarding the emails, either
> that
> > or it's poorly setup. My exch just forwards the emails to my local exch
> > server without all this extra cruft in the logs.
> >
> > Are these two sites part of the same AD domain or do they run some sort
> of
> > split design?
> >
> > --
> > Martin Hepworth, CISSP
> > Oxford, UK
> >
> >
> > On 23 October 2012 14:08, Dave Gattis <mailscanner at romehosting.com>
> wrote:
> >
> >> According to mailwatch, here's all the listed headers:
> >>
> >> Received: from mail1.domain1.com (mail1.domain1.com [XX.XXX.XXX.XX])
> >>       by domain1.com (Postfix) with ESMTP id D30D01C100FB
> >>       for <dave.gattis at domain2.com>; Tue, 23 Oct 2012 08:48:31 -0400
> >> (EDT)
> >> Received: from  mail2.domain1.com ([ffff::aaaa:8888:bbbb:7777]) by
> >> mail2.domain2.com ([ffff::aaaa:8888:bbbb:7777]) with Microsoft SMTP
> >> Server id
> >> 14.01.0355.002; Tue, 23 Oct 2012 14:48:25 +0200
> >> From: Dave Gattis <dave.gattis at hotmail.com>  <-- MailScanner/MailWatch
> >> ignores this line
> >> To: Dave Gattis <dave.gattis at domain1.com>
> >> Subject: test for mailscanner group
> >> Date: Tue, 23 Oct 2012 12:48:40 +0000
> >> Message-ID: <b4339c5b9c53472eae950d4ff046d840 at mail2.domain1.com>
> >> Resent-From: <dave.gattis at domain1.com>  <-- MailScanner/MailWatch
> >> considers this line to be the sender
> >> Content-Type: multipart/alternative;
> >>       boundary="_000_b4339c5b9c53472eae950d4ff046d840mail2domain1com_"
> >> MIME-Version: 1.0
> >>
> >> MailWatch's recent messages tab displays the message like this, only in
> >> column format:
> >>
> >>
> >> Date/Time:
> >> 23/10/12
> >> 08:48:33
> >>
> >> From:
> >> dave.gattis at domain1.com  (needs to be dave.gattis at hotmail.com)
> >>
> >> To:
> >> dave.gattis at sdomain2.com
> >>
> >> Subject:
> >> test for mailscanner group
> >>
> >> Size
> >> 2.2Kb
> >>
> >> SA Score
> >> -1.02
> >>
> >> Status
> >> Clean
> >>
> >>
> >> --
> >> Dave Gattis
> >>
> >>
> >> > Mailwatch uses the "envelope-from" to display in the list.
> >> >
> >> > On 23 October 2012 12:58, Dave Gattis <mailscanner at romehosting.com>
> >> wrote:
> >> >
> >> >> Let me see if I can explain this properly:
> >> >>
> >> >> a at hotmail.com sends to b at mydomain1.com.
> >> >>
> >> >> a rule exists at mydomain1.com to redirect to c at mydomain2.com,
> >> therefore
> >> >>
> >> >> a at hotmail.com arrives safely c at mydomain2.com.
> >> >>
> >> >> When opening the email, it looks like this:
> >> >>
> >> >> From: a at hotmail.com
> >> >> To: b at mydomain1.com
> >> >>
> >> >> This is exactly what I want and works perfectly in any mail client.
> >> >>
> >> >> Unfortunately, when you look at the list of messages MailScanner has
> >> >> processed (using the MailWatch frontend), every message, no matter
> >> who
> >> >> from looks like this:
> >> >>
> >> >> From: b at mydomain1.com
> >> >> To: c at mydomain2.com
> >> >>
> >> >> This renders white/blacklisting useless, and subject lines are the
> >> only
> >> >> clues available for releasing SPAM.  When looking at the raw headers,
> >> >> the
> >> >> redirect is adding a "Resent-From" header which I believe is
> >> overriding
> >> >> the "From" header.
> >> >>
> >> >> No matter what is received, MailScanner is basing some of it's
> >> decisions
> >> >> on the "Resent-From" address which lowers the score for all messages.
> >> >>
> >> >> This is what happens when corporations make poor decisions.
> >> >> Unfortunately, I am forced to find a workaround for it.
> >> >>
> >> >> Thanks,
> >> >> --
> >> >> Dave Gattis
> >> >>
> >> >>
> >> >> > Le 22/10/2012 15:26, Dave Gattis a ??crit :
> >> >> >> Each message is stamped with "Resent-From" and "Return-Path" of
> >> the
> >> >> >> redirecting address.  I can strip those headers out, after
> >> >> MailScanner,
> >> >> >> but really need them removed before.
> >> >> >
> >> >> > Why do you really need them removed? If it's just for spamassassin,
> >> >> you
> >> >> > can use bayes_ignore_header in your local.cf file.
> >> >> >
> >> >> > John.
> >> >> >
> >> >> > --
> >> >> > -- Over 5000 webcams from ski resorts around the world -
> >> >> www.snoweye.com
> >> >> > -- Translate your technical documents and web pages    -
> >> www.tradoc.fr
> >> >> > --
> >> >> > MailScanner mailing list
> >> >> > mailscanner at lists.mailscanner.info
> >> >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >> >> >
> >> >> > Before posting, read http://wiki.mailscanner.info/posting
> >> >> >
> >> >> > Support MailScanner development - buy the book off the website!
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> MailScanner mailing list
> >> >> mailscanner at lists.mailscanner.info
> >> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >> >>
> >> >> Before posting, read http://wiki.mailscanner.info/posting
> >> >>
> >> >> Support MailScanner development - buy the book off the website!
> >> >>
> >> > --
> >> > MailScanner mailing list
> >> > mailscanner at lists.mailscanner.info
> >> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >> >
> >> > Before posting, read http://wiki.mailscanner.info/posting
> >> >
> >> > Support MailScanner development - buy the book off the website!
> >> >
> >>
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >>
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121025/fca2ab49/attachment.html 

From doctor at doctor.nl2k.ab.ca  Mon Oct 29 15:21:31 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 09:21:31 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
Message-ID: <20121029152130.GA14009@doctor.nl2k.ab.ca>

Help!!

Need to get this running.

I have read the instructions and to date I do send but the e-mail
does not come back.

What am I doing wrong?

-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  
USA petition to dissolve the Republic and vote to disoolve it in November 2012

From mailscanner at joolee.nl  Mon Oct 29 16:43:17 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 29 Oct 2012 17:43:17 +0100
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029152130.GA14009@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID: <CA+Q-w8VK6r10BU=O6ATjsy_GzGS8b4XhT9jOEy3ycgpouSs=0w@mail.gmail.com>

First thing your doing wrong is not sending any extra information in your
request for help. There are a million things that can go wrong so we need
more to go on.

Start with your installation. What did you do?
On what point do your logfiles say it's going wrong?

On 29 October 2012 16:21, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:

> Help!!
>
> Need to get this running.
>
> I have read the instructions and to date I do send but the e-mail
> does not come back.
>
> What am I doing wrong?
>
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to disoolve it in November
> 2012
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121029/1962aef6/attachment.html 

From mikael at syska.dk  Mon Oct 29 16:49:33 2012
From: mikael at syska.dk (Mikael Syska)
Date: Mon, 29 Oct 2012 17:49:33 +0100
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029152130.GA14009@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID: <CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>

Hi,

On Mon, Oct 29, 2012 at 4:21 PM, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:
> Help!!
>
> Need to get this running.

Then hire someone for the job.

> I have read the instructions and to date I do send but the e-mail
> does not come back.

Since everybody else can get it working, I guess you are doing something wrong.

> What am I doing wrong?

Not doing it right :-)

You need to tell us about your setup, better more useless information,
than no information ... else the above will be my best guess.

> --
> Member - Liberal International  This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to disoolve it in November 2012
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

mvh

From doctor at doctor.nl2k.ab.ca  Mon Oct 29 18:32:00 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 12:32:00 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
	<CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>
Message-ID: <20121029183200.GA424@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> Hi,
> 
> On Mon, Oct 29, 2012 at 4:21 PM, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:
> > Help!!
> >
> > Need to get this running.
> 
> Then hire someone for the job.
> 
> > I have read the instructions and to date I do send but the e-mail
> > does not come back.
> 
> Since everybody else can get it working, I guess you are doing something wrong.
> 
> > What am I doing wrong?
> 
> Not doing it right :-)
> 
> You need to tell us about your setup, better more useless information,
> than no information ... else the above will be my best guess.
>


Sorry about that; I was wondering if this group was still alive.

Could I post the MailScanner.conf and the exim configuration files?
 
> > --
> > Member - Liberal International  This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
> > God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
> > http://www.fullyfollow.me/rootnl2k
> > USA petition to dissolve the Republic and vote to disoolve it in November 2012
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> 
> mvh
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  
USA petition to dissolve the Republic and vote to disoolve it in November 2012

From mailscanner at joolee.nl  Mon Oct 29 19:05:36 2012
From: mailscanner at joolee.nl (Joolee)
Date: Mon, 29 Oct 2012 20:05:36 +0100
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029183200.GA424@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
	<CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>
	<20121029183200.GA424@doctor.nl2k.ab.ca>
Message-ID: <CA+Q-w8UtG-wQMg=ja+UwGB6KcOvkVQ_pvRvrbBs30_r0PPOexg@mail.gmail.com>

You could but I don't think anyone will fix your problem for you that way.

On 29 October 2012 19:32, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:

> On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > Hi,
> >
> > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor <doctor at doctor.nl2k.ab.ca>
> wrote:
> > > Help!!
> > >
> > > Need to get this running.
> >
> > Then hire someone for the job.
> >
> > > I have read the instructions and to date I do send but the e-mail
> > > does not come back.
> >
> > Since everybody else can get it working, I guess you are doing something
> wrong.
> >
> > > What am I doing wrong?
> >
> > Not doing it right :-)
> >
> > You need to tell us about your setup, better more useless information,
> > than no information ... else the above will be my best guess.
> >
>
>
> Sorry about that; I was wondering if this group was still alive.
>
> Could I post the MailScanner.conf and the exim configuration files?
>
> > > --
> > > Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> > > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> > > http://www.fullyfollow.me/rootnl2k
> > > USA petition to dissolve the Republic and vote to disoolve it in
> November 2012
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> >
> > mvh
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to disoolve it in November
> 2012
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121029/97cc8101/attachment.html 

From maxsec at gmail.com  Mon Oct 29 19:55:37 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Mon, 29 Oct 2012 19:55:37 +0000
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029183200.GA424@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
	<CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>
	<20121029183200.GA424@doctor.nl2k.ab.ca>
Message-ID: <CAGDKor+cOJqk0_A9+Y6wyeruuObzwcw+KAMq5HyozONJDKtXbQ@mail.gmail.com>

Which instructions did you use to setup exim and MailScanner- there are
seceral about

Best way to start is get exim moving email by itself with mailscanner, then
split exim into two and add Mailscanner into the mix.

Martin

On Monday, 29 October 2012, The Doctor wrote:

> On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > Hi,
> >
> > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor <doctor at doctor.nl2k.ab.ca<javascript:;>>
> wrote:
> > > Help!!
> > >
> > > Need to get this running.
> >
> > Then hire someone for the job.
> >
> > > I have read the instructions and to date I do send but the e-mail
> > > does not come back.
> >
> > Since everybody else can get it working, I guess you are doing something
> wrong.
> >
> > > What am I doing wrong?
> >
> > Not doing it right :-)
> >
> > You need to tell us about your setup, better more useless information,
> > than no information ... else the above will be my best guess.
> >
>
>
> Sorry about that; I was wondering if this group was still alive.
>
> Could I post the MailScanner.conf and the exim configuration files?
>
> > > --
> > > Member - Liberal International  This is doctor at nl2k.ab.ca<javascript:;>Ici
> doctor at nl2k.ab.ca <javascript:;>
> > > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> > > http://www.fullyfollow.me/rootnl2k
> > > USA petition to dissolve the Republic and vote to disoolve it in
> November 2012
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info <javascript:;>
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> >
> > mvh
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info <javascript:;>
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca <javascript:;>Ici
> doctor at nl2k.ab.ca <javascript:;>
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to disoolve it in November
> 2012
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info <javascript:;>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>


-- 
-- 
Martin Hepworth, CISSP
Oxford, UK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121029/a61fb9df/attachment.html 

From doctor at doctor.nl2k.ab.ca  Mon Oct 29 20:10:06 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 14:10:06 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <CA+Q-w8UtG-wQMg=ja+UwGB6KcOvkVQ_pvRvrbBs30_r0PPOexg@mail.gmail.com>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
	<CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>
	<20121029183200.GA424@doctor.nl2k.ab.ca>
	<CA+Q-w8UtG-wQMg=ja+UwGB6KcOvkVQ_pvRvrbBs30_r0PPOexg@mail.gmail.com>
Message-ID: <20121029201006.GA28621@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 08:05:36PM +0100, Joolee wrote:
> You could but I don't think anyone will fix your problem for you that way.
>

Then Step 1 please.
 
> On 29 October 2012 19:32, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:
> 
> > On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > > Hi,
> > >
> > > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor <doctor at doctor.nl2k.ab.ca>
> > wrote:
> > > > Help!!
> > > >
> > > > Need to get this running.
> > >
> > > Then hire someone for the job.
> > >
> > > > I have read the instructions and to date I do send but the e-mail
> > > > does not come back.
> > >
> > > Since everybody else can get it working, I guess you are doing something
> > wrong.
> > >
> > > > What am I doing wrong?
> > >
> > > Not doing it right :-)
> > >
> > > You need to tell us about your setup, better more useless information,
> > > than no information ... else the above will be my best guess.
> > >
> >
> >
> > Sorry about that; I was wondering if this group was still alive.
> >
> > Could I post the MailScanner.conf and the exim configuration files?
> >
> > > > --
> > > > Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> > doctor at nl2k.ab.ca
> > > > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> > rising!
> > > > http://www.fullyfollow.me/rootnl2k
> > > > USA petition to dissolve the Republic and vote to disoolve it in
> > November 2012
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > >
> > > > Before posting, read http://wiki.mailscanner.info/posting
> > > >
> > > > Support MailScanner development - buy the book off the website!
> > >
> > > mvh
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> >
> > --
> > Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> > doctor at nl2k.ab.ca
> > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> > rising!
> > http://www.fullyfollow.me/rootnl2k
> > USA petition to dissolve the Republic and vote to disoolve it in November
> > 2012
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >

> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

> This message has been 'sanitized'.  This means that potentially
> dangerous content has been rewritten or removed.  The following
> log describes which actions were taken.
> 
> Sanitizer (start="1351537910"):
>   Part (pos="4248"):
>     Part (pos="107"):
>       SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
>         Match (names="unnamed.txt", rule="2"):
>           Enforced policy: accept
> 
>     Part (pos="2576"):
>       SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
>         Match (names="unnamed.html, filetype.html", rule="2"):
>           Enforced policy: accept
> 
>       Note: Styles and layers give attackers many tools to fool the
>       user and common browsers interpret Javascript code found
>       within style definitions.
>       
>       Rewrote HTML tag: >>_div class="gmail_quote"_<<
>                     as: >>_p__DEFANGED_div class="gmail_quote"_<<
>       Rewrote HTML tag: >>_span dir="ltr"_<<
>                     as: >>_DEFANGED_span dir="ltr"_<<
>       Rewrote HTML tag: >>_/span_<<
>                     as: >>_/DEFANGED_span_<<
>       Rewrote HTML tag: >>_blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"_<<
>                     as: >>_blockquote class="gmail_quote" DEFANGED_style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"_<<
>       Rewrote HTML tag: >>_div class="im"_<<
>                     as: >>_p__DEFANGED_div class="im"_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_div class="HOEnZb"_<<
>                     as: >>_p__DEFANGED_div class="HOEnZb"_<<
>       Rewrote HTML tag: >>_div class="h5"_<<
>                     as: >>_p__DEFANGED_div class="h5"_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
>       Rewrote HTML tag: >>_/div_<<
>                     as: >>_/p__DEFANGED_div_<<
> 
>   Part (pos="11117"):
>     SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
>       Match (names="unnamed.txt", rule="2"):
>         Enforced policy: accept
> 
>   Total modifications so far: 11
> 
> 
> Anomy 0.0.0 : Sanitizer.pm
> $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $


-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  
USA petition to dissolve the Republic and vote to disoolve it in November 2012

From doctor at doctor.nl2k.ab.ca  Mon Oct 29 20:37:25 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 14:37:25 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029201006.GA28621@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
	<CAJYT2XnDGRwGG97qtAMn0x0ZS30HfJsaCtT2tG1st8CCV0pJAQ@mail.gmail.com>
	<20121029183200.GA424@doctor.nl2k.ab.ca>
	<CA+Q-w8UtG-wQMg=ja+UwGB6KcOvkVQ_pvRvrbBs30_r0PPOexg@mail.gmail.com>
	<20121029201006.GA28621@doctor.nl2k.ab.ca>
Message-ID: <20121029203723.GA5541@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 02:10:06PM -0600, The Doctor wrote:
> On Mon, Oct 29, 2012 at 08:05:36PM +0100, Joolee wrote:
> > You could but I don't think anyone will fix your problem for you that way.
> >
> 
> Then Step 1 please.

My MailScanner.conf file for exim is

RElevant lines

Run As User = exim
Run As Group = exim
Incoming Queue Dir = /var/spool/exim.in/input
Outgoing Queue Dir = /var/spool/exim/input
# Set whether to use postfix, sendmail, exim or zmailer.
MTA = exim
Sendmail = /usr/exim/bin/exim
#For Exim users: Sendmail2 = /usr/sbin/exim -C /etc/exim/exim_send.conf
#Sendmail2 = /usr/sbin/sendmail -C /etc/exim/exim_send.conf
Sendmail2 = /usr/exim/bin/exim -C /usr/exim/exim_send.conf   

>  
> > On 29 October 2012 19:32, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:
> > 
> > > On Mon, Oct 29, 2012 at 05:49:33PM +0100, Mikael Syska wrote:
> > > > Hi,
> > > >
> > > > On Mon, Oct 29, 2012 at 4:21 PM, The Doctor <doctor at doctor.nl2k.ab.ca>
> > > wrote:
> > > > > Help!!
> > > > >
> > > > > Need to get this running.
> > > >
> > > > Then hire someone for the job.
> > > >
> > > > > I have read the instructions and to date I do send but the e-mail
> > > > > does not come back.
> > > >
> > > > Since everybody else can get it working, I guess you are doing something
> > > wrong.
> > > >
> > > > > What am I doing wrong?
> > > >
> > > > Not doing it right :-)
> > > >
> > > > You need to tell us about your setup, better more useless information,
> > > > than no information ... else the above will be my best guess.
> > > >
> > >
> > >
> > > Sorry about that; I was wondering if this group was still alive.
> > >
> > > Could I post the MailScanner.conf and the exim configuration files?
> > >
> > > > > --
> > > > > Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> > > doctor at nl2k.ab.ca
> > > > > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> > > rising!
> > > > > http://www.fullyfollow.me/rootnl2k
> > > > > USA petition to dissolve the Republic and vote to disoolve it in
> > > November 2012
> > > > > --
> > > > > MailScanner mailing list
> > > > > mailscanner at lists.mailscanner.info
> > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > > >
> > > > > Before posting, read http://wiki.mailscanner.info/posting
> > > > >
> > > > > Support MailScanner development - buy the book off the website!
> > > >
> > > > mvh
> > > > --
> > > > MailScanner mailing list
> > > > mailscanner at lists.mailscanner.info
> > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > > >
> > > > Before posting, read http://wiki.mailscanner.info/posting
> > > >
> > > > Support MailScanner development - buy the book off the website!
> > >
> > > --
> > > Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> > > doctor at nl2k.ab.ca
> > > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> > > rising!
> > > http://www.fullyfollow.me/rootnl2k
> > > USA petition to dissolve the Republic and vote to disoolve it in November
> > > 2012
> > > --
> > > MailScanner mailing list
> > > mailscanner at lists.mailscanner.info
> > > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> > >
> 
> > -- 
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > 
> > Before posting, read http://wiki.mailscanner.info/posting
> > 
> > Support MailScanner development - buy the book off the website! 
> 
> > This message has been 'sanitized'.  This means that potentially
> > dangerous content has been rewritten or removed.  The following
> > log describes which actions were taken.
> > 
> > Sanitizer (start="1351537910"):
> >   Part (pos="4248"):
> >     Part (pos="107"):
> >       SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
> >         Match (names="unnamed.txt", rule="2"):
> >           Enforced policy: accept
> > 
> >     Part (pos="2576"):
> >       SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
> >         Match (names="unnamed.html, filetype.html", rule="2"):
> >           Enforced policy: accept
> > 
> >       Note: Styles and layers give attackers many tools to fool the
> >       user and common browsers interpret Javascript code found
> >       within style definitions.
> >       
> >       Rewrote HTML tag: >>_div class="gmail_quote"_<<
> >                     as: >>_p__DEFANGED_div class="gmail_quote"_<<
> >       Rewrote HTML tag: >>_span dir="ltr"_<<
> >                     as: >>_DEFANGED_span dir="ltr"_<<
> >       Rewrote HTML tag: >>_/span_<<
> >                     as: >>_/DEFANGED_span_<<
> >       Rewrote HTML tag: >>_blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"_<<
> >                     as: >>_blockquote class="gmail_quote" DEFANGED_style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"_<<
> >       Rewrote HTML tag: >>_div class="im"_<<
> >                     as: >>_p__DEFANGED_div class="im"_<<
> >       Rewrote HTML tag: >>_/div_<<
> >                     as: >>_/p__DEFANGED_div_<<
> >       Rewrote HTML tag: >>_div class="HOEnZb"_<<
> >                     as: >>_p__DEFANGED_div class="HOEnZb"_<<
> >       Rewrote HTML tag: >>_div class="h5"_<<
> >                     as: >>_p__DEFANGED_div class="h5"_<<
> >       Rewrote HTML tag: >>_/div_<<
> >                     as: >>_/p__DEFANGED_div_<<
> >       Rewrote HTML tag: >>_/div_<<
> >                     as: >>_/p__DEFANGED_div_<<
> >       Rewrote HTML tag: >>_/div_<<
> >                     as: >>_/p__DEFANGED_div_<<
> > 
> >   Part (pos="11117"):
> >     SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
> >       Match (names="unnamed.txt", rule="2"):
> >         Enforced policy: accept
> > 
> >   Total modifications so far: 11
> > 
> > 
> > Anomy 0.0.0 : Sanitizer.pm
> > $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $
> 
> 
> -- 
> Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
> http://www.fullyfollow.me/rootnl2k  
> USA petition to dissolve the Republic and vote to disoolve it in November 2012
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  
USA petition to dissolve the Republic and vote to disoolve it in November 2012

From mogens at fumlersoft.dk  Mon Oct 29 21:59:55 2012
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Mon, 29 Oct 2012 22:59:55 +0100 (CET)
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <20121029152130.GA14009@doctor.nl2k.ab.ca>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
Message-ID: <25982.31318c7a.1351547995.nsm@mail.fumlersoft.dk>

My guess would be, your signature get caught in your filters.

On Mon, October 29, 2012 16:21, The Doctor wrote:
> Help!!
>
> Need to get this running.
>
> I have read the instructions and to date I do send but the e-mail
> does not come back.
>
> What am I doing wrong?
>
> --
> Member - Liberal International	This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to disoolve it in November
> 2012
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>


-- 
Mogens Melander
+66 8701 33224

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


From doctor at doctor.nl2k.ab.ca  Mon Oct 29 22:57:39 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 29 Oct 2012 16:57:39 -0600
Subject: Exim 4.80.1 and MailScanner 4.82.6-1
In-Reply-To: <25982.31318c7a.1351547995.nsm@mail.fumlersoft.dk>
References: <20121029152130.GA14009@doctor.nl2k.ab.ca>
	<25982.31318c7a.1351547995.nsm@mail.fumlersoft.dk>
Message-ID: <20121029225739.GB3102@doctor.nl2k.ab.ca>

On Mon, Oct 29, 2012 at 10:59:55PM +0100, Mogens Melander wrote:
> My guess would be, your signature get caught in your filters.
> 
> On Mon, October 29, 2012 16:21, The Doctor wrote:
> > Help!!
> >
> > Need to get this running.
> >
> > I have read the instructions and to date I do send but the e-mail
> > does not come back.
> >
> > What am I doing wrong?
> >
> > --
> > Member - Liberal International	This is doctor at nl2k.ab.ca Ici
> > doctor at nl2k.ab.ca
> > God,Queen and country!Never Satan President Republic!Beware AntiChrist
> > rising!
> > http://www.fullyfollow.me/rootnl2k
> > USA petition to dissolve the Republic and vote to disoolve it in November
> > 2012
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
>

LOL!!
 
> 
> -- 
> Mogens Melander
> +66 8701 33224
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website! 

-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  
USA petition to dissolve the Republic and vote to disoolve it in November 2012

From doctor at doctor.nl2k.ab.ca  Tue Oct 30 14:56:30 2012
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 30 Oct 2012 08:56:30 -0600
Subject: Spam Lists
Message-ID: <20121030145630.GA14860@doctor.nl2k.ab.ca>

Right

Are the following Black Holes supported on MailScanner:

sbl-xbl.spamhaus.org 
zen.spamhaus.org 
dnsbl.njabl.org 
           combined.njabl.org 
           bl.spamcop.net 
           iscbl.anti-spam.org.cn 
           cbl.anti-spam.org.cn 
           cblplus.anti-spam.org.cn 
           cblless.anti-spam.org.cn
           hostkarma.junkemailfilter.com=127.0.0.2  


-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  
USA petition to dissolve the Republic and vote to disoolve it in November 2012

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


From Kevin_Miller at ci.juneau.ak.us  Tue Oct 30 16:52:14 2012
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue, 30 Oct 2012 08:52:14 -0800
Subject: Spam Lists
In-Reply-To: <20121030145630.GA14860@doctor.nl2k.ab.ca>
References: <20121030145630.GA14860@doctor.nl2k.ab.ca>
Message-ID: <4A09477D575C2C4B86497161427DD94C27A372BEF3@city-exchange07>

See /etc/MailScanner/spam.lists.conf

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of The Doctor
Sent: Tuesday, October 30, 2012 6:57 AM
To: mailscanner at lists.mailscanner.info
Subject: Spam Lists

Right

Are the following Black Holes supported on MailScanner:

sbl-xbl.spamhaus.org
zen.spamhaus.org
dnsbl.njabl.org 
           combined.njabl.org 
           bl.spamcop.net 
           iscbl.anti-spam.org.cn 
           cbl.anti-spam.org.cn 
           cblplus.anti-spam.org.cn 
           cblless.anti-spam.org.cn
           hostkarma.junkemailfilter.com=127.0.0.2  


-- 
Member - Liberal International	This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to disoolve it in November 2012

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

From maxsec at gmail.com  Tue Oct 30 17:05:48 2012
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 30 Oct 2012 17:05:48 +0000
Subject: Spam Lists
In-Reply-To: <20121030145630.GA14860@doctor.nl2k.ab.ca>
References: <20121030145630.GA14860@doctor.nl2k.ab.ca>
Message-ID: <CAGDKor+swTtB4bhgO44GxQnvxp3FERV=US7O9s307TrDgodXDw@mail.gmail.com>

Best to use them in SpamAssassin rather than Mailscanner itself, so yes,
although the zen/xbl and others also contain feed from each other.

-- 
Martin Hepworth, CISSP
Oxford, UK


On 30 October 2012 14:56, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:

> Right
>
> Are the following Black Holes supported on MailScanner:
>
> sbl-xbl.spamhaus.org
> zen.spamhaus.org
> dnsbl.njabl.org
>            combined.njabl.org
>            bl.spamcop.net
>            iscbl.anti-spam.org.cn
>            cbl.anti-spam.org.cn
>            cblplus.anti-spam.org.cn
>            cblless.anti-spam.org.cn
>            hostkarma.junkemailfilter.com=127.0.0.2
>
>
> --
> Member - Liberal International  This is doctor at nl2k.ab.ca Ici
> doctor at nl2k.ab.ca
> God,Queen and country!Never Satan President Republic!Beware AntiChrist
> rising!
> http://www.fullyfollow.me/rootnl2k
> USA petition to dissolve the Republic and vote to disoolve it in November
> 2012
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121030/190e3fb0/attachment.html 

From alvaro at hostalia.com  Tue Oct 30 17:08:06 2012
From: alvaro at hostalia.com (Alvaro Marin)
Date: Tue, 30 Oct 2012 18:08:06 +0100
Subject: Large rule files
Message-ID: <50900976.5050104@hostalia.com>

Hello,

we've some rule files (whitelist, blacklist, checks...) and some days 
ago, I added new rules so some of those files have more than 25000 lines 
now.

We have seen an important performance impact in MailScanner...Is there 
any "magic" solution to this?
I've been reading about Ruleset-from-Function.pm, is anyone using it?

Thanks!

Regards,

-- 
Alvaro Mar?n Illera
Hostalia Internet
www.hostalia.com


From ecasarero at gmail.com  Tue Oct 30 19:17:07 2012
From: ecasarero at gmail.com (Eduardo Casarero)
Date: Tue, 30 Oct 2012 16:17:07 -0300
Subject: Large rule files
In-Reply-To: <50900976.5050104@hostalia.com>
References: <50900976.5050104@hostalia.com>
Message-ID: <CAE1SQAN9kpZAXi987y9C2dJ2+ioNLPkH+5z7uScn8kcoeuu7TA@mail.gmail.com>

Hi alvaro, we are using an sqlite db to hold white/blacklists, we didn't
measure performance impacts, but both of our lists has over thousand rules
and works fine. We took some CustomFunctions from Mailwatch and tuned to
work with sqlite instead of mysql.

Regards,

Eduardo.

2012/10/30 Alvaro Marin <alvaro at hostalia.com>

> Hello,
>
> we've some rule files (whitelist, blacklist, checks...) and some days
> ago, I added new rules so some of those files have more than 25000 lines
> now.
>
> We have seen an important performance impact in MailScanner...Is there
> any "magic" solution to this?
> I've been reading about Ruleset-from-Function.pm, is anyone using it?
>
> Thanks!
>
> Regards,
>
> --
> Alvaro Mar?n Illera
> Hostalia Internet
> www.hostalia.com
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20121030/c75431b8/attachment.html